On 10/17/14 22:38, Theo de Raadt wrote:
>> I'm trying to read the stack of another process that has the same user
>> credentials. Here is my program, I am stuck with this, it doesn't work
>> for me. Printing 0's is rewrapped to '.' and you should use this program
>> with hexdump like so: ./memtest [pid] | hexdump -C | less
>> Sometimes I get a bit of the stack but it seems random, dunno what the
>> deal is.
>
> In OpenBSD, each process has the same 'stack space' (a large region),
> but actual area in use is biased randomly up to 256K or so.
>
> % sysctl kern.stackgap_random
> kern.stackgap_random=262144
>
Stackgap! That's awesome! Too bad I forgot about it. And just as it wasted my time, it'll waste attackers' time.

Let me share what I was able to do on another OS. I wrote a proof-of-concept that reads crypto keys out of a certain program's stack while the user is saving the crypto to a file. I'm not going to name that program, but what's important, and I learned this lesson from OpenBSD, is that crypto keys and passwords are zeroed right after their use.

So thanks for both the stackgap and the zeroing of keys! That's simply brilliant and makes attackers' lives harder.

Cheers,
-peter
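As an added illustration of the key-zeroing habit Peter credits to OpenBSD (example code written for this page, not from the thread or from any program mentioned in it): a stack copy of a key is used once and then wiped through a volatile function pointer, so the compiler cannot drop the final store as dead. On OpenBSD, explicit_bzero(3) does this job; the portable wipe below is an assumption for systems without it, and the XOR "use" and sample key are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Call memset through a volatile function pointer so the compiler must keep
 * the store even though the buffer dies right afterwards. Portable stand-in
 * (an assumption here) for OpenBSD's explicit_bzero(3). */
static void *(*const volatile wipe_ptr)(void *, int, size_t) = memset;

void secure_zero(void *p, size_t n) {
    wipe_ptr(p, 0, n);
}

/* Constructed stand-in for "use the key": XOR msg with the key once.
 * The key is copied to the stack, used, then wiped before return, so a
 * later reader of this stack region finds only zeros where it lived. */
uint32_t use_key_once(const uint8_t *key, size_t keylen,
                      uint8_t *msg, size_t msglen) {
    uint8_t k[64];
    uint32_t sum = 0;
    if (keylen == 0 || keylen > sizeof k) return 0;
    memcpy(k, key, keylen);
    for (size_t i = 0; i < msglen; i++) {
        msg[i] ^= k[i % keylen];
        sum += msg[i];          /* byte checksum of the transformed message */
    }
    secure_zero(k, sizeof k);   /* key is dead past this point: zero it */
    return sum;
}

/* Returns 1 if every byte of buf is zero, else 0. */
int all_zero(const uint8_t *buf, size_t n) {
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) acc |= buf[i];
    return acc == 0;
}

/* Constructed sample: 4-byte key over an 8-byte zero message; checksum 20. */
uint32_t self_check(void) {
    uint8_t key[4] = {1, 2, 3, 4};
    uint8_t msg[8] = {0};
    return use_key_once(key, sizeof key, msg, sizeof msg);
}

/* Fills a buffer with 0xAA, wipes it, and reports whether it is all zero. */
int wipe_check(void) {
    uint8_t buf[16];
    memset(buf, 0xAA, sizeof buf);
    secure_zero(buf, sizeof buf);
    return all_zero(buf, sizeof buf);
}

int main(void) {
    printf("checksum=%u wiped=%d\n", self_check(), wipe_check());
    return 0;
}
```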