Subject: req: logging core dumps automatically as security-relevant data
To: tech-security@netbsd.org
From: Travis H. <travis+ml-tech-security-netbsd@subspacefield.org>
List: tech-security
Date: 01/22/2007 02:09:07
I know there's been some discussion previously about where core files
(especially for SUID programs) should go. I really liked the idea of
being able to quarantine them somewhere other than their cwd; too
often that jumbles up things, and could lead to further problems,
like if a SUID program working on authentication data dumped core
inside a directory in a web DocumentRoot that was open to the public.
To the end user and most sysadmins, core files are an annoyance,
akin to file system litter, and they rarely get analyzed.

Apart from that, I think that the knowledge of what programs are
segfaulting, in what directories and for what users would be a
great way to identify if someone is testing SUID/SGID programs for
vulnerabilities, or to outright exploit them. The harder this is,
the more noise they make, so the better our detection can work here.
We can probably even figure out exactly what they were doing,
which could lead to whitehats learning about a new technique
before it is publicly discussed.

Also, it will increase the "noise" of the exploitation, especially
with address space layout randomization. The kind of people who
work out an exploit on a system live don't particularly like drawing
attention to themselves...

Another neat trick would be to give the cores (corpses) very confusing
contents; perhaps some binary stuff that looks like code, with heap
and stack pages partially corrupted and swapped about, and missing
chunks from the .text segment, and with the shared libraries remapped
to new addresses just for fun. Oh yeah, don't forget to load all
the saved registers with random data (or taken from another part
of the image). That would be kind of a fun project, actually :-)
-- 
``Unthinking respect for authority is the greatest enemy of truth.''
-- Albert Einstein -><- <URL:http://www.subspacefield.org/~travis/>
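The detection idea in the message above (treating crashes of set-id programs, and bursts of crashes by one user, as a signal that someone is poking at them) can be sketched as a small log-scanning script. This is an added example, not code from the poster or from NetBSD. It assumes the kernel logs signal exits in the BSD-style form "pid N (name), uid U: exited on signal S (core dumped)"; the exact wording on a given release may differ, so the regular expression is the part to adjust. The sample log lines and the list of set-id program names are constructed for the example; the optional filesystem check shows how a real deployment would derive that list.

```python
import os
import re
import stat
from collections import Counter

# Assumed message format, modelled on the BSD kernel's signal-exit log line.
# Adjust this pattern if the running kernel words it differently.
CRASH_RE = re.compile(
    r"pid (?P<pid>\d+) \((?P<name>[^)]+)\), uid (?P<uid>\d+): "
    r"exited on signal (?P<sig>\d+) \(core (?P<core>dumped|not dumped)"
)

# Signals that usually indicate memory corruption or a failed exploit attempt
# (BSD numbering): SIGILL, SIGABRT, SIGEMT, SIGBUS, SIGSEGV.
MEMORY_SIGNALS = {4, 6, 7, 10, 11}


def parse_crash_line(line):
    """Return a dict describing the crash, or None if the line is not one."""
    m = CRASH_RE.search(line)
    if not m:
        return None
    return {
        "pid": int(m["pid"]),
        "name": m["name"],
        "uid": int(m["uid"]),
        "signal": int(m["sig"]),
        "core": m["core"] == "dumped",
    }


def is_setid_path(path):
    """Live check: does the binary at 'path' carry the setuid or setgid bit?"""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID))


def detect(lines, setid_names, threshold=3):
    """Scan log lines and return a list of (kind, uid, name, count) alerts.

    - "setid-crash": any memory-corruption signal in a set-id program
      (reported once per uid/program pair, on the first occurrence).
    - "crash-burst": 'threshold' or more such crashes of the same program
      by the same uid, whether or not it is set-id.
    """
    alerts = []
    counts = Counter()
    for line in lines:
        crash = parse_crash_line(line)
        if crash is None or crash["signal"] not in MEMORY_SIGNALS:
            continue
        key = (crash["uid"], crash["name"])
        counts[key] += 1
        if crash["name"] in setid_names and counts[key] == 1:
            alerts.append(("setid-crash", crash["uid"], crash["name"], 1))
    for (uid, name), n in counts.items():
        if n >= threshold:
            alerts.append(("crash-burst", uid, name, n))
    return alerts


# Constructed sample log excerpt: three passwd crashes by one user (the
# pattern of someone iterating on an exploit), one ordinary crash, one
# non-memory signal, and an unrelated line.
SAMPLE_LOG = [
    "Jan 22 02:03:11 host /netbsd: pid 812 (passwd), uid 1001: exited on signal 11 (core dumped)",
    "Jan 22 02:03:19 host /netbsd: pid 813 (passwd), uid 1001: exited on signal 11 (core dumped)",
    "Jan 22 02:03:27 host /netbsd: pid 814 (passwd), uid 1001: exited on signal 11 (core dumped)",
    "Jan 22 02:05:02 host /netbsd: pid 900 (firefox), uid 1002: exited on signal 11 (core dumped)",
    "Jan 22 02:05:40 host /netbsd: pid 901 (sh), uid 1002: exited on signal 15 (core not dumped)",
    "Jan 22 02:06:00 host sshd[950]: Accepted publickey for alice from 192.0.2.10",
]

# Constructed list of set-id program names; in practice build it by walking
# the system directories with is_setid_path().
SETID_NAMES = {"passwd", "su", "login", "ping"}


def run_sample():
    """Run the detector over the constructed sample and return its alerts."""
    return detect(SAMPLE_LOG, SETID_NAMES)


if __name__ == "__main__":
    for kind, uid, name, n in run_sample():
        print(f"{kind}: uid={uid} program={name} count={n}")
```

Feeding the script the real kernel log (or a core-dump quarantine directory listing) instead of SAMPLE_LOG turns it into the monitor the message proposes; the two alert kinds separate "a set-id program crashed at all" from "someone is repeatedly crashing the same program", which is the burst of noise the poster expects an attacker working live to produce.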