lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040205180603.GA28566@wirex.com>
Date: Thu, 5 Feb 2004 10:06:03 -0800
From: Seth Arnold <sarnold@...ex.com>
To: bugtraq@...urityfocus.com
Subject: Re: http://www.smashguard.org

On Wed, Feb 04, 2004 at 01:26:29PM +0800, Leon Harris wrote:
> Certain apps (notably java virtual machines) manipulate stack return 
> addresses. I understood that one of the advantages of Immunix's product 
> StackGuard was that you could still run these types of apps by 
> statically linking them against a normal libc (and chrooting them or 
> otherwise confining them). If the protection is mandatory, and in 
> hardware, then surely these types of app wont work.

Leon, the limitations with StackGuard and Java Just in Time compilers
and virtual machines have been removed with newer versions of
StackGuard. StackGuard 2, based on egcs (gcc 2.91.66), had an unfortunate
location in the stack layout for the canary which caused problems for
applications that 'knew' the stack layout well enough to introspect
the stack.

Newer versions of StackGuard have since remedied the location of the
canary (to be more secure, while we're at it) such that applications that
are stack-introspective no longer need to be patched to know a 'new'
stack layout. StackGuard 3 uses a better location that is transparent
to gdb, mozilla, JITs, etc.

Of course, I don't want to say what forms of applications may or may not
run on a SmashGuard system; however, the JVMs and JITs may or may not
function on SmashGuard on their own merits -- it was a limitation of
earlier StackGuard releases that caused problems for JVMs, JITs, gdb,
mozilla, etc.

Further information on StackGuard 3 may be found at:
http://immunix.org/stackguard.html

More information will be posted to this page as StackGuard continues
development, and we will periodically announce new developments to the
low traffic immunix-announce mail list:
http://mail.immunix.com/mailman/listinfo/immunix-announce

Thanks Leon

-- 
Immunix Secured Linux Distribution: http://immunix.org/

Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