Re: Stack Shield 0.6 beta released

From: Crispin Cowan (crispinat_private)
Date: Mon Nov 01 1999 - 15:28:38 PST


vendicatorat_private wrote:

> A new version of Stack Shield has been released. It includes
> the new protection for "function pointer" attacks and some
> minor bug fixes.
>
> http://www.angelfire.com/sk/stackshield

I'm intrigued by the claim to protect against function pointer attacks.
I read the TECHNICAL file included with the download, and can't figure
out what you're doing.  Here's the relevant text from the
TECHNICAL file:

    The secondary protection method handles the function pointer
    overwrite exploit class. When a buffer overflow causes the overwrite
    of a function pointer with an arbitrary address (usually of some
    location in the buffer) and the function pointer is called, the
    program will execute the attacker's code without being detected by
    the primary method, since the RET address will not have been
    modified. Also the execution of the shell code may take place before
    the execution of the function epilogue.

    The secondary method adds a portion of code in the beginning of the
    asm file and before each function call with a non-constant
    parameter. The header declares a variable in the DATA segment. The
    part inserted before the calls checks if the parameter value is not
    in the DATA or in the STACK segment. This is done by comparing the
    parameter with the previously declared variable address. If the
    parameter is greater, it is in the DATA or in the STACK segment (or
    outside the process memory space). In this case the program is
    terminated via an exit() system call, returning a nonzero value.

    This method can cause errors in programs that normally execute asm
    code in the DATA or in the STACK segment. If you experience
    unexpected program terminations not caused by attack attempts, use
    the Stack Shield -f flag to disable this protection method.

Based on this, I can make some guesses as to what your function pointer
defense is, but they'd just be guesses.  What "parameter" is it that
you're checking?

Thanks,
    Crispin
-----
Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
Free Hardened Linux Distribution:                 http://immunix.org
    
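The address-range check the quoted TECHNICAL file describes, reconstructed as an added C illustration (this is not Stack Shield's own code, and the symbol names are hypothetical): a marker variable lives in the DATA segment, and any indirect-call target at or above its address is refused. The demo also exercises the false positive the file warns about, since on the usual Linux layout heap memory sits above DATA as well.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Marker declared in the DATA segment (hypothetical name; the TECHNICAL
 * file names no symbol). Everything at or above it is treated as
 * DATA/STACK/heap or outside the image; only lower addresses (TEXT) pass. */
static volatile int ss_data_marker = 1;

typedef void (*handler_t)(void);

/* The check: 1 if ADDR is below the marker (a legitimate code address on
 * the classic TEXT < DATA < heap < STACK layout), 0 otherwise. */
int ss_pointer_is_safe(uintptr_t addr)
{
    return addr < (uintptr_t)&ss_data_marker;
}

/* Stand-in for the code inserted before a call through a non-constant
 * target. Returns 1 if the call was made, 0 if refused; the real tool
 * would exit() with a nonzero status instead of returning. */
int ss_checked_call(handler_t fp)
{
    if (!ss_pointer_is_safe((uintptr_t)fp))
        return 0;
    fp();
    return 1;
}

static void legitimate_handler(void) { puts("legitimate handler ran"); }

/* Constructed scenario: a stack buffer standing in for the bytes a
 * corrupted pointer might be made to point at, and a heap block standing
 * in for code a program legitimately placed outside TEXT (the -f case). */
int demo(void)
{
    unsigned char stack_buf[64];
    unsigned char *heap_buf = malloc(64);
    int text_ok  = ss_pointer_is_safe((uintptr_t)legitimate_handler);      /* 1 */
    int stack_ok = ss_pointer_is_safe((uintptr_t)stack_buf);               /* 0 */
    int heap_ok  = heap_buf ? ss_pointer_is_safe((uintptr_t)heap_buf) : 0; /* 0 */
    free(heap_buf);
    return text_ok && !stack_ok && !heap_ok;
}

int main(void)
{
    return (ss_checked_call(legitimate_handler) && demo()) ? 0 : 1;
}
```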
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:09:20 PDT