subject:"\[Mingw\-w64\-public\] \[Patch\] \- Hardening libssp against malicious local processes"

[Mingw-w64-public] [Patch] - Hardening libssp against malicious local processes

2015-02-03 Thread Georg Koppen

Hi,

I am putting a patch inline (not sure if attachments are allowed on this
mailing list) that does not make it possible for a local process anymore
to replace canaries which in turn might disable SSP. Comments and/or
review are much appreciated.

The problem it is trying to solve is outlined in
https://trac.torproject.org/13169#comment:4:

(Quoting a cypherpunk)

"In Windows you can to create any directories for any disks(C:, D:, ..
Z:), only system directories (Windows directory, Program files, etc) are
protected. Any process with privileges of any standard user can to
create C:\dev\urandom file and to fill it by any stuff."

And now the patch (arguably the subject can be a bit more elaborate):

From 83e3ea38a5720df52bd5f78dcd3c7b7b842ddc3b Mon Sep 17 00:00:00 2001
From: Erinn Clark 
Date: Wed, 12 Mar 2014 16:09:10 +0100
Subject: [PATCH] skruffy patch

---
 libssp/ssp.c |   16 
 1 file changed, 16 insertions(+)

diff --git a/libssp/ssp.c b/libssp/ssp.c
index aaa5a32..37f4e27 100644
--- a/libssp/ssp.c
+++ b/libssp/ssp.c
@@ -55,6 +55,7 @@ see the files COPYING3 and COPYING.RUNTIME
respectively.  If not, see
 /* Native win32 apps don't know about /dev/tty but can print directly
to the console using  "CONOUT$"   */
 #if defined (_WIN32) && !defined (__CYGWIN__)
+#include 
 # define _PATH_TTY "CONOUT$"
 #else
 # define _PATH_TTY "/dev/tty"
@@ -75,6 +76,20 @@ __guard_setup (void)
   if (__stack_chk_guard != 0)
 return;

+#if defined (_WIN32) && !defined (__CYGWIN__)
+  HCRYPTPROV hprovider = 0;
+  if (CryptAcquireContext(&hprovider, NULL, NULL, PROV_RSA_FULL,
+  CRYPT_VERIFYCONTEXT | CRYPT_SILENT))
+{
+  if (CryptGenRandom(hprovider, sizeof (__stack_chk_guard),
+  (BYTE *)&__stack_chk_guard) &&  __stack_chk_guard != 0)
+{
+   CryptReleaseContext(hprovider, 0);
+   return;
+}
+  CryptReleaseContext(hprovider, 0);
+}
+#else
   fd = open ("/dev/urandom", O_RDONLY);
   if (fd != -1)
 {
@@ -85,6 +100,7 @@ __guard_setup (void)
 return;
 }

+#endif
   /* If a random generator can't be used, the protector switches the guard
  to the "terminator canary".  */
   p = (unsigned char *) &__stack_chk_guard;
--
1.7.10.4


Georg



signature.asc
Description: OpenPGP digital signature
--
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/___
Mingw-w64-public mailing list
Mingw-w64-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mingw-w64-public

Re: [Mingw-w64-public] [Patch] - Hardening libssp against malicious local processes

2015-02-03 Thread David Macek

On 3. 2. 2015 11:53, Georg Koppen wrote:
> I am putting a patch inline (not sure if attachments are allowed on this
> mailing list) that does not make it possible for a local process anymore
> to replace canaries which in turn might disable SSP. Comments and/or
> review are much appreciated.
> 
> The problem it is trying to solve is outlined in
> https://trac.torproject.org/13169#comment:4:
> 
> (Quoting a cypherpunk)
> 
> "In Windows you can to create any directories for any disks(C:, D:, ..
> Z:), only system directories (Windows directory, Program files, etc) are
> protected. Any process with privileges of any standard user can to
> create C:\dev\urandom file and to fill it by any stuff."

Hi. This is maybe off-topic, but I'd like to point out that ACLs can be 
customized, so any assumption of this kind can be wrong. Also, the motivation 
for this patch should be "don't use /dev/urandom on Windows, because it's not a 
thing", not "someone could supply fake random data to us".

-- 
David Macek



smime.p7s
Description: S/MIME Cryptographic Signature
--
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/___
Mingw-w64-public mailing list
Mingw-w64-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mingw-w64-public

Re: [Mingw-w64-public] [Patch] - Hardening libssp against malicious local processes

2015-02-04 Thread Jacek Caban

Hi Georg,

On 02/03/15 11:53, Georg Koppen wrote:
> Hi,
>
> I am putting a patch inline (not sure if attachments are allowed on this
> mailing list) that does not make it possible for a local process anymore
> to replace canaries which in turn might disable SSP. Comments and/or
> review are much appreciated.
>
> The problem it is trying to solve is outlined in
> https://trac.torproject.org/13169#comment:4:
>
> (Quoting a cypherpunk)
>
> "In Windows you can to create any directories for any disks(C:, D:, ..
> Z:), only system directories (Windows directory, Program files, etc) are
> protected. Any process with privileges of any standard user can to
> create C:\dev\urandom file and to fill it by any stuff."
>
> And now the patch (arguably the subject can be a bit more elaborate):

Thanks for the patch, but it belongs to GCC and as such gcc-patches ML
is the right place to send it.

