argus suggestion

Carter Bullard carter at qosient.com
Mon Jul 24 21:04:43 EDT 2000


Hey David,
   Thanks!!! Yes, I agree with you wholeheartedly.
We do check for valid lengths, probably too much, 
in the code, but what we do when the packets are
not appropriate is just return, so at this point
we'll miss some of these poorly formed datagrams.
This, I know, will be something that we need to
correct in 2.0.

   On the side, I got my Linux and Solaris machines
in today, just in time for me to go to Wash DC
and then to the IETF, so we'll be in full swing
in 10-14 days.  I'm looking forward to that !!!!!

Carter


   

-----Original Message-----
From: owner-argus at lists.andrew.cmu.edu
[mailto:owner-argus at lists.andrew.cmu.edu]On Behalf Of David Brumley
Sent: Monday, July 24, 2000 3:40 PM
To: argus at lists.andrew.cmu.edu
Subject: argus suggestion


I was looking at argus for unsigned to signed conversions.  It seems there
are a few places where this happens.  For example, in cons_frag.c in 1.8.1
length is a signed int, which is added to fragCb->bytes, which is
unsigned.  If for some reason the packet shows up with a negative offset,
this would spoil the counter.

The example may not be all that interesting (because it probably isn't
exploitable), but it's the kind of thing that someone would use to create
a covert channel.

My suggestion would be to look through for these sorts of things and make
sure there are no system dependencies, esp between signed/unsigned
bytes.  For the most part it looks good in 1.8.1, but moving forward I
would explicitly note in the design programmatic methods such as this.

cheers,
david


#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
David Brumley - Stanford Computer Security - dbrumley at Stanford.EDU
Phone: +1-650-723-2445    WWW: http://www.stanford.edu/~dbrumley
Fax:   +1-650-725-9121    PGP: finger dbrumley-pgp at sunset.Stanford.EDU
#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#
c:\winnt> secure_nt.exe
  Securing NT.  Insert Linux boot disk to continue......
	    "I have opinions, my employer does not."
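
The signed-to-unsigned accounting problem discussed in this thread, as an added example that is not part of either message and is not argus code: a signed length added to an unsigned byte counter, next to a checked version that counts the malformed datagram instead of silently returning. The struct, function names and sample lengths are assumptions constructed for illustration; only the signed `length` and unsigned `bytes` pairing comes from the post.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical stand-in for a fragment control block; only the
 * unsigned byte counter is modelled. */
struct frag_cb {
    unsigned int bytes;
};

/* Pattern described in the post: signed length added to unsigned counter.
 * A negative length is converted to a huge unsigned value first, so the
 * counter wraps (modulo UINT_MAX + 1) instead of failing. */
static void account_unchecked(struct frag_cb *cb, int length)
{
    cb->bytes += length;
}

/* Checked version: refuse negative lengths and additions that would
 * overflow, and record the rejection so the bad datagram is not lost.
 * Returns 0 when the length was accounted, -1 when it was rejected. */
static int account_checked(struct frag_cb *cb, int length,
                           unsigned int *malformed)
{
    if (length < 0 || (unsigned int)length > UINT_MAX - cb->bytes) {
        if (malformed)
            (*malformed)++;
        return -1;
    }
    cb->bytes += (unsigned int)length;
    return 0;
}

int main(void)
{
    /* Constructed sample: -200 models a length derived from bad headers. */
    int lengths[] = { 1480, -200, 520 };
    struct frag_cb raw = { 100 }, safe = { 100 };
    unsigned int malformed = 0;

    for (size_t i = 0; i < sizeof lengths / sizeof lengths[0]; i++) {
        account_unchecked(&raw, lengths[i]);
        account_checked(&safe, lengths[i], &malformed);
    }
    printf("unchecked bytes=%u\n", raw.bytes);
    printf("checked bytes=%u malformed=%u\n", safe.bytes, malformed);
    return 0;
}
```

Compiling with `-Wsign-conversion` (GCC or Clang) flags the implicit conversion in `account_unchecked`, which is one way to find the remaining sites.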
