Comments on: How to protect buggy programs from security vulnerabilities under Linux and UNIX

By: nixcraft

nixcraft — Sun, 14 Jan 2007 23:00:18 +0000

Stool,

Yes this program eats lots of memory.

HTH

By: Stool pusher

Stool pusher — Sun, 14 Jan 2007 19:29:44 +0000

I used this on Xp w/ Firefox.

Firefox keeps running no matter what.

So, according to task manager, I have an unresponsive instance of Firefox running and it is consuming over 250mb RAM.

By: nixcraft

nixcraft — Thu, 04 Jan 2007 11:25:31 +0000

@kerbe, According to man page LD_PRELOAD applied to all ELF shared libraries to be loaded before all others. So you can use options from menu itself. No need to start firefox from command prompt. You can verify this with lsof command lsof | grep libdiehard.so Output:

startx    4386      vivek  mem       REG       3,65   215612   2150782 /home/vivek/dirhard/libdiehard.so
xinit     4397      vivek  mem       REG       3,65   215612   2150782 /home/vivek/dirhard/libdiehard.so

By: nixcraft

nixcraft — Thu, 04 Jan 2007 11:20:44 +0000

craigevil,

Remove export LD_PRELOAD=/path/to command from .bash_profile and delete files libdiehard.so libdiehard_r.so replicated

Reboot system.

By: craigevil

craigevil — Thu, 04 Jan 2007 11:08:49 +0000

Ok how do you remove it once it is installed?
Sounds like a great idea, but I can’t afford the extra memory usage especially when running Firefox.

By: kerbe

kerbe — Thu, 04 Jan 2007 10:41:19 +0000

Is there way to know when this protection is used? It is supposedly be used with all programs, but how do I make sure programs I run have understood LD_PRELOAD and have loaded this?
False belief of security is quite often more dangerous than actually knowing you’re not secured :)

Does this work with KDE/Gnome after this trick, or do they need something else? I don’t like starting konsole to start up my apps to get this run :)

By: nixcraft

nixcraft — Tue, 02 Jan 2007 18:15:58 +0000

Bill.

Personally I have not tested it with Apache. It is recommended that you run this software in sandbox for few days.

By: bill

bill — Tue, 02 Jan 2007 18:14:06 +0000

Can i use this on server to protect Apache?

TIA.

By: nixcraft

nixcraft — Tue, 02 Jan 2007 16:13:20 +0000

Nightfox

You can try out buffer overflow against your apps or use old version of Firefox which is affected by this kind of attacks. Get FF 1.7.3 and visit test page http://www.cs.umass.edu/%7Eemery/diehard/crash-mozilla.htm

Appreciate your post.

By: nightfox

nightfox — Tue, 02 Jan 2007 11:23:29 +0000

so what’s the evidence that it really works?

By: jack

jack — Tue, 02 Jan 2007 08:44:26 +0000

woot. just downloaded and running this new stuff. thnaks for article

By: nixcraft

nixcraft — Tue, 02 Jan 2007 05:27:20 +0000

Thanks for comment and pointing out difference between two. I have updated post :)

By: Emery Berger

Emery Berger — Tue, 02 Jan 2007 05:17:53 +0000

Thanks for the nice summary. One correction – DieHard is *very* different from ExecShield, which is primarily aimed at protecting the stack. Most of ExecShield’s compiler techniques to avoid stack overflows would complement DieHard’s protection of the heap. However, DieHard’s protection – and its ability to continue execution in the face of errors – go far beyond the checks that glibc now includes (intended to detect heap corruption that DieHard makes impossible).

– Emery