Bugtraq mailing list archives
Re: WordPad/riched20.dll buffer overflow
From: crispin () CSE OGI EDU (Crispin Cowan)
Date: Sun, 28 Nov 1999 03:19:01 +0000
Aleph, please kill my article if someone else says it better/first. I've been waiting in silence for Solar Designer to speak up and end the debate about how to do this, but I guess he's away from his e-mail. Glynn Clements wrote:
> Christopher Rhodes wrote:
> > I think one of the major problems with the Linux implementation, and apparently Windows too, is that no one pays attention to the added security provided by segmentation (at least to the point of putting the stack on a different segment?)
>
> Having separate non-overlapping stack and data segments causes a great many problems if you want to be able to write programs in C, given that a data pointer has to be able to record the address of any variable, regardless of whether it is static (data segment) or automatic (stack segment).

This work has already been done: there is a kernel patch for Linux that makes the stack segment non-executable. For details, go read Solar's source: http://www.openwall.com/linux/

> There are workarounds (i.e. forgoing the simplicity of a flat memory model), but these are invariably either inefficient (e.g. the "huge" memory model found on 16-bit x86 C compilers), or not actually C (e.g. the "near" and "far" keywords in the language-which-looks-like-C-but-isn't that was commonly used for 16-bit x86 development).

The kernel patch makes no such compromise. As near as I can tell, it is completely performance neutral, and largely transparent. The only compromise is that special handling for signal delivery is required, which the kernel patch provides.

> Also, using segmentation pretty much guarantees that your OS cannot be made to run on anything other than the x86 architecture (which is about the worst of the bunch; no sane person would use x86 if it wasn't for the compatibility issues).

Other, more sane, processors provide for read & no-execute pages, so you use a different kernel MMU mechanism to make the stack non-executable. Thus, Casper Dik has a similar kernel enhancement for Solaris that makes the stack non-executable.

Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc.  http://wirex.com
Free Hardened Linux Distribution:               http://immunix.org
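The two mechanisms argued over above (a segment-level non-executable stack on x86 versus per-page no-execute on other MMUs) are observable from user space with a small probe. The following is an added example, not code from this thread, from Solar Designer's Openwall patch or from Casper Dik's Solaris change. It assumes a Linux/glibc system on x86-64 or AArch64 and uses a constructed, hand-assembled stub that simply returns 42: the stub is copied into an anonymous page mapped with a chosen protection, and separately into an automatic buffer on the stack, and the program reports whether the MMU let the control transfer through or raised SIGSEGV. `probe_page`, `probe_stack` and the stub bytes are this example's own names and values.

```c
/* Probe whether the MMU permits executing data pages and the stack.
 * Added example; assumes Linux on x86-64 or AArch64 with glibc. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

#define PROBE_FAULTED (-1)   /* fetch from the target raised SIGSEGV/SIGBUS */
#define PROBE_ERROR   (-2)   /* mmap/mprotect refused the request          */

#if defined(__x86_64__)
/* Constructed stub: endbr64 ; mov eax, 42 ; ret */
static const unsigned char stub[] = {
    0xF3, 0x0F, 0x1E, 0xFA, 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };
#elif defined(__aarch64__)
/* Constructed stub: bti c ; movz w0, #42 ; ret (each word little-endian) */
static const unsigned char stub[] = {
    0x5F, 0x24, 0x03, 0xD5, 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 };
#else
#error "stub is only provided for x86-64 and AArch64"
#endif

static sigjmp_buf fault_env;

static void on_fault(int sig)
{
    (void)sig;
    siglongjmp(fault_env, 1);
}

/* Jump to the stub already placed at `code`.  Returns 42 if the MMU
 * allowed the instruction fetch, PROBE_FAULTED if it trapped. */
static int try_execute(unsigned char *code)
{
    union { unsigned char *p; int (*fn)(void); } u;
    struct sigaction sa, old_segv, old_bus;
    volatile int result = PROBE_FAULTED;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);

    if (sigsetjmp(fault_env, 1) == 0) {
        u.p = code;
        result = u.fn();            /* control transfer into data */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return result;
}

static void place_stub(unsigned char *dst)
{
    memcpy(dst, stub, sizeof stub);
    /* AArch64 has split I/D caches; on x86 this is a no-op. */
    __builtin___clear_cache((char *)dst, (char *)(dst + sizeof stub));
}

/* Map one anonymous page RW, write the stub, switch it to `prot`, probe.
 * Mapping RW first means the copy itself can never fault. */
int probe_page(int prot)
{
    size_t pagesz = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, pagesz, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    int r;
    if (page == MAP_FAILED)
        return PROBE_ERROR;
    place_stub(page);
    if (mprotect(page, pagesz, prot) != 0) {
        munmap(page, pagesz);
        return PROBE_ERROR;
    }
    r = try_execute(page);
    munmap(page, pagesz);
    return r;
}

/* The same probe against an automatic buffer, i.e. the process stack. */
int probe_stack(void)
{
    unsigned char buf[64];
    place_stub(buf);
    return try_execute(buf);
}

int main(void)
{
    printf("RW page : %s\n", probe_page(PROT_READ | PROT_WRITE) == 42 ? "executable" : "blocked");
    printf("RX page : %s\n", probe_page(PROT_READ | PROT_EXEC) == 42 ? "executable" : "blocked");
    printf("stack   : %s\n", probe_stack() == 42 ? "executable" : "blocked");
    return 0;
}
```

On a kernel that enforces page-level no-execute, the RW page is blocked, the RX page runs, and the stack result depends on how the binary was linked. The stack case is also where the "special handling for signal delivery" mentioned above bites: a signal-return trampoline placed on a non-executable stack would trap in exactly the way this probe does, which is why a non-executable-stack patch has to treat that return path specially.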