Once in a while, I google for feedback on various projects that I implemented in the past. One of these projects is ContraPolice, which resulted in a brief paper and a prototype implemented as a patch for dietlibc. In fact, I'm really proud of what I produced here, because it is a straightforward and simple solution to a big problem in IT security. While I don't claim that it's perfect (no solution is), it's supposed to be effective in (wild guess) 90% of all incidents it tries to prevent.
Also, other security researchers came upon ContraPolice, most notably Yves Younan, who mentioned it in a number of papers, including a lecture at 22C3 on memory allocator security.
What I regret most about it is that I didn't put any further work into it. The concept of ContraPolice itself could definitely be improved in some points (Yves points out some weaknesses in his papers), and the prototype could be made more complete. I could also have tried to present it at some conference by myself, as it is definitely something that makes sense and is interesting to a number of people, if it only got out of prototype stage. Oh, actually it does already, e.g. the Annvix project mentions ContraPolice as one of the hardening technologies they employ.
And on a funny side note, I also found a call for help in a Linux forum where ContraPolice seems to have brought a bug to notice, with the consequence that the user is unable to install Mandriva 2006 onto his RAID. And according to the changelog found here, this issue only seems to come up on x86_64...