
| Subject: | Re: [Full-Disclosure] "Advances in Security" in the Linux Kernel and RedHat idiocy |
|---|---|
| Date: | Thu, 27 Jan 2005 14:44:51 -0500 |
On Thu, Jan 27, 2005 at 08:37:19PM +0100, Michal Zalewski wrote:
> On Thu, 27 Jan 2005, Brad Spengler wrote:
> > I guess anyone who thinks that taking a hardcoded exploit and running it 256 times would always result in a successful exploit is stupid.
> It would not always result in a successful exploitation; just as flipping the coin twice is not a guarantee of getting tails once.

Of course, but you get the idea. Your chances of succeeding after 256 tries are such that it is highly probable you wouldn't fail (and in fact, if the process you're attacking is a forking daemon like apache, if you iterate through all the possibilities, you do indeed have a 100% chance of succeeding after 256 tries).

> Other than that, the amount of randomization is indeed puny; but then, even 32-bit randomization is a good defense only in certain situations, and often, can be defeated with some time, aided by luck or a decent NOP-equivalent sled.

Indeed, and only PaX/grsecurity handles these things, which is why it is useful in our case. However, attempting to use weak randomization as RedHat is trying is nothing more than trivial obfuscation, which should have no place in the kernel. All it does is give people a false sense of security, and allow RedHat to make claims that they're preventing 75% of exploits with Exec-shield (of course ignoring that all such exploits that failed could be easily rewritten to succeed).

Things have really taken a turn for the worse: Linus used to be against having only a non-executable stack because it's trivially evaded. Now he's all for something that is even more obfuscation than having only a non-executable stack: the exploits don't even have to be rewritten in this case. This all reeks of security ignorance and politics.

-Brad
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
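The probability argument in the exchange above, worked through as an added example (this is not code from the original thread or from PaX, grsecurity or Exec-shield). It models the two attacker situations the posters contrast for a randomization space of 2**bits slots: a forking daemon, whose children all inherit the parent's one-time layout, so the attacker can simply enumerate the space; and a target that is re-randomized before every attempt, where each try is an independent guess. The 8-bit / 256-attempt figure and the two-coin-flip remark are the thread's; the optional `sled_slots` parameter is a modelling assumption of mine (a sled that fully covers `sled_slots` randomization units turns one guess into that many simultaneous guesses).

```python
"""Brute-force model for low-entropy address randomization (added example).

Scenario 1, forking daemon: the parent picks its layout once; every child
forked to serve a connection inherits the same addresses, so a hardcoded
exploit that walks the candidate addresses is guaranteed to hit within
2**bits attempts.

Scenario 2, re-randomized target: each attempt faces a fresh layout, so each
try is an independent Bernoulli trial and there is no finite attempt count
that guarantees success, only a confidence level.
"""
import math
import random


def fixed_layout_attempts(bits: int, true_slot: int) -> int:
    """Attempts needed against a layout that never changes between tries
    (forking daemon).  The attacker enumerates candidate slots in order."""
    space = 1 << bits
    if not 0 <= true_slot < space:
        raise ValueError("true_slot lies outside the randomization space")
    for attempt, guess in enumerate(range(space), start=1):
        if guess == true_slot:
            return attempt
    raise AssertionError("unreachable: exhaustive enumeration always hits")


def fixed_layout_expected_attempts(bits: int) -> float:
    """Mean attempts against a uniformly placed fixed layout: (2**bits + 1) / 2."""
    return ((1 << bits) + 1) / 2


def rerandomized_success_prob(bits: int, attempts: int, sled_slots: int = 1) -> float:
    """P(at least one hit in `attempts` tries) when every try sees a fresh
    layout.  sled_slots > 1 models a sled covering that many randomization
    units (assumption: the sled covers whole units exactly)."""
    space = 1 << bits
    if not 1 <= sled_slots <= space:
        raise ValueError("sled must cover between 1 and 2**bits units")
    p_hit = sled_slots / space
    return 1.0 - (1.0 - p_hit) ** attempts


def rerandomized_attempts_for_confidence(bits: int, confidence: float,
                                         sled_slots: int = 1) -> int:
    """Smallest n with P(success within n tries) >= confidence for a
    re-randomized target.  Derived from 1 - (1 - p)**n >= confidence."""
    if not 0.0 < confidence < 1.0:
        raise ValueError("confidence must be strictly between 0 and 1")
    p_hit = sled_slots / (1 << bits)
    if p_hit >= 1.0:
        return 1
    return math.ceil(math.log(1.0 - confidence) / math.log(1.0 - p_hit))


def simulate_rerandomized(bits: int, attempts: int, trials: int, seed: int = 1234) -> float:
    """Monte Carlo cross-check of rerandomized_success_prob: fraction of
    trials in which a fixed guess hits a uniformly re-drawn layout within
    `attempts` tries.  Seeded so the result is reproducible."""
    rng = random.Random(seed)
    space = 1 << bits
    hits = 0
    for _ in range(trials):
        for _ in range(attempts):
            # Attacker always guesses slot 0; the target is uniform, so the
            # choice of guess does not matter.
            if rng.randrange(space) == 0:
                hits += 1
                break
    return hits / trials


if __name__ == "__main__":
    bits = 8  # the 256-possibility case discussed in the thread
    print(f"forking daemon, worst case : {fixed_layout_attempts(bits, 255)} attempts")
    print(f"forking daemon, mean       : {fixed_layout_expected_attempts(bits)} attempts")
    print(f"re-randomized, 256 tries   : P(success) = {rerandomized_success_prob(bits, 256):.4f}")
    print(f"re-randomized, 99% conf.   : {rerandomized_attempts_for_confidence(bits, 0.99)} attempts")
    print(f"two coin flips, >=1 tails  : {rerandomized_success_prob(1, 2):.2f}")
    print(f"Monte Carlo, 256 tries     : {simulate_rerandomized(bits, 256, 2000):.3f}")
```

Against the forking daemon, 256 attempts is a hard upper bound and about 128 on average; against a target that is re-randomized each time, 256 attempts give roughly a 63% chance of success and about 1,177 are needed for 99% confidence. Both numbers are small enough that 8 bits is, as the thread puts it, puny.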