Security: Libsafe

[Robert L Krawitz]

   Date: Fri, 21 Apr 2000 10:19:56 -0500
   From: Mark Donnelly <gimli at offcenter.org>

   If you put it on your LD_PRELOAD, its functions will be 
   used in place of strcpy, strcat, getwd, gets, [vf]
   scanf, realpath, and [v]sprintf.  

   Its behavior on detecting a buffer overflow is to kill the
   application and its process group (SIGKILL), and to log an error
   message to /var/log/security.

   Personally, I would prefer it to at least have the option to
   silently perform the function up to the point of the buffer overrun
   and return, rather than killing the process.  I don't sit on my box
   enough to justify the possibility of just outright killing
   sendmail.  :(

Well, then the program will continue on with garbage data (of a
different kind).  Is that really desirable?

Personally, I think that it should commit suicide if it even
encounters a call to gets at all.  strcpy, scanf, and sprintf can be
safe within the program, if there are other guarantees that the
supplied buffer won't be exceeded (for example, the string length
might be checked before being copied).  gets can only be safe if
behavior outside of the process can be guaranteed, which requires
non-local knowledge.

One obvious use for this is for the system administrator to put it in
/etc/ld.so.preload as part of an overall hardening procedure.  Having
it be defeatable gets around the whole purpose of doing that.

-- 
Robert Krawitz <rlk at alum.mit.edu>      http://www.tiac.net/users/rlk/

Tall Clubs International  --  http://www.tall.org/ or 1-888-IM-TALL-2
Member of the League for Programming Freedom -- mail lpf at uunet.uu.net
Project lead for The Gimp Print --  http://gimp-print.sourceforge.net

"Linux doesn't dictate how I work, I dictate how Linux works."
--Eric Crampton
-
Subcription/unsubscription/info requests: send e-mail with
"subscribe", "unsubscribe", or "info" on the first line of the
message body to discuss-request at blu.org (Subject line is ignored).