OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Re: [ANNOUNCE] glibc heap protection patch

From: Eugene Tsyrklevich (eugenesecurityarchitects.com)
Date: Tue Dec 02 2003 - 05:27:52 CST


Hello,

Your heap protection scheme is based on checking the validity of the chunk
structure magic value that is calculated as

(chunk)->magic = (((int) chunk) ^ *__heap_magic ^ (chunk)->size)

I believe that "chunk" and "(chunk)->size" can be considered to be known
to attackers and thus contain no entropy. Thus the security of your scheme
is based on the randomness of the "__heap_magic" value which is calculated
as

+#ifdef __HEAP_PROTECTION

[snip]

+ srand(time(NULL));
+ *__heap_magic = rand();

[snip]

+ if (mprotect(__heap_magic, sizeof(*__heap_magic), PROT_READ))
+ fprintf(stderr, "glibc: WARNING: unable to protect heap magic!\n");
+#endif /* __HEAP_PROTECTION */

With such a poor random number generator you only raise a bar slightly
higher whereby attackers have to predict your "random" canary in their
exploits.

Also, since you initialize "__heap_magic" once per process, an attacker
might be able to use nmap to determine the uptime of the victim machine
which will quite precisely determine when a process was started (a valid
assumption for daemon processes).

cheers,
eugene

> Hi all,
>
> I'd just like to announce that we have a heap protection system for
glibc available for download. The system detects and prevents all heap
overflow exploits that modify inline control information from
> succeeding against a protected application, can be installed
> system-wide or on a per-process basis using LD_PRELOAD, and is
> transparent to existing applications.
>
> We would definitely appreciate any feedback and bug reports on the code.
The patch and some additional information is available at:
>
> http://www.cs.ucsb.edu/~wkr/projects/heap_protection/
>
> Enjoy!
>
> --
> William Robertson
> Reliable Software Group, UC Santa Barbara
> http://www.cs.ucsb.edu/~wkr/