| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20030814184743.GA3715@c9x.org>
Date: Thu, 14 Aug 2003 20:47:21 +0200
From: Jedi/Sector One <j@...eftpd.org>
To: Mariusz Woloszyn <emsi@...rtners.pl>
Subject: Re: Buffer overflow prevention
On Thu, Aug 14, 2003 at 07:26:47PM +0200, Mariusz Woloszyn wrote:
> What we're discussing here is an internal structures and data protecting.
> IMHO the ProPolice (http://www.research.ibm.com/trl/projects/security/ssp/),
> is the best protection in this kind, even comparing to "two stack"
> approach.
ProPolice is not magical, though. There are plenty of cases where it is
totally inefficient. To illustrate a very common one :
#include <string.h>
struct Test {
char str[5];
};
int main(void)
{
struct Test x;
strcpy(x.str, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
return 0;
}
Propolice doesn't see anything wrong and eip happily goes to 0x41414141.
Propolice also doesn't give any protection against heap overflows.
So the best protection is probably Propolice + non exec stack + write xor
executable pages. Oh, surprise, this is just how OpenBSD works.
This is still not a magical protection against everything. A vulnerable
application can still behave abnormally after an overflow. But this couple
makes injection + execution of arbitrary code way more tricky.
The only way to sleep quietly is still to audit the code at the first place.
--
__ /*- Frank DENIS (Jedi/Sector One) <j@...Networks.Com> -*\ __
\ '/ <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a> \' /
\/ <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a> \/
Powered by blists - more mailing lists