Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

RE: Stack Overflow

From: "Rocky Heckman" <rocky.he () g-wizinnovations com>
Date: Tue, 11 Jan 2005 09:49:08 +1100
Hi Nelson,
Technically they are supposed to be 'immune' to standard stack overflows
because they have bounds checking built in by default.  In fact one of the
suggestions in order to prevent Buffer Overflows in code is to use languages
like Java, C# and VB.NET.  However this doesn't mean it can't happen. 

You can still write unmanaged C++ code in .NET. You can still have
stack-allocated pointers in C++ in .NET as well. You can create classes that
are prefixed with the _value attribute which creates them on the Stack.  All
of these things can lead to possible buffer overflow situations.  Managed
C++ does provide some protection against this. 

If you stick to C# and VB.NET you have to try harder to create stack
overflow situations but it can be done. In unmanaged C/C++ it happens easily
unless you take steps to avoid it. Even when using things like Visual Studio
with the GC compiler option (the one that provides Canary based stack
overflow protection) it is still possible to exploit an unchecked buffer. A
paper I wrote covers that in more detail. (http://tinyurl.com/4k3bb )

Hope this helped a bit.

Rocky



 
 
Rocky Heckman
G-Wiz Innovations Pty Ltd
http://www.g-wizinnovations.com
IT Peace of mind!
-----Original Message-----
From: Nelson Santos [mailto:nsantos () gmail com] 
Sent: Tuesday, 11 January 2005 12:11 Early
To: Sec Basic
Subject: Stack Overflow

Hi list,

  My question is: can programs made with newer languages (Java and
.NET) have buffer overflow exploits?

Tnx,
Nelson Santos
Previous By Date Next
Previous By Thread Next

Current thread: