Subject: Re: Core Dump as an Intrusion Event
From: antirez (antirez LINUXCARE.COM)
Date: Thu Oct 05 2000 - 07:40:04 CDT
- Next message: Pascal Bouchareine: "Re: Core Dump as an Intrusion Event"
- Previous message: Slawek: "Re: Core Dump as an Intrusion Event"
- In reply to: Crispin Cowan: "Core Dump as an Intrusion Event"
- Next in thread: Pascal Bouchareine: "Re: Core Dump as an Intrusion Event"
- Reply: antirez: "Re: Core Dump as an Intrusion Event"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
On Thu, Oct 05, 2000 at 07:00:15AM -0700, Crispin Cowan wrote:
> Anyone have practical comments on this hypothesis? In practice, how
> often do services dump core for non-security reasons? If services dump
> core for non-security reasons even just a little, then the
> false-positive rate of intrusion detection from this clue gets out of
> control.
This is quite interesting, I think.
Once I tried this:
1] shifting of stack addresses like this
(no flames for rand(): use your PRNG, and
an alternative way to change the stack
address).
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>
#include <alloca.h>   /* alloca() needs its own header on Linux */
void foo(void);
int main(int argc, char **argv)
{
char s[1024];
char *z;
size_t n;
(void)argc; (void)argv; (void)s;
srand(time(NULL));
/* Reserve a random-sized block on main's frame so every frame below it,
   including foo()'s, lands at a different address on each run. */
n = rand() % 1024;
z = alloca(n);
memset(z, 0, n);   /* touch the block so the compiler cannot drop the alloca */
foo();
return 0;
}
void foo(void)
{
int var;
printf("%p\n", (void *)&var);   /* address of a local: differs between runs */
}
$ ./a.out
0xbffff4b4
$ ./a.out
0xbffff37c
$ ./a.out
0xbffff248
2] SIGSEGV trapping, writing /some/dir/not_exec_the_next_time.
At start-up the program performs stat(/some/dir/...) and exits
if the file exists.
Really trivial protection compared with advanced protections like
StackGuard, but it can be quite funny to read nowadays :)
regards,
antirez
--
Salvatore Sanfilippo, Open Source Developer, Linuxcare Italia spa
+39.049.80 43 411 tel, +39.049.80 43 412 fax
antirezlinuxcare.com, http://www.linuxcare.com/
Linuxcare. Support for the revolution.
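The tripwire from point 2 of the message above (catch SIGSEGV, leave a marker file, refuse to start while the marker exists), written out as an added example in C. This is not antirez's code and is not from the list post; the marker path, the helper names marker_present, write_marker, refuse_if_tripped and install_segv_trap, and the use of sigaction with SA_RESETHAND are all my own choices. The handler uses only async-signal-safe calls (open, write, close) and returns so the default disposition still terminates the process, which keeps the core dump, the very event the thread is about, available to whoever watches for it.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Tripwire path, fixed at install time so the handler itself needs no
 * allocation or formatting (only async-signal-safe calls). */
static const char *g_marker_path = NULL;

/* 1 if the marker exists, 0 if it does not, -1 on any other stat() failure. */
int marker_present(const char *path)
{
    struct stat st;
    if (stat(path, &st) == 0)
        return 1;
    return (errno == ENOENT) ? 0 : -1;
}

/* Create the marker with async-signal-safe calls only (open/write/close),
 * so it is usable from inside a SIGSEGV handler. 0 on success, -1 on error;
 * an already-existing marker counts as success. */
int write_marker(const char *path)
{
    static const char msg[] = "SIGSEGV caught; refusing to restart\n";
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return (errno == EEXIST) ? 0 : -1;
    (void)write(fd, msg, sizeof msg - 1);   /* content is informational only */
    close(fd);
    return 0;
}

/* Start-up check from point 2: nonzero means "do not run". A stat() error
 * other than ENOENT is also treated as tripped, i.e. the check fails closed. */
int refuse_if_tripped(const char *path)
{
    return marker_present(path) != 0;
}

static void segv_handler(int sig)
{
    int saved = errno;              /* keep errno intact for the interrupted code */
    (void)sig;
    if (g_marker_path)
        write_marker(g_marker_path);
    errno = saved;
    /* SA_RESETHAND restored the default disposition before we got here.
     * Returning re-executes the faulting instruction, which now terminates
     * the process (and dumps core if the limit allows), so the crash stays
     * visible to whoever monitors core files. */
}

/* Install the trap. 0 on success, -1 (errno set) on failure. */
int install_segv_trap(const char *path)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = segv_handler;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_RESETHAND;
    g_marker_path = path;
    return sigaction(SIGSEGV, &sa, NULL);
}

int main(void)
{
    const char *path = "/tmp/segv_tripwire.marker";   /* constructed example path */
    if (refuse_if_tripped(path)) {
        fprintf(stderr, "tripwire %s is set; refusing to start\n", path);
        return 1;
    }
    if (install_segv_trap(path) != 0) {
        perror("sigaction");
        return 1;
    }
    /* ... service work would go here; a segfault now leaves the marker ... */
    return 0;
}
```

The marker directory must be writable by the service but not by the clients it talks to, otherwise anyone who can create the file has a one-line denial of service; and the marker is only a signal that someone should look at the core file, not a substitute for doing so.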