From owner-freebsd-hackers@FreeBSD.ORG Fri Jul 8 23:59:12 2005
Date: Sat, 9 Jul 2005 09:59:04 +1000 (EST)
From: Neo-Vortex
To: ALeine
Cc: freebsd-hackers@freebsd.org, jeremie@le-hen.org
Subject: Re: ProPolice: best way to fill canary
In-Reply-To: <200507081513.j68FDrkh062029@marlena.vvi.at>
Message-ID: <20050709095826.T18020@Neo-Vortex.net>
References: <200507081513.j68FDrkh062029@marlena.vvi.at>
List-Id: Technical Discussions relating to FreeBSD

On Fri, 8 Jul 2005, ALeine wrote:

> root@Neo-Vortex.net wrote:
>
> > On Fri, 8 Jul 2005, Jeremie Le Hen wrote:
> >
> > > Hello hackers,
> > >
> > > I'm going to disturb you once again with ProPolice. The original ProPolice patch, as well as most of the FreeBSD variants and the Linux one, uses /dev/urandom to fill the "canary" with random data (the canary is what is going to be put between the buffer and the return address on the stack). OTOH, OpenBSD uses the kern.arnd sysctl to achieve this (this is a sysctl front-end to the arc4random() function).
> >
> > Just one question: why does the canary have to be filled with random data? Why not just zero it? Sure, you get a single random value to find out how many zeros to use, but why waste that much good-quality random data (and of course if there isn't enough in urandom, you would have to make it loop till there is enough, unless you make it just leave the rest as-is)?
> >
> > IMHO there are no advantages (well, that I can see) of having it be random data rather than just NULL...
> >
> > Feel free to correct me if I'm wrong...
>
> You're wrong: when the canary value is fixed and known (such as in terminator canaries), there are cases where an attacker could manage to reset the canary to the expected value and circumvent the protection mechanism. That chance doesn't exist with random canaries. AFAIK, ProPolice supports both terminator and random canaries.
>
> As for the original topic, I would prefer the sysctl front-end; IMO it's more consistent with other BSDs and more clean and direct, while extending open(2) would only appear transparent at the expense of needlessly increasing the complexity of open(2).

I meant a random-length fixed value... and unless the attacker wants to set the return address to 0x0...

~NVX
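The guard setup and epilogue check the thread is arguing about, as an added C example (not ProPolice's, FreeBSD's or OpenBSD's own code): it fills the guard from /dev/urandom, looping over short reads as the thread mentions, falls back to a fixed terminator canary when that fails, and shows the check catching an overflow that crosses the canary. The frame layout, the terminator value and the overflow helper are constructed for the demo; it assumes a POSIX system with /dev/urandom.

```c
#include <fcntl.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>

/* Simulated frame: the canary sits between the buffer and the saved return
   address, so a linear overflow has to cross it to reach ret. */
struct frame { char buf[8]; uintptr_t canary; uintptr_t ret; };

/* Fixed "terminator" canary (constructed value): its NUL, LF and 0xff bytes
   stop strcpy/gets/fgets-style copies before they can rewrite it whole. */
void terminator_guard(uintptr_t *guard)
{
    memset(guard, 0, sizeof(*guard));
    memcpy(guard, "\x00\x00\x0a\xff", 4);
}

/* Fill the guard from /dev/urandom, looping over short reads so every byte
   is random (the "loop till there is enough" case raised in the thread).
   Returns 1 for a random canary, 0 if it fell back to the terminator. */
int guard_setup(uintptr_t *guard)
{
    unsigned char *p = (unsigned char *)guard;
    size_t got = 0;
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd != -1) {
        while (got < sizeof(*guard)) {
            ssize_t n = read(fd, p + got, sizeof(*guard) - got);
            if (n <= 0) break;          /* error or EOF: give up on random */
            got += (size_t)n;
        }
        close(fd);
        if (got == sizeof(*guard)) return 1;
    }
    terminator_guard(guard);
    return 0;
}

/* The epilogue check: the slot must still equal the process-wide guard. */
int frame_intact(const struct frame *f, uintptr_t guard) { return f->canary == guard; }

/* Copy len bytes into buf with no bounds check (the simulated bug), clamped to
   the frame so the demo stays in bounds; buf is the first member. Returns 1
   if the check catches the overwrite, 0 if the frame still passes. */
int overflow_detected(uintptr_t guard, const unsigned char *in, size_t len)
{
    struct frame f = { {0}, guard, 0x4242 };
    if (len > sizeof(f)) len = sizeof(f);
    memcpy((unsigned char *)&f, in, len);
    return !frame_intact(&f, guard);
}
```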