Re: Buffer overflow prevention

["Matt D. Harris" <vesper () depraved org>]

Theo de Raadt wrote:
> > Solaris 2.6 and above also support a kernel variable which can be set 
> > via /etc/system called "noexec_user_stack", which can make the stack for 
> > userland processes non-executable by default.  Note that this behavior 
> > is the default for 64-bit binaries in Solaris 7, 8, and 9, and this 
> > kernel variable forces the behavior for 32-bit binaries.  I run all 
> > sorts of odd software and have never had an issue with having this 
> > always turned on for all of my systems.
>
>
> You just don't get it, do you?  Are you even reading what people are
> saying?  Protecting just the stack is basically useless.  99.9% of
> exploits that use the stack can be rewritten to NOT use the stack!
>
> But W^X protects THE ENTIRE ADDRESS SPACE.

That's fine.  I'm not pointing out this functionality as some sort of 
be-all-end-all fix for everything.  I'm simply pointing out a function 
that a system provides that people may find useful.  And how many script 
kiddies are resourceful enough to re-write an exploit to *not* use the 
stack?  The fact is, simply preventing the stack isn't perfect.  But 
it's not entirely worthless, either.  To call anything that does 
something useful entirely worthless is just downright silly.  In today's 
day and age, one should do everything possible to protect themselves, 
whether it's going to be effective 1% of the time of 99% of the time. 
So, when are you releasing the Solaris kernel module to support the W^X 
stuff?  Someone who's so married to a specific bit of defense would 
certainly want to release it to as many potential users as possible, 
whether they use OpenBSD or not, right?  :-)