Re: ProPolice: best way to fill canary
On Fri, 8 Jul 2005, Jeremie Le Hen wrote:

> The second method requires introducing the kern.arnd sysctl (KERN_ARND).
> FYI, note that NetBSD has kern.urandom (KERN_URND) and they define
> KERN_ARND to be an alias to this.
>
> Your comments will be welcome.
> Best regards,
> --
> Jeremie Le Hen

I don't see any problem with introducing such a sysctl, if it would make the propolice patch simpler.

Mike "Silby" Silbersack
___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: ProPolice: best way to fill canary
[EMAIL PROTECTED] wrote:

> I was meaning random length fixed value...

That may be what you meant, but that's definitely not what you said.

> and unless the attacker wants to set the return address to 0x0...

You may want to read the paper "Four different tricks to bypass StackShield and StackGuard protection" before making more comments.
http://www.coresecurity.com/files/files/11/StackguardPaper.pdf

ALeine
___
WebMail FREE http://mail.austrosearch.net
Re: ProPolice: best way to fill canary
On Fri, 8 Jul 2005, ALeine wrote:

> [EMAIL PROTECTED] wrote:
>
> > On Fri, 8 Jul 2005, Jeremie Le Hen wrote:
> >
> > > Hello hackers,
> > >
> > > I'm going to disturb you once again with ProPolice. The
> > > original ProPolice patch, as well as most of FreeBSD variants
> > > and the Linux one, uses /dev/urandom to fill the "canary" with
> > > random data (the canary is what is going to be put between
> > > buffer and return address in the stack). OTOH, OpenBSD uses
> > > kern.arnd sysctl to achieve this (this is a sysctl front-end
> > > to the arc4random() function).
> >
> > Just one question, why does the canary have to be filled with
> > random data? Why not just zero it? Sure, you get a single random
> > value to find out how many zeros to use, but why waste that much
> > good-quality random data (and of course if there isn't enough in
> > urandom, you would have to make it loop till there is enough unless
> > you make it just leave the rest as-is)
> >
> > IMHO there are no advantages (well, that I can see) of having it
> > random data rather than just NULL...
> >
> > Feel free to correct me if I'm wrong...
>
> You're wrong: when the canary value is fixed and known (such as in
> terminator canaries), there are cases where an attacker could manage
> to reset the canary to the expected value and circumvent the protection
> mechanism. That chance doesn't exist with random canaries. AFAIK,
> ProPolice supports both terminator and random canaries.
>
> As for the original topic, I would prefer the sysctl front-end, IMO it's
> more consistent with other BSDs and cleaner and more direct, while extending
> open(2) would only appear transparent at the expense of needlessly
> increasing the complexity of open(2).

I was meaning random length fixed value... and unless the attacker wants to set the return address to 0x0...

~NVX
Re: ProPolice: best way to fill canary
[EMAIL PROTECTED] wrote:

> On Fri, 8 Jul 2005, Jeremie Le Hen wrote:
>
> > Hello hackers,
> >
> > I'm going to disturb you once again with ProPolice. The
> > original ProPolice patch, as well as most of FreeBSD variants
> > and the Linux one, uses /dev/urandom to fill the "canary" with
> > random data (the canary is what is going to be put between
> > buffer and return address in the stack). OTOH, OpenBSD uses
> > kern.arnd sysctl to achieve this (this is a sysctl front-end
> > to the arc4random() function).
>
> Just one question, why does the canary have to be filled with
> random data? Why not just zero it? Sure, you get a single random
> value to find out how many zeros to use, but why waste that much
> good-quality random data (and of course if there isn't enough in
> urandom, you would have to make it loop till there is enough unless
> you make it just leave the rest as-is)
>
> IMHO there are no advantages (well, that I can see) of having it
> random data rather than just NULL...
>
> Feel free to correct me if I'm wrong...

You're wrong: when the canary value is fixed and known (such as in terminator canaries), there are cases where an attacker could manage to reset the canary to the expected value and circumvent the protection mechanism. That chance doesn't exist with random canaries. AFAIK, ProPolice supports both terminator and random canaries.

As for the original topic, I would prefer the sysctl front-end, IMO it's more consistent with other BSDs and cleaner and more direct, while extending open(2) would only appear transparent at the expense of needlessly increasing the complexity of open(2).

ALeine
Re: ProPolice: best way to fill canary
On Fri, 8 Jul 2005, Jeremie Le Hen wrote:

> Hello hackers,
>
> I'm going to disturb you once again with ProPolice. The original
> ProPolice patch, as well as most of FreeBSD variants and the Linux one,
> uses /dev/urandom to fill the "canary" with random data (the canary
> is what is going to be put between buffer and return address in the
> stack). OTOH, OpenBSD uses kern.arnd sysctl to achieve this (this
> is a sysctl front-end to the arc4random() function).

Just one question, why does the canary have to be filled with random data? Why not just zero it? Sure, you get a single random value to find out how many zeros to use, but why waste that much good-quality random data (and of course if there isn't enough in urandom, you would have to make it loop till there is enough unless you make it just leave the rest as-is)

IMHO there are no advantages (well, that I can see) of having it random data rather than just NULL...

Feel free to correct me if I'm wrong...

~NVX
ProPolice: best way to fill canary
Hello hackers,

I'm going to disturb you once again with ProPolice. The original ProPolice patch, as well as most of the FreeBSD variants and the Linux one, uses /dev/urandom to fill the "canary" with random data (the canary is what is going to be put between buffer and return address in the stack). OTOH, OpenBSD uses the kern.arnd sysctl to achieve this (this is a sysctl front-end to the arc4random() function).

I don't really see the pros and cons between the two methods, so I'd like to taste your opinions.

Note that the first method (opening /dev/urandom) requires patching the open(2) wrapper from libpthread and libthr (cognet@ did this for me), in order to initialize _thr_initial, because the SSP constructor is called quite early.

The second method requires introducing the kern.arnd sysctl (KERN_ARND). FYI, note that NetBSD has kern.urandom (KERN_URND) and they define KERN_ARND to be an alias to this.

Your comments will be welcome.
Best regards,
--
Jeremie Le Hen
< jeremie at le-hen dot org >< ttz at chchile dot org >
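The two pieces this thread talks about, the early constructor that fills the guard and the check a protected function performs on return, as an added illustration written for this archive; it is not code from the thread, from ProPolice or from any FreeBSD or OpenBSD patch. It serves both the /dev/urandom-vs-sysctl question of the original post and the random-vs-terminator exchange between NVX and ALeine above: the initializer reads /dev/urandom the way the original patch does (looping on short reads), falls back to a fixed terminator canary when the device cannot be opened, and a simulated frame shows the epilogue comparison catching a copy that runs past the buffer into the canary slot. The names ssp_guard, ssp_init_guard, ssp_check and the demo_* helpers, the terminator byte layout and the 16-byte sample input are assumptions of this example; on OpenBSD and FreeBSD the read could be replaced by a sysctl(2) query of KERN_ARND, which is not compiled here so the example runs on any system with /dev/urandom.

```c
/* Added example, not from the thread or from ProPolice: guard setup and check. */
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Process-wide guard value (the runtime's __guard). Zero until initialised. */
uintptr_t ssp_guard;

/* Read exactly len bytes from /dev/urandom, looping on short reads. */
static int read_urandom(void *buf, size_t len)
{
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return -1;
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, (unsigned char *)buf + got, len - got);
        if (n <= 0) {
            close(fd);
            return -1;
        }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Constructed terminator layout: NUL, LF, 0xff, CR in the lowest bytes. A
 * known value, so it only stops string-function style overruns. */
static uintptr_t terminator_canary(void)
{
    const unsigned char term[4] = { 0x00, 0x0a, 0xff, 0x0d };
    uintptr_t t = 0;
    memcpy(&t, term, sizeof term);
    return t;
}

/* Returns 1 if a random canary was installed, 0 if the terminator fallback was used. */
int ssp_init_guard(void)
{
    uintptr_t g = 0;
    if (read_urandom(&g, sizeof g) == 0 && g != 0) {
        ssp_guard = g;
        return 1;
    }
    ssp_guard = terminator_canary();   /* device unavailable: fixed value */
    return 0;
}

/* Runs before main, like the SSP constructor the original post mentions. */
__attribute__((constructor)) static void ssp_guard_ctor(void) { (void)ssp_init_guard(); }

/* The compiler-inserted epilogue: compare the copy saved in the frame with the guard. */
int ssp_check(uintptr_t saved_copy)
{
    return saved_copy == ssp_guard;
}

/* Simulated protected frame: an 8-byte buffer immediately below the canary slot. */
struct frame {
    unsigned char buf[8];
    uintptr_t canary;
};

/* Copy len bytes starting at buf[0], clipped to the frame so the simulation
 * itself stays well-defined, then perform the epilogue check. */
int frame_intact_after_write(const unsigned char *data, size_t len)
{
    struct frame f;
    if (ssp_guard == 0)
        ssp_init_guard();
    f.canary = ssp_guard;               /* prologue: save the guard */
    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, data, len);              /* the copy that may run past buf */
    return ssp_check(f.canary);         /* epilogue: 1 intact, 0 clobbered */
}

static const unsigned char sample[] = "AAAAAAAAAAAAAAAA";   /* constructed input */

int demo_in_bounds_write(void) { return frame_intact_after_write(sample, 8); }
int demo_overrun_write(void)   { return frame_intact_after_write(sample, 16); }

int main(void)
{
    printf("random canary installed: %d\n", ssp_init_guard());
    printf("8-byte write, frame intact:  %d\n", demo_in_bounds_write());
    printf("16-byte write, frame intact: %d\n", demo_overrun_write());
    return 0;
}
```

The check only protects the return address if the value in the slot cannot be reproduced by the data written over it, which is ALeine's point: a per-process value drawn from urandom or arc4random is unknown to the writer, whereas a zeroed or otherwise fixed canary is only an obstacle to copies that stop at a NUL. The fallback path also shows why the initializer must be reached before any thread machinery the open(2) wrapper depends on, as the original post notes for libpthread and libthr.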
Re: C programming question
On Mon, 04 Apr 2005 11:43:21 -0700 Matt <[EMAIL PROTECTED]> wrote:

> I need some help understanding some C code.

cdecl (devel/cdecl) is your friend.

> int (*if_ioctl)
> (struct ifnet *, int, caddr_t);

explain int (*if_ioctl)(struct ifnet *, int, caddr_t)
declare if_ioctl as pointer to function (pointer to struct ifnet, int, caddr_t) returning int

> int (*if_watchdog)
> (int);

explain int (*if_watchdog)(int)
declare if_watchdog as pointer to function (int) returning int

The formatting on this one is strange.

http://www.mired.org/consulting.html
Independent Network/Unix/Perforce consultant, email for more information.
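The two declarations Matt asked about, used in a small struct modelled on the ifnet members they come from, as an added example that is not part of the thread or of the FreeBSD source: each pointer gets an equivalent typedef spelling (the cdecl output read backwards), a handler is assigned by bare function name, and the pointers are called directly and through a timer. The struct layout, caddr_t definition, DEMO_SIOC* command numbers, mtu_req and the demo_* functions are assumptions of this example.

```c
/* Added example, not from the thread: function-pointer members as in struct ifnet. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef char *caddr_t;                /* BSD's historic "core address" type */

struct ifnet;                         /* forward declaration for the typedefs */

/* Equivalent typedef spellings: "pointer to function (...) returning int". */
typedef int (*if_ioctl_fn)(struct ifnet *, int, caddr_t);
typedef int (*if_watchdog_fn)(int);

struct ifnet {
    char if_name[16];
    int if_unit;
    int if_mtu;
    int if_timer;
    int (*if_ioctl)(struct ifnet *, int, caddr_t);   /* exactly as in the question */
    int (*if_watchdog)(int);                         /* same; could be if_watchdog_fn */
};

#define DEMO_SIOCGIFMTU 1   /* constructed command numbers, not the real SIOC* values */
#define DEMO_SIOCSIFMTU 2

struct mtu_req { int mtu; };

/* A driver's ioctl handler: the caddr_t argument is the command-specific payload. */
static int demo_ioctl(struct ifnet *ifp, int cmd, caddr_t data)
{
    struct mtu_req *req = (struct mtu_req *)data;
    switch (cmd) {
    case DEMO_SIOCGIFMTU:
        req->mtu = ifp->if_mtu;
        return 0;
    case DEMO_SIOCSIFMTU:
        if (req->mtu < 68 || req->mtu > 9000)
            return 22;                /* EINVAL-like: reject out-of-range MTU */
        ifp->if_mtu = req->mtu;
        return 0;
    default:
        return 25;                    /* ENOTTY-like: unknown command */
    }
}

static int demo_watchdog(int unit) { return unit; }

/* Bind the handlers: a function name decays to a pointer, no & needed. */
struct ifnet *demo_attach(struct ifnet *ifp, const char *name, int unit)
{
    memset(ifp, 0, sizeof *ifp);
    strncpy(ifp->if_name, name, sizeof ifp->if_name - 1);
    ifp->if_unit = unit;
    ifp->if_mtu = 1500;
    ifp->if_ioctl = demo_ioctl;
    ifp->if_watchdog = demo_watchdog;
    return ifp;
}

/* Calling through the member; (*ifp->if_ioctl)(...) is the equivalent older spelling. */
int demo_set_mtu(struct ifnet *ifp, int mtu)
{
    struct mtu_req req = { mtu };
    return ifp->if_ioctl(ifp, DEMO_SIOCSIFMTU, (caddr_t)&req);
}

int demo_get_mtu(struct ifnet *ifp)
{
    struct mtu_req req = { 0 };
    if (ifp->if_ioctl(ifp, DEMO_SIOCGIFMTU, (caddr_t)&req) != 0)
        return -1;
    return req.mtu;
}

/* One timer tick: fire the watchdog when the countdown reaches zero. */
int demo_tick(struct ifnet *ifp)
{
    if (ifp->if_timer > 0 && --ifp->if_timer == 0 && ifp->if_watchdog != NULL)
        return ifp->if_watchdog(ifp->if_unit);
    return -1;
}

/* Exercise the whole thing; returns 0 on success, else the failing step number. */
int demo_run(void)
{
    struct ifnet ifp;
    if_ioctl_fn via_typedef = demo_ioctl;   /* same type as the struct member */
    demo_attach(&ifp, "em", 0);
    if (ifp.if_ioctl != via_typedef) return 1;
    if (demo_get_mtu(&ifp) != 1500) return 2;
    if (demo_set_mtu(&ifp, 9000) != 0) return 3;
    if (demo_get_mtu(&ifp) != 9000) return 4;
    if (demo_set_mtu(&ifp, 10) == 0) return 5;   /* must be rejected */
    ifp.if_timer = 2;
    if (demo_tick(&ifp) != -1) return 6;
    if (demo_tick(&ifp) != 0) return 7;          /* watchdog fires, returns unit 0 */
    return 0;
}

int main(void)
{
    printf("demo_run: %d\n", demo_run());
    return 0;
}
```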