Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 18 Sep 1998 20:23:08 +0400
From:      Alexandre Snarskii <snar@paranoia.ru>
To:        Allen Smith <easmith@beatrice.rutgers.edu>, Alexandre Snarskii <snar@paranoia.ru>, Warner Losh <imp@village.org>
Cc:        security@FreeBSD.ORG
Subject:   Re: The 99,999-bug question: Why can you execute from the stack?
Message-ID:  <19980918202308.39458@nevalink.ru>
In-Reply-To: <9809171619.ZM23712@beatrice.rutgers.edu>; from Allen Smith on Thu, Sep 17, 1998 at 04:19:52PM -0400
References:  <199807200102.SAA07953@bubba.whistle.com> <199807200148.TAA07794@harmony.village.org> <imp@village.org> <9807192209.ZM23527@beatrice.rutgers.edu> <19980720173800.17978@nevalink.ru> <snar@paranoia.ru> <9809171619.ZM23712@beatrice.rutgers.edu>

next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, Sep 17, 1998 at 04:19:52PM -0400, Allen Smith wrote:
> > > I'd suggest adding anything executing with an effective uid of root;
> > > keep in mind servers. I've actually worked on this with the
> > > libparanoia's libc substitution, at least with the non-assembler ones;
> > > I'll try to find the time to test soon whether this actually speeds
> > > things up.
> > 
> > Better approach is (every suid/sgid program) or ( euid == 0 ).
> > Patch to libparanoia/stentry.c attached. ( You have no need to 
> > patch any other file - all checks are in stentry.c, others is just 
> > standard files from /usr/src/lib/libc, just calls to stentry.c functions
> > added ). 
> > Patched libparanoia available at 
> > ftp://ftp.lexa.ru/pub/domestic/snar/libparanoia.1.1.tgz

New versions available at the same place. 

Library, which checks stack integrity only for cases
of setugid/root owned now called libaranoia.N.N-root.tgz, 
where N.N is a version. Note, that these checks is 
a little broken by design - there are some daemons 
(tftpd, for example) running non-setuid and with euid!=0, 
so, no checks of stack integrity done. 

> 
> Sorry about the delay on replying to this; I've been busy. While this
> is a nicer way to do this in many ways, I am concerned in whether the
> delay from calling the libparanoia checks is from the function call or 
> from what the function does. If the latter, fine; if the former, the
> problem I was working on (avoiding the slowdown except when really
> needed) still exists. Any idea which is the case? (Of course, there's
                        ^^^^^^^^^^^^^^^^^^^^^^^^^^
Second one. 

> also the time taken in doing the issetugid and geteuid checks in
> either case, whether one has them in the individual functions or in

This check done only once - at first call to any 'insecure' 
function. Result stored in global static variable, and used
in later calls to avoid switching to kernel mode. 

> stentry.c.) If need be, I'll try some profiling, but I'd prefer to
> avoid that if someone already knows the answer.

Paranoidal strcpy (on short strings) runs about six times slower
that standard. On longer strins (tested with 1K) there is about no 
difference. 

( 1K strings with 'always check' policy by default and 
'only root check' policy in preloaded libparanoia :
 
snar@horse:~/compile/p-checks>time ./a.out
        9.04 real         6.62 user         0.02 sys
snar@horse:~/compile/p-checks>export LD_PRELOAD=../libparanoia/libparanoia.so.1.2
snar@horse:~/compile/p-checks>time ./a.out
        8.80 real         6.46 user         0.00 sys

1 byte string with same policy:
snar@horse:~/compile/p-checks>time ./a.out
        0.46 real         0.42 user         0.00 sys
snar@horse:~/compile/p-checks>export LD_PRELOAD=../libparanoia/libparanoia.so.1.2
snar@horse:~/compile/p-checks>time ./a.out
        0.16 real         0.13 user         0.01 sys

-- 
Alexandre Snarskii
the source code is included

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19980918202308.39458>