Bugtraq mailing list archives

Re: Clarification: LD_PRELOAD issue


From: kragen () POBOX COM (Kragen Sitaker)
Date: Fri, 14 May 1999 17:28:42 -0400


A Mr. Skoll writes:
> Now, any license manager can be spoofed, from as blunt an attack as
> changing the system time to sophisticated reverse-engineering attacks
> on the license manager binary.  The issue is to prevent "cheap"
> attacks -- if attacking the license manager is expensive enough,
> people won't bother (or they'll find other avenues of attack. :-))
>
> Changing the system time introduces all kinds of problems, so most
> potential license abusers won't do it.  A two-line shell script with a
> 6-line C program is a very cheap attack on a dynamically-linked
> license manager daemon.  Attacking a statically-linked license manager
> binary is quite a bit more expensive, and should greatly reduce the
> incentive for an attack.

This logic is utter nonsense when applied to programs.

It makes sense when applied to safes or encrypted messages.  If a
single safe takes 20 hours to break into, a thousand of them will take
20,000 hours to break into.

It does not make sense when applied to software.  If a single program
takes 20 hours to break into (quite a liberal estimate for most
copy-protection), then it will take perhaps another half hour to post
the exploit, and then ten minutes each to apply the fix to the other
thousand copies of the program, for a total of about 187 hours.

And static linking doesn't take care of it, either; root still can load
kernel modules to put each application in a different 'time zone', for
example, and running the license manager under a debugger that traps
calls to the time() function is also no big deal, and works fine even
if the program is statically linked.

In short: your battle is in vain, and the futile measures you employ in
it hurt the rest of us.  They hurt our system security, reliability,
and performance.  Your needs (treat the kernel and root as potential
crackers) are in direct opposition to those of us who wish to run
secure systems.

--
<kragen () pobox com>       Kragen Sitaker     <http://www.pobox.com/~kragen/>
TurboLinux is outselling NT in Japan's retail software market 10 to 1,
so I hear.
-- http://www.performancecomputing.com/opinions/unixriot/981218.shtml