> StackGuard: Automatic Detection and Prevention of Buffer-Overflow Attacks

From the online paper:

> StackGuard detects and defeats stack smashing attacks by protecting the
> return address on the stack from being altered. StackGuard has two
> mechanisms to protect the return address: one provides greater assurance,
> and the other provides greater performance.

You are only protecting the return address. This means many programs will
still be vulnerable to overflow attacks. In particular you don't protect the
overflow of locals in a procedure, nor the overflow of globals in the data
segment or heap. While it does stop the "cookbook" stack overflow attacks, it
does not really put an end to the problem. Consider for example the following
(contrived but not entirely fictional) example:

    #include <stdio.h>
    #include <unistd.h>

    int main(void)
    {
        int save_uid;
        char buf[10];
        FILE *fp;

        save_uid = getuid();
        setuid(0);
        fp = fopen("input", "r");
        fscanf(fp, "%s", buf);   /* unbounded read: can overrun buf into the adjacent save_uid */
        setuid(save_uid);
        return 0;
    }

Overflowing the buffer will allow the user to increase his privilege for the
duration of the program execution, which may be a very bad thing.

Yup. In fact, the first buffer overflow security problem I know of was in an
early version of UNIX -- 6th Edition, I think; possibly 5th -- where the
'logged in' flag in login.c was adjacent to an input buffer...
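The failure mode discussed above (an unbounded `%s` read clobbering a security-relevant integer that happens to sit next to the buffer, which a return-address canary never notices) is something a defender fixes at the read itself, not at the return address. The following is an added example written for this archive page; it is not code from the thread, from the StackGuard project, or from the UNIX sources mentioned. The names `frame_model`, `read_token_bounded` and the `demo_*` helpers are hypothetical, and the hostile input line is constructed for the demonstration. The struct stands in for the adjacent locals in the post: inside a struct, member order is guaranteed, so the check that `save_uid` survives a hostile line is deterministic rather than layout-dependent.

```c
#include <stddef.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

/* Models the layout from the post: a 10-byte input buffer with a
   security-relevant integer placed directly after it.  (hypothetical) */
struct frame_model {
    char buf[10];
    int  save_uid;   /* stands in for the adjacent local the post describes */
};

/* Bounded replacement for fscanf(fp, "%s", buf): copies one
   whitespace-delimited token from `input` into `dst`, writing at most
   `dstlen` bytes including the terminator.  Returns 1 if the token was
   longer than fits (a signal worth logging: the input was malformed or
   hostile), 0 otherwise.  Never writes past dst[dstlen - 1].  (hypothetical) */
int read_token_bounded(const char *input, char *dst, size_t dstlen)
{
    size_t n = 0;
    if (dstlen == 0)
        return 1;
    while (*input && isspace((unsigned char)*input))
        input++;                                   /* skip leading whitespace */
    while (input[n] && !isspace((unsigned char)input[n]) && n < dstlen - 1) {
        dst[n] = input[n];
        n++;
    }
    dst[n] = '\0';
    /* Truncated if the token continues past what we stored. */
    return input[n] != '\0' && !isspace((unsigned char)input[n]);
}

/* Constructed sample: far longer than the 10-byte buffer, the kind of line
   that would overrun buf into save_uid with the unbounded read. */
static const char kHostileLine[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n";

/* Runs the bounded reader over the hostile line with save_uid set to a
   constructed unprivileged uid (1000) and returns the uid afterwards.
   With the bounded reader the value is unchanged.  (hypothetical) */
int demo_uid_after_hostile_line(void)
{
    struct frame_model f;
    memset(&f, 0, sizeof f);
    f.save_uid = 1000;
    (void)read_token_bounded(kHostileLine, f.buf, sizeof f.buf);
    return f.save_uid;
}

/* Returns the truncation flag for the hostile line (1 = truncated). */
int demo_hostile_line_truncated(void)
{
    char buf[10];
    return read_token_bounded(kHostileLine, buf, sizeof buf);
}

/* Returns the length of the token copied from a benign constructed line;
   "hello world" yields "hello", so 5, with no truncation reported. */
int demo_benign_token_len(void)
{
    char buf[10];
    if (read_token_bounded("hello world\n", buf, sizeof buf) != 0)
        return -1;
    return (int)strlen(buf);
}

int main(void)
{
    printf("save_uid after hostile line: %d (truncated=%d)\n",
           demo_uid_after_hostile_line(), demo_hostile_line_truncated());
    printf("benign token length: %d\n", demo_benign_token_len());
    return 0;
}
```

The truncation flag is the part worth keeping in a real program: a silently truncated token is itself a signal that the input should be rejected, and it is cheaper to detect at the read than to reconstruct later from a corrupted uid. The same bound can be expressed with a width in the format string (`"%9s"` for a 10-byte buffer), but a width that must be kept in sync with the array size by hand is exactly the kind of thing that drifts when the buffer is resized.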
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 13:37:03 PDT