From owner-freebsd-security Mon Jul 20 16:50:06 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA20424 for freebsd-security-outgoing; Mon, 20 Jul 1998 16:50:06 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lariat.lariat.org (ppp1000.lariat.org@[206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA20316 for ; Mon, 20 Jul 1998 16:49:46 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.8) id RAA27220; Mon, 20 Jul 1998 17:49:23 -0600 (MDT)
Message-Id: <199807202349.RAA27220@lariat.lariat.org>
X-Sender: brett@mail.lariat.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1
Date: Mon, 20 Jul 1998 17:49:21 -0600
To: security@FreeBSD.ORG
From: Brett Glass
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
In-Reply-To: <199807202109.PAA13333@harmony.village.org>
References: <199807201714.LAA19993@lariat.lariat.org> <199807200148.TAA07794@harmony.village.org> <199807200102.SAA07953@bubba.whistle.com> <199807200148.TAA07794@harmony.village.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 03:09 PM 7/20/98 -0600, Warner Losh wrote:

>How do you enable call gates, and how do they fix these problems? How
>exactly do call gates eliminate this problem?

A call gate is an abstract descriptor that points to a legal entry point of a routine (usually a shared library routine or an OS routine). It's the only way to get in. You can't jump into the middle because the segmentation mechanism won't let you through. You have to use the gate. You also can't use a RET instruction to call something backwards through a gate (the designers thought of that).

>The kernel already uses segments to manage security, so I don't think
>I understand your comment about this.

Actually, the segmentation mechanisms are hardly used. One of the first things they COULD be used for is to prevent execution out of the stack and data segments, which is normally disallowed. (You need what's called a "CS alias" to allow execution out of something other than the code segment.) This is all in the Intel docs on protected mode.

>Can you elaborate in more
>detail how exactly these tools will solve the problems that we're
>having?

I wish I still had the original Intel papers on the subject. They were thinking about these things way back in the 1980s! But here are some URLs with good information.

At http://www.fh-zwickau.de/~hoh/pmode/ there's a good tutorial in German that's partially translated to English. Note in particular the section on gates.

Also see the 80386 programmer's reference at http://www.jimbrooks.org/web/programming/i386-html/toc.htm

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
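The two mechanisms Brett describes, a call gate that fixes the only legal entry offset, and a "CS alias" (a data descriptor covering the same bytes as a code descriptor but without the executable type bit), are both just 8-byte descriptor encodings. The following C program is an added example written for this archive page, not code from the e-mail or from FreeBSD. It encodes and decodes the 80386 call-gate and segment-descriptor bit layouts from the Intel 80386 Programmer's Reference Manual that the message links to, and applies the gate privilege check the CPU performs on a far CALL (max(CPL, RPL) must not exceed the gate's DPL). All selector, base, limit and offset values are constructed for illustration; the function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* Access-byte fields shared by gates and segments (descriptor bits 40-47). */
#define DESC_PRESENT      (1ULL << 47)
#define DESC_DPL_SHIFT    45
#define DESC_S_BIT        (1ULL << 44)   /* S=1: code/data segment, S=0: system/gate */
#define DESC_TYPE_SHIFT   40
#define TYPE_CALL_GATE32  0xC            /* 32-bit call gate */
#define TYPE_CODE_XR      0xA            /* code segment, execute/read */
#define TYPE_DATA_RW      0x2            /* data segment, read/write */

/* Build a 32-bit call gate: the entry OFFSET lives in the descriptor, so a
 * caller supplies only the gate selector and cannot choose where it lands. */
uint64_t make_call_gate(uint16_t target_sel, uint32_t offset,
                        unsigned dpl, unsigned param_count)
{
    uint64_t d = 0;
    d |= (uint64_t)(offset & 0xFFFF);                 /* bits 0-15: offset low  */
    d |= (uint64_t)target_sel << 16;                  /* bits 16-31: code selector */
    d |= (uint64_t)(param_count & 0x1F) << 32;        /* bits 32-36: dword count */
    d |= (uint64_t)TYPE_CALL_GATE32 << DESC_TYPE_SHIFT;
    d |= (uint64_t)(dpl & 3) << DESC_DPL_SHIFT;       /* S bit stays 0 for a gate */
    d |= DESC_PRESENT;
    d |= (uint64_t)(offset >> 16) << 48;              /* bits 48-63: offset high */
    return d;
}

/* Build a code or data segment descriptor (4 KiB granularity, 32-bit). */
static uint64_t make_segment(uint32_t base, uint32_t limit, unsigned dpl, unsigned type)
{
    uint64_t d = 0;
    d |= (uint64_t)(limit & 0xFFFF);                  /* limit bits 0-15   */
    d |= (uint64_t)(base & 0xFFFF) << 16;             /* base bits 0-15    */
    d |= (uint64_t)((base >> 16) & 0xFF) << 32;       /* base bits 16-23   */
    d |= (uint64_t)(type & 0xF) << DESC_TYPE_SHIFT;
    d |= DESC_S_BIT;
    d |= (uint64_t)(dpl & 3) << DESC_DPL_SHIFT;
    d |= DESC_PRESENT;
    d |= (uint64_t)((limit >> 16) & 0xF) << 48;       /* limit bits 16-19  */
    d |= (uint64_t)0xC << 52;                         /* G=1, D/B=1        */
    d |= (uint64_t)((base >> 24) & 0xFF) << 56;       /* base bits 24-31   */
    return d;
}

uint64_t make_code_segment(uint32_t base, uint32_t limit, unsigned dpl)
{
    return make_segment(base, limit, dpl, TYPE_CODE_XR);
}

/* A "CS alias": same base and limit as the code segment, but data type,
 * so the bytes can be written through it yet not executed through it. */
uint64_t make_data_segment(uint32_t base, uint32_t limit, unsigned dpl)
{
    return make_segment(base, limit, dpl, TYPE_DATA_RW);
}

/* Code/data descriptors are executable only when S=1 and type bit 3 is set. */
int descriptor_is_executable(uint64_t d)
{
    return (d & DESC_S_BIT) != 0 && ((d >> (DESC_TYPE_SHIFT + 3)) & 1) != 0;
}

uint32_t segment_base(uint64_t d)
{
    return (uint32_t)((d >> 16) & 0xFFFF) | (uint32_t)((d >> 32) & 0xFF) << 16
         | (uint32_t)((d >> 56) & 0xFF) << 24;
}

/* Recover the fixed entry point; returns 0 if this is not a present call gate. */
int gate_entry_point(uint64_t d, uint16_t *sel, uint32_t *offset)
{
    if (!(d & DESC_PRESENT) || (d & DESC_S_BIT) ||
        ((d >> DESC_TYPE_SHIFT) & 0xF) != TYPE_CALL_GATE32)
        return 0;
    *sel    = (uint16_t)(d >> 16);
    *offset = (uint32_t)(d & 0xFFFF) | (uint32_t)(d >> 48) << 16;
    return 1;
}

/* CPU rule for CALL through a gate: max(CPL, RPL) <= gate DPL, else #GP. */
int gate_admits_call(uint64_t gate, unsigned cpl, unsigned rpl)
{
    unsigned gate_dpl = (unsigned)((gate >> DESC_DPL_SHIFT) & 3);
    unsigned eff = cpl > rpl ? cpl : rpl;
    return eff <= gate_dpl;
}

int main(void)
{
    /* Constructed values: kernel code selector 0x0008, entry at 0x00401000. */
    uint64_t gate = make_call_gate(0x0008, 0x00401000, 3, 0);
    uint16_t sel; uint32_t off;
    if (gate_entry_point(gate, &sel, &off))
        printf("gate -> %04x:%08x, user call admitted: %d\n",
               sel, off, gate_admits_call(gate, 3, 3));
    printf("code exec=%d, CS-alias exec=%d\n",
           descriptor_is_executable(make_code_segment(0, 0xFFFFF, 0)),
           descriptor_is_executable(make_data_segment(0, 0xFFFFF, 0)));
    return 0;
}
```

The point the decoder makes concrete is that the target offset is a property of the gate, not of the caller: a far CALL names a gate selector and the CPU discards the offset operand, so the only way through is at the entry the descriptor fixes. The CS-alias pair shows why executing out of the stack or data segment is a policy choice of the descriptors, not an inherent property of the memory.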