| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1448101133295651070364472@securityarchitects.com> Date: Tue, 2 Dec 2003 03:27:52 -0800 (PST) From: "Eugene Tsyrklevich" <eugene@...urityarchitects.com> To: "William Robertson" <wkr@...ucsb.edu> Cc: sectools@...urityfocus.com, bugtraq@...urityfocus.com, focus-ids@...urityfocus.com Subject: Re: [ANNOUNCE] glibc heap protection patch Hello, Your heap protection scheme is based on checking the validity of the chunk structure magic value that is calculated as (chunk)->magic = (((int) chunk) ^ *__heap_magic ^ (chunk)->size) I believe that "chunk" and "(chunk)->size" can be considered to be known to attackers and thus contain no entropy. Thus the security of your scheme is based on the randomness of the "__heap_magic" value which is calculated as +#ifdef __HEAP_PROTECTION [snip] + srand(time(NULL)); + *__heap_magic = rand(); [snip] + if (mprotect(__heap_magic, sizeof(*__heap_magic), PROT_READ)) + fprintf(stderr, "glibc: WARNING: unable to protect heap magic!\n"); +#endif /* __HEAP_PROTECTION */ With such a poor random number generator you only raise a bar slightly higher whereby attackers have to predict your "random" canary in their exploits. Also, since you initialize "__heap_magic" once per process, an attacker might be able to use nmap to determine the uptime of the victim machine which will quite precisely determine when a process was started (a valid assumption for daemon processes). cheers, eugene > Hi all, > > I'd just like to announce that we have a heap protection system for glibc available for download. The system detects and prevents all heap overflow exploits that modify inline control information from > succeeding against a protected application, can be installed > system-wide or on a per-process basis using LD_PRELOAD, and is > transparent to existing applications. > > We would definitely appreciate any feedback and bug reports on the code. The patch and some additional information is available at: > > http://www.cs.ucsb.edu/~wkr/projects/heap_protection/ > > Enjoy! > > -- > William Robertson > Reliable Software Group, UC Santa Barbara > http://www.cs.ucsb.edu/~wkr/ --------------------------------------------------------------------------- ---------------------------------------------------------------------------
Powered by blists - more mailing lists