Vulnerability Development mailing list archives
Re: stackguard-like embedded protection
From: "Bluefish (P.Magnusson)" <11a () GMX NET>
Date: Mon, 18 Sep 2000 03:23:00 +0200
> The important factor to consider here is that the guesses must run against the VICTIM's computer. You don't get to substitute arbitrarily fast hardware and skoosh down the attack time.

True.

> Another factor to consider is that what you're doing in guessing at canary values is knocking over service daemons on someone's server. They may notice that the Foo Daemon (food :-) has re-set itself 19,485 times in the last 9 hours.

Hmmm. Based on the concept of the administrator actually looking through the logs, and that attacks are logged.

> If it is a StackGuarded program they're attacking, then syslog will be STUFFED with failed attempts.

So S.G. logs, good. :)

> This attack will be noticed LONG before it succeeds.
I still haven't seen any estimations on how fast a simple suid foo.c with main(){ char s[100]; gets(s); } can be bruteforced, if protected by 32 bits [assuming 32 bit entropy for simplicity].

  $ cat test.c
  main(){ char s[100]; gets(s); }
  $ gcc -o simpletest test.c
  /tmp/ccHR9vq9.o: In function `main':
  /tmp/ccHR9vq9.o(.text+0xb): the `gets' function is dangerous and should not be used.
  $ echo "" | time ./simpletest
  Command exited with non-zero status 164
  0.00user 0.01system 0:00.01elapsed 90%CPU (0avgtext+0avgdata 0maxresident)k
  0inputs+0outputs (69major+9minor)pagefaults 0swaps

Assuming that this "0.01" actually is closer to 1 than 0 (not being entirely sure how trustworthy time is in this situation), I'm not sure if I can agree totally. It would on a Pentium 100 take 250 days to get a 50% success chance, if my math is right. Assuming a new 32 bit 1GHz processor to be about twice as fast per Hz, we get 250/5/2 = 25 days.

The conclusion must, IMHO, be that the attack cannot be applied to regularly used machines. However, there may be numerous servers which are badly supervised...

And this is all basically based upon time giving good values with only one non-zero number, not a very good approach :)

..:::::::::::::::::::::::::::::::::::::::::::::::::..
http://www.11a.nu || http://bluefish.11a.nu
eleventh alliance development & security team
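The two points argued in this exchange (how long a 32-bit canary brute force takes at the measured cost per attempt, and how quickly the crash logs give it away) as a defender-side model in Python. This is an added example, not code from the original post and not part of StackGuard; the syslog line format, host name, program names and function names are constructed, and the real StackGuard failure message may read differently. It assumes a uniformly random 32-bit canary, one guess per crash, and a fixed cost per attempt as in the post's timing.

```python
"""Canary brute-force cost estimate and a crash-log detector (added example)."""
import math
import re
from collections import deque
from datetime import datetime

# --- Part 1: how long does guessing the canary take? -------------------------

def attempts_for_success_probability(bits: int, probability: float = 0.5) -> int:
    """Distinct guesses needed so that P(hit) >= probability for a uniform
    `bits`-bit canary. With 2^bits equally likely values and k distinct
    guesses, P(hit) = k / 2^bits, so k = probability * 2^bits."""
    return math.ceil(probability * 2 ** bits)


def days_to_success(bits: int, seconds_per_attempt: float,
                    probability: float = 0.5) -> float:
    """Wall-clock days on the VICTIM's machine (assumption: every attempt costs
    `seconds_per_attempt`, e.g. the 0.01 s the post measured for one crash)."""
    return attempts_for_success_probability(bits, probability) * seconds_per_attempt / 86400


# --- Part 2: how soon does the log traffic give the attempt away? ------------

# Constructed syslog shape: "Mon DD HH:MM:SS host prog[pid]: message"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d\d \d\d:\d\d:\d\d) \S+ (?P<prog>[^\[]+)\[\d+\]: (?P<msg>.*)$")

# Constructed stand-in for the canary-failure message; the real text may differ.
CANARY_FAILURE = "Stack smashing attack"


def parse_syslog_line(line: str, year: int = 2000):
    """Return (timestamp, program, message) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["prog"], m["msg"]


def find_bruteforce(lines, threshold: int = 5, window_seconds: int = 60):
    """Map program -> time of first alert, raised when `threshold` canary
    failures for the same program fall inside any `window_seconds` window.
    A single crash is noise; a burst of them is the brute force described
    in the thread, and it shows up after `threshold` guesses, not 2^31."""
    recent: dict[str, deque] = {}
    alerts: dict[str, datetime] = {}
    for line in lines:
        parsed = parse_syslog_line(line)
        if parsed is None:
            continue
        ts, prog, msg = parsed
        if CANARY_FAILURE not in msg:
            continue
        window = recent.setdefault(prog, deque())
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()
        if len(window) >= threshold and prog not in alerts:
            alerts[prog] = ts
    return alerts


# Constructed sample log: one cron line, one isolated failure in "food",
# and six rapid failures in "simpletest" (the post's test binary).
SAMPLE_LOG = """\
Sep 18 03:10:00 host cron[200]: (root) CMD (run-parts /etc/cron.hourly)
Sep 18 03:10:01 host simpletest[1001]: Stack smashing attack in function main
Sep 18 03:10:01 host simpletest[1002]: Stack smashing attack in function main
Sep 18 03:10:02 host food[300]: Stack smashing attack in function parse_request
Sep 18 03:10:02 host simpletest[1003]: Stack smashing attack in function main
Sep 18 03:10:03 host simpletest[1004]: Stack smashing attack in function main
Sep 18 03:10:03 host simpletest[1005]: Stack smashing attack in function main
Sep 18 03:10:04 host simpletest[1006]: Stack smashing attack in function main
""".splitlines()


if __name__ == "__main__":
    days = days_to_success(32, 0.01)          # the post's 0.01 s per crash
    print(f"50% success after {attempts_for_success_probability(32)} guesses,"
          f" about {days:.0f} days at 0.01 s per attempt")
    print("alerts:", find_bruteforce(SAMPLE_LOG))
```

With the post's figures (32 bits, 0.01 s per attempt) the first part reproduces the "about 250 days for a 50% chance" estimate, and scaling the per-attempt cost by the post's factor of 10 gives the 25 days. The second part fires on the fifth failure, which is why a threshold on repeated canary deaths per program is a cheap and reliable signal for this attack regardless of how fast the attacker's own hardware is.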
Current thread:
- Re: stackguard-like embedded protection, (continued)
- Re: stackguard-like embedded protection Bluefish (P.Magnusson) (Sep 08)
- Re: stackguard-like embedded protection Hiroaki Etoh (Sep 12)
- Re: stackguard-like embedded protection antirez (Sep 13)
- Re: stackguard-like embedded protection Hiroaki Etoh (Sep 13)
- Re: stackguard-like embedded protection antirez (Sep 13)
- Re: stackguard-like embedded protection Crispin Cowan (Sep 13)
- Re: stackguard-like embedded protection Bluefish (P.Magnusson) (Sep 13)
- Re: stackguard-like embedded protection antirez (Sep 13)
- Re: stackguard-like embedded protection Bluefish (P.Magnusson) (Sep 16)
- Re: stackguard-like embedded protection Crispin Cowan (Sep 16)
- Re: stackguard-like embedded protection Bluefish (P.Magnusson) (Sep 17)
- Re: stackguard-like embedded protection Crispin Cowan (Sep 18)
- The much popular t0rnkit. Masial (Sep 17)
- Re: The much popular t0rnkit. Neil Sequeira (Sep 19)
- Re: stackguard-like embedded protection antirez (Sep 13)