Subject: Re: Random PID'
To: David Brownlee <abs@netbsd.org>
From: None <jchacon@genuity.net>
List: current-users
Date: 11/10/2000 13:04:07
Q: Why doesn't NetBSD implement random PID assignments like other free *IX's
   offer?

A: The stated reason this is done in other *IX's has often been touted as a
   security win. i.e. programs with exploits that depend upon pid guessing 
   are presumed to be harder to exploit when this feature is enabled.

   However under basic analysis this is shown to be false for a variety of
   reasons:

        1. The pid space is small (2^16 generally), so instead of targeting
           a specific pid all the attacker has to do is target them all. This
           is by no means hard on any modern system. Even increasing the pid
           space to 2^32 won't increase the overall work required beyond
           anything a modern system can perform.

        2. The randomness is truly questionable. In order to generate a pid
           it must not already conflict with existing pids. On any 
           reasonably busy system this makes guessing the "random" pid a fairly
           basic task since it's now pseudo-random and follows a set of known
           rules. 

        3. The security win isn't really there. The programs that have the
           exploits in them still have the exploits available if random pids
           are the only answer provided.

There's my first shot, someone want to add/correct anything?

James


>	Maybe we should have a note in the FAQ as to why we don't
>	have the feature - anyone care to write up all the reasons?
>
>                David/absolute
>			       -- www.netbsd.org: A pmap for every occasion --
>
>
>On Fri, 10 Nov 2000 jchacon@genuity.net wrote:
>
>> The fact is, it buys you nothing. I can still attack against the pid because
>> the attacked program was never fixed. (it's not as if the pseudo-random code
>> isn't something someone can't analyze).
>>
>> So what you end up with here is "I feel better, my system is more secure!"
>> when in reality it's no more secure than before for any reasonably bright
>> attacker. i.e. marketing fluff.
>>
>> James
>>
>> >
>> >On Mon, Nov 06, 2000 at 04:06:45PM -0400, Jared D. McNeill wrote:
>> >> On Mon, 6 Nov 2000, Jason R Thorpe wrote exactly what I was thinking
>> >>
>> >> > Just out of curiosity, what in particular did you like about it?
>> >>
>> >> Which is why I didn't expect to get it committed; I'm running it on fairly
>> >> powerful hardware and I decided I'd share it with other people. I don't
>> >> have time to look through the source of every single program on my boxes.
>> >
>> >It definitely falls into the category of security through obscurity. If
>> >I know you're going to create files with a fixed /tmp/abc.$$ format, the
>> >random pids may make my life harder, but not impossible.
>> >
>> >I'd like to see these types of things in pkgsrc though - perhaps with
>> >attached commentary from Bugtraq discussions, or from our own gurus.
>> >
>> >Then someone can
>> >
>> >a) Have the feature
>> >b) Know why it's not in the base system
>> >c) Understand why it was done that way.
>> >
>> >--
>> >David Maxwell, david@vex.net|david@maxwell.net --> Although some of you out
>> >there might find a microwave oven controlled by a Unix system an attractive
>> >idea, controlling a microwave oven is easily accomplished with the smallest
>> >of micro controllers. - Russ Hersch - (Micro controller primer and FAQ)
>> >
>>
>>
>
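The thread's conclusion is that the real fix belongs in the program that builds `/tmp/abc.$$`-style names, not in the pid allocator. The following is an added illustration written for this page (it is not code from the thread, from NetBSD, or from any of the posters): it places the pid-named `O_CREAT|O_TRUNC` pattern beside exclusive creation with `O_EXCL` and `mkstemp(3)`, and shows that an existing file at the predicted name is refused by the hardened version regardless of how predictable the pid is. The directory `/tmp`, the `abc.` prefix and the function names are assumptions chosen for the example.

```c
#define _XOPEN_SOURCE 700
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Build the predictable name <dir>/abc.<pid> that the thread describes.
 * The name is a pure function of the pid: whether pids are sequential or
 * "random", there are at most 2^16 candidates, all of them cheap to try.
 * (Directory and prefix are assumptions for this example.) */
int predictable_tmp_name(char *buf, size_t len, const char *dir, pid_t pid)
{
    int n = snprintf(buf, len, "%s/abc.%ld", dir, (long)pid);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;
}

/* The pattern as usually written: O_CREAT|O_TRUNC without O_EXCL.
 * If something already sits at that path (a file, or a symlink pointing
 * elsewhere), open() quietly follows it and truncates the target. */
int open_tmp_unsafe(const char *dir, char *path_out, size_t len)
{
    if (predictable_tmp_name(path_out, len, dir, getpid()) != 0)
        return -1;
    return open(path_out, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Exclusive create: with O_EXCL the kernel refuses (errno == EEXIST) if
 * the path already exists instead of following it. This closes the hole
 * by itself; pid unpredictability plays no part in the defence. */
int open_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
}

/* The fix the thread points at: mkstemp() fills XXXXXX with a random
 * suffix, creates the file with O_CREAT|O_EXCL and returns the open
 * descriptor, so there is no window between choosing and using the name. */
int open_tmp_safe(const char *dir, char *path_out, size_t len)
{
    int n = snprintf(path_out, len, "%s/abc.XXXXXX", dir);
    if (n < 0 || (size_t)n >= len)
        return -1;
    return mkstemp(path_out);
}

int main(void)
{
    char path[256];
    int fd = open_tmp_safe("/tmp", path, sizeof path);
    if (fd < 0) {
        perror("mkstemp");
        return 1;
    }
    printf("safe temp file: %s\n", path);

    /* A second exclusive open of the same name must fail: the name is taken. */
    int again = open_exclusive(path);
    printf("re-create with O_EXCL: %s\n",
           again < 0 ? strerror(errno) : "succeeded (unexpected)");
    if (again >= 0)
        close(again);

    close(fd);
    unlink(path);
    return 0;
}
```

The contrast to notice is in the last two opens: `open_exclusive()` on a name that already exists returns `-1` with `EEXIST`, while the `O_TRUNC` form opens and truncates whatever is there. That property holds for any name, so once the program uses it the question of whether pids are guessable stops mattering, which is the point James and David Maxwell are making above.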