Date: Sat, 07 Feb 2004 15:44:46 -0800
From: Crispin Cowan <>
To: Hilmi Ozdoganoglu <>
Cc: Dave Paris <>,
Subject: Re:

Hilmi Ozdoganoglu wrote:

>        Agreed, the software based approach does not take a significant
>performance hit, but the hardware approach is transparent to the user
>and does not require recompilation of the source code. Therefore, all
>programs can run securely on a machine whether or not they are "compiled
>securely" (e.g. legacy software).

Utter nonsense. Legacy software has to be recompiled to use the new CPU
instruction set. A new CPU architecture is vastly *more* intrusive than 
a new compiler.

>The idea is not to create "custom CPUs" but to have our modification
>picked up by major vendors.  Clearly there is interest in applying
>hardware to solve security issues based on the latest press releases
>from AMD that AMD chips include buffer-overflow protection (see
>Computer World, January 15, 2004).

As Theo said, the AMD buffer overflow "protection" is nothing more than
sensible separation of R and X bits per page, fixing a glaring and 
anomalous defect in the original 386 MMU. Many CPUs before and since had 
this feature, and it was just Intel slop in the early 1980s that 
developed an MMU (and associated instruction set) that mistakenly 
treated R and X per page as one bit.


Crispin Cowan, Ph.D.
CTO, Immunix
Immunix 7.3 
