Date:      Thu, 13 Feb 1997 16:03:24 -0700 (MST)
From:      Charles Mott <cmott@srv.net>
To:        J Wunsch <j@uriah.heep.sax.de>
Cc:        freebsd-chat@FreeBSD.ORG
Subject:   Re: Trying to understand stack overflow
Message-ID:  <Pine.BSF.3.91.970213154654.6401B-100000@darkstar>
In-Reply-To: <Mutt.19970213230219.j@uriah.heep.sax.de>

On Thu, 13 Feb 1997, J Wunsch wrote:
[snip]
> Basically, the stack overflow attack allows for remote exploitation if
> it's possible to send the exploiting data across the net.  For the
> setlocale() attack, the exploiting data were required to be in a local
> file already, so it required at least another security hole in advance
> (or something like an anon ftp upload area).

Does the location on the stack of the automatic string variable have to 
be known precisely for exploitation?

If it does, then it would be interesting to have a version of gcc which 
adds some "noise" as to where exactly in the stack an automatic variable 
is located.  Variables could be re-ordered or dead space could be added 
here and there in the stack.  Users wanting extra security would do a 
make world with stack randomization.

Would it also be possible to have separate data and control flow stacks?  
If the 386 instruction code allows this to be done in an efficient 
manner, then we could consider a compiler modification.  (I'm always 
looking for a non-standard type of project).

My instinct is to go after this problem at a more fundamental level than 
doing giant code audits.  Obviously I don't know too much about all this, 
so this message is in freebsd-chat. 


Charles Mott


P.S. One can imagine Siberian camps where prisoners audit code at night 
after cutting down trees or working in the mines during the day.  
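The "noise" idea in the message above, as an added C example that is not part of the original thread and not a gcc modification: since the compiler cannot be changed here, the padding is emulated at the call site with alloca(), which reserves a random-sized gap below the caller's frame before the function with the automatic buffer is entered. Assumed: gcc or clang (for the noinline attribute and alloca), and a downward-growing stack as on x86, x86-64 and ARM. The buffer is only located, never overflowed; the point is to show that its address stops being a fixed, predictable offset.

```c
#include <alloca.h>   /* alloca(): GNU/BSD extension, assumed available */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Stand-in for any routine that keeps a string in an automatic variable.
 * It only reports where the compiler placed the buffer; nothing is written
 * past its end. (Hypothetical example function, not from the thread.) */
static uintptr_t __attribute__((noinline)) buffer_address(void)
{
    volatile char buf[64];          /* the "automatic string variable" */
    buf[0] = '\0';
    return (uintptr_t)buf;
}

/* Emulates "dead space here and there in the stack": reserve a gap of
 * `pad` bytes in this frame before calling, so the callee's buffer lands
 * that much further down (stack grows downward, assumed). */
static uintptr_t __attribute__((noinline)) buffer_address_with_gap(size_t pad)
{
    volatile char *gap = alloca(pad + 1);
    gap[0] = '\0';                  /* touch it so the gap is not optimised away */
    return buffer_address();
}

/* Distance in bytes the buffer moves when a gap of `pad` bytes is inserted. */
size_t shift_for_gap(size_t pad)
{
    uintptr_t plain  = buffer_address_with_gap(0);
    uintptr_t padded = buffer_address_with_gap(pad);
    return (size_t)(plain - padded);
}

/* Calls the function `trials` times with a random gap (a multiple of 16,
 * at most `max_pad`) and returns how many distinct buffer addresses were
 * seen.  With a fixed layout this would always be 1. */
size_t distinct_addresses(unsigned trials, size_t max_pad, unsigned seed)
{
    uintptr_t seen[256];
    size_t n = 0;
    srand(seed);
    for (unsigned i = 0; i < trials && n < 256; i++) {
        size_t pad = ((size_t)rand() % (max_pad / 16 + 1)) * 16;
        uintptr_t a = buffer_address_with_gap(pad);
        size_t j;
        for (j = 0; j < n && seen[j] != a; j++)
            ;
        if (j == n)
            seen[n++] = a;
    }
    return n;
}

int main(void)
{
    printf("a 1024-byte gap shifts the buffer by %zu bytes\n",
           shift_for_gap(1024));
    printf("%zu distinct buffer addresses in 32 randomised calls\n",
           distinct_addresses(32, 4096, (unsigned)time(NULL)));
    return 0;
}
```

Each call with a different gap reports a different buffer address, which is what makes a guessed stack location unreliable for an attacker. Later toolchains and kernels took the same direction without a special "make world": stack base randomisation under ASLR, and compiler-inserted stack protectors (gcc's -fstack-protector) that detect an overwritten frame before the return address is used.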


