Re: fixing all buffer overflows --- random magin numbers

[Crispin Cowan]

(post sent as HTML and ASCII because there's a table that's easier to read in HTML.  Aleph, go ahead and nuke the HTML if you prefer)

nm wrote:

Neat idea.

But, couldn't someone just take a common binary (say ls) that exists
on the target system and reverse engineer it and begin to make a mapping
of numbers to syscalls.

I wrote two papers last year that classified post hoc security enhancements into a 2D grid:

• one dimension is *what* is adapted:  the interface, or the implementation
• the other dimension is what *kind* of adaptation you apply:  either a restriction, or a permutation

The result looks like this:
 

	Interface	Implementation
Restriction	Firewalls TCP Wrappers	Bounds checking StackGuard
Permutation	Randomly renaming system files Randomly renumbering system calls (the hack proposed here by Maniscalco) Fred Cohen's Deception Toolkit	Randomly munging data layout

The papers describing this work are:

• "Death, Taxes, and Imperfect Software:  Surviving the Inevitable", by Crispin Cowan, Calton Pu, and Heather Hinton, presented at the 1998 New Security Paradigms workshop, and available here: http://www.cse.ogi.edu/~crispin/bugtol.ps.gz or here:   http://www.cse.ogi.edu/~crispin/bugtol.pdf .
• "Survivability from a Sow's Ear:  The Retrofit Security Requirement", by Crispin Cowan and Calton Pu, presented at the 1998 Information Survivability Workshop, and available here http://www.cse.ogi.edu/~crispin/isw98.ps.gz or here  http://www.cse.ogi.edu/~crispin/isw98.pdf

In these papers we conclude that "Interface Permutations" (such as randomly swizling the syscall numbers) has a problem:  it is just weak crypto.  It makes the "current configuration of the interface" a symmetric session key that must be shared amongst all the servers and clients.  It is a shared secret.  You have all the usual problems of shared secrets, plus the following problems:

• it is a relatively small secret
• it is often a very easy to observe secret (such as the ls reverse engineering hack that nm mentions)

The only advantage offered by interface permutation is that the secret is not amenable to off-line cracking:  you have to make your guesses against the host system, and that gives intrusion detectors a good shot at detecting your cracking attempts.  Naturally, this just means that attackers will infer the current configuration indrectly instead of brute forcing it.

Crispin
-----
 Crispin Cowan, Research Assistant Professor of Computer Science, OGI
    NEW:  Protect Your Linux Host with StackGuard'd Programs  :FREE
       http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
 

 

Nick Maniscalco

At 09:37 PM 9/11/99 -0400, Dr. Joel M. Hoffman wrote:
>I was thinking
-- it wouldn't be too hard to make buffer overflow
>attacks impossible.  The basic idea is to do away with binary
>compatibility.
>
>In particular, I was thinking that part of building a kernel would
>involve assigning a random number to each syscall, and creating a
>syscall.h file with these random numbers.  A binary would only run if
>it was compiled with the proper syscall.h, so all binaries would have
>to be recompiled for the new kernel, but then, syscall.h could be
>removed, and the system would be impervious to buffer overflow
>attacks.  (One step further would involve random magic numbers in
>every function call.)
>
>I would be happy to give up binary compatilibyt for the added security
>it would add.
>
>Comments?
>
>-Joel Hoffman
>([EMAIL PROTECTED])
>