Bugtraq mailing list archives
Re: fixing all buffer overflows --- random magic numbers
From: crispin () CSE OGI EDU (Crispin Cowan)
Date: Tue, 14 Sep 1999 00:10:35 +0000
(post sent as HTML and ASCII because there's a table that's easier to read in HTML. Aleph, go ahead and nuke the HTML if you prefer)

nm wrote:
> Neat idea. But, couldn't someone just take a common binary (say ls) that exists on the target system and reverse engineer it and begin to make a mapping of numbers to syscalls.
I wrote two papers last year that classified post hoc security enhancements
into a 2D grid:
* one dimension is *what* is adapted: the interface, or the
implementation
* the other dimension is what *kind* of adaptation you apply: either a
restriction, or a permutation
The result looks like this:

                  Interface                           Implementation
  Restriction     * Firewalls                         * Bounds checking
                  * TCP Wrappers                      * StackGuard

  Permutation     * Randomly renaming system files    * Randomly munging
                  * Randomly renumbering system         data layout
                    calls (the hack proposed here
                    by Maniscalco)
                  * Fred Cohen's Deception Toolkit
The papers describing this work are:
* "Death, Taxes, and Imperfect Software: Surviving the Inevitable", by
Crispin Cowan, Calton Pu, and Heather Hinton, presented at the 1998
New Security Paradigms workshop, and available here:
http://www.cse.ogi.edu/~crispin/bugtol.ps.gz or here:
http://www.cse.ogi.edu/~crispin/bugtol.pdf .
* "Survivability from a Sow's Ear: The Retrofit Security Requirement",
by Crispin Cowan and Calton Pu, presented at the 1998 Information
Survivability Workshop, and available here
http://www.cse.ogi.edu/~crispin/isw98.ps.gz or here
http://www.cse.ogi.edu/~crispin/isw98.pdf
In these papers we conclude that "Interface Permutations" (such as randomly
swizzling the syscall numbers) have a problem: it is just weak crypto. It
makes the "current configuration of the interface" a symmetric session key
that must be shared amongst all the servers and clients. It is a shared
secret. You have all the usual problems of shared secrets, plus the
following problems:
* it is a relatively small secret
* it is often a very easy to observe secret (such as the ls reverse
engineering hack that nm mentions)
The only advantage offered by interface permutation is that the secret is
not amenable to off-line cracking: you have to make your guesses against
the host system, and that gives intrusion detectors a good shot at
detecting your cracking attempts. Naturally, this just means that
attackers will infer the current configuration indirectly instead of brute
forcing it.
Crispin
-----
Crispin Cowan, Research Assistant Professor of Computer Science, OGI
NEW: Protect Your Linux Host with StackGuard'd Programs :FREE
http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
Nick Maniscalco

> At 09:37 PM 9/11/99 -0400, Dr. Joel M. Hoffman wrote:
>
> > I was thinking-- it wouldn't be too hard to make buffer overflow attacks impossible. The basic idea is to do away with binary compatibility. In particular, I was thinking that part of building a kernel would involve assigning a random number to each syscall, and creating a syscall.h file with these random numbers. A binary would only run if it was compiled with the proper syscall.h, so all binaries would have to be recompiled for the new kernel, but then, syscall.h could be removed, and the system would be impervious to buffer overflow attacks. (One step further would involve random magic numbers in every function call.) I would be happy to give up binary compatibility for the added security it would add. Comments?
> >
> > -Joel Hoffman (joel () exc com)
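Crispin's "weak crypto" reading of the scheme, modelled as an added Python example that is not part of the thread: the randomized syscall table is the shared session key, a public binary with a known syscall sequence acts as known plaintext, and blind guessing against the live host leaves countable ENOSYS faults for an intrusion detector. The syscall names, numbers and the ls trace are constructed for illustration, not taken from any real kernel.

```python
"""Added toy model of the thread's argument: a randomly renumbered syscall
table is a substitution cipher keyed by a shared secret.  All syscall
names, numbers and the 'ls' trace are constructed for illustration."""
import math
import random

# Constructed miniature syscall table (real kernels have hundreds).
SYSCALLS = ["exit", "fork", "read", "write", "open", "close", "execve",
            "brk", "mmap", "stat", "getdents", "ioctl"]


def build_kernel_table(seed):
    """The 'session key': a random permutation name -> number, as the
    proposed randomized syscall.h would assign at kernel build time."""
    numbers = list(range(len(SYSCALLS)))
    random.Random(seed).shuffle(numbers)
    return dict(zip(SYSCALLS, numbers))


def blind_guess_bits(table, needed):
    """Entropy a payload must guess with no observation: an ordered
    choice of len(needed) distinct numbers out of n, in bits."""
    n = len(table)
    return sum(math.log2(n - i) for i in range(len(needed)))


def recover_from_known_binary(expected_trace, observed_numbers):
    """The 'easy to observe' weakness nm raised: a public program (ls)
    whose syscall sequence is known from source is lined up with the
    numbers found in its binary; each pair exposes one table entry."""
    mapping = {}
    for name, num in zip(expected_trace, observed_numbers):
        if mapping.setdefault(name, num) != num:
            raise ValueError(f"inconsistent observation for {name}")
    return mapping


def enosys_faults_before_hit(table, name, guesses):
    """What online guessing costs: every wrong number is a call to a
    nonexistent syscall on the live host (ENOSYS), an event an intrusion
    detector can count and alarm on."""
    faults = 0
    for g in guesses:
        if g == table[name]:
            return faults
        faults += 1
    return faults
```

With a 12-entry table a single needed syscall is under four bits of secret, and one known binary hands over every entry it uses without a single fault on the host.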