Date: Wed, 19 Apr 2000 09:59:36 -0400
From: "Michael H. Warfield" <mhw@wittsend.com>
> First of all, you can mess up the address of the string by
> randomizing the initial stack pointer. One might be willing
> to use 10 to 16 bits of randomness. If a failed attack kills
> the daemon, it is not likely the attack will succeed.
Now this one actually has some prospects. Most exploits
require some knowledge of at least a few addresses on the stack.
16 bits of randomness would walk your stack over 1/4 of a meg (stacks
are aligned on at least a 4 byte boundary remember). That's a lot
of space. You could still do an effective job with only 6 bits, though.
Random guessing 1 chance out of 64 and you only get one shot at it...
That's got some possibilities and would only consume 256 bytes of stack
per process. You could scale that up if you thought it necessary or
even make it run time configurable.
Keep in mind that you don't necessarily get one shot at things ----
apache for example has a watcher process which will restart worker
processes which have core'd themselves. So you can try an arbitrary number
of times to guess the stack pointer, until you finally get it right.
The same is of course true of any program fired out of inetd.conf ---
like telnetd, ftpd, etc.
- Ted
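The two positions above (a single shot at 1-in-64 versus a watcher that restarts the worker after every crash) reduce to a small probability calculation. The following is an added example, not code from the thread or from any kernel patch discussed in it; it assumes, as the thread does, that the stack is aligned on 4-byte boundaries, and it models the randomized offset as uniform over 2**bits slots and each blind guess as independent of the last (both modeling assumptions, not facts from the thread). It quantifies how much a restart-on-crash supervisor erodes the protection, which is the defender's question here.

```python
import math
import random

# Stack alignment assumed in the thread: at least 4 bytes per slot.
STACK_ALIGNMENT = 4


def randomized_span_bytes(bits: int, alignment: int = STACK_ALIGNMENT) -> int:
    """Stack space walked over when the initial stack pointer is randomized
    across 2**bits aligned slots (16 bits -> 1/4 MiB, 6 bits -> 256 bytes)."""
    return (1 << bits) * alignment


def single_shot_success(bits: int) -> float:
    """Probability that one blind guess lands on the right one of 2**bits slots.
    This is the 'one shot' case: a miss kills the daemon and there is no retry."""
    return 1.0 / (1 << bits)


def success_within(bits: int, attempts: int) -> float:
    """Probability that at least one of `attempts` independent guesses succeeds.
    This is the watcher-restarts-the-worker (or inetd-spawned) case, where each
    crash simply yields a fresh, re-randomized process to guess against."""
    p = single_shot_success(bits)
    return 1.0 - (1.0 - p) ** attempts


def attempts_for_confidence(bits: int, confidence: float) -> int:
    """Smallest number of attempts that reaches at least `confidence`
    probability of success; useful for sizing alert thresholds on crash counts."""
    p = single_shot_success(bits)
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p))


def simulate_restarting_daemon(bits: int, trials: int, seed: int = 1) -> float:
    """Monte Carlo check of the closed form: a supervisor restarts the worker
    after every crash and each new worker draws a fresh random stack offset.
    Returns the mean number of crashes observed before a guess finally hits.
    The expected value is 2**bits (a geometric distribution)."""
    rng = random.Random(seed)
    total_attempts = 0
    for _ in range(trials):
        attempts = 0
        while True:
            attempts += 1
            offset = rng.getrandbits(bits)   # fresh offset for the restarted worker
            guess = rng.getrandbits(bits)    # blind guess, independent of the offset
            if guess == offset:
                break
        total_attempts += attempts
    return total_attempts / trials


if __name__ == "__main__":
    for bits in (6, 10, 16):
        print(f"{bits} bits: span {randomized_span_bytes(bits)} bytes, "
              f"one-shot success {single_shot_success(bits):.6f}, "
              f"50% success after {attempts_for_confidence(bits, 0.5)} restarts")
    print("simulated mean crashes before a hit with 6 bits:",
          round(simulate_restarting_daemon(6, 2000), 1))
```

The practical reading for an operator is the `attempts_for_confidence` figure: with 6 bits and a supervisor that restarts crashed workers, a few dozen segfaults of the same daemon in a row is already a coin flip, so crash-rate alerting on the worker (or a restart back-off in the watcher) matters more than the exact number of bits.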
This archive was generated by hypermail 2b29 : Sun Apr 23 2000 - 21:00:15 EST