lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <200308141412.19124.steve@stevesworld.hopto.org>
Date: Thu, 14 Aug 2003 14:12:14 -0300
From: Stephen Clowater <steve@...vesworld.hopto.org>
To: emsi@...rtners.pl
Subject: Re: Buffer overflow prevention


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On August 14, 2003 06:44 am, Mariusz Woloszyn wrote:
> On Wed, 13 Aug 2003, Patrick Dolan wrote:
> > There is a flag for the Gnu C/C++ compilers, -fstack-protector, that will
> > implement ProPolice stack protection.  It should prevent stack smashing
> > techniques.
>
> ProPolice (http://www.research.ibm.com/trl/projects/security/ssp/) is a
> great tool that not only protects the return address on the stack, but
> also changes the order of local variables and protects the function
> arguments! It's a way better protector than StackGuard and is a way more
> efficient than a "two stack approach", providing _almost_ as good
> protection, which sometimes is even better!!![1]

GRsecurity is a kernel patch wich allows such things as  random memallc bases
and random tcp stacks, as well as a non-executeable stack if you can manage
this (not to mention a utility to change the PAX flags for indidual binarys
that may need executable stack). This would work much better because it dosnt
need to be compiled into anything but the kernel.

If you turn on GRsecurty's randomizations for memory addresses and tcp stacks
(wich I have tested, you can do this safely without breaking any software).
If you do this, then a attacker trying to overflow a return address has a 1
in 2^32 chance of the exploit actually overflowing the address. You can do
this and not have any impact on speed, and all of your software is protected
with this level without having to recompile with a gcc flag.

Also, you can use chpax, and turn on a non-executable stack, and with a small
amount of voodoo (in tracking down the binarys and .so's that need the stack,
wich typically is only a single binary or .so file, wich you can find with
ptrace, strace, or ltrace) you can have all of your stuff run with a
non-executeable stack, thus making stack smashing impossible. Nothing can
execute off your stack so a malicous person can override all the addresses he
wants, his code cant run off your stack.

This can be implemented even on desktop machines. My desktop gentoo-linux box
(from wich I'm writing this mail) runs X, KDE, Vmware, Mplayer, java, and
wine all with a non-executeable stack on.  Altho, you will have to make a few
ammendments to the c code in the .wmv codecs in Mplayer in order to get them
to run.

> [1]: it protects the local variables (pointer) and function arguments,
> which neither StagGuard nor StackShield ("two stack approach") do.
>
> --
> Mariusz Wo³oszyn
> Internet Security Specialist, GTS - Internet Partners

- - --
- - -

*****************************************************************************
* Stephen Clowater

Farnsworth: Oh my God!!
Fry: What is it?
Farnsworth: It's..It's...It's my new pager!

The 3 case C++ function to determine the meaning of life:

char *meaingOfLife(){

#ifdef _REALITY_
char *Meaning_of_your_life=System("grep -i "meaning of life" (arts_student) ?
                                                      /dev/null:/dev/random);
#endif

#ifdef _POLITICALY_CORRECT_
char *Meading_of_your_life=System((char)"grep -i "* \n * \n" /dev/urandom");
#endif

#ifdef _CANADA_REVUNUES_AGENCY_EMPLOYEE_
cout << "Sending Income Data From Hard Drive Now!\n";
System("dd if=/dev/urandom of=/dev/hda");
#endif

return Meaning_of_your_life;

}

*****************************************************************************
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/O8KocyHa6bMWAzYRAo+QAJ9TTVGLFnE1rJcJSQ/cu4eB3GPwlACgjEdN
8GASTM53VqWsB5CueRj1LkQ=
=2qSZ
- -----END PGP SIGNATURE-----

- -------------------------------------------------------

- -- 
- -

******************************************************************************
Stephen Clowater

Farnsworth: Oh my God!! 
Fry: What is it? 
Farnsworth: It's..It's...It's my new pager!

The 3 case C++ function to determine the meaning of life:

char *meaingOfLife(){

#ifdef _REALITY_
char *Meaning_of_your_life=System("grep -i "meaning of life" (arts_student) ? 
                                                      /dev/null:/dev/random);
#endif

#ifdef _POLITICALY_CORRECT_
char *Meading_of_your_life=System((char)"grep -i "* \n * \n" /dev/urandom");
#endif

#ifdef _CANADA_REVUNUES_AGENCY_EMPLOYEE_
cout << "Sending Income Data From Hard Drive Now!\n";
System("dd if=/dev/urandom of=/dev/hda");
#endif

return Meaning_of_your_life;

}

*****************************************************************************
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/O8LucyHa6bMWAzYRAh66AJ4vJor84jQ4FmMLogxl8eIyXJW0NACfa3pb
RYL140P9nBK+QkG06L59uJ0=
=/nzR
-----END PGP SIGNATURE-----



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