Subject: Re: Random PID'
To: None <jchacon@genuity.net>
From: R. C. Dowdeswell <elric@mabelode.imrryr.org>
List: current-users
Date: 11/10/2000 10:38:32
On 973879447 seconds since the Beginning of the UNIX epoch
jchacon@genuity.net wrote:
>
>Q: Why doesn't NetBSD implement random PID assignments like other free *IX's
> offer?
>
>A: The stated reason this is done in other *IX's has often been touted as a
> security win, i.e. programs with exploits that depend upon pid guessing
> are presumed to be harder to exploit when this feature is enabled.
>
> However under basic analysis this is shown to be false for a variety of
> reasons:
>
> 1. The pid space is small (2^16 generally), so instead of targeting
> a specific pid all the attacker has to do is target them all. This
> is by no means hard on any modern system. Even increasing the pid
> space to 2^32 won't increase the overall work required beyond
> anything a modern system can perform.
>
> 2. The randomness is truly questionable. In order to generate a pid
> it must not already conflict with existing pids. On any
> reasonably busy system this makes guessing the "random" pid a fairly
> basic task since it's now pseudo-random and follows a set of known
> rules.
>
> 3. The security win isn't really there. The programs that have the
> exploits in them still have the exploits available if random pids
> are the only answer provided.
>
>There's my first shot, someone want to add/correct anything?
>
>James
You really need to disable ps, since using ps you can rather
effectively `guess' the pid of a process that runs for any length
of time before it drops its tmpfiles down.
And, if there are any tmpfile race conditions in a setuid program,
then to make random pids have any effect, you should disable the
return value of fork() -- since that allows the parent to effectively
`guess' the pid of the child.
== Roland Dowdeswell http://www.Imrryr.ORG/~elric/ ==
== The Unofficial NetBSD Web Pages http://www.Imrryr.ORG/NetBSD/ ==
== The NetBSD Project http://www.NetBSD.ORG/ ==
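The tmpfile race Roland refers to, as an added example that is not part of this thread or of NetBSD: a program that names its temporary file after its own pid (here a hypothetical "/tmp/prog.<pid>", a stand-in for any such scheme) gives an attacker who has learnt the pid, via ps or via fork()'s return value, everything needed to plant a symlink at that path before the file is created. The demo plays attacker and victim in one process, using getpid() as a stand-in for the leaked pid, and contrasts the vulnerable O_CREAT|O_TRUNC open with O_CREAT|O_EXCL|O_NOFOLLOW on the same name and with mkstemp(3), which picks an unpredictable suffix and opens exclusively itself. Function names and the scratch directory under /tmp are this example's own choices.

```c
#define _XOPEN_SOURCE 700
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* The naming scheme a setuid program with a tmpfile race typically uses:
 * a fixed prefix plus its own pid. Anyone who can learn the pid (from ps,
 * or from fork()'s return value in the parent) can precompute this path,
 * so randomising pid assignment does not change the attacker's work. */
int predictable_tmp_path(char *buf, size_t n, const char *dir, pid_t pid)
{
    int len = snprintf(buf, n, "%s/prog.%ld", dir, (long)pid);
    return (len > 0 && (size_t)len < n) ? 0 : -1;
}

/* Vulnerable open: O_CREAT without O_EXCL follows a symlink an attacker
 * planted at the predicted path and truncates whatever it points at. */
int open_tmp_unsafe(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened open on the same predictable name: O_EXCL makes creation fail
 * if anything already exists there (a symlink included, per POSIX), and
 * O_NOFOLLOW refuses a symlink as the final path component. */
int open_tmp_exclusive(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Better still: mkstemp picks an unpredictable suffix and opens with
 * O_CREAT|O_EXCL itself, so the name is not derivable from the pid at all. */
int open_tmp_mkstemp(const char *dir, char *out, size_t n)
{
    if (snprintf(out, n, "%s/prog.XXXXXX", dir) >= (int)n) return -1;
    return mkstemp(out);
}

/* Plays attacker and victim in one process inside a private scratch dir.
 * Returns 0 on success; *unsafe_hit_target is set when the vulnerable open
 * ended up on the attacker's target, *exclusive_errno holds the error the
 * hardened open reported (expected EEXIST). */
int run_race_demo(int *unsafe_hit_target, int *exclusive_errno)
{
    char dir[] = "/tmp/pidrace.XXXXXX";
    char target[256] = "", tmp[256] = "", rnd[256] = "";
    struct stat st_target, st_opened;
    int fd, rc = -1;

    *unsafe_hit_target = 0;
    *exclusive_errno = 0;
    if (!mkdtemp(dir)) return -1;

    /* victim-owned file the attacker wants clobbered (constructed input) */
    snprintf(target, sizeof target, "%s/target", dir);
    fd = open(target, O_WRONLY | O_CREAT, 0600);
    if (fd < 0) goto out;
    if (write(fd, "secret\n", 7) != 7) { close(fd); goto out; }
    close(fd);

    /* attacker: knows the pid (our own here, standing in for ps/fork()),
     * precomputes the name and plants a symlink before the program runs */
    if (predictable_tmp_path(tmp, sizeof tmp, dir, getpid()) != 0) goto out;
    if (symlink(target, tmp) != 0) goto out;

    /* vulnerable program: opens "its" tmpfile, actually truncates target */
    fd = open_tmp_unsafe(tmp);
    if (fd >= 0) {
        if (fstat(fd, &st_opened) == 0 && stat(target, &st_target) == 0 &&
            st_opened.st_ino == st_target.st_ino)
            *unsafe_hit_target = 1;
        close(fd);
    }

    /* hardened program: same predictable name, but O_EXCL|O_NOFOLLOW refuses */
    fd = open_tmp_exclusive(tmp);
    if (fd < 0) *exclusive_errno = errno; else close(fd);

    /* mkstemp variant: unpredictable name, exclusive creation */
    fd = open_tmp_mkstemp(dir, rnd, sizeof rnd);
    if (fd < 0) goto out;
    close(fd);
    unlink(rnd);
    rc = 0;
out:
    if (tmp[0]) unlink(tmp);
    if (target[0]) unlink(target);
    rmdir(dir);
    return rc;
}

int main(void)
{
    int hit, err;
    if (run_race_demo(&hit, &err) != 0) { perror("demo"); return 1; }
    printf("unsafe open followed the planted symlink: %s\n", hit ? "yes" : "no");
    printf("O_EXCL|O_NOFOLLOW open on the same name failed with: %s\n",
           strerror(err));
    return 0;
}
```

The scratch directory is created 0700 by mkdtemp, so the symlink is followed by the same user that planted it; on a real sticky /tmp some kernels restrict following symlinks owned by another user, but that is a mitigation for the open() call, not something random pids provide. The point of the contrast is that the hardened opens are safe even though the attacker knows the name in advance.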