On Thu, Jan 27, 2005 at 08:37:19PM +0100, Michal Zalewski wrote: > On Thu, 27 Jan 2005, Brad Spengler wrote: > > > I guess anyone who thinks that taking a hardcoded exploit and running it > > 256 times would always result in a successful exploit is stupid. > > It would not always result in a successful exploitation; just as flipping > the coin twice is not a guarantee of getting tails once. Of course, but you get the idea. Your chances of succeeding after 256 tries are such that it is highly probable you wouldn't fail (and in fact, if the process you're attacking is a forking daemon like apache, if you iterate through all the possibilities, you do indeed have a 100% chance of succeeding after 256 tries). > Other than that, the amount of randomization is indeed puny; but then, > even 32-bit randomization is a good defense only in certain situations, > and often, can be defeated with some time, aided by luck or a decent > NOP-equivalent sled. Indeed, and only PaX/grsecurity handles these things, which is why it is useful in our case. However, attempting to use weak randomization as RedHat is trying is nothing more than trivial obfuscation, which should have no place in the kernel. All it does is give people a false sense of security, and allow RedHat to make claims that they're preventing 75% of exploits with Exec-shield (of course ignoring that all such exploits that failed could be easily rewritten to succeed). Things have really taken a turn for the worse: Linus used to be against having only a non-executable stack because it's trivially evaded. Now he's all for something that is even more obfuscation than having only a non-executable stack: the exploits don't even have to be rewritten in this case. This all reeks of security ignorance and politics. -Brad
Attachment:
signature.asc
Description: Digital signature
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html