Date: Mon, 20 Jul 1998 17:49:21 -0600
From: Brett Glass <brett@lariat.org>
To: security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
Message-ID: <199807202349.RAA27220@lariat.lariat.org>
In-Reply-To: <199807202109.PAA13333@harmony.village.org>
References: <Your message of "Mon, 20 Jul 1998 11:14:33 MDT."<199807201714.LAA19993@lariat.lariat.org> <199807201714.LAA19993@lariat.lariat.org> <199807200148.TAA07794@harmony.village.org> <199807200102.SAA07953@bubba.whistle.com> <199807200148.TAA07794@harmony.village.org>
At 03:09 PM 7/20/98 -0600, Warner Losh wrote:

>How do you enable call gates, and how do they fix these problems? How
>exactly do call gates eliminate this problem?

A call gate is an abstract descriptor that points to a legal entry point of a routine (usually a shared library routine or an OS routine). It's the only way to get in. You can't jump into the middle because the segmentation mechanism won't let you through. You have to use the gate. You also can't use a RET instruction to call something backwards through a gate (the designers thought of that).

>The kernel already uses segments to manage security, so I don't think
>I understand your comment about this.

Actually, the segmentation mechanisms are hardly used. One of the first things they COULD be used for is to prevent execution out of the stack and data segments, which is normally disallowed. (You need what's called a "CS alias" to allow execution out of something other than the code segment.) This is all in the Intel docs on protected mode.

>Can you elaborate in more
>detail how exactly these tools will solve the problems that we're
>having?

I wish I still had the original Intel papers on the subject. They were thinking about these things way back in the 1980's! But here are some URLs with good information.

At http://www.fh-zwickau.de/~hoh/pmode/ there's a good tutorial in German that's partially translated to English. Note in particular the section on gates.

Also see the 80386 programmer's reference at http://www.jimbrooks.org/web/programming/i386-html/toc.htm

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
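
The two mechanisms described in this message, as an added example that is not part of the original e-mail: a decoder for 8-byte i386 descriptors that shows the type bit separating executable code segments from stack/data segments, and the fixed selector:offset entry point a call gate carries. The sample descriptor bytes and all names are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

enum desc_kind { NOT_PRESENT, CODE_SEG, DATA_SEG, CALL_GATE, OTHER_SYSTEM };

struct desc {
    enum desc_kind kind;
    unsigned dpl;            /* descriptor privilege level (0-3) */
    int executable;          /* 1 only for code segments: CS may be loaded from it */
    uint32_t base, limit;    /* code/data segments */
    uint16_t gate_sel;       /* call gate: target code segment selector */
    uint32_t gate_off;       /* call gate: the one legal entry point */
    unsigned gate_params;    /* call gate: dwords copied to the new stack */
};
/* Constructed sample descriptors (8 bytes each, as stored in a GDT/LDT). */
static const uint8_t sample_code[8]  = {0xFF,0xFF,0x00,0x00,0x00,0xFA,0xCF,0x00};
static const uint8_t sample_stack[8] = {0xFF,0xFF,0x00,0x00,0x00,0xF2,0xCF,0x00};
static const uint8_t sample_gate[8]  = {0x00,0x10,0x08,0x00,0x02,0xEC,0x40,0x00};

struct desc decode_descriptor(const uint8_t d[8])
{
    struct desc out = {0};
    uint8_t access = d[5];                 /* P | DPL | S | type */
    out.dpl = (access >> 5) & 3;
    if (!(access & 0x80)) { out.kind = NOT_PRESENT; return out; }
    if (access & 0x10) {                   /* S=1: code or data segment */
        out.base  = d[2] | (uint32_t)d[3] << 8 | (uint32_t)d[4] << 16 | (uint32_t)d[7] << 24;
        out.limit = d[0] | (uint32_t)d[1] << 8 | (uint32_t)(d[6] & 0x0F) << 16;
        if (d[6] & 0x80) out.limit = (out.limit << 12) | 0xFFF;   /* 4 KiB granularity */
        out.executable = (access & 0x08) != 0;                    /* type bit 3 */
        out.kind = out.executable ? CODE_SEG : DATA_SEG;
    } else if ((access & 0x0F) == 0x0C) {  /* S=0, type 1100b: 386 call gate */
        out.kind = CALL_GATE;
        out.gate_sel = (uint16_t)(d[2] | d[3] << 8);
        out.gate_off = d[0] | (uint32_t)d[1] << 8 | (uint32_t)d[6] << 16 | (uint32_t)d[7] << 24;
        out.gate_params = d[4] & 0x1F;
    } else {
        out.kind = OTHER_SYSTEM;           /* TSS, LDT, interrupt/trap gate, ... */
    }
    return out;
}

int main(void)
{
    struct desc g = decode_descriptor(sample_gate);
    printf("stack segment executable: %d\n", decode_descriptor(sample_stack).executable);
    printf("gate entry %04x:%08x, DPL %u\n", (unsigned)g.gate_sel, (unsigned)g.gate_off, g.dpl);
    return 0;
}
```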