Hello,

Your heap protection scheme is based on checking the validity of the chunk structure magic value that is calculated as

(chunk)->magic = (((int) chunk) ^ *__heap_magic ^ (chunk)->size)

I believe that "chunk" and "(chunk)->size" can be considered to be known to attackers and thus contain no entropy. Thus the security of your scheme is based on the randomness of the "__heap_magic" value, which is calculated as

+#ifdef __HEAP_PROTECTION
[snip]
+ srand(time(NULL));
+ *__heap_magic = rand();
[snip]
+ if (mprotect(__heap_magic, sizeof(*__heap_magic), PROT_READ))
+ fprintf(stderr, "glibc: WARNING: unable to protect heap magic!\n");
+#endif /* __HEAP_PROTECTION */

With such a poor random number generator you only raise the bar slightly higher, whereby attackers have to predict your "random" canary in their exploits. Also, since you initialize "__heap_magic" once per process, an attacker might be able to use nmap to determine the uptime of the victim machine, which will quite precisely determine when a process was started (a valid assumption for daemon processes).

cheers,
eugene

> Hi all,
>
> I'd just like to announce that we have a heap protection system for glibc available for download. The system detects and prevents all heap overflow exploits that modify inline control information from
> succeeding against a protected application, can be installed
> system-wide or on a per-process basis using LD_PRELOAD, and is
> transparent to existing applications.
>
> We would definitely appreciate any feedback and bug reports on the code. The patch and some additional information is available at:
>
> http://www.cs.ucsb.edu/~wkr/projects/heap_protection/
>
> Enjoy!
>
> --
> William Robertson
> Reliable Software Group, UC Santa Barbara
> http://www.cs.ucsb.edu/~wkr/
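Review bot: The seeding in the quoted hunk, `srand(time(NULL));` followed by `*__heap_magic = rand();`, gives the process-wide canary no more entropy than a one-second start timestamp run through libc's rand(), so anyone who can bound when the process started can enumerate the candidate seeds; the value should instead come from a kernel entropy source such as /dev/urandom. Separately, the `mprotect()` failure path only prints "unable to protect heap magic!" and continues with the magic still writable; either treat that failure as fatal or document clearly that protection is degraded when it happens.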
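The prediction attack eugene describes, written out as an added example in C; this is not code from eugene's message, from William Robertson's patch, or from glibc. It mirrors the quoted `srand(time(NULL)); rand()` seeding and the `(chunk)->magic` formula, then plays the attacker who knows the victim's start time only to within a window of seconds. The function names (`victim_init_magic`, `chunk_magic`, `recover_magic`, `urandom_magic`), the fixed start time, chunk address, size and window are all this example's own assumptions, and the /dev/urandom alternative is this example's suggestion, not something the patch does.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <time.h>

/* Victim side: mirrors the quoted patch's seeding, with the start time
 * passed in so the example is deterministic and independent of the
 * wall clock.  (Example code, not the patch's own.) */
int victim_init_magic(time_t start_time)
{
    srand((unsigned)start_time);
    return rand();
}

/* The per-chunk tag from the patch: chunk address ^ process magic ^ size.
 * Address and size are attacker-known, so the tag leaks nothing beyond
 * heap_magic itself, and forging it only requires heap_magic. */
int chunk_magic(uintptr_t chunk_addr, int heap_magic, size_t size)
{
    return (int)chunk_addr ^ heap_magic ^ (int)size;
}

/* Attacker side: the process start time is only known to lie within
 * +/- window seconds of `guess` (e.g. host uptime from nmap plus the
 * daemon's place in the boot sequence).  Each candidate seed gives one
 * candidate magic; in a real attack each candidate is one exploit
 * attempt.  Returns 1 if the true magic is among the candidates and
 * stores the number of seeds tried in *attempts_out (may be NULL). */
int recover_magic(time_t guess, unsigned window, int true_magic,
                  unsigned *attempts_out)
{
    unsigned attempts = 0;
    int found = 0;
    for (time_t s = guess - (time_t)window; s <= guess + (time_t)window; s++) {
        attempts++;
        srand((unsigned)s);          /* same libc, same seed -> same rand() */
        if (rand() == true_magic) {
            found = 1;
            break;
        }
    }
    if (attempts_out)
        *attempts_out = attempts;
    return found;
}

/* Hardened alternative suggested by this example (not from the patch):
 * take the magic from the kernel CSPRNG so there is no seed to guess.
 * Returns 0 on success, -1 if /dev/urandom is unavailable. */
int urandom_magic(int *out)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    size_t n = fread(out, sizeof *out, 1, f);
    fclose(f);
    return n == 1 ? 0 : -1;
}

int main(void)
{
    /* Constructed values: a fixed start time, chunk address and size. */
    time_t start = 1000000000;
    uintptr_t chunk = 0x08050000u;
    size_t size = 0x40;

    int magic = victim_init_magic(start);
    printf("victim heap_magic 0x%08x, chunk tag 0x%08x\n",
           (unsigned)magic, (unsigned)chunk_magic(chunk, magic, size));

    /* Attacker's uptime-based estimate is 37 s off, with a 2-minute window. */
    unsigned attempts = 0;
    int found = recover_magic(start + 37, 120, magic, &attempts);
    printf("brute force over %u candidate seeds: %s\n",
           attempts, found ? "magic recovered" : "not found");

    int strong = 0;
    if (urandom_magic(&strong) == 0)
        printf("urandom-derived magic 0x%08x (no seed to guess)\n",
               (unsigned)strong);
    return found ? 0 : 1;
}
```

With a two-minute uncertainty the attacker needs at most 241 candidate seeds, and each one is a single forged tag to try; the search assumes the attacker runs the same libc as the target, since rand() sequences differ between C libraries. Reading the magic from /dev/urandom removes the seed entirely, though it does nothing about the separate point that a per-process value, once learned through any leak, stays valid for the life of the process.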