Is SIGSEGV a security feature against malware?
I've been studying Linux security features recently, and after that I came up with this question:
Is SIGSEGV (Segmentation Violation Signal) a security feature against malware? Or is it just a way to control processes?
Any help is appreciated.
No. When computers started serving multiple users the main protection idea was that you needed to protect one user's work from another user, and you needed to protect the system itself from all the users. And you needed to organise memory and have ways to address it.
Segmentation got involved in memory addressing and a segmentation fault happens when a process tries to use memory not available to it. Malware sometimes gets caught by this accidentally but it's not really a malware defence.
In fact to defend against malware which interferes with the operation of your processes (already running as you, with all the access that gives them) we need a new approach to OS permissioning, and application permissioning and even some sort of permissioning internal to programs that we haven't really got now.
AppArmor and the like are a start; access control depends not only on the user account but also on the program that's running.
The OLPC has a great description of the problem. http://wiki.laptop.org/go/OLPC_Bitfrost#Foreword
The object-capability model is good (and shouldn't be much more work than OO programming that people already do) ... but when you do capabilities today the hardware isn't really able to support them. To do good security we're probably going to get better hardware or keep going round in circles.
Your program runs in virtual memory. When your program refers to "pages" of memory that are properly-assigned to it, a segment-fault occurs, Linux finds the pages and automagically makes them available to you ... your program has no idea it's happening. The program automagically tries again and this time it works.
Other areas of memory, however, are off-limits. Linux knows the difference.
But let's say that you've got a bug in your program such that it "goes wild" and tries to do something like, say, write to location $00000000. That's inaccessible memory. The read/write fails, a segment-fault occurs, Linux decides it's an error, and throws the segment-fault exception back to you.
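An added example, not part of any post in this thread: a small C program for Linux that stores one byte to three kinds of page and records what the kernel reports in `si_code`. A store to a freshly mapped read/write page succeeds with no signal, a store to a read-only page raises SIGSEGV with `SEGV_ACCERR`, and a store to an unmapped page raises it with `SEGV_MAPERR`. The names `probe_write` and `probe_page` are chosen here for illustration.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf resume;                 /* where to continue after a fault */
static volatile sig_atomic_t fault_code;  /* si_code the kernel reported */

static void on_segv(int sig, siginfo_t *si, void *ctx) {
    (void)sig; (void)ctx;
    fault_code = si->si_code;             /* SEGV_MAPERR or SEGV_ACCERR */
    siglongjmp(resume, 1);                /* skip the faulting store */
}

/* Store one byte at p. Returns 0 if the store worked, else the si_code. */
int probe_write(volatile char *p) {
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_segv;
    sa.sa_flags = SA_SIGINFO;             /* ask for the siginfo_t details */
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    fault_code = 0;
    if (sigsetjmp(resume, 1) == 0)
        *p = 1;                           /* may fault; handler jumps back */
    sigaction(SIGSEGV, &old, NULL);       /* restore the previous handler */
    return fault_code;
}

/* Map one anonymous page with prot, optionally unmap it, then probe it. */
int probe_page(int prot, int unmap_first) {
    size_t sz = (size_t)sysconf(_SC_PAGESIZE);
    char *pg = mmap(NULL, sz, prot, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (pg == MAP_FAILED) return -1;
    if (unmap_first) munmap(pg, sz);      /* address is now off-limits */
    int code = probe_write(pg);
    if (!unmap_first) munmap(pg, sz);
    return code;
}

int main(void) {
    printf("read/write page: %d\n", probe_page(PROT_READ | PROT_WRITE, 0));
    printf("read-only page:  %d\n", probe_page(PROT_READ, 0));
    printf("unmapped page:   %d\n", probe_page(PROT_READ | PROT_WRITE, 1));
    return 0;
}
```

The signal only reports that the memory protection hardware refused an access; the handler here catches it purely to read `si_code`, which is why a crash log showing SIGSEGV says nothing by itself about whether the cause was a bug or something hostile.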
Thank you for your great replies.