tech-pkg archive


Re: Improving security for pkgsrc



On Sun, Jul 19, 2015 at 05:12:28PM +0200, Joerg Sonnenberger wrote:
> No, this is plainly wrong. There is only a single canary and it is often
> not even directly after a buffer. So a single byte overflow of the
> top-most buffer is often not detected in case of padding nor is any
> single byte overflow of buffers lower than this. The detection of the
> buffer overflow also assumes that the buffer is overwritten completely
> -- if you can access arbitrary offsets, it doesn't help at all.

No, it is directly after a buffer.  Half the bugs in the original propolice
implementation were due to taking new paths in gcc 3.x, thanks to the
reordering of the stack done to be sure the canary was at least protecting
something.

> If you try to attack OpenSSH for example, it is that easy. The daemon
> will spawn you a nice new process to try and from the birthday paradox
> you can expect 64k to yield a matching canary. Such a scenario applies
> to many other daemons as well.

That assumes the service will keep running after the first attack.
If something fishy is going on in a crucial service, such as an abort from
ssp checks, the right thing to do is to stop operations entirely.

What's better, a DoS, or an actual break-in?... like come on.
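To make the disagreement above concrete, here is an added example that is not code from the thread, from pkgsrc or from ProPolice/SSP: a constructed, simplified model of a protected frame (lower buffer, top-most buffer, optional alignment padding, canary, then the saved state the canary is meant to guard), with the epilogue check reduced to a memcmp. The layout and function names (frame_layout, ssp_detects_write, one_byte_overflow_detected) are my own; it lets you check the three cases in the quoted message (padding, buffers below the top-most one, writes at arbitrary offsets) against the canary-directly-after-the-buffer case.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of an SSP-style frame, low addresses first:
 *   [low buffer][top-most buffer][padding][canary][saved state above]
 * Only the canary bytes are checked, as in a real stack protector. */
enum { CANARY_LEN = 8, ABOVE_LEN = 16, FRAME_MAX = 256 };

typedef struct {
    size_t low_len;  /* buffer placed below the top-most one */
    size_t top_len;  /* buffer placed directly under the canary (or under the padding) */
    size_t pad;      /* alignment padding between top buffer and canary, 0 if none */
} frame_layout;

static size_t low_buf_start(frame_layout l) { (void)l; return 0; }
static size_t top_buf_start(frame_layout l) { return l.low_len; }
static size_t canary_start(frame_layout l)  { return l.low_len + l.top_len + l.pad; }
static size_t frame_size(frame_layout l)    { return canary_start(l) + CANARY_LEN + ABOVE_LEN; }

/* Simulate a write of write_len bytes starting at frame offset `start`, then run
 * the epilogue check. Returns 1 if SSP would abort, 0 if the write goes unnoticed,
 * -1 if the write does not fit in the modelled frame at all. */
int ssp_detects_write(frame_layout l, size_t start, size_t write_len)
{
    /* constructed canary value; avoids 0x41 so the 'A' fill below always changes it */
    static const uint8_t canary[CANARY_LEN] = {0x00, 0x0a, 0x5e, 0xc1, 0x9b, 0x3f, 0x72, 0xd4};
    uint8_t frame[FRAME_MAX];
    size_t size = frame_size(l);
    if (size > FRAME_MAX || start + write_len > size) return -1;
    memset(frame, 0, sizeof frame);
    memcpy(frame + canary_start(l), canary, CANARY_LEN);
    memset(frame + start, 'A', write_len);                 /* the stray write */
    return memcmp(frame + canary_start(l), canary, CANARY_LEN) != 0;
}

/* The classic off-by-one: fill a whole buffer and one byte past its end. */
int one_byte_overflow_detected(frame_layout l, bool top_buffer)
{
    size_t start = top_buffer ? top_buf_start(l) : low_buf_start(l);
    size_t len   = top_buffer ? l.top_len : l.low_len;
    return ssp_detects_write(l, start, len + 1);
}

int main(void)
{
    frame_layout tight = {16, 16, 0}, padded = {16, 16, 8};
    printf("top buffer, canary adjacent: %d\n", one_byte_overflow_detected(tight, true));
    printf("top buffer, 8 bytes padding: %d\n", one_byte_overflow_detected(padded, true));
    printf("lower buffer, canary adjacent: %d\n", one_byte_overflow_detected(tight, false));
    printf("write above the canary: %d\n", ssp_detects_write(tight, canary_start(tight) + CANARY_LEN, 4));
    return 0;
}
```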
