Re: ProPolice: best way to fill canary

2005-07-09 Thread Jeremie Le Hen
Hi Mike,

On Fri, Jul 08, 2005 at 07:22:13PM -0500, Mike Silbersack wrote:
> On Fri, 8 Jul 2005, Jeremie Le Hen wrote:
> > The second method requires introducing the kern.arnd sysctl
> > (KERN_ARND).  FYI, note that NetBSD has kern.urandom (KERN_URND) and
> > they define KERN_ARND to be an alias to this.
>
> I don't see any problem with introducing such a sysctl, if it would make
> the propolice patch simpler.

Thanks for your answer.  In that case, which sysctl should we use?

* OpenBSD's kern.arnd (KERN_ARND), which is a front-end to
  the arc4random() function?

* NetBSD's kern.urandom (KERN_URND), which uses the rnd(4)
  pseudo-device.  They also have KERN_ARND in sysctl.h, which
  is no more than a #define of KERN_URND, for compatibility
  with OpenBSD.

I have noticed that FreeBSD usually stays as close as possible to
NetBSD.  But I would like to hear the voice of a more experienced
hacker about this.

Thanks.
Best regards,
-- 
Jeremie Le Hen
 jeremie at le-hen dot org  ttz at chchile dot org 
___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to [EMAIL PROTECTED]


Re: ProPolice: best way to fill canary

2005-07-09 Thread Mike Silbersack


On Sat, 9 Jul 2005, Jeremie Le Hen wrote:

> Thanks for your answer.  In that case, which sysctl should we use?
>
> * OpenBSD's kern.arnd (KERN_ARND), which is a front-end to
>   the arc4random() function?
>
> * NetBSD's kern.urandom (KERN_URND), which uses the rnd(4)
>   pseudo-device.  They also have KERN_ARND in sysctl.h, which
>   is no more than a #define of KERN_URND, for compatibility
>   with OpenBSD.
>
> I have noticed that FreeBSD usually stays as close as possible to
> NetBSD.  But I would like to hear the voice of a more experienced
> hacker about this.
>
> Thanks.
> Best regards,
> --
> Jeremie Le Hen


I wouldn't say that we favor code from any one project over another; every
situation is different.


In this case, I'm personally rather indifferent - both RNGs should supply 
good entropy.  Arc4 may be a bit faster (I don't know if anyone has 
benchmarked by how much), so for this purpose it would seem to be the one 
to use.


I can commit any patches you have after the 6.0 code freeze ends, which 
should be in the next few weeks.  (It can be MFC'd to 6.0 and 5.4 after 
that as well.)


Mike "Silby" Silbersack


Re: ProPolice: best way to fill canary

2005-07-09 Thread Sam Leffler

Jeremie Le Hen wrote:
> Hi Mike,
>
> On Fri, Jul 08, 2005 at 07:22:13PM -0500, Mike Silbersack wrote:
> > On Fri, 8 Jul 2005, Jeremie Le Hen wrote:
> > > The second method requires introducing the kern.arnd sysctl
> > > (KERN_ARND).  FYI, note that NetBSD has kern.urandom (KERN_URND) and
> > > they define KERN_ARND to be an alias to this.
> >
> > I don't see any problem with introducing such a sysctl, if it would make
> > the propolice patch simpler.
>
> Thanks for your answer.  In that case, which sysctl should we use?
>
> * OpenBSD's kern.arnd (KERN_ARND), which is a front-end to
>   the arc4random() function?
>
> * NetBSD's kern.urandom (KERN_URND), which uses the rnd(4)
>   pseudo-device.  They also have KERN_ARND in sysctl.h, which
>   is no more than a #define of KERN_URND, for compatibility
>   with OpenBSD.
>
> I have noticed that FreeBSD usually stays as close as possible to
> NetBSD.  But I would like to hear the voice of a more experienced
> hacker about this.

I asked a certain person to add the obsd sysctl long ago but it never 
happened.


Sam


Re: ProPolice: best way to fill canary

2005-07-09 Thread Mark Murray
Sam Leffler writes:
> I asked a certain person to add the obsd sysctl long ago but it never
> happened.

That would be me.

And it wouldn't be the first time a ball got dropped. I'll get to 
it. :-]

M
--
Mark R V Murray
What is the most interesting question you have asked?
What, if any, was the answer?




ProPolice: best way to fill canary

2005-07-08 Thread Jeremie Le Hen
Hello hackers,

I'm going to disturb you once again with ProPolice.  The original
ProPolice patch, as well as most FreeBSD variants and the Linux one,
uses /dev/urandom to fill the canary with random data (the canary
is what is going to be put between the buffer and the return address on
the stack).  OTOH, OpenBSD uses the kern.arnd sysctl to achieve this (this
is a sysctl front-end to the arc4random() function).

I don't really see the pros and cons between the two methods, so I'd
like to hear your opinions.

Note that the first method (opening /dev/urandom) requires patching the
open(2) wrapper in libpthread and libthr (cognet@ did this for me),
in order to initialize _thr_initial, because the SSP constructor is
called quite early.

The second method requires introducing the kern.arnd sysctl
(KERN_ARND).  FYI, note that NetBSD has kern.urandom (KERN_URND) and
they define KERN_ARND to be an alias to this.

Your comments will be welcome.

Best regards,
-- 
Jeremie Le Hen
 jeremie at le-hen dot org  ttz at chchile dot org 


Re: ProPolice: best way to fill canary

2005-07-08 Thread Neo-Vortex


On Fri, 8 Jul 2005, Jeremie Le Hen wrote:

> Hello hackers,
>
> I'm going to disturb you once again with ProPolice.  The original
> ProPolice patch, as well as most FreeBSD variants and the Linux one,
> uses /dev/urandom to fill the canary with random data (the canary
> is what is going to be put between the buffer and the return address on
> the stack).  OTOH, OpenBSD uses the kern.arnd sysctl to achieve this (this
> is a sysctl front-end to the arc4random() function).

Just one question: why does the canary have to be filled with random data?
Why not just zero it?  Sure, you get a single random value to find out how
many zeros to use, but why waste that much good-quality random data (and
of course if there isn't enough in urandom, you would have to make it loop
till there is enough, unless you make it just leave the rest as-is)?

IMHO there are no advantages (well, that I can see) to having it be random
data rather than just NULL...

Feel free to correct me if I'm wrong...

~NVX


Re: ProPolice: best way to fill canary

2005-07-08 Thread ALeine
[EMAIL PROTECTED] wrote:
>
> On Fri, 8 Jul 2005, Jeremie Le Hen wrote:
>
> > Hello hackers,
> >
> > I'm going to disturb you once again with ProPolice.  The
> > original ProPolice patch, as well as most FreeBSD variants
> > and the Linux one, uses /dev/urandom to fill the canary with
> > random data (the canary is what is going to be put between
> > the buffer and the return address on the stack).  OTOH, OpenBSD uses
> > the kern.arnd sysctl to achieve this (this is a sysctl front-end
> > to the arc4random() function).
>
> Just one question: why does the canary have to be filled with
> random data?  Why not just zero it?  Sure, you get a single random
> value to find out how many zeros to use, but why waste that much
> good-quality random data (and of course if there isn't enough in
> urandom, you would have to make it loop till there is enough, unless
> you make it just leave the rest as-is)?
>
> IMHO there are no advantages (well, that I can see) to having it be
> random data rather than just NULL...
>
> Feel free to correct me if I'm wrong...

You're wrong: when the canary value is fixed and known (such as in
terminator canaries), there are cases where an attacker could manage
to reset the canary to the expected value and circumvent the protection
mechanism.  That chance doesn't exist with random canaries.  AFAIK,
ProPolice supports both terminator and random canaries.

As for the original topic, I would prefer the sysctl front-end; IMO it's
more consistent with the other BSDs and cleaner and more direct, while
extending open(2) would only appear transparent at the expense of
needlessly increasing the complexity of open(2).

ALeine
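The two ways of seeding the canary that the thread compares (the kern.arnd sysctl versus reading /dev/urandom), with the short-read loop NVX brings up and the terminator byte ALeine mentions, as an added C example that is not code from the ProPolice patch or from any BSD libc. It assumes that <sys/sysctl.h> defines KERN_ARND on platforms that have the sysctl, and falls back to /dev/urandom everywhere else.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <unistd.h>
#include <sys/types.h>
#if defined(__FreeBSD__) || defined(__OpenBSD__) || defined(__NetBSD__)
#include <sys/sysctl.h>   /* assumed to define CTL_KERN and KERN_ARND where kern.arnd exists */
#endif

/* Fill buf[0..len) with random bytes: from kern.arnd (KERN_ARND) when the
 * platform defines it, otherwise from /dev/urandom.  Returns 0 or -1. */
static int fill_random(void *buf, size_t len)
{
#if defined(CTL_KERN) && defined(KERN_ARND)
    int mib[2] = { CTL_KERN, KERN_ARND };
    size_t n = len;
    if (sysctl(mib, 2, buf, &n, NULL, 0) == 0 && n == len)
        return 0;           /* otherwise fall through to /dev/urandom */
#endif
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) return -1;
    size_t got = 0;
    while (got < len) {     /* read(2) may return fewer bytes than asked for */
        ssize_t r = read(fd, (char *)buf + got, len - got);
        if (r < 0 && errno == EINTR) continue;
        if (r <= 0) {       /* error or EOF: never accept a partial canary */
            close(fd);
            return -1;
        }
        got += (size_t)r;
    }
    close(fd);
    return 0;
}

/* Random canary with a terminator: the lowest-address byte is forced to 0 so a
 * string-copy overflow stops there, while the remaining bytes stay random
 * (the terminator-plus-random combination the thread discusses).
 * Returns 0 on failure; a successfully filled canary is nonzero in practice. */
uintptr_t make_canary(void)
{
    uintptr_t c;
    if (fill_random(&c, sizeof c) != 0) return 0;
    ((unsigned char *)&c)[0] = 0;
    return c;
}

/* 1 if the terminator byte is in place; written without endianness assumptions. */
int canary_terminator_ok(uintptr_t c) { return ((unsigned char *)&c)[0] == 0; }
```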


Re: ProPolice: best way to fill canary

2005-07-08 Thread Neo-Vortex


On Fri, 8 Jul 2005, ALeine wrote:

> [EMAIL PROTECTED] wrote:
>
> > On Fri, 8 Jul 2005, Jeremie Le Hen wrote:
> >
> > > Hello hackers,
> > >
> > > I'm going to disturb you once again with ProPolice.  The
> > > original ProPolice patch, as well as most FreeBSD variants
> > > and the Linux one, uses /dev/urandom to fill the canary with
> > > random data (the canary is what is going to be put between
> > > the buffer and the return address on the stack).  OTOH, OpenBSD uses
> > > the kern.arnd sysctl to achieve this (this is a sysctl front-end
> > > to the arc4random() function).
> >
> > Just one question: why does the canary have to be filled with
> > random data?  Why not just zero it?  Sure, you get a single random
> > value to find out how many zeros to use, but why waste that much
> > good-quality random data (and of course if there isn't enough in
> > urandom, you would have to make it loop till there is enough, unless
> > you make it just leave the rest as-is)?
> >
> > IMHO there are no advantages (well, that I can see) to having it be
> > random data rather than just NULL...
> >
> > Feel free to correct me if I'm wrong...
>
> You're wrong: when the canary value is fixed and known (such as in
> terminator canaries), there are cases where an attacker could manage
> to reset the canary to the expected value and circumvent the protection
> mechanism.  That chance doesn't exist with random canaries.  AFAIK,
> ProPolice supports both terminator and random canaries.
>
> As for the original topic, I would prefer the sysctl front-end; IMO it's
> more consistent with the other BSDs and cleaner and more direct, while
> extending open(2) would only appear transparent at the expense of
> needlessly increasing the complexity of open(2).

I was meaning a random-length fixed value... and unless the attacker wants
to set the return address to 0x0...

~NVX


Re: ProPolice: best way to fill canary

2005-07-08 Thread ALeine
[EMAIL PROTECTED] wrote:

> I was meaning a random-length fixed value...

That may be what you meant, but that's definitely not what you said.

> and unless the attacker wants to set the return address to 0x0...

You may want to read the paper "Four different tricks to bypass StackShield
and StackGuard protection" before making more comments.

http://www.coresecurity.com/files/files/11/StackguardPaper.pdf

ALeine


Re: ProPolice: best way to fill canary

2005-07-08 Thread Mike Silbersack


On Fri, 8 Jul 2005, Jeremie Le Hen wrote:

> The second method requires introducing the kern.arnd sysctl
> (KERN_ARND).  FYI, note that NetBSD has kern.urandom (KERN_URND) and
> they define KERN_ARND to be an alias to this.
>
> Your comments will be welcome.
>
> Best regards,
> --
> Jeremie Le Hen


I don't see any problem with introducing such a sysctl, if it would make 
the propolice patch simpler.


Mike "Silby" Silbersack