Vulnerability Development mailing list archives
Re: stackguard-like embedded protection
From: Crispin Cowan <crispin () WIREX COM>
Date: Sun, 17 Sep 2000 22:09:32 -0700
"Bluefish (P.Magnusson)" wrote:
> > Another factor to consider is that what you're doing in guessing at canary values is knocking over service daemons on someone's server. They may notice that the Foo Daemon (food :-) has re-set itself 19,485 times in the last 9 hours.
>
> Hmmm. Based on the concept of the administrator actually looking through the logs, and that attacks are logged.
Badly maintained and un-monitored systems will get 0wned, regardless of the technologies involved. I'm considering how effective canaries are in defending a system that someone wants defended.
> I still haven't seen any estimations on how fast a simple suid foo.c with main(){ char s[100]; gets(s); } can be bruteforced, if protected by 32 bits [assuming 32 bit entropy for simplicity].
Excellent idea.
> $ echo "" | time ./simpletest
> Command exited with non-zero status 164
> 0.00user 0.01system 0:00.01elapsed 90%CPU (0avgtext+0avgdata 0maxresident)k
> 0inputs+0outputs (69major+9minor)pagefaults 0swaps
>
> Assuming that this "0.01" actually is closer to 1 than 0 (not being entirely sure how trustworthy time is in this situation)
You're right not to trust it; time's precision is poor at small intervals. I revised your experiment by putting 1000 lines of "echo "" | time ./simpletest" into a shell script and timing that. My P II/366 takes a reliable 5 seconds to run 1000 instances of this simple program, or 5 ms of time per copy. Long division says this will take 125 days on average to crack a 32-bit value.
> The conclusion must, IMHO, be that the attack cannot be applied to regularly used machines. However, there may be numerous servers which are badly supervised... And this is all basically based upon time giving a good value with only one non-zero digit, not a very good approach :)
Agreed.

Crispin
--
Crispin Cowan, Ph.D.
Chief Research Scientist, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org
Olympics: The Corruption Games
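The cost model behind the "125 days" estimate in the message above, written out as a small script. This is an added example, not code from the thread, from WireX or from StackGuard; the 32-bit canary and the 5 ms per launch come from the thread, while the measurement helper, the function names and the use of the Python interpreter as a stand-in for the thread's suid test program are assumptions of this example. It also turns the model around the way the "food has reset itself 19,485 times in 9 hours" remark suggests: every wrong guess is a crash, so the attempt rate is exactly the restart rate a log reader would see, and an observed restart count bounds how long the attacker needs.

```python
"""Brute-force cost model for a random stack canary guessed one process launch at a time.

Added example (not from the thread or from StackGuard). The 32-bit canary and the
5 ms/attempt figure are the thread's; everything else is an assumption of this script.
"""
import subprocess
import sys
import time

SECONDS_PER_DAY = 86400.0


def measure_per_attempt_seconds(argv, runs=1000):
    """Time `runs` launches of `argv` and return mean wall-clock seconds per launch.

    This is the thread's method: one launch is too short for `time` to measure
    reliably, so amortise over many launches and divide. `argv` is any harmless
    command; the thread's own suid test program is not assumed to exist here.
    """
    start = time.perf_counter()
    for _ in range(runs):
        subprocess.run(argv, stdin=subprocess.DEVNULL, stdout=subprocess.DEVNULL,
                       stderr=subprocess.DEVNULL, check=False)
    return (time.perf_counter() - start) / runs


def expected_attempts(bits):
    """Mean guesses to hit a uniformly random `bits`-bit value: half the keyspace."""
    return 2 ** (bits - 1)


def expected_crack_days(bits, seconds_per_attempt):
    """Expected calendar days to brute-force the canary, one process launch per guess."""
    return expected_attempts(bits) * seconds_per_attempt / SECONDS_PER_DAY


def crashes_per_hour(seconds_per_attempt):
    """Each wrong guess kills the target, so the guess rate is the crash/restart
    rate visible to whoever reads the logs."""
    return 3600.0 / seconds_per_attempt


def crack_days_from_observed_rate(bits, crashes, window_hours):
    """Work backwards from a monitored restart count (e.g. the thread's hypothetical
    19,485 resets in 9 hours) to the attacker's implied expected crack time."""
    seconds_per_attempt = window_hours * 3600.0 / crashes
    return expected_crack_days(bits, seconds_per_attempt)


if __name__ == "__main__":
    # Thread's numbers: 32-bit canary, 5 ms per launch on a P II/366 -> ~124 days.
    days = expected_crack_days(32, 0.005)
    print(f"32-bit canary at 5 ms/attempt: ~{days:.0f} days, "
          f"{crashes_per_hour(0.005):,.0f} crashes/hour in the logs")
    # Constructed measurement: the interpreter running `pass` stands in for the test program.
    per = measure_per_attempt_seconds([sys.executable, "-c", "pass"], runs=50)
    print(f"measured {per * 1000:.2f} ms per launch here -> "
          f"~{expected_crack_days(32, per):.0f} days")
    # At the thread's hypothetical restart rate the same brute force takes over a century.
    years = crack_days_from_observed_rate(32, 19485, 9) / 365
    print(f"19,485 restarts in 9 h implies ~{years:.0f} years to crack")
```

The useful reading for a defender is the second half: at 5 ms a guess the attacker produces 720,000 crashes per hour, and even at the far quieter rate of the hypothetical "19,485 in 9 hours" the expected crack time is over a century, so any brute force that could finish in useful time is also one that a restart counter cannot miss.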