Bugtraq mailing list archives
Re: fixing all buffer overflows --- random magin numbers
From: crispin () CSE OGI EDU (Crispin Cowan)
Date: Tue, 14 Sep 1999 00:10:35 +0000
(post sent as HTML and ASCII because there's a table that's easier to read in HTML. Aleph, go ahead and nuke the HTML if you prefer) nm wrote:
Neat idea. But, couldn't someone just take a common binary (say ls) that exists on the target system and reverse engineer it and begin to make a mapping of numbers to syscalls.
I wrote two papers last year that classified post hoc security enhancements into a 2D grid: * one dimension is *what* is adapted: the interface, or the implementation * the other dimension is what *kind* of adaptation you apply: either a restriction, or a permutation The result looks like this: Interface Implementation Restriction * Firewalls * Bounds checking * TCP Wrappers * StackGuard * Randomly renaming system files * Randomly renumbering system Permutation calls (the hack proposed here * Randomly munging by Maniscalco) data layout * Fred Cohen's Deception Toolkit The papers describing this work are: * "Death, Taxes, and Imperfect Software: Surviving the Inevitable", by Crispin Cowan, Calton Pu, and Heather Hinton, presented at the 1998 New Security Paradigms workshop, and available here: http://www.cse.ogi.edu/~crispin/bugtol.ps.gz or here: http://www.cse.ogi.edu/~crispin/bugtol.pdf . * "Survivability from a Sow's Ear: The Retrofit Security Requirement", by Crispin Cowan and Calton Pu, presented at the 1998 Information Survivability Workshop, and available here http://www.cse.ogi.edu/~crispin/isw98.ps.gz or here http://www.cse.ogi.edu/~crispin/isw98.pdf In these papers we conclude that "Interface Permutations" (such as randomly swizling the syscall numbers) has a problem: it is just weak crypto. It makes the "current configuration of the interface" a symmetric session key that must be shared amongst all the servers and clients. It is a shared secret. You have all the usual problems of shared secrets, plus the following problems: * it is a relatively small secret * it is often a very easy to observe secret (such as the ls reverse engineering hack that nm mentions) The only advantage offered by interface permutation is that the secret is not amenable to off-line cracking: you have to make your guesses against the host system, and that gives intrusion detectors a good shot at detecting your cracking attempts. Naturally, this just means that attackers will infer the current configuration indrectly instead of brute forcing it. Crispin ----- Crispin Cowan, Research Assistant Professor of Computer Science, OGI NEW: Protect Your Linux Host with StackGuard'd Programs :FREE http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
Nick Maniscalco At 09:37 PM 9/11/99 -0400, Dr. Joel M. Hoffman wrote:I was thinking-- it wouldn't be too hard to make buffer overflowattacks impossible. The basic idea is to do away with binary compatibility. In particular, I was thinking that part of building a kernel would involve assigning a random number to each syscall, and creating a syscall.h file with these random numbers. A binary would only run if it was compiled with the proper syscall.h, so all binaries would have to be recompiled for the new kernel, but then, syscall.h could be removed, and the system would be impervious to buffer overflow attacks. (One step further would involve random magic numbers in every function call.) I would be happy to give up binary compatilibyt for the added security it would add. Comments? -Joel Hoffman (joel () exc com)
<!-- body="end" --> <HR> <UL> <LI><STRONG>Next message:</STRONG> Vladimir Dubrovin: "Re: CGI security" <LI><STRONG>Previous message:</STRONG> Bill Nottingham: "[RHSA-1999:037-01] Buffer overflow in mars_nwe" <LI><STRONG>Next in thread:</STRONG> Oliver Xymoron: "Re: fixing all buffer overflows --- random magin numbers" <LI><STRONG>Reply:</STRONG> Oliver Xymoron: "Re: fixing all buffer overflows --- random magin numbers" </UL> <HR> <SMALL> This archive was generated by hypermail 2.0b3 on Tue Sep 14 1999 - 13:53:31 CDT</EM> </EM> </SMALL> </BODY> </HTML>
Current thread:
- Re: fixing all buffer overflows --- random magin numbers nm (Sep 12)
- Re: fixing all buffer overflows --- random magin numbers Crispin Cowan (Sep 13)
- Re: fixing all buffer overflows --- random magin numbers Oliver Xymoron (Sep 17)
- Exploit for proftpd 1.2.0pre6 Tymm Twillman (Sep 20)
- Re: fixing all buffer overflows --- random magin numbers Crispin Cowan (Sep 20)
- BP9909-00: cfingerd local buffer overflow Przemyslaw Frasunek (Sep 21)
- Windows IP source routing attack Dug Song (Sep 21)
- FreeBSD-specific denial of service Charles M. Hannum (Sep 21)
- Re: FreeBSD-specific denial of service Alan Cox (Sep 22)
- Re: FreeBSD-specific denial of service Bjoern Fischer (Sep 24)
- Re: fixing all buffer overflows --- random magin numbers Oliver Xymoron (Sep 17)
- Re: fixing all buffer overflows --- random magin numbers Crispin Cowan (Sep 13)