argus suggestion

David Brumley dbrumley at rtfm.stanford.edu
Mon Jul 24 15:39:51 EDT 2000


I was looking at argus for unsigned to signed conversions.  It seems there
are a few places where this happens.  For example, in cons_frag.c in 1.8.1
length is a signed int, which is added to fragCb->bytes, which is
unsigned.  If for some reason the packet shows up with a negative offset,
this would spoil the counter.

The example may not be all that interesting (because it probably isn't
exploitable), but it's the kind of thing that someone would use to create
a covert channel.

My suggestion would be to look through for these sorts of things and make
sure there are no system dependencies, esp. between signed/unsigned
bytes.  For the most part it looks good in 1.8.1, but moving forward I
would explicitly note in the design programmatic methods such as this.

cheers,
david


#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security - dbrumley at Stanford.EDU
Phone: +1-650-723-2445    WWW: http://www.stanford.edu/~dbrumley
Fax:   +1-650-725-9121    PGP: finger dbrumley-pgp at sunset.Stanford.EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
c:\winnt> secure_nt.exe
  Securing NT.  Insert Linux boot disk to continue......
	    "I have opinions, my employer does not."



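The signed-into-unsigned accumulation described in the message above, shown next to a checked form. This is an added example, not part of the original post and not argus code: `struct frag_cb`, both function names and the sample lengths are hypothetical and constructed for illustration.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical stand-in for a fragment control block; not argus's struct. */
struct frag_cb {
    unsigned int bytes;   /* running total of fragment payload bytes */
};

/* Pattern from the message: a signed length added to an unsigned counter.
 * A negative length is converted modulo UINT_MAX + 1, so the counter
 * silently wraps instead of signalling an error. */
static void frag_account_unchecked(struct frag_cb *cb, int length)
{
    cb->bytes += length;
}

/* Checked form: reject negative lengths and additions that would wrap. */
static int frag_account_checked(struct frag_cb *cb, int length)
{
    if (length < 0)
        return -1;
    if ((unsigned int)length > UINT_MAX - cb->bytes)
        return -1;
    cb->bytes += (unsigned int)length;
    return 0;
}

int main(void)
{
    /* Constructed lengths: two ordinary fragments, then a negative one. */
    const int lengths[] = { 1480, 1480, -4000 };
    struct frag_cb a = { 0 }, b = { 0 };
    size_t i;

    for (i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        frag_account_unchecked(&a, lengths[i]);
        if (frag_account_checked(&b, lengths[i]) != 0)
            printf("rejected length %d\n", lengths[i]);
    }
    printf("unchecked: %u  checked: %u\n", a.bytes, b.bytes);
    return 0;
}
```

Compiling with `-Wsign-conversion` (GCC and Clang) flags the implicit conversion in the unchecked function, which is one way to look through a code base for this class of issue.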