tech-pkg archive


Re: Improving security for pkgsrc



On Tue, Jul 21, 2015 at 09:36:59AM +0200, Marc Espie wrote:
> On Sun, Jul 19, 2015 at 05:12:28PM +0200, Joerg Sonnenberger wrote:
> > No, this is plainly wrong. There is only a single canary and it is often
> > not even directly after a buffer. So a single byte overflow of the
> > top-most buffer is often not detected in case of padding nor is any
> > single byte overflow of buffers lower than this. The detection of the
> > buffer overflow also assumes that the buffer is overwritten completely
> > -- if you can access arbitrary offsets, it doesn't help at all.
> 
> No, it is directly after a buffer.

It is after *one* buffer. Not after *every* buffer. It is also often not
directly after a buffer, because that can require unaligned access,
which would often make it expensive enough to be unjustifiable.

> That assumes the service will keep running after the first attack.
> IF something fishy is going on in a crucial service, such as an abort from
> ssp checks, the right thing to do is to stop operations entirely.

Many classic Unix daemons fork after connect. No special handling of
child processes is done. You know, just the way e.g. sshd is implemented.

> What's better, a DoS, or an actual break-in ?... like come on.

As I have been saying, there is no "or" here. In many practical
situations, the crash part just means "retry with a slightly different
payload".

Joerg

