[11888] in bugtraq
Re: fixing all buffer overflows --- random magin numbers
daemon@ATHENA.MIT.EDU (Crispin Cowan)
Tue Sep 14 15:04:38 1999
Mime-Version: 1.0
Content-Type: multipart/alternative;
boundary="------------757A0386B0ADD67A9B891E28"
Message-Id: <37DD927B.9003E6C6@cse.ogi.edu>
Date: Tue, 14 Sep 1999 00:10:35 +0000
Reply-To: crispin@CSE.OGI.EDU
From: Crispin Cowan <crispin@CSE.OGI.EDU>
X-To: nm <nmanisca@VT.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
--------------757A0386B0ADD67A9B891E28
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
(post sent as HTML and ASCII because there's a table that's easier to read
in HTML. Aleph, go ahead and nuke the HTML if you prefer)
nm wrote:
> Neat idea.
>
> But, couldn't someone just take a common binary (say ls) that exists
> on the target system and reverse engineer it and begin to make a mapping
> of numbers to syscalls.
I wrote two papers last year that classified post hoc security enhancements
into a 2D grid:
* one dimension is *what* is adapted: the interface, or the
implementation
* the other dimension is what *kind* of adaptation you apply: either a
restriction, or a permutation
The result looks like this:
Interface Implementation
Restriction * Firewalls * Bounds checking
* TCP Wrappers * StackGuard
* Randomly renaming system files
* Randomly renumbering system
Permutation calls (the hack proposed here * Randomly munging
by Maniscalco) data layout
* Fred Cohen's Deception Toolkit
The papers describing this work are:
* "Death, Taxes, and Imperfect Software: Surviving the Inevitable", by
Crispin Cowan, Calton Pu, and Heather Hinton, presented at the 1998
New Security Paradigms workshop, and available here:
http://www.cse.ogi.edu/~crispin/bugtol.ps.gz or here:
http://www.cse.ogi.edu/~crispin/bugtol.pdf .
* "Survivability from a Sow's Ear: The Retrofit Security Requirement",
by Crispin Cowan and Calton Pu, presented at the 1998 Information
Survivability Workshop, and available here
http://www.cse.ogi.edu/~crispin/isw98.ps.gz or here
http://www.cse.ogi.edu/~crispin/isw98.pdf
In these papers we conclude that "Interface Permutations" (such as randomly
swizling the syscall numbers) has a problem: it is just weak crypto. It
makes the "current configuration of the interface" a symmetric session key
that must be shared amongst all the servers and clients. It is a shared
secret. You have all the usual problems of shared secrets, plus the
following problems:
* it is a relatively small secret
* it is often a very easy to observe secret (such as the ls reverse
engineering hack that nm mentions)
The only advantage offered by interface permutation is that the secret is
not amenable to off-line cracking: you have to make your guesses against
the host system, and that gives intrusion detectors a good shot at
detecting your cracking attempts. Naturally, this just means that
attackers will infer the current configuration indrectly instead of brute
forcing it.
Crispin
-----
Crispin Cowan, Research Assistant Professor of Computer Science, OGI
NEW: Protect Your Linux Host with StackGuard'd Programs :FREE
http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
>
>
> Nick Maniscalco
>
> At 09:37 PM 9/11/99 -0400, Dr. Joel M. Hoffman wrote:
> >I was thinking
> -- it wouldn't be too hard to make buffer overflow
> >attacks impossible. The basic idea is to do away with binary
> >compatibility.
> >
> >In particular, I was thinking that part of building a kernel would
> >involve assigning a random number to each syscall, and creating a
> >syscall.h file with these random numbers. A binary would only run if
> >it was compiled with the proper syscall.h, so all binaries would have
> >to be recompiled for the new kernel, but then, syscall.h could be
> >removed, and the system would be impervious to buffer overflow
> >attacks. (One step further would involve random magic numbers in
> >every function call.)
> >
> >I would be happy to give up binary compatilibyt for the added security
> >it would add.
> >
> >Comments?
> >
> >-Joel Hoffman
> >(joel@exc.com)
> >
--------------757A0386B0ADD67A9B891E28
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
<html>
(post sent as HTML and ASCII because there's a table that's easier to read
in HTML. Aleph, go ahead and nuke the HTML if you prefer)
<p>nm wrote:
<blockquote TYPE=CITE>Neat idea.
