Subject: Buffer Overflows and DoS
From: Crispin Cowan (crispinwirex.com)
Date: Wed Apr 26 2000 - 23:22:49 CDT


Note the subject change to distinguish this thread from the "DoS is inevitable / No
it isn't" thread.

Douglas Ostling wrote:

> So, if you use StackGuard to compile a server application, then the
> program dies upon overflow, and the administrator has to have a way to
> start it back up automatically.

On WireX appliances, we provide a "weeble" that re-starts services that die. As in
most cases, this mitigates the DoS, but does not eliminate it. However, DoS
vulnerability is a strict upgrade from root vulnerability :-)

> Of course, we know the DoS implications
> of this, so what is the result when the same happens to an application on
> an Openwall-patched kernel system?

Context dependent. The program might seg fault, or it might catch the seg fault and
carry on. Unlike StackGuarded programs, it does not give you a definitive syslog
entry that says "someone tried to overflow this program in that function(), but I
stopped them."

> I have noticed in the past a server
> that lies unresponsive for hours and suspected overflow was to blame.
> Which situation is more desirable? What does it take for a program to
> recover effectively from an overflow?

That pretty much depends on the program. Many vulnerable programs are actually
children of inetd. They are started onesy-twosy upon requests from clients to serve
a single request, so it doesn't matter if they die. Others are expected to stay
running, so you need something like our "weeble" to re-start it.

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org
                  JOBS! http://immunix.org/jobs.html
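
An added example, not part of the original message and not WireX's "weeble" code: a minimal restart supervisor in C that re-starts a service when it dies and caps the restarts so a crash loop is bounded. The function names, the restart cap, the backoff parameter and the two sample services are assumptions constructed for illustration.

```c
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum death { CLEAN_EXIT, ERROR_EXIT, KILLED_ABORT, KILLED_SEGV, KILLED_OTHER };

/* Map a waitpid() status to a cause. Assumption: the overflow protection
   ends the process with abort() (SIGABRT); an unguarded fault is SIGSEGV. */
enum death classify(int status) {
    if (WIFEXITED(status))
        return WEXITSTATUS(status) == 0 ? CLEAN_EXIT : ERROR_EXIT;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGABRT) return KILLED_ABORT;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSEGV) return KILLED_SEGV;
    return KILLED_OTHER;
}

/* Run service() in a child and restart it each time it dies abnormally, at
   most max_restarts times, sleeping backoff_s seconds between attempts.
   Returns the restarts performed, or -1 if fork()/waitpid() fails. */
int supervise(void (*service)(int attempt), int max_restarts, unsigned backoff_s) {
    int restarts = 0;
    for (;;) {
        pid_t pid = fork();
        if (pid < 0) return -1;
        if (pid == 0) { service(restarts); _exit(0); }
        int status;
        if (waitpid(pid, &status, 0) < 0) return -1;
        enum death cause = classify(status);
        if (cause == CLEAN_EXIT) return restarts;
        fprintf(stderr, "pid %d died, cause %d, restarts so far %d\n",
                (int)pid, (int)cause, restarts);
        if (restarts == max_restarts) return restarts; /* give up: crash loop */
        restarts++;
        sleep(backoff_s);
    }
}

/* Constructed sample services (hypothetical, for the demo only). */
void flaky_service(int attempt) { if (attempt < 2) abort(); }
void always_crash(int attempt) { (void)attempt; raise(SIGSEGV); }

int main(void) {
    printf("flaky: %d restarts\n", supervise(flaky_service, 5, 0));
    printf("always_crash: %d restarts\n", supervise(always_crash, 3, 0));
    return 0;
}
```

Requests in flight when the child dies are still lost, and a service that keeps crashing exhausts the cap, which is why a restarter mitigates the DoS without eliminating it.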