bock(1M)


bock -- run a command with buffer overflow attack checks

Synopsis

bock [command [arg...]]

Description

Use the bock command to query the current state of buffer overflow attack checks in the kernel, and to run a command with buffer overflow checks enabled for that command. To run a command with bock, the URETADDR_CHECK kernel parameter must have been previously set to 1 to enable buffer overflow attack checks in the kernel (the default setting of URETADDR_CHECK is 0).

With no arguments, bock returns an exit status of 0 if buffer overflow attack checks are not enabled, 1 if they are enabled, and 2 in case of an error.

When a command is passed to bock (along with any arguments the command requires), the kernel checks for buffer overflow attacks in the command's execution process and all of its child processes. Specifically, the kernel detects situations in which a system call is being issued from code running in a memory area that is also used as a stack.

If URETADDR_CHECK has a value of 1, a security message is logged to /var/adm/log/osmlog if a system call is issued from a memory area previously used as a stack by the calling process. Additionally, a value of 2 will cause the offending process to be terminated after having dumped core, whenever that is possible. Use idtune(1M) or the scoadmin system tuner to change the value of URETADDR_CHECK.

Diagnostics/Examples

bock can be used in either interactive or inetd daemon mode. In interactive mode (i.e. when file descriptor 0 is not associated with a socket), diagnostics are sent to standard error. In inetd daemon mode, they are logged through syslog(3G) using LOG_DAEMON as the facility and LOG_ERR as the priority.

The inetd invocation mode differs from the interactive mode in that argv[0] (see exec(2)) must be specified in addition to the pathname of the executable file associated with command. For instance, the CDE graphical user interface calendar manager has been the subject of several CERT advisories. When CDE is installed on a system, the following two entries are added to inetd.conf(4tcp):

   100068/2-5      dgram   rpc/udp wait    root    /usr/dt/bin/rpc.cmsd    rpc.cmsd
   dtspc           stream  tcp     nowait  root    /usr/dt/bin/dtspcd      dtspcd

By simply adding /bin/bock before the absolute pathname specification associated with any inetd service, one gets some degree of protection against buffer overflow attacks for that service. Examples are listed below:

   100068/2-5 dgram  rpc/udp wait   root /bin/bock /usr/dt/bin/rpc.cmsd rpc.cmsd
   dtspc      stream tcp     nowait root /bin/bock /usr/dt/bin/dtspcd   dtspcd
   telnet     stream tcp     nowait root /bin/bock /usr/sbin/in.tcpd    in.telnetd
   ftp        stream tcp     nowait root /bin/bock /usr/sbin/in.tcpd    in.ftpd -a
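The following script is an added example and is not part of this manual page or of the bock distribution. It applies the rewrite shown above to a whole inetd.conf(4tcp) fragment: it inserts /bin/bock in front of the server-program field (field 6) of every complete entry, while leaving comments, blank lines, "internal" services (which have no executable to wrap) and entries already wrapped with /bin/bock unchanged. The inetd.conf fragment embedded in the script is constructed for the demonstration and does not come from a real system; the function names are the example's own.

```sh
#!/bin/sh
# wrap_inetd_with_bock: print inetd.conf(4tcp) lines with /bin/bock prepended
# to the server-program field (field 6).  Comment lines, blank lines,
# "internal" services and lines already wrapped with /bin/bock are passed
# through unchanged.  Reads the file named in $1, or standard input when no
# argument is given.  (Example code, not part of the bock distribution.)
wrap_inetd_with_bock() {
    awk '
        # keep comments and blank lines exactly as they are
        /^[ \t]*#/ || /^[ \t]*$/ { print; next }
        # fewer than 6 fields: not a complete entry, leave it alone
        NF < 6 { print; next }
        # built-in services (echo, discard, ...) have no executable to wrap
        $6 == "internal" { print; next }
        # already wrapped: never wrap twice
        $6 == "/bin/bock" { print; next }
        {
            # rebuild the entry: fields 1-5, then /bin/bock, then field 6 onward
            # (field 6 becomes the pathname, field 7 onward the argv vector)
            out = $1
            for (i = 2; i <= 5; i++) out = out " " $i
            out = out " /bin/bock"
            for (i = 6; i <= NF; i++) out = out " " $i
            print out
        }
    ' "$@"
}

# Constructed sample inetd.conf fragment (not taken from a real system).
SAMPLE_INETD='# sample inetd.conf fragment (constructed)
100068/2-5      dgram   rpc/udp wait    root    /usr/dt/bin/rpc.cmsd    rpc.cmsd
dtspc           stream  tcp     nowait  root    /usr/dt/bin/dtspcd      dtspcd
echo            stream  tcp     nowait  root    internal
telnet          stream  tcp     nowait  root    /bin/bock /usr/sbin/in.tcpd in.telnetd'

# wrap_sample: run the rewrite over the constructed fragment and print the result.
wrap_sample() {
    printf '%s\n' "$SAMPLE_INETD" | wrap_inetd_with_bock
}

# Typical use on a real file would be:  wrap_inetd_with_bock /etc/inetd.conf > inetd.conf.new
wrap_sample
```

Review the generated file before installing it and signal inetd to reread its configuration; the script deliberately writes to standard output rather than editing the file in place so that the change can be inspected first.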

Notes

This command is intended to be used as a security testbed, i.e. in order to assess potential risks. It should not be used in a production environment. It targets buffer overflow attacks only and provides no protection from other forms of attack (such as denial of service attacks).

The performance impact will be minimal for single-threaded processes that use only the stack defined at compilation time. However, because the kernel will maintain a per-process linked list of VM segments used as stacks by all LWPs executing inside a process, heavily multithreaded applications are likely to be negatively impacted from a performance standpoint.

Exit Status

If no arguments are passed to bock, the exit status will be 0 if buffer overflow attack checks are not enabled, 1 if they are, and 2 in case of an error.

When used with a command argument, the exit status will be that of the specified command, or 2 in case of error during a system call.

See Also

sysi86(2), syslog.conf(4bsd), inetd.conf(4tcp), "Security parameters" in Monitoring and tuning the system
© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 25 April 2004