I have nothing to do with libssp nor have much experience with GCC
patches, but I have some suggestions:

> From 83e3ea38a5720df52bd5f78dcd3c7b7b842ddc3b Mon Sep 17 00:00:00 2001
> From: Erinn Clark 
> Date: Wed, 12 Mar 2014 16:09:10 +0100
> Subject: [PATCH] skruffy patch
>
> ---
>  libssp/ssp.c |   16 
>  1 file changed, 16 insertions(+)
>
> diff --git a/libssp/ssp.c b/libssp/ssp.c
> index aaa5a32..37f4e27 100644
> --- a/libssp/ssp.c
> +++ b/libssp/ssp.c
> @@ -55,6 +55,7 @@ see the files COPYING3 and COPYING.RUNTIME
> respectively.  If not, see
>  /* Native win32 apps don't know about /dev/tty but can print directly
> to the console using  "CONOUT$"   */
>  #if defined (_WIN32) && !defined (__CYGWIN__)
> +#include 
>  # define _PATH_TTY "CONOUT$"
>  #else
>  # define _PATH_TTY "/dev/tty"
> @@ -75,6 +76,20 @@ __guard_setup (void)
>if (__stack_chk_guard != 0)
>  return;
>
> +#if defined (_WIN32) && !defined (__CYGWIN__)
> +  HCRYPTPROV hprovider = 0;

Looking at the rest of the file, it seems that it maintains C89
compatibility or at least coding style uses declarations in the
beginning of the block.

> +  if (CryptAcquireContext(&hprovider, NULL, NULL, PROV_RSA_FULL,
> +  CRYPT_VERIFYCONTEXT | CRYPT_SILENT))
> +{
> +  if (CryptGenRandom(hprovider, sizeof (__stack_chk_guard),
> +  (BYTE *)&__stack_chk_guard) &&  __stack_chk_guard != 0)
> +{
> +   CryptReleaseContext(hprovider, 0);
> +   return;
> +}
> +  CryptReleaseContext(hprovider, 0);
> +}

Did you consider using RtlGenRandom instead? This would simplify the code.

Another alternative would be using rand_s, which is a variant of rand
that doesn't require srand (see Wine implementation for an example [1]).
Its problem is, however, that it returns int, which is inconvenient for
64-bit arch in this case.

> +#else
>fd = open ("/dev/urandom", O_RDONLY);
>if (fd != -1)
>  {
> @@ -85,6 +100,7 @@ __guard_setup (void)
>  return;
>  }
>
> +#endif
>/* If a random generator can't be used, the protector switches the guard
>   to the "terminator canary".  */
>p = (unsigned char *) &__stack_chk_guard;
> --
> 1.7.10.4

Thanks,
Jacek

[1] http://source.winehq.org/git/wine.git/blob/HEAD:/dlls/msvcrt/misc.c#l68

--
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/
___
Mingw-w64-public mailing list
Mingw-w64-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mingw-w64-public

Re: [Mingw-w64-public] [Patch] - Hardening libssp against malicious local processes

2015-02-05 Thread Georg Koppen

Hi Jacek

Jacek Caban:
> Thanks for the patch, but it belongs to GCC and as such gcc-patches ML
> is the right place to send it.
> 
> I have nothing to do with libssp nor have much experience with GCC
> patches, but I have some suggestions:

thanks for both. I'll send it to gcc-patches to see what the GCC folks
are thinking about it.

Georg



signature.asc
Description: OpenPGP digital signature
--
Dive into the World of Parallel Programming. The Go Parallel Website,
sponsored by Intel and developed in partnership with Slashdot Media, is your
hub for all things parallel software development, from weekly thought
leadership blogs to news, videos, case studies, tutorials and more. Take a
look and join the conversation now. http://goparallel.sourceforge.net/___
Mingw-w64-public mailing list
Mingw-w64-public@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/mingw-w64-public

[Mingw-w64-public] [Patch] - Hardening libssp against malicious local processes

Re: [Mingw-w64-public] [Patch] - Hardening libssp against malicious local processes

Re: [Mingw-w64-public] [Patch] - Hardening libssp against malicious local processes

Re: [Mingw-w64-public] [Patch] - Hardening libssp against malicious local processes

4 matches

Site Navigation

Mail list logo

Footer information