|
Lines 57-69
|
| 57 |
|
57 |
|
| 58 |
<indexterm><primary>Morris Internet worm</primary></indexterm> |
58 |
<indexterm><primary>Morris Internet worm</primary></indexterm> |
| 59 |
|
59 |
|
| 60 |
effective today. Of the 17 CERT security advisories of 1999, 10 |
60 |
effective today. |
| 61 |
|
|
|
| 62 |
<indexterm> |
| 63 |
<primary>CERT</primary><secondary>security advisories</secondary> |
| 64 |
</indexterm> |
| 65 |
|
| 66 |
of them were directly caused by buffer-overflow software bugs. |
| 67 |
By far the most common type of buffer overflow attack is based |
61 |
By far the most common type of buffer overflow attack is based |
| 68 |
on corrupting the stack.</para> |
62 |
on corrupting the stack.</para> |
| 69 |
|
63 |
|
|
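Review bot: dropping the dated CERT statistic (old lines 60 and 66, "Of the 17 CERT security advisories of 1999, 10 of them were directly caused by buffer-overflow software bugs") leaves "effective today." on new line 60 as a bare assertion with nothing behind it; either cite a current figure or reword to something like "remain common today". Removing the CERT indexterm (old lines 62-64) together with the sentence is consistent, since the term no longer appears in this paragraph.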
Lines 259-297
|
| 259 |
code in public use which blindly copies memory around without |
253 |
code in public use which blindly copies memory around without |
| 260 |
using any of the bounded copy routines we just discussed. |
254 |
using any of the bounded copy routines we just discussed. |
| 261 |
Fortunately, there is another solution. Several compiler |
255 |
Fortunately, there is another solution. Several compiler |
| 262 |
add-ons and libraries exist to do Run-time bounds checking in |
256 |
features and libraries exist to do Run-time bounds checking in |
| 263 |
C/C++.</para> |
257 |
C/C++.</para> |
| 264 |
|
258 |
|
|
|
259 |
<indexterm><primary>ProPolice</primary></indexterm> |
| 265 |
<indexterm><primary>StackGuard</primary></indexterm> |
260 |
<indexterm><primary>StackGuard</primary></indexterm> |
| 266 |
<indexterm><primary>gcc</primary></indexterm> |
261 |
<indexterm><primary>gcc</primary></indexterm> |
| 267 |
|
262 |
|
| 268 |
<para>StackGuard is one such add-on that is implemented as a |
263 |
<para>ProPolice is one such compiler feature, and is |
| 269 |
small patch to the gcc code generator. From the <ulink |
264 |
integrated into &man.gcc.1; version 4.1 and later. It |
| 270 |
url="http://immunix.org/stackguard.html">StackGuard |
265 |
replaces and extends the earlier StackGuard &man.gcc.1; |
| 271 |
website</ulink>: |
266 |
extension.</para> |
| 272 |
|
267 |
|
| 273 |
<blockquote><para>"StackGuard detects and defeats stack |
268 |
<para>ProPolice helps to protect against stack-based buffer |
| 274 |
smashing attacks by protecting the return address on the stack |
269 |
overflows and other attacks by laying pseudo-random numbers |
| 275 |
from being altered. StackGuard places a "canary" word next to |
270 |
in key areas of the stack before calling any function. On |
| 276 |
the return address when a function is called. If the canary |
271 |
the function return these "canaries" are checked, and if |
| 277 |
word has been altered when the function returns, then a stack |
272 |
they are found to have been changed the executable is |
| 278 |
smashing attack has been attempted, and the program responds |
273 |
immediately aborted. Thus any attempt to modify the return |
| 279 |
by emitting an intruder alert into syslog, and then |
274 |
address or other variable stored on the stack in an attempt |
| 280 |
halts."</para></blockquote> |
275 |
to get malicious code to run is unlikely to succeed, as the |
| 281 |
|
276 |
attacker would have to also manage to leave the pseudo-random |
| 282 |
<blockquote><para>"StackGuard is implemented as a small patch |
277 |
canaries untouched.</para> |
| 283 |
to the gcc code generator, specifically the function_prolog() |
|
|
| 284 |
and function_epilog() routines. function_prolog() has been |
| 285 |
enhanced to lay down canaries on the stack when functions |
| 286 |
start, and function_epilog() checks canary integrity when the |
| 287 |
function exits. Any attempt at corrupting the return address |
| 288 |
is thus detected before the function |
| 289 |
returns."</para></blockquote> |
| 290 |
</para> |
| 291 |
|
278 |
|
| 292 |
<indexterm><primary>buffer overflow</primary></indexterm> |
279 |
<indexterm><primary>buffer overflow</primary></indexterm> |
| 293 |
|
280 |
|
| 294 |
<para>Recompiling your application with StackGuard is an |
281 |
<para>Recompiling your application with ProPolice is an |
| 295 |
effective means of stopping most buffer-overflow attacks, but |
282 |
effective means of stopping most buffer-overflow attacks, but |
| 296 |
it can still be compromised.</para> |
283 |
it can still be compromised.</para> |
| 297 |
|
284 |
|
|
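Review bot: new lines 273-275 overstate what the canary catches: "any attempt to modify the return address or other variable stored on the stack" is broader than the mechanism described on lines 269-272, which only detects a write that runs across the canary laid down before the return address; an overflow that clobbers an adjacent local or argument without reaching the canary is not detected, which is also why line 283 rightly keeps "it can still be compromised". Suggest narrowing the claim to the return address and saved frame data. Since new line 281 tells readers to recompile "with ProPolice" without saying how, the paragraph should name the &man.gcc.1; option that enables it (-fstack-protector, available in the 4.1-and-later releases that line 264 already cites). Minor: "Run-time bounds checking" on line 256 is a misnomer for a canary scheme, which detects corruption at function return rather than checking bounds, and the old immunix.org ulink is dropped with no replacement reference for the ProPolice description.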
Lines 378-384
|
| 378 |
should also be noted that a process can easily break out of a |
365 |
should also be noted that a process can easily break out of a |
| 379 |
chroot environment if it has root privilege. This could be |
366 |
chroot environment if it has root privilege. This could be |
| 380 |
accomplished by creating device nodes to read kernel memory, |
367 |
accomplished by creating device nodes to read kernel memory, |
| 381 |
attaching a debugger to a process outside of the jail, or in |
368 |
attaching a debugger to a process outside of the |
|
|
369 |
<function>chroot()</function> jail, or in |
| 382 |
many other creative ways.</para> |
370 |
many other creative ways.</para> |
| 383 |
|
371 |
|
| 384 |
<para>The behavior of the <function>chroot()</function> system |
372 |
<para>The behavior of the <function>chroot()</function> system |
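Review bot: markup consistency: new line 369 tags the jail as <function>chroot()</function>, matching line 372, but "chroot environment" on line 366 in the same sentence is left as plain text; tag it the same way so the index and rendering treat both mentions alike.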