Subject: Re: Core Dump as an Intrusion Event
From: Eclipse, Solar (solareclipsePHREEDOM.ORG)
Date: Thu Oct 05 2000 - 11:22:57 CDT


On Thu, Oct 05, 2000 at 07:00:15AM -0700, Crispin Cowan wrote:
> Background: StackGuard 2.0 (as released this summer) does not provide
> secure resistance to format bugs. However, because StackGuard changes
> some data layouts, it does tend to change the offsets that are required
> to make the exploit work. As a result, exploits tuned for the
> "standard" instance of a vulnerable program tend to just cause the
> victim program to dump core without giving up the shell prompt.
>
> This leads me to conjecture that "core dump" makes a good intrusion
> detection event. Server apps. ("services", e.g. Apache, ftpd, fingerd
> ;-) should not be dumping core, so you could treat a core dump as an
> indication that an attacker is rattling your door. StackGuard enhances
> this effect, by making it unlikely that the first attack attempt will
> work. Other factors may also be used to enhance this effect.
>
> In theory, theory is just like practice, but in practice it's different.
>
> Anyone have practical comments on this hypothesis? In practice, how
> often do services dump core for non-security reasons? If services dump
> core for non-security reasons even just a little, then the
> false-positive rate of intrusion detection from this clue gets out of
> control.

This is a very interesting idea and it needs further research.
System services on Linux dump core very rarely and a core dump
can indeed be an indication that something is wrong. Keep in mind that
core dumps can be disabled and that it's easy to delete any evidence
once the attacker has root access.

A better solution would be a kernel patch that hooks into the SIGSEGV
signal handler and logs all segmentation faults. A predefined list of
programs can be monitored. Maybe it's feasible to log segfaults of all
root processes.

Maybe the kernel module could take further action to stop the attacker, but
I don't know exactly how this could be accomplished.

Solar Eclipse <solareclipsephreedom.org>
Phreedom Magazine
http://www.phreedom.org
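The two ideas in this exchange, treating a service core dump as an intrusion event and logging segfaults of a predefined list of programs or of root processes, can be tried without a kernel patch on current Linux: the kernel already prints one line per unhandled SIGSEGV (the "comm[pid]: segfault at ADDR ip IP sp SP error ERR in obj[base+size]" message, emitted on x86 when the debug.exception-trace sysctl is on, which is its default), and a core_pattern starting with "|" hands every core dump to a user-space program along with template fields such as %e (comm), %u (uid), %s (signal) and %p (pid). The following is an added example written for this archive page, not code from the thread or from StackGuard: it parses such segfault lines, scores them against a watchlist of services, and classifies core_pattern handler arguments. The log lines, the watchlist, the host name "gw" and the handler path in the usage note are constructed for illustration.

```python
"""Added example: score Linux segfault log lines and core-dump handler
arguments as intrusion-detection events. Log lines and names are
constructed for illustration; the message format assumed is the x86
kernel's unhandled-signal line (debug.exception-trace enabled)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Services that must not crash during normal operation. These are kernel
# comm names (truncated to 15 characters), which is what %e and the
# segfault message carry. Assumed list, adjust per host.
WATCHED_SERVICES = {"httpd", "in.ftpd", "in.fingerd", "sshd", "named"}

# Kernel message: comm[pid]: segfault at ADDR ip IP sp SP error ERR [in obj]
SEGFAULT_RE = re.compile(
    r"(?P<comm>\S+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>[0-9a-f]+)"
    r"(?: in (?P<obj>\S+))?"
)

# x86 page-fault error code bits; the kernel prints the code in hex.
PF_WRITE = 0x2   # access was a write
PF_USER = 0x4    # fault taken in user mode
PF_INSTR = 0x10  # fault on instruction fetch (control flow went astray)

CORRUPTION_SIGNALS = {4: "SIGILL", 7: "SIGBUS", 11: "SIGSEGV"}


@dataclass
class CrashEvent:
    comm: str
    pid: int
    addr: int
    ip: int
    err: int
    obj: Optional[str]  # object containing ip, None if ip was unmapped


def parse_segfault(line: str) -> Optional[CrashEvent]:
    """Extract a CrashEvent from a syslog line, or None if it is not one."""
    m = SEGFAULT_RE.search(line)
    if m is None:
        return None
    return CrashEvent(comm=m["comm"], pid=int(m["pid"]),
                      addr=int(m["addr"], 16), ip=int(m["ip"], 16),
                      err=int(m["err"], 16), obj=m["obj"])


def looks_like_ascii(addr: int) -> bool:
    """True if every byte of addr is printable ASCII and it is at least
    4 bytes wide: the fingerprint of a return address overwritten with
    filler such as 'AAAA' (0x41414141)."""
    n = max(1, (addr.bit_length() + 7) // 8)
    return n >= 4 and all(0x20 <= b < 0x7F for b in addr.to_bytes(n, "big"))


def score_event(ev: CrashEvent) -> Tuple[int, List[str]]:
    """Return (severity, reasons): 0 ignore, 1 notice, 2 alert."""
    indicators = []
    if ev.err & PF_INSTR or ev.ip == ev.addr:
        indicators.append("instruction fetch from unmapped address "
                          "(hijacked or corrupted control flow)")
    if looks_like_ascii(ev.addr):
        indicators.append("fault address is printable ASCII (overflow filler)")
    watched = ev.comm in WATCHED_SERVICES
    if watched and indicators:
        severity = 2
    elif watched or indicators:
        severity = 1
    else:
        severity = 0
    reasons = (["watched service crashed"] if watched else []) + indicators
    return severity, reasons


def analyze(lines: List[str]) -> List[Tuple[CrashEvent, int, List[str]]]:
    """Run the segfault rule over a batch of syslog lines."""
    out = []
    for line in lines:
        ev = parse_segfault(line)
        if ev is not None:
            out.append((ev, *score_event(ev)))
    return out


def classify_core(exe: str, uid: int, sig: int) -> Tuple[int, List[str]]:
    """Rule for a core_pattern pipe handler given %e %u %s. Root processes
    and watched services dumping core are alerts; other crashes on a
    memory-corruption signal are notices."""
    reasons = []
    if uid == 0:
        reasons.append("root process dumped core")
    if exe in WATCHED_SERVICES:
        reasons.append("watched service dumped core")
    if sig in CORRUPTION_SIGNALS:
        reasons.append("killed by " + CORRUPTION_SIGNALS[sig])
    if uid == 0 or exe in WATCHED_SERVICES:
        return 2, reasons
    return (1 if reasons else 0), reasons


# Constructed sample log: one smashed fingerd, one httpd NULL dereference,
# one desktop app crash, one unrelated sshd line.
SAMPLE_LOG = """\
Oct  5 11:20:01 gw kernel: in.fingerd[712]: segfault at 41414141 ip 41414141 sp bffff6c0 error 14
Oct  5 11:20:09 gw kernel: httpd[1403]: segfault at 0 ip 080487c2 sp bffff8a0 error 4 in httpd[8048000+1f000]
Oct  5 11:21:55 gw kernel: gimp[2201]: segfault at 0 ip b7e8a3c1 sp bfd1e2f0 error 4 in libc-2.3.so[b7e20000+12f000]
Oct  5 11:22:31 gw sshd[1510]: Accepted password for alice from 10.0.0.7 port 51022 ssh2
"""

if __name__ == "__main__":
    for ev, sev, reasons in analyze(SAMPLE_LOG.splitlines()):
        print(f"{ev.comm}[{ev.pid}] severity={sev} {'; '.join(reasons)}")
    print(classify_core("named", 0, 11))
```

To feed classify_core from the kernel, a core_pattern such as `kernel.core_pattern = |/usr/local/sbin/core_ids %e %u %s %p` (hypothetical handler path) would receive the same fields as argv. The caveats from the post still apply: an attacker with root can disable core dumps or clean the log, so the events should leave the host (remote syslog) before they are trusted, and a NULL dereference in a watched service (severity 1 above) is as likely a plain bug as an attack, so only the severity 2 cases deserve paging.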