Vulnerability Development mailing list archives
Re: Core Dump as an Intrusion Event
From: Slawek <sgp () TELSATGP COM PL>
Date: Thu, 5 Oct 2000 17:03:14 +0200
Hi,

Yes, this would be a good idea. There shouldn't be coredumps from daemons, and if there are then I think they need to be analysed even if they aren't "intrusion triggered" :)

BUT there is a "small" problem: format bugs (in many situations) allow an attacker to read the memory without core dumping... and modify it after an analysis, so there is _no_ coredump from a "wrong" exploit nor from a successful exploit.

just my $.02

Slawek

----- Original Message -----
From: "Crispin Cowan" <crispin () WIREX COM>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Thursday, October 05, 2000 4:00 PM
Subject: [VULN-DEV] Core Dump as an Intrusion Event
Background: StackGuard 2.0 (as released this summer) does not provide secure resistance to format bugs. However, because StackGuard changes some data layouts, it does tend to change the offsets that are required to make the exploit work. As a result, exploits tuned for the "standard" instance of a vulnerable program tend to just cause the victim program to dump core without giving up the shell prompt.

This leads me to conjecture that "core dump" makes a good intrusion detection event. Server apps. ("services", e.g. Apache, ftpd, fingerd ;-) should not be dumping core, so you could treat a core dump as an indication that an attacker is rattling your door. StackGuard enhances this effect, by making it unlikely that the first attack attempt will work. Other factors may also be used to enhance this effect.

In theory, theory is just like practice, but in practice it's different. Anyone have practical comments on this hypothesis? In practice, how often do services dump core for non-security reasons? If services dump core for non-security reasons even just a little, then the false-positive rate of intrusion detection from this clue gets out of control.

Caveat: I know that this is a bad heuristic for Windows machines :-)

Thanks,
Crispin

--
Crispin Cowan, Ph.D.
Chief Research Scientist, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org
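As an added illustration of Crispin's hypothesis (this is not code from the thread, from WireX or from StackGuard), the following Python monitor turns crashes of a fixed set of network daemons into graded alerts. It assumes a Linux x86 kernel whose "segfault at" messages are read from dmesg or syslog with printk timestamps, uses that message as the observable stand-in for "the daemon dumped core", and takes SERVICES as a site-specific allowlist; SAMPLE_LOG is constructed input. The sliding window and repeat threshold are this example's own answer to the false-positive concern raised in the message (one crash is worth a look, the same daemon crashing three times in a few minutes is the "rattling your door" pattern), and, as Slawek's reply points out, a read-only format-string attack that never crashes the process produces no event here at all.

```python
"""Grade kernel segfault reports from network daemons as possible intrusion events.

Added example, not code from the original thread or from StackGuard/WireX.
Assumptions (not on the page): a Linux x86 kernel whose "segfault at" lines are
read from dmesg/syslog with printk timestamps; that line is used as the stand-in
for "the daemon dumped core"; SERVICES is a site-specific allowlist.
SAMPLE_LOG is constructed input.
"""
import re
from collections import defaultdict, deque

# Daemons named in the thread plus a few common ones; tune per site.
SERVICES = {"httpd", "apache2", "ftpd", "fingerd", "sshd", "named"}

# x86 page-fault error-code bits as printed by the kernel (Intel SDM meanings).
PF_WRITE, PF_USER, PF_INSTR = 0x2, 0x4, 0x10

# Constructed example line (dmesg style):
# [ 1001.250000] fingerd[4242]: segfault at 37c0e011 ip 0000000037c0e011 sp 00000000ffcd1230 error 20 in fingerd[8048000+4000]
SEGFAULT_RE = re.compile(
    r"^\[\s*(?P<ts>\d+\.\d+)\]\s+(?P<exe>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at "
    r"(?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+)"
)


def parse_segfault(line):
    """Return a dict for a kernel segfault line, or None for any other line."""
    m = SEGFAULT_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": float(d["ts"]), "exe": d["exe"], "pid": int(d["pid"]),
        "addr": int(d["addr"], 16), "ip": int(d["ip"], 16),
        "sp": int(d["sp"], 16), "err": int(d["err"]),
    }


class CoreDumpMonitor:
    """Sliding window of crashes per daemon, graded by Crispin's heuristic."""

    def __init__(self, services=SERVICES, window_s=300.0, repeat_threshold=3):
        self.services = set(services)
        self.window_s = window_s
        self.repeat_threshold = repeat_threshold
        self._recent = defaultdict(deque)  # exe -> crash timestamps in window

    def observe(self, ev):
        """Return (severity, message); severity is info, medium or high."""
        exe, pid = ev["exe"], ev["pid"]
        if exe not in self.services:
            # A crashing editor is not the event the hypothesis is about.
            return ("info", f"{exe}[{pid}] crashed; not a monitored service")

        window = self._recent[exe]
        window.append(ev["ts"])
        while window and ev["ts"] - window[0] > self.window_s:
            window.popleft()  # forget crashes outside the window

        # Triage hints from the fault itself, useful when the core is analysed.
        hints = []
        if ev["ip"] == ev["addr"] or ev["err"] & PF_INSTR:
            hints.append("control-flow fault: execution reached the faulting address")
        if ev["err"] & PF_WRITE:
            hints.append("write fault")
        detail = f" ({'; '.join(hints)})" if hints else ""

        if len(window) >= self.repeat_threshold:
            # One daemon crashing repeatedly within minutes looks like an
            # attack being retried against unexpected offsets, not a one-off bug.
            return ("high", f"{exe}: {len(window)} crashes within {self.window_s:.0f}s{detail}")
        return ("medium", f"{exe}[{pid}] crashed{detail}")


def grade_log(lines, monitor=None):
    """Run every segfault line of a log through the monitor; other lines are skipped."""
    monitor = monitor or CoreDumpMonitor()
    results = []
    for line in lines:
        ev = parse_segfault(line)
        if ev is not None:
            results.append(monitor.observe(ev))
    return results


# Constructed sample log: an editor crash, three fingerd crashes in eight
# seconds, an httpd null-pointer read much later, and an unrelated message.
SAMPLE_LOG = """\
[ 1000.000001] vim[3000]: segfault at 0 ip 00000000080491e0 sp 00000000ffcd1200 error 4 in vim[8048000+2c0000]
[ 1001.250000] fingerd[4242]: segfault at 37c0e011 ip 0000000037c0e011 sp 00000000ffcd1230 error 20 in fingerd[8048000+4000]
[ 1005.500000] fingerd[4243]: segfault at 37c0e011 ip 0000000037c0e011 sp 00000000ffcd1230 error 20 in fingerd[8048000+4000]
[ 1009.750000] fingerd[4244]: segfault at 37c0e011 ip 0000000037c0e011 sp 00000000ffcd1230 error 20 in fingerd[8048000+4000]
[ 1400.000000] httpd[5100]: segfault at 0 ip 00000000f7e3a1c0 sp 00000000ffcd1230 error 4 in libc.so.6[f7e0a000+1c0000]
[ 1401.000000] usb 1-1: new high-speed USB device number 2 using ehci-pci
"""

if __name__ == "__main__":
    for severity, message in grade_log(SAMPLE_LOG.splitlines()):
        print(f"[{severity:6}] {message}")
```

Run against the sample, the vim crash is reported as info, the first two fingerd crashes as medium and the third as high, and the lone httpd crash as medium; the USB message is ignored. The window length and threshold are the knobs that trade Crispin's false-positive rate against detection delay, and the kernel line tells you only that a daemon crashed, so whether a core file was actually written still depends on the process's core size limit.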
Current thread:
- Core Dump as an Intrusion Event Crispin Cowan (Oct 05)
- Re: Core Dump as an Intrusion Event Alexander Kiwerski (Oct 05)
- Re: Core Dump as an Intrusion Event antirez (Oct 05)
- Re: Core Dump as an Intrusion Event Slawek (Oct 05)
- Re: Core Dump as an Intrusion Event Pascal Bouchareine (Oct 05)
- Re: Core Dump as an Intrusion Event Crist Clark (Oct 05)
- Re: Core Dump as an Intrusion Event W. Reilly Cooley (Oct 05)
- Re: Core Dump as an Intrusion Event Eclipse, Solar (Oct 05)
- Re: Core Dump as an Intrusion Event Erik Tayler (Oct 06)
- Re: Core Dump as an Intrusion Event Jarno Huuskonen (Oct 06)
- Re: Core Dump as an Intrusion Event Crist Clark (Oct 07)
- Re: Core Dump as an Intrusion Event Kev (Oct 07)
- Re: Core Dump as an Intrusion Event antirez (Oct 08)
- Re: Core Dump as an Intrusion Event Jarno Huuskonen (Oct 08)
(Thread continues...)