Vulnerability Development mailing list archives

Re: stackguard-like embedded protection


From: "Bluefish (P.Magnusson)" <11a () GMX NET>
Date: Mon, 18 Sep 2000 03:23:00 +0200

> The important factor to consider here is that the guesses must run against the
> VICTIM's computer.  You don't get to substitute arbitrarily fast hardware and
> skoosh down the attack time.

True.

> Another factor to consider is that what you're doing in guessing at canary
> values is knocking over service daemons on someone's server.  They may notice
> that the Foo Daemon (food :-) has re-set itself 19,485 times in the last 9
> hours.

Hmmm. Based on the concept of the administrator actually looking through
the logs, and that attacks are logged.

> If it is a StackGuarded program they're attacking, then syslog will be
> STUFFED with failed attempts.

So S.G. logs, good. :)

> This attack will be noticed LONG before it succeeds.

I still haven't seen any estimations on how fast a simple suid foo.c
with main(){ char s[100]; gets(s); } can be brute-forced, if protected by
32 bits [assuming 32-bit entropy for simplicity].

$ cat test.c
main(){ char s[100]; gets(s); }

$ gcc -o simpletest test.c
/tmp/ccHR9vq9.o: In function `main':
/tmp/ccHR9vq9.o(.text+0xb): the `gets' function is dangerous and should
not be used.

$ echo "" | time ./simpletest
Command exited with non-zero status 164
0.00user 0.01system 0:00.01elapsed 90%CPU (0avgtext+0avgdata
0maxresident)k
0inputs+0outputs (69major+9minor)pagefaults 0swaps

Assuming that this "0.01" actually is closer to 1 than 0 (not being
entirely sure how trustworthy time is in this situation) I'm not sure if I
can agree totally. It would on a Pentium 100 take 250 days to get a 50%
success chance, if my math is right. Assuming a new 32 bit 1GHz processor
to be about twice as fast per Hz, we get 250/5/2 = 25 days.

The conclusion must, IMHO, be that the attack cannot be applied to
regularly used machines. However, there may be numerous servers which are
badly supervised... And this is all basically based upon time giving
good values with only one non-zero digit, not a very good approach :)

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team
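
A worked version of the estimate in the message above, added here as an example and not code from the message or its author. It takes the message's figures (a 32-bit canary, about 0.01 s per failed attempt, and an assumed 10x faster machine) and goes one step further than the message: it also covers the case where the canary is re-drawn at every program start, and counts the failed-attempt log entries a defender would see.

```python
import math

# Figures taken from the message: 32-bit canary, ~0.01 s per failed
# attempt (one exec plus one crash) as measured with `time`.
CANARY_BITS = 32
SECONDS_PER_ATTEMPT = 0.01


def attempts_fixed_canary(bits: int, p_success: float) -> float:
    """Attempts needed for probability p_success when the canary stays the
    same across restarts (guesses without replacement): p = n / 2**bits."""
    return p_success * 2 ** bits


def attempts_fresh_canary(bits: int, p_success: float) -> float:
    """Attempts needed when the canary is re-drawn on every program start
    (guesses with replacement, geometric distribution):
    1 - (1 - 2**-bits)**n = p  =>  n = ln(1 - p) / ln(1 - 2**-bits)."""
    q = 2.0 ** -bits
    return math.log1p(-p_success) / math.log1p(-q)


def days_to_success(attempts: float, secs_per_attempt: float,
                    speedup: float = 1.0) -> float:
    """Wall-clock days for `attempts` tries on a machine `speedup` times
    faster than the one that produced `secs_per_attempt`."""
    return attempts * secs_per_attempt / speedup / 86400


def failed_attempts_logged(hours: float, secs_per_attempt: float) -> int:
    """Canary-failure log entries a defender sees in `hours` if the
    attacker runs flat out: every failed guess is one logged crash."""
    return round(hours * 3600 / secs_per_attempt)


if __name__ == "__main__":
    n_fixed = attempts_fixed_canary(CANARY_BITS, 0.5)
    n_fresh = attempts_fresh_canary(CANARY_BITS, 0.5)
    print(f"fixed canary, 50%: {n_fixed:.0f} attempts, "
          f"{days_to_success(n_fixed, SECONDS_PER_ATTEMPT):.1f} days "
          f"({days_to_success(n_fixed, SECONDS_PER_ATTEMPT, 10):.1f} at 10x)")
    print(f"fresh canary, 50%: {n_fresh:.0f} attempts, "
          f"{days_to_success(n_fresh, SECONDS_PER_ATTEMPT):.1f} days")
    print(f"log entries in 9 hours: "
          f"{failed_attempts_logged(9, SECONDS_PER_ATTEMPT)}")
```

The fixed-canary figure reproduces the message's roughly 250 days (25 days at 10x); a canary re-drawn per exec raises the 50% mark to about 345 days, and either way the defender's log fills at millions of entries per day.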

