[32690] in bugtraq
Re: [ANNOUNCE] glibc heap protection patch
daemon@ATHENA.MIT.EDU (William Robertson)
Thu Dec 4 14:14:22 2003
In-Reply-To: <1058164061362141070445179@securityarchitects.com>
Mime-Version: 1.0 (Apple Message framework v606)
Content-Type: text/plain; charset=US-ASCII; format=flowed
Message-Id: <A26CD36A-25C7-11D8-8B1F-000A95675F0E@cs.ucsb.edu>
Content-Transfer-Encoding: 7bit
Cc: sectools@securityfocus.com, bugtraq@securityfocus.com
From: William Robertson <wkr@cs.ucsb.edu>
Date: Wed, 3 Dec 2003 11:33:56 -0800
To: "Eugene Tsyrklevich" <eugene@securityarchitects.com>
On Dec 03, 2003, at 01:52, Eugene Tsyrklevich wrote:
> indeed, it should
This has been patched to use /dev/urandom in v1.4, which also fixes a
couple of other issues.
> have you seen http://synflood.at/contrapolice/? your paper did not
> mention
> this.
We didn't find this when we did our related work search back during
late spring, but Andreas contacted me after our announcement. From
looking at the code, I don't think the goals are quite the same. We
only try to protect the chunk headers, but it seems that he wants
instead to protect data contained in the user-visible memory region.
This would be nice, but I think this has its own set of issues.
> any plans on porting this to OpenBSD (and saving me time :)?
I've started looking at it, but I don't think I'll have time to
seriously evaluate the situation there for a week or two, so feel free.
:-)
> eugene
--
William Robertson
Reliable Software Group, UC Santa Barbara
http://www.cs.ucsb.edu/~wkr/
