RE: Backport of the integer overflow in the brk system call

["Julian Mehnle" <lists@mehnle.net>]

Russell Coker wrote:
> On Mon, 8 Dec 2003 13:16, Patrick Ouellette <pouelle@debian.org> wrote:
> > Instead of a smartcard/token/whatever physical device, this incident
> > could possibly have been thwarted by requiring developers to
> > pre-register their machine with the project (using ssh host key for
> > example).  The attacker would have the user's account information,
> > but project machines would have refused access since the host id did
> > not match the user's registered hosts.  Then the project machine
> > could have alerted both the project's admin team and the owner of the
> > compromised account. 
> 
> One problem with this is developer's machines that are on dial-up
> Internet connections.  In the case of such machines you can verify the
> host key but not the IP address.

You cannot verify the IP address *exactly*, but you can verify whether the IP address lies within a range.  Dial-up users could at least register a certain address range, so as to vastly mitigate the attack risk.  Apart from that, as soon as the use of IPv6 broadens, dynamically assigned IP addresses will diminish.

> But this still leaves the issue of how to deal with dial-up machines. 
> Even if we restrict connections to a single ISP as often dial-up
> machines are not used with multiple machines, this still isn't
> necessarily much good, some dial-up ISPs have >50,000 IP addresses.

Still, IP address (even if it's a range, not a single address) verification vastly mitigates the attack risk.

> Finally, if the attacker can compromise the machine and the machine is
> online (EG permanently connected machines) there's no good options.

What's more secure, "no good options", or "no good options" plus IP address verification, even if range-based?  Some attack vectors one will never be able to protect against, but it still makes sense to protect against other vectors, doesn't it?