Bugtraq mailing list archives
Re: Smashing the Stack: prevention?
From: shields () CROSSLINK NET (Michael Shields)
Date: Mon, 28 Apr 1997 19:38:33 -0000
1. 'you gotta change the code' This one is obvious; people must change their SUID programs' source code to avoid nasty things like gets() sprintf() strcat() and strcpy() using things like fgets() strncat() strncpy() as substitutes. (there are many more 'problem' functions, i'm only listing a few here). Any unbounded byte copying is suspect to buffer overruns, and needs to be examined and changed. The drawbacks are obvious, thousands of lines of source need to be changed/examined, re-written.
However, it's important to remember that such auditing buys you not just a secure program but a robust program as well. So it is something you would want to do anyway, even if the programs were not suid. The security issue just gives it urgency. Security and robustness really go hand in hand -- they both involve thinking about the ranges of allowable inputs and responses, and limiting them so undesirable responses are not produced. -- Shields, CrossLink.
Current thread:
- Sun Security Bulletin #00139, (continued)
- Sun Security Bulletin #00139 Sun Security Coordination Team (Apr 29)
- SMASHING THE STACK: PREVENTION? massimo at vnet.ibm.com (Apr 28)
- Re: SMASHING THE STACK: PREVENTION? Alex Belits (Apr 28)
- Re: SMASHING THE STACK: PREVENTION? Thomas H. Ptacek (Apr 29)
- Re: Smashing the Stack: prevention? Tim Newsham (Apr 27)
- Re: Smashing the Stack: prevention? Joe Zbiciak (Apr 28)
- Re: Smashing the Stack: prevention? Daniel Ryde (Apr 28)
- xlock clarification.... David Hedley (Apr 28)
- Re: Smashing the Stack: prevention? Steve Coleman - SEWP (Apr 28)
- Re: Smashing the Stack: prevention? Alexander Snarskii (Apr 28)
- Re: Smashing the Stack: prevention? Michael Shields (Apr 28)
- Re: Smashing the Stack: prevention? Theo de Raadt (Apr 28)
- Re: Smashing the Stack: prevention? Shawn Instenes (Apr 29)
- Re: Smashing the Stack: prevention? J.R.Valverde (Apr 28)
- Re: Smashing the Stack: prevention? Randal Schwartz (Apr 28)
- Re: Smashing the Stack: prevention? Thomas H. Ptacek (Apr 29)
- Re: Smashing the Stack: prevention? J.R.Valverde (Apr 29)
- Re: Smashing the Stack: prevention? J.R.Valverde (Apr 29)