Vulnerability Development mailing list archives

Re: stackguard-like embedded protection


From: Crispin Cowan <crispin () WIREX COM>
Date: Sun, 17 Sep 2000 22:09:32 -0700

"Bluefish (P.Magnusson)" wrote:

> > Another factor to consider is that what you're doing in guessing at canary
> > values is knocking over service daemons on someone's server.  They may notice
> > that the Foo Daemon (food :-) has re-set itself 19,485 times in the last 9
> > hours.

> Hmmm. Based on the concept of the administrator actually looking through
> the logs, and that attacks are logged.

Badly maintained and un-monitored systems will get 0wned, regardless of the
technologies involved.  I'm considering how effective canaries are in defending a
system that someone wants defended.


> I still haven't seen any estimations on how fast a simple suid foo.c
> with main(){ char s[100]; gets(s); } can be bruteforced, if protected by
> 32 bits [assuming 32 bit entropy for simplicity].

Excellent idea.


> $ echo "" | time ./simpletest
> Command exited with non-zero status 164
> 0.00user 0.01system 0:00.01elapsed 90%CPU (0avgtext+0avgdata
> 0maxresident)k
> 0inputs+0outputs (69major+9minor)pagefaults 0swaps
>
> Assuming that this "0.01" actually is closer to 1 than 0 (not being
> entirely sure how trustworthy time is in this situation)

You're right not to trust it; time's precision is poor at small intervals.

I revised your experiment by putting 1000 lines of "echo "" | time ./simpletest"
into a shell script and timing that.  My P II/366 takes a reliable 5 seconds to run
1000 instances of this simple program, or 5 ms of time per copy.  Long division
says this will take 125 days on average to crack a 32-bit value.


> The conclusion must, IMHO, be that the attack cannot be applied to
> regularly used machines. However, there may be numerous servers which are
> badly supervised... And this is all basically based upon time giving
> good values with only one non-zero number, not a very good approach :)

Agreed.

Crispin

--
Crispin Cowan, Ph.D.
Chief Research Scientist, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution:                    http://immunix.org
                Olympics:  The Corruption Games
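The two points Crispin makes above, the long-division estimate and the "daemon re-set itself 19,485 times" observation, as an added example that is not part of the thread: a function that turns a measured per-attempt cost into an expected brute-force time, and a detector that flags a daemon restart storm in supervisor logs. The log format, the "init:" restart message and the daemon names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta

def expected_bruteforce_days(entropy_bits, seconds_per_attempt):
    """Average time to guess a uniformly random value of `entropy_bits`:
    half the keyspace is tried on average (2^(bits-1) attempts)."""
    attempts = 2 ** (entropy_bits - 1)
    return attempts * seconds_per_attempt / 86400

# Constructed syslog-style restart line, e.g.
# "Sep 17 12:00:00 host init: food[1200] exited with status 164, restarting"
LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+: (\w+)\[\d+\] exited with status (\d+)")

def restart_storms(log_text, window=timedelta(hours=9), threshold=100):
    """Return {daemon: restarts} for every daemon that restarted more than
    `threshold` times inside some `window`-long sliding interval: the
    footprint a full-canary brute force leaves on a supervised server."""
    times = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime("2000 " + m.group(1), "%Y %b %d %H:%M:%S")
        times.setdefault(m.group(2), []).append(ts)
    storms = {}
    for daemon, stamps in times.items():
        stamps.sort()
        best = start = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:   # shrink window from the left
                start += 1
            best = max(best, end - start + 1)
        if best > threshold:
            storms[daemon] = best
    return storms

def constructed_log():
    """Constructed sample: 'food' aborting every 2 minutes (status 164, as in
    the thread) plus one unrelated sshd restart."""
    base = datetime(2000, 9, 17, 12, 0, 0)
    lines = [f"{base + timedelta(minutes=2 * i):%b %d %H:%M:%S} host init: "
             f"food[{1200 + i}] exited with status 164, restarting"
             for i in range(150)]
    lines.append(f"{base:%b %d %H:%M:%S} host init: sshd[99] exited with status 1, restarting")
    return "\n".join(lines)

if __name__ == "__main__":
    print(f"{expected_bruteforce_days(32, 0.005):.1f} days")  # 5 ms/attempt, as measured above
    print(restart_storms(constructed_log()))
```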
