Re: [ANNOUNCEMENT] Collision regression test suite released

From: Lorenzo Hernández García-Hierro (lorenzo@private)
Date: Wed Jan 19 2005 - 06:43:47 PST


El mié, 19-01-2005 a las 09:27 +0100, Arjan van de Ven escribió:
> On Tue, 2005-01-18 at 23:55 +0100, Lorenzo Hernández García-Hierro
> wrote:
> > Also, maybe an ExecShield specific test (see [1] and [2]) and possibly a
> > few other tests related with BSD Jails.
> 
> > [1]: http://212.130.50.194/papers/attack/ExploitingFedora.txt
> 
> fwiw this paper is about exploiting prelink more than execshield; the
> proposed technique only works because the system was prelinked (without
> prelink every time you start a program all addresses get randomized,
> with prelink the addresses randomize every 2 weeks) and the "security
> sensitive" application was not made a PIE.

Right, that's a point I forgot to talk about.

> The first makes it really hard to write generic exploits (but means you
> can do a local based attack within 2 weeks), the second means that the
> exploit technique only works for a subset of programs; in Fedora most
> (if not all) network daemons and a bunch of other things are PIE, and
> there even is an entire gentoo distribution which is entirely PIE.

Yes, the address space layout randomization (ASLR) as PaX calls it,
makes really difficult to get done the so-called ret2libc attacks, but
anyway it could be interesting to write some tests trying to achieve it,
most for fun than an useful thing, as (unexpected) results might be as
randomized as the address space can be ;D

PIE is, hopefully, also being introduced in Debian-based systems by the
Hardened Debian project.
Gentoo has the Hardened Gentoo official sub project, which is doing (and
has did) a great work around this stuff, among the deployment of other
security technologies.

Cheers and thanks for the comments,
-- 
Lorenzo Hernández García-Hierro <lorenzo@private> [1024D/6F2B2DEC]
[2048g/9AE91A22] Hardened Debian head developer & project manager





This archive was generated by hypermail 2.1.3 : Wed Jan 19 2005 - 06:45:49 PST