Firewall Wizards mailing list archives
question on buffer overflow (was RE: Extreme Hacking)
From: "Choi, Byoung" <bchoi () visa com>
Date: Fri, 9 Jul 1999 10:56:04 -0700
i have a dumb question: a local buffer can be overflown to overwrite the thread's stack (if the code doesn't check for the EOB). overwriting the stack can change the flow of the code, and possibly redirect it to rogue code inserted. but what's the "typical" (if there is one) technique?

it all seems rather precarious: the rogue code is platform-dependent (machine code, etc.), and the exploit must anticipate the stack frame location where it will get overwritten so that

1. the address dependence of the rogue code is satisfied
2. control flow is correctly redirected to the rogue code.

am i in the ball park? i would appreciate it if someone can enlighten me.

byoung

----------
From: Stephen P. Berry[SMTP:spb () incyte com]
Reply To: Stephen P. Berry
Sent: Tuesday, July 06, 1999 4:59 PM
To: Marcus J. Ranum
Cc: Kunz, Peter; firewall-wizards () nfr net; spb () incyte com
Subject: Re: Extreme Hacking

In message <3.0.6.32.19990705162655.007ce960 () mail clark net>, "Marcus J. Ranum" writes:

> A number of "reputable" security companies develop their own hacking techniques. I'm not sure what the justification is -- other than that it just comes naturally, since they tend to hire "ex-"hackers. It'd be unrealistic to expect those guys to stop thinking in terms of how systems are broken into, and to shift their thought-patterns into thinking about how to keep systems secure.

I'm not sure that the two are necessarily entirely distinct. I know I wouldn't rely on a cryptosystem that wasn't designed by or at least reviewed by one or more competent cryptanalysts. Or rely on code written by someone unfamiliar with what a buffer overflow is or how it is exploited[1].

The fundamental problem I see in general is a focus on teaching implementation over theory. The vast majority of hacking (for this sense of `hacking') involves dicking around with implementation problems. That's fine as far as that goes---in security, all the implementation warts and technicalities count. The problem is that being able to break things (even very proficiently) doesn't necessarily make you any better prepared for fixing them...or even preventing other people from breaking them. Theory can.

So I suspect that most employers would be better served by sending their security drones off to a `TCP/IP For Simpering Cretins' class or something similar, rather than something ostensibly teaching hacking techniques.

Mod: I have grave reservations about the n hour one-shot course as a pedagogical tool for teaching security practices in general. I think the apprentice/journeyman/master system would be more appropriate.

> Here's a thought: when one of us gets broken into using one of the secret new techniques that E&Y is teaching, let's sue E&Y for developing it and disclosing it irresponsibly. They've got deep pockets.

The deep pockets are presumably why Ernst and Young would make a more attractive target for annoyance litigation than, say, Richard Stevens or Linus Torvalds (for example)...both of whom have probably taught more bad guys how to commit Evil Deeds than Ernst and Young ever will[2].

Random aside: At least they didn't call it `Xtreme hacking' or something even goofier like that[3].

-Steve

-----
1 Mod if it's code to be used on a 370 or some such goddamn thing.
2 Not to mention bugtraq or any of a number of other public full-disclosure lists.
3 I wonder if the course materials have been run through a warez d00dz filter.
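The end-of-buffer check that Byoung's question turns on, as an added illustration that is not part of the original thread: an unbounded copy into a fixed-size local array beside a length-checked copy that refuses input which does not fit. The function and buffer names and the sample strings are made up for the example.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16   /* hypothetical size of the local array */

/* The defect Byoung describes: no end-of-buffer check.  A caller-controlled
 * string longer than NAME_LEN-1 bytes is written past name[] into whatever
 * the compiler placed after it in this stack frame (saved registers, the
 * return address), which is how control flow ends up redirected.  Shown only
 * to make the missing check visible; it is never given untrusted input here. */
int copy_name_unchecked(const char *src)
{
    char name[NAME_LEN];
    strcpy(name, src);                 /* writes strlen(src)+1 bytes, unconditionally */
    return (int)strlen(name);
}

/* The hardened form: the caller states the destination size and the copy is
 * refused when the source (plus its NUL terminator) would not fit, so the
 * write can never reach beyond dst[].  Returns 0 on success, -1 if rejected. */
int copy_name_checked(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (dst_len == 0 || n >= dst_len)  /* n == dst_len-1 is the largest that fits */
        return -1;
    memcpy(dst, src, n + 1);           /* n bytes plus the terminator */
    return 0;
}

int main(void)
{
    char name[NAME_LEN];
    /* constructed sample inputs */
    const char *short_in = "alice";
    const char *long_in  = "this string is far longer than sixteen bytes";

    printf("short input: %d\n", copy_name_checked(name, sizeof name, short_in)); /* 0 */
    printf("long input:  %d\n", copy_name_checked(name, sizeof name, long_in));  /* -1 */
    return 0;
}
```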