ProPolice: best way to fill canary
root at Neo-Vortex.net
Fri Jul 8 23:59:12 GMT 2005
On Fri, 8 Jul 2005, ALeine wrote:
> root at Neo-Vortex.net wrote:
> > On Fri, 8 Jul 2005, Jeremie Le Hen wrote:
> > > Hello hackers,
> > >
> > > I'm going to disturb you once again with ProPolice. The
> > > original ProPolice patch, as well as most of FreeBSD variants
> > > and Linux one, uses /dev/urandom to fill the "canary" with
> > > random data (the canary is what is going to be put between
> > > buffer and return address in the stack). OTOH, OpenBSD uses
> > > kern.arnd sysctl to achieve this (this is a sysctl front-end
> > > to the arc4random() function).
> > Just one question: why does the canary have to be filled with
> > random data? Why not just zero it? Sure, you get a single random
> > value to find out how many zeros to use, but why waste that much
> > good-quality random data (and of course if there isn't enough in
> > urandom, you would have to make it loop till there is enough unless
> > you make it just leave the rest as-is)?
> > IMHO there are no advantages (well, that I can see) of having it
> > random data rather than just NULL...
> > Feel free to correct me if I'm wrong...
> You're wrong, when the canary value is fixed and known (such as in
> terminator canaries), there are cases where an attacker could manage
> to reset the canary to the expected value and circumvent the protection
> mechanism. That chance doesn't exist with random canaries. AFAIK,
> ProPolice supports both terminator and random canaries.
> As for the original topic, I would prefer the sysctl front-end, IMO it's
> more consistent with other BSDs and more clean and direct while extending
> open(2) would only appear transparent at the expense of needlessly
> increasing the complexity of open(2).
I meant a fixed value of random length... and unless the attacker wants
to set the return address to 0x0...
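The difference ALeine and root are arguing about comes down to what kind of write crosses the canary. The following C program is an added illustration written for this archive page, not code from ProPolice or from anyone in the thread. It models a protected frame as a struct in the order ProPolice enforces (buffer, canary, saved return value), installs either an all-zero terminator canary or a canary standing in for bytes read from /dev/urandom or kern.arnd, then runs the same oversized input through a strcpy-like copy (which stops at and writes a NUL) and a memcpy-like copy (which copies whatever bytes it is given), and reports what the epilogue check sees. The frame layout, the RANDOM_SAMPLE constant, the placeholder return value 0x08048000 and the input bytes are all constructed for the example; a real random canary is never a fixed constant, it is only fixed here so the run is reproducible.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a ProPolice-protected stack frame. The compiler lays
 * real frames out; this struct only models the ordering ProPolice enforces:
 * character buffers sit below the canary, the canary sits below the saved
 * return address, so a forward overwrite must cross the canary first. */
#define BUF_LEN    8
#define CANARY_LEN 4

struct frame {
    char          buf[BUF_LEN];
    unsigned char canary[CANARY_LEN];
    uint32_t      saved_ret;            /* stands in for the saved return address */
};

enum canary_kind { CANARY_TERMINATOR, CANARY_RANDOM };

enum outcome {
    OUTCOME_TRUNCATED,   /* copy stopped before it reached the saved return value */
    OUTCOME_DETECTED,    /* canary changed: the epilogue check fails and aborts */
    OUTCOME_UNDETECTED   /* saved return value changed and the check still passes */
};

/* Terminator canary: all zero bytes, the "just NULL" option from the thread. */
static const unsigned char TERMINATOR[CANARY_LEN] = { 0, 0, 0, 0 };

/* Constructed stand-in for bytes read from /dev/urandom or kern.arnd. It is a
 * fixed constant here only so the example is reproducible; the property that
 * matters is that whoever supplies the oversized input does not know it. */
static const unsigned char RANDOM_SAMPLE[CANARY_LEN] = { 0x9c, 0x3e, 0x51, 0xa7 };

static const unsigned char *expected_canary(enum canary_kind kind)
{
    return kind == CANARY_TERMINATOR ? TERMINATOR : RANDOM_SAMPLE;
}

/* Function prologue: install the canary below the saved return value. */
static void prologue(struct frame *f, enum canary_kind kind)
{
    memset(f->buf, 0, BUF_LEN);
    memcpy(f->canary, expected_canary(kind), CANARY_LEN);
    f->saved_ret = 0x08048000u;         /* constructed placeholder address */
}

/* Function epilogue: 1 if the canary is intact, 0 if the frame was corrupted. */
static int canary_intact(const struct frame *f, enum canary_kind kind)
{
    return memcmp(f->canary, expected_canary(kind), CANARY_LEN) == 0;
}

/* Unbounded C-string copy into buf (strcpy-like): it reads until the first
 * NUL, writes that NUL, and runs past buf into whatever follows. */
static void copy_cstring(struct frame *f, const char *src)
{
    unsigned char *dst = (unsigned char *)f;   /* byte view of the whole frame */
    size_t i = 0;
    while (i < sizeof *f && src[i] != '\0') {
        dst[i] = (unsigned char)src[i];
        i++;
    }
    if (i < sizeof *f)
        dst[i] = 0;
}

/* Length-driven copy into buf (memcpy-like): copies n bytes whatever they are. */
static void copy_bytes(struct frame *f, const unsigned char *src, size_t n)
{
    if (n > sizeof *f)
        n = sizeof *f;
    memcpy((unsigned char *)f, src, n);
}

/* Run one scenario: an oversized input whose canary-sized middle section is
 * all zeros, i.e. it reproduces the terminator canary exactly. */
enum outcome check_outcome(enum canary_kind kind, int length_driven)
{
    /* Constructed input: 8 filler bytes, 4 zero bytes, 4 bytes of new return value. */
    static const unsigned char input[BUF_LEN + CANARY_LEN + sizeof(uint32_t)] = {
        'A', 'A', 'A', 'A', 'A', 'A', 'A', 'A',
        0x00, 0x00, 0x00, 0x00,
        0x44, 0x33, 0x22, 0x11
    };
    struct frame f;
    uint32_t original_ret;

    prologue(&f, kind);
    original_ret = f.saved_ret;

    if (length_driven)
        copy_bytes(&f, input, sizeof input);
    else
        copy_cstring(&f, (const char *)input);

    if (!canary_intact(&f, kind))
        return OUTCOME_DETECTED;
    return f.saved_ret == original_ret ? OUTCOME_TRUNCATED : OUTCOME_UNDETECTED;
}

int main(void)
{
    static const char *kind_name[]    = { "terminator", "random" };
    static const char *copy_name[]    = { "string copy", "length-driven copy" };
    static const char *outcome_name[] = { "truncated", "detected", "undetected" };
    int k, c;
    for (k = 0; k < 2; k++)
        for (c = 0; c < 2; c++)
            printf("%-10s canary, %-18s: %s\n", kind_name[k], copy_name[c],
                   outcome_name[check_outcome((enum canary_kind)k, c)]);
    return 0;
}
```

With a string copy the zero canary behaves as root describes: the copy's own NUL lands on the canary and nothing beyond it changes, so the check passes with the return value untouched. With a length-driven copy the zero bytes are copied straight through, the terminator canary compares equal to itself and the epilogue check passes even though the saved return value changed; the random canary fails the comparison in both cases, which is ALeine's point. The prologue and epilogue here are what ProPolice emits in compiled code; only the source of the random bytes (/dev/urandom versus the kern.arnd sysctl) is the question the thread was originally about.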