Article delegate-en/643 of [1-5044] on the server delegate.cloudapp.net:119
  upper oldest olders older1 this newer1 newers latest
search
[Top/Up] [oldest] - [Older+chunk] - [Newer+chunk] - [newest + Check]
[Reference:<_A642@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: Delegate Security - Buffer Overflows
29 Nov 1999 08:37:11 GMT ysato@etl.go.jp (Yutaka Sato)

On 11/28/99(00:55) I wrote in <_A642@delegate-en.ML_>
 |On 11/18/99(19:12) I wrote in <_A636@delegate-en.ML_>
 | |But all of these are platform dependent thus are hard to be portable.
 | |So I thought a simple and portable solution out now which may be
 | |feasible for a while, that is "stack-base randomization".  I enclosed
 |
 |I thought out one more device which will be effective to prevent that
 |kind of attack, that is "file-descriptor randomization", like enclosed.

Sorry, the patch was bad to cause accept error.  Here is a fixed
version of "file-descriptor randomization" patch.

Cheers,
Yutaka
--
Yutaka Sato <ysato@etl.go.jp> http://www.etl.go.jp/~ysato/   @ @ 
Computer Science Division, Electrotechnical Laboratory      ( - )
1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan            _<   >_


diff -cr 603/rary/randstack.c ./rary/randstack.c
*** 603/rary/randstack.c	Fri Nov 19 16:34:22 1999
--- ./rary/randstack.c	Mon Nov 29 17:26:13 1999
***************
*** 64,66 ****
--- 64,102 ----
  	arg.s_count = size;
  	return call1(&arg);
  }
+ 
+ /*
+  * This must be 32 or smaller because current implementation assumes
+  * the fd_mask as an integer of 32 bits. (PollIn(), etc)
+  */
+ int RANDFD_MAX = 32;
+ 
+ randfd(fd)
+ {	unsigned int sec,usec,foff;
+ 	int rfd,nfd;
+ 
+ 	if( fd < 0 )
+ 		return fd;
+ 
+ 	if( RANDFD_MAX == 0 )
+ 		return fd;
+ 	else{
+ 		sec = Gettimeofday(&usec);
+ 		foff = getpid() + sec ^ usec/1000;
+ 		rfd = -1;
+ 		if( fd < RANDFD_MAX-1 ){
+ 			nfd = fd + foff % (RANDFD_MAX - fd - 1) + 1;
+ 			if( !file_is(nfd) )
+ 				rfd = dup2(fd,nfd);
+ 		}
+ 		if( rfd < 0 )
+ 			rfd = dup(fd);
+ 		if( rfd < 0 )
+ 			rfd = fd;
+ 		else	close(fd);
+ 		/*
+ 		fprintf(stderr,"##[%d]## RANDFD %d -> %d\n",getpid(),fd,rfd);
+ 		*/
+ 		return rfd;
+ 	}
+ }
diff -cr 603/src/delegated.c ./src/delegated.c
*** 603/src/delegated.c	Thu Nov 25 11:08:25 1999
--- ./src/delegated.c	Mon Nov 29 16:57:13 1999
***************
*** 3307,3312 ****
--- 3307,3313 ----
  
  	ABMwhere = "accepting1";
  	clsock = ACCEPT1(svsock,1,exlock,1,sockname);
+ 	clsock = randfd(clsock);
  	ACCEPT_TIME = Time();
  	if( clsock < 0 )
  		sv1log("AcceptByMain[%d]: taken by a Sticky (%d)?\n",svsock,
***************
*** 3429,3434 ****
--- 3430,3436 ----
  		if( 0 <= clsock )
  			break;
  	}
+ 	clsock = randfd(clsock);
  	ACCEPT_TIME = Time();
  EXIT:
  	if( 0 <= shlock )

  admin search upper oldest olders older1 this newer1 newers latest
[Top/Up] [oldest] - [Older+chunk] - [Newer+chunk] - [newest + Check]
@_@V