<p>But, couldn't someone just take a common binary (say ls) that exists
<br>on the target system and reverse engineer it and begin to make a mapping
<br>of numbers to syscalls.</blockquote>
I wrote two papers last year that classified post hoc security enhancements
into a 2D grid:
<ul>
<li>
one dimension is *what* is adapted: the interface, or the implementation</li>
<li>
the other dimension is what *kind* of adaptation you apply: either
a restriction, or a permutation</li>
</ul>
The result looks like this:
<br>
<table BORDER NOSAVE >
<tr>
<td></td>
<td>Interface</td>
<td>Implementation</td>
</tr>
<tr>
<td>Restriction</td>
<td>
<ul>
<li>
Firewalls</li>
<li>
TCP Wrappers</li>
</ul>
</td>
<td>
<ul>
<li>
Bounds checking</li>
<li>
StackGuard</li>
</ul>
</td>
</tr>
<tr>
<td>Permutation</td>
<td>
<ul>
<li>
Randomly renaming system files</li>
<li>
Randomly renumbering system calls (the hack proposed here by Maniscalco)</li>
<li>
Fred Cohen's Deception Toolkit</li>
</ul>
</td>
<td>
<ul>
<li>
Randomly munging data layout</li>
</ul>
</td>
</tr>
</table>
<p>The papers describing this work are:
<ul>
<li>
"Death, Taxes, and Imperfect Software: Surviving the Inevitable",
by Crispin Cowan, Calton Pu, and Heather Hinton, presented at the 1998
New Security Paradigms workshop, and available here: <a href="http://www.cse.ogi.edu/~crispin/bugtol.ps.gz">http://www.cse.ogi.edu/~crispin/bugtol.ps.gz</a>
or here: <a href="http://www.cse.ogi.edu/~crispin/bugtol.pdf">http://www.cse.ogi.edu/~crispin/bugtol.pdf</a>
.</li>
<li>
"Survivability from a Sow's Ear: The Retrofit Security Requirement",
by Crispin Cowan and Calton Pu, presented at the 1998 Information Survivability
Workshop, and available here <a href="http://www.cse.ogi.edu/~crispin/isw98.ps.gz">http://www.cse.ogi.edu/~crispin/isw98.ps.gz</a>
or here <a href="http://www.cse.ogi.edu/~crispin/isw98.pdf">http://www.cse.ogi.edu/~crispin/isw98.pdf</a></li>
</ul>
In these papers we conclude that "Interface Permutations" (such as randomly
swizling the syscall numbers) has a problem: it is just weak crypto.
It makes the "current configuration of the interface" a symmetric session
key that must be shared amongst all the servers and clients. It is
a shared secret. You have all the usual problems of shared secrets,
plus the following problems:
<ul>
<li>
it is a relatively small secret</li>
<li>
it is often a very easy to observe secret (such as the ls reverse engineering
hack that nm mentions)</li>
</ul>
The only advantage offered by interface permutation is that the secret
is not amenable to off-line cracking: you have to make your guesses
against the host system, and that gives intrusion detectors a good shot
at detecting your cracking attempts. Naturally, this just means that
attackers will infer the current configuration indrectly instead of brute
forcing it.
<p>Crispin
<br>-----
<br> Crispin Cowan, Research Assistant Professor of Computer Science,
OGI
<br> NEW: Protect Your Linux Host with StackGuard'd
Programs :FREE
<br> <a href="http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/">http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/</a>
<br>
<blockquote TYPE=CITE>
<p>Nick Maniscalco
<p>At 09:37 PM 9/11/99 -0400, Dr. Joel M. Hoffman wrote:
<br>>I was thinking
<br>-- it wouldn't be too hard to make buffer overflow
<br>>attacks impossible. The basic idea is to do away with binary
<br>>compatibility.
<br>>
<br>>In particular, I was thinking that part of building a kernel would
<br>>involve assigning a random number to each syscall, and creating a
<br>>syscall.h file with these random numbers. A binary would only
run if
<br>>it was compiled with the proper syscall.h, so all binaries would have
<br>>to be recompiled for the new kernel, but then, syscall.h could be
<br>>removed, and the system would be impervious to buffer overflow
<br>>attacks. (One step further would involve random magic numbers
in
<br>>every function call.)
<br>>
<br>>I would be happy to give up binary compatilibyt for the added security
<br>>it would add.
<br>>
<br>>Comments?
<br>>
<br>>-Joel Hoffman
<br>>(joel@exc.com)
<br>></blockquote>
<br> </html>
--------------757A0386B0ADD67A9B891E28--
