Re: [ANNOUNCE] glibc heap protection patch

["Eugene Tsyrklevich" <eugene () securityarchitects com>]

Hello,

Your heap protection scheme is based on checking the validity of the chunk
structure magic value that is calculated as

(chunk)->magic = (((int) chunk) ^ *__heap_magic ^ (chunk)->size)

I believe that "chunk" and "(chunk)->size" can be considered to be known
to attackers and thus contain no entropy. Thus the security of your scheme
is based on the randomness of the "__heap_magic" value which is calculated
as

+#ifdef __HEAP_PROTECTION

[snip]

+  srand(time(NULL));
+  *__heap_magic = rand();

[snip]

+  if (mprotect(__heap_magic, sizeof(*__heap_magic), PROT_READ))
+    fprintf(stderr, "glibc: WARNING: unable to protect heap magic!\n");
+#endif /* __HEAP_PROTECTION */


With such a poor random number generator you only raise a bar slightly
higher whereby attackers have to predict your "random" canary in their
exploits.

Also, since you initialize "__heap_magic" once per process, an attacker
might be able to use nmap to determine the uptime of the victim machine
which will quite precisely determine when a process was started (a valid
assumption for daemon processes).

cheers,
eugene


> Hi all,
>
> I'd just like to announce that we have a heap protection system for
glibc available for download. The system detects and prevents all heap
overflow exploits that modify inline control information from
> succeeding against a protected application, can be installed
> system-wide or on a per-process basis using LD_PRELOAD, and is
> transparent to existing applications.
>
> We would definitely appreciate any feedback and bug reports on the code.
The patch and some additional information is available at:
> http://www.cs.ucsb.edu/~wkr/projects/heap_protection/
>
> Enjoy!
>
> --
> William Robertson
> Reliable Software Group, UC Santa Barbara
> http://www.cs.ucsb.edu/~wkr/