From owner-freebsd-security  Sun Feb 16 13:07:01 1997
Return-Path: <owner-security>
Received: (from root@localhost)
          by freefall.freebsd.org (8.8.5/8.8.5) id NAA27109
          for security-outgoing; Sun, 16 Feb 1997 13:07:01 -0800 (PST)
Received: from cwsys.cwent.com (cschuber.net.gov.bc.ca [142.31.240.113])
          by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id NAA27104
          for <freebsd-security@FreeBSD.org>; Sun, 16 Feb 1997 13:06:56 -0800 (PST)
Received: (from uucp@localhost) by cwsys.cwent.com (8.8.5/8.6.10) id NAA03252; Sun, 16 Feb 1997 13:05:16 -0800 (PST)
Message-Id: <199702162105.NAA03252@cwsys.cwent.com>
Received: from localhost.cwent.com(127.0.0.1), claiming to be "cwsys"
 via SMTP by localhost.cwent.com, id smtpd003247; Sun Feb 16 21:05:09 1997
Reply-to: cschuber@uumail.gov.bc.ca
X-Mailer: Xmh
To: Bruce Evans <bde@zeta.org.au>
cc: dufault@hda.com, roberto@keltia.freenix.fr, freebsd-security@FreeBSD.org
Subject: Re: buffer overruns 
In-reply-to: Your message of "Tue, 11 Feb 1997 12:23:40 +1100."
             <199702110123.MAA28254@godzilla.zeta.org.au> 
Date: Sun, 16 Feb 1997 13:05:08 -0800
From: Cy Schubert <cy@cwsys.cwent.com>
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

> >Has anyone seen modifications to gcc to generate guard bands around
> >automatics and stack check sequences?  The automatics can be checked
> >when they come into / go out of existence, and stack integrity at
> >return time.  It won't stop the exploits, but it will make them
> >harder, and you will get "security" dumps from setuid programs if
> >you require that setuid programs be compiled that way (and linked
> >against a separate "secure" library compiled that way also).
> 
> I haven't seen anything.  Perhaps something could be hacked into
> the existing profiling support.  I added a -mprofiler-epilogue
> call to FreeBSD's gcc.  It results in calls to a profiling function
> `mexitcount' before each normal function returns.  This would be
> a good to check the return address and other stuff in the caller's
> frame.

What about the bounds-checking gcc?  Would that be a place to start?
You can get it from ftp://dse.doc.ic.ac.uk/pub/misc/bcc/.


Regards,                       Phone:  (250)387-8437
Cy Schubert                      Fax:  (250)387-5766
UNIX Support                   OV/VM:  BCSC02(CSCHUBER)
ITSD                          BITNET:  CSCHUBER@BCSC02.BITNET
Government of BC            Internet:  cschuber@uumail.gov.bc.ca
                                       cschuber@bcsc02.gov.bc.ca

                "Quit spooling around, JES do it."