Re: [ANNOUNCE] glibc heap protection patch
Hello,
Your heap protection scheme is based on checking the validity of the chunk
structure magic value that is calculated as
(chunk)->magic = (((int) chunk) ^ *__heap_magic ^ (chunk)->size)
I believe that "chunk" and "(chunk)->size" can be considered to be known
to attackers and thus contain no entropy. Thus the security of your scheme
is based on the randomness of the "__heap_magic" value which is calculated
as
+#ifdef __HEAP_PROTECTION
[snip]
+ srand(time(NULL));
+ *__heap_magic = rand();
[snip]
+ if (mprotect(__heap_magic, sizeof(*__heap_magic), PROT_READ))
+ fprintf(stderr, "glibc: WARNING: unable to protect heap magic!\n");
+#endif /* __HEAP_PROTECTION */
With such a poor random number generator you only raise a bar slightly
higher whereby attackers have to predict your "random" canary in their
exploits.
Also, since you initialize "__heap_magic" once per process, an attacker
might be able to use nmap to determine the uptime of the victim machine
which will quite precisely determine when a process was started (a valid
assumption for daemon processes).
cheers,
eugene
> Hi all,
>
> I'd just like to announce that we have a heap protection system for
glibc available for download. The system detects and prevents all heap
overflow exploits that modify inline control information from
> succeeding against a protected application, can be installed
> system-wide or on a per-process basis using LD_PRELOAD, and is
> transparent to existing applications.
>
> We would definitely appreciate any feedback and bug reports on the code.
The patch and some additional information is available at:
>
> http://www.cs.ucsb.edu/~wkr/projects/heap_protection/
>
> Enjoy!
>
> --
> William Robertson
> Reliable Software Group, UC Santa Barbara
> http://www.cs.ucsb.edu/~wkr/