From owner-freebsd-hackers@FreeBSD.ORG Fri Jul 8 23:55:48 2005
X-Original-To: freebsd-hackers@freebsd.org
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 13EC016A41C for ; Fri, 8 Jul 2005 23:55:48 +0000 (GMT) (envelope-from www@marlena.vvi.at)
Received: from marlena.vvi.at (marlena.vvi.at [208.252.225.59]) by mx1.FreeBSD.org (Postfix) with ESMTP id A2D4843D45 for ; Fri, 8 Jul 2005 23:55:47 +0000 (GMT) (envelope-from www@marlena.vvi.at)
Received: from marlena.vvi.at (localhost.marlena.vvi.at [127.0.0.1]) by marlena.vvi.at (8.12.10/8.12.9) with ESMTP id j68FE25m062031; Fri, 8 Jul 2005 08:14:04 -0700 (PDT) (envelope-from www@marlena.vvi.at)
Received: (from www@localhost) by marlena.vvi.at (8.12.10/8.12.10/Submit) id j68FDrkh062029; Fri, 8 Jul 2005 08:13:53 -0700 (PDT) (envelope-from www)
Date: Fri, 8 Jul 2005 08:13:53 -0700 (PDT)
Message-Id: <200507081513.j68FDrkh062029@marlena.vvi.at>
To: root@Neo-Vortex.net
From: "ALeine"
Cc: freebsd-hackers@freebsd.org, jeremie@le-hen.org
Subject: Re: ProPolice: best way to fill canary
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
X-List-Received-Date: Fri, 08 Jul 2005 23:55:48 -0000

root@Neo-Vortex.net wrote:

> On Fri, 8 Jul 2005, Jeremie Le Hen wrote:
>
> > Hello hackers,
> >
> > I'm going to disturb you once again with ProPolice. The
> > original ProPolice patch, as well as most of the FreeBSD variants
> > and the Linux one, uses /dev/urandom to fill the "canary" with
> > random data (the canary is what is going to be put between the
> > buffer and the return address on the stack). OTOH, OpenBSD uses
> > the kern.arnd sysctl to achieve this (this is a sysctl front-end
> > to the arc4random() function).
>
> Just one question: why does the canary have to be filled with
> random data? Why not just zero it? Sure, you get a single random
> value to find out how many zeros to use, but why waste that much
> good-quality random data (and of course if there isn't enough in
> urandom, you would have to make it loop till there is enough, unless
> you make it just leave the rest as-is)?
>
> IMHO there are no advantages (well, that I can see) of having it be
> random data rather than just NULL...
>
> Feel free to correct me if I'm wrong...

You're wrong: when the canary value is fixed and known (such as in
terminator canaries), there are cases where an attacker could manage to
reset the canary to the expected value and circumvent the protection
mechanism. That chance doesn't exist with random canaries. AFAIK,
ProPolice supports both terminator and random canaries.

As for the original topic, I would prefer the sysctl front-end; IMO it's
more consistent with other BSDs and cleaner and more direct, while
extending open(2) would only appear transparent at the expense of
needlessly increasing the complexity of open(2).

ALeine
___________________________________________________________________
WebMail FREE http://mail.austrosearch.net
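The point ALeine makes above (a fixed, known canary can be overwritten with its own expected value, so the epilogue check passes; a random canary cannot be) is easy to see in a small simulation. The following C program is an added example, not code from the thread or from ProPolice: it lays out a frame in a plain byte array in the order the thread describes (buffer, canary, return address), runs the prologue/epilogue check over constructed overrun inputs, and reports whether the check would catch the corruption. The offsets, the `SAMPLE_RANDOM_CANARY` constant and the placeholder return address are all assumptions for the example; in the real patch the guard value comes from /dev/urandom or kern.arnd at startup, not from a compile-time constant.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated ProPolice-style frame held in a byte array (constructed layout,
 * not a real stack frame): [ buffer | canary | return address ]. */
#define BUF_LEN    16
#define CANARY_OFF BUF_LEN
#define RET_OFF    (CANARY_OFF + 4)
#define FRAME_LEN  (RET_OFF + 4)

/* The "just zero it" proposal from the thread. */
#define ZERO_CANARY 0x00000000u

/* Stand-in for a guard drawn from /dev/urandom or kern.arnd at startup.
 * Fixed here only so the example is reproducible; a real guard must be
 * unpredictable to the attacker. */
#define SAMPLE_RANDOM_CANARY 0xA3B1C9D7u

/* Prologue: clear the buffer, install the guard, set a placeholder return address. */
static void frame_init(unsigned char *frame, uint32_t canary) {
    uint32_t ret = 0x08048000u; /* constructed placeholder, not a real address */
    memset(frame, 0, FRAME_LEN);
    memcpy(frame + CANARY_OFF, &canary, sizeof canary);
    memcpy(frame + RET_OFF, &ret, sizeof ret);
}

/* Epilogue: the comparison ProPolice emits before the function returns.
 * Returns 1 when the guard still holds its expected value. */
static int canary_intact(const unsigned char *frame, uint32_t expected) {
    uint32_t seen;
    memcpy(&seen, frame + CANARY_OFF, sizeof seen);
    return seen == expected;
}

/* The bug the guard protects against: an unbounded copy into the 16-byte
 * buffer.  Clamped to the array so the simulation itself stays in bounds. */
static void unchecked_copy(unsigned char *frame, const unsigned char *src, size_t n) {
    if (n > FRAME_LEN) n = FRAME_LEN;
    memcpy(frame, src, n);
}

/* Run one copy through prologue, bug and epilogue.  Returns 1 if the
 * epilogue would abort (overrun detected), 0 if the corrupted frame would
 * be trusted and the function would return normally. */
int overrun_detected(uint32_t canary, const unsigned char *src, size_t n) {
    unsigned char frame[FRAME_LEN];
    frame_init(frame, canary);
    unchecked_copy(frame, src, n);
    return !canary_intact(frame, canary);
}

/* Constructed 24-byte inputs that reach past the buffer into the canary
 * and return-address slots.  In the first, the four bytes landing on the
 * canary happen to be zero; in the second they are ordinary text. */
const unsigned char OVERRUN_WITH_ZEROS[FRAME_LEN] = {
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    0x00,0x00,0x00,0x00,
    0x42,0x42,0x42,0x42
};
const unsigned char OVERRUN_WITH_TEXT[FRAME_LEN] = {
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    'A','A','A','A',
    0x42,0x42,0x42,0x42
};

int main(void) {
    printf("zero canary,   zero-filled overrun: detected=%d\n",
           overrun_detected(ZERO_CANARY, OVERRUN_WITH_ZEROS, FRAME_LEN));
    printf("random canary, zero-filled overrun: detected=%d\n",
           overrun_detected(SAMPLE_RANDOM_CANARY, OVERRUN_WITH_ZEROS, FRAME_LEN));
    printf("zero canary,   text overrun:        detected=%d\n",
           overrun_detected(ZERO_CANARY, OVERRUN_WITH_TEXT, FRAME_LEN));
    printf("random canary, in-bounds copy:      detected=%d\n",
           overrun_detected(SAMPLE_RANDOM_CANARY, OVERRUN_WITH_TEXT, BUF_LEN));
    return 0;
}
```

The first case is the one the reply warns about: the overrun rewrites the return-address slot, yet because the bytes that land on a zero canary are themselves zero, the epilogue comparison succeeds and the corruption goes unnoticed. With an unpredictable guard the same input is caught, and an in-bounds copy is left alone in both configurations. This is also why the source of the guard matters: whichever interface supplies it (/dev/urandom or the kern.arnd sysctl), the value has to be unguessable per process for the check to mean anything.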