Bugtraq mailing list archives
Re: [ANNOUNCE] glibc heap protection patch
From: "Eugene Tsyrklevich" <eugene () securityarchitects com>
Date: Tue, 2 Dec 2003 03:27:52 -0800 (PST)
Hello,

Your heap protection scheme is based on checking the validity of the chunk structure magic value that is calculated as

    (chunk)->magic = (((int) chunk) ^ *__heap_magic ^ (chunk)->size)

I believe that "chunk" and "(chunk)->size" can be considered to be known to attackers and thus contain no entropy. Thus the security of your scheme is based on the randomness of the "__heap_magic" value which is calculated as

+#ifdef __HEAP_PROTECTION
[snip]
+ srand(time(NULL));
+ *__heap_magic = rand();
[snip]
+ if (mprotect(__heap_magic, sizeof(*__heap_magic), PROT_READ))
+ fprintf(stderr, "glibc: WARNING: unable to protect heap magic!\n");
+#endif /* __HEAP_PROTECTION */

With such a poor random number generator you only raise the bar slightly higher, whereby attackers have to predict your "random" canary in their exploits. Also, since you initialize "__heap_magic" once per process, an attacker might be able to use nmap to determine the uptime of the victim machine, which will quite precisely determine when a process was started (a valid assumption for daemon processes).

cheers,
eugene
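Review bot: the canary in this hunk has no more entropy than the process start time in seconds, because srand(time(NULL)) followed by a single rand() is fully determined by that timestamp; read the value from /dev/urandom (or another kernel entropy source) instead of seeding the libc PRNG with the clock. A second problem in the same hunk: mprotect() requires a page-aligned address, so unless __heap_magic is itself placed at a page boundary the call fails with EINVAL, and the code then only prints the warning and carries on with a writable canary. Allocate the magic in its own page (for example via mmap) so the read-only protection actually takes effect, and treat a failed mprotect() as fatal rather than a warning.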
Hi all,

I'd just like to announce that we have a heap protection system for glibc available for download. The system detects and prevents all heap overflow exploits that modify inline control information from succeeding against a protected application, can be installed system-wide or on a per-process basis using LD_PRELOAD, and is transparent to existing applications. We would definitely appreciate any feedback and bug reports on the code.

The patch and some additional information are available at:

http://www.cs.ucsb.edu/~wkr/projects/heap_protection/

Enjoy!

--
William Robertson
Reliable Software Group, UC Santa Barbara
http://www.cs.ucsb.edu/~wkr/
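The chunk magic check discussed in this thread, written out as an added example; this is neither the patch's code nor either poster's, and the names heap_magic, chunk_seal, chunk_check and demo are hypothetical. It keeps the magic formula from the thread (chunk address ^ heap magic ^ size) but draws the heap magic from /dev/urandom instead of a time-seeded rand(), and places it in its own mmap'd page so that mprotect() can actually make it read-only.

```c
/* Added example: chunk magic check with a properly sourced, read-only canary.
 * Not the glibc patch's code; names are hypothetical. Linux/POSIX only. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/mman.h>

struct chunk {
    size_t size;      /* inline control information an overflow can reach */
    uintptr_t magic;  /* chunk ^ heap_magic ^ size, as in the thread */
    char data[32];
};

static uintptr_t *heap_magic;  /* hypothetical stand-in for __heap_magic */

/* Fill buf with len bytes from the kernel entropy pool; 0 on success. */
static int read_urandom(void *buf, size_t len) {
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) return -1;
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, (char *)buf + got, len - got);
        if (n <= 0) { close(fd); return -1; }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Map a private page for the canary, fill it from /dev/urandom, then make
 * the page read-only. mprotect() needs a page-aligned address, which a plain
 * global variable does not guarantee; a dedicated mapping always is.
 * Returns 0 on success, -1 on any failure (no silent "warning and continue"). */
int heap_magic_init(void) {
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    if (read_urandom(p, sizeof(uintptr_t)) != 0) { munmap(p, page); return -1; }
    if (mprotect(p, page, PROT_READ) != 0) { munmap(p, page); return -1; }
    heap_magic = p;
    return 0;
}

/* The magic formula from the thread, with the chunk address as the third input. */
uintptr_t chunk_magic(const struct chunk *c) {
    return (uintptr_t)c ^ *heap_magic ^ (uintptr_t)c->size;
}

/* Set the size field and seal the chunk header with its magic. */
void chunk_seal(struct chunk *c, size_t size) {
    c->size = size;
    c->magic = chunk_magic(c);
}

/* 1 if the stored magic still matches the chunk's address and size, else 0. */
int chunk_check(const struct chunk *c) {
    return c->magic == chunk_magic(c);
}

/* Demonstration: returns 1 when an intact chunk passes the check and a chunk
 * whose size field was overwritten (simulated here) fails it. */
int demo(void) {
    if (heap_magic_init() != 0) return 0;
    struct chunk *c = malloc(sizeof *c);
    if (!c) return 0;
    chunk_seal(c, sizeof c->data);
    int intact_ok = chunk_check(c);
    c->size += 64;                 /* simulate corrupted inline metadata */
    int corrupted_ok = chunk_check(c);
    free(c);
    return intact_ok && !corrupted_ok;
}

int main(void) {
    printf("%s\n", demo() ? "corruption detected" : "demo failed");
    return 0;
}
```

Because the magic depends on the chunk's own address, moving a sealed header elsewhere in memory also fails the check, which is the property the scheme relies on; what the example changes relative to the hunk Eugene quotes is only where the unpredictable part comes from and how it is protected.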
Current thread:
- [ANNOUNCE] glibc heap protection patch William Robertson (Dec 01)
- Re: [ANNOUNCE] glibc heap protection patch Stefan Esser (Dec 02)
- Re: [ANNOUNCE] glibc heap protection patch William Robertson (Dec 02)
- Re: [ANNOUNCE] glibc heap protection patch Stefan Esser (Dec 03)
- Re: [ANNOUNCE] glibc heap protection patch William Robertson (Dec 03)
- Re: [ANNOUNCE] glibc heap protection patch William Robertson (Dec 02)
- Re: [ANNOUNCE] glibc heap protection patch Stefan Esser (Dec 02)
- Re: [ANNOUNCE] glibc heap protection patch Eugene Tsyrklevich (Dec 02)
- Re: [ANNOUNCE] glibc heap protection patch William Robertson (Dec 02)
- Re: [ANNOUNCE] glibc heap protection patch Han Boetes (Dec 03)
- Re: [ANNOUNCE] glibc heap protection patch Adam Shostack (Dec 04)
- Re: [ANNOUNCE] glibc heap protection patch Jim Knoble (Dec 04)
- Re: [ANNOUNCE] glibc heap protection patch William Robertson (Dec 02)
- Re: [ANNOUNCE] glibc heap protection patch William Robertson (Dec 04)
- Re: [ANNOUNCE] glibc heap protection patch xenophi1e (Dec 03)
- Re: [ANNOUNCE] glibc heap protection patch Stefan Esser (Dec 04)
- Re: [ANNOUNCE] glibc heap protection patch Troed Sångberg (Dec 04)
- Re: [ANNOUNCE] glibc heap protection patch Stefan Esser (Dec 04)
- Re: [ANNOUNCE] glibc heap protection patch Marco Ivaldi (Dec 04)