vendicatorat_private wrote:

> A new version of Stack Shield has been released. It includes
> the new protection for "function pointer" attacks and some
> minor bug fixes.
>
> http://www.angelfire.com/sk/stackshield

I'm intrigued by the claim to protect against function pointer attacks. I read the TECHNICAL file included with the download, and can't figure out what you're doing. Here's the relevant text from the TECHNICAL file:

  The secondary protection method handles the function pointer overwrite exploit class. When a buffer overflow causes the overwrite of a function pointer with an arbitrary address (usually of some location in the buffer) and the function pointer is called, the program will execute the attacker's code without being detected by the primary method, since the RET address will not have been modified. Also the execution of the shell code may take place before the execution of the function epilog.

  The secondary method adds a portion of code in the beginning of the asm file and before each function call with a non-constant parameter. The header declares a variable in the DATA segment. The part inserted before the calls checks if the parameter value is not in the DATA or in the STACK segment. This is done by comparing the parameter with the previously declared variable address. If the parameter is greater, it is in the DATA or in the STACK segment (or outside the process memory space). In this case the program is terminated via an exit() system call, returning a nonzero value.

  This method can cause errors in programs that normally execute asm code in the DATA or in the STACK segment. If you experience unexpected program terminations not caused by attack attempts use the Stack Shield -f flag to disable this protection method.

Based on this, I can make some guesses as to what your function pointer defense is, but they'd just be guesses. What "parameter" is it that you're checking?

Thanks,
Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
Free Hardened Linux Distribution:                 http://immunix.org
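The check quoted from the TECHNICAL file can be modelled in C as follows. This is an added example, not Stack Shield's code and not part of the original message; it assumes the "parameter" is the indirect call target (which the message leaves open) and a conventional Linux ELF layout with code below the data segment. `data_marker`, `target_allowed` and `checked_call` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for the variable the TECHNICAL text says the header
 * declares in the DATA segment; initialised so it is placed in .data. */
static volatile int data_marker = 1;

/* 1 if the target lies below the marker (treated as code), 0 if it is at or
 * above it: DATA, heap, STACK, or outside the process memory space. */
static int target_allowed(uintptr_t target)
{
    return target < (uintptr_t)&data_marker;
}

static int greet(void) { return 42; }

/* Guarded indirect call: compare the target with the marker address first and
 * terminate with a nonzero status if the comparison fails. */
static int checked_call(int (*fn)(void))
{
    if (!target_allowed((uintptr_t)fn)) {
        fprintf(stderr, "call target %#lx rejected\n",
                (unsigned long)(uintptr_t)fn);
        exit(1);
    }
    return fn();
}

/* Address of a stack buffer, as an overwritten pointer would hold it. */
static int stack_target_allowed(void)
{
    unsigned char buf[64] = {0};
    return target_allowed((uintptr_t)buf);
}

/* Heap addresses also sit above the marker on this assumed layout. */
static int heap_target_allowed(void)
{
    void *p = malloc(64);
    int ok = p ? target_allowed((uintptr_t)p) : 0;
    free(p);
    return ok;
}

int main(void)
{
    printf("text=%d stack=%d heap=%d\n", target_allowed((uintptr_t)greet),
           stack_target_allowed(), heap_target_allowed());
    return checked_call(greet) == 42 ? 0 : 1;
}
```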
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:09:20 PDT