Re: WordPad/riched20.dll buffer overflow

From: Crispin Cowan (crispinat_private)
Date: Sat Nov 27 1999 - 19:19:01 PST

    Aleph, please kill my article if someone else says it better/first.  I've been
    waiting in silence for Solar Designer to speak up and end the debate about how
    to do this, but I guess he's away from his e-mail.
    
    Glynn Clements wrote:
    
    > Christopher Rhodes wrote:
    > > I think one of the major problems with the Linux implementation, and
    > > apparently windows too, is that no one pays attention to the added security
    > > provided by segmentation (at least to the point of putting the stack on a
    > > different segment?)
    >
    > Having separate non-overlapping stack and data segments causes a great
    > many problems if you want to be able to write programs in C, given
    > that a data pointer has to be able to record the address of any
    > variable, regardless of whether it is static (data segment) or
    > automatic (stack segment).
    
    This work has already been done:  there is a kernel patch for Linux that makes
    the stack segment non-executable.  For details, go read Solar's source:
    http://www.openwall.com/linux/
    
    
    > There are workarounds (i.e. foregoing the simplicity of a flat memory
    > model), but these are invariably either inefficient (e.g. the "huge"
    > memory model found on 16-bit x86 C compilers), or not actually C (e.g.
    > the "near" and "far" keywords in the language-which-looks-like-C-but-isn't
    > that was commonly used for 16-bit x86 development).
    
    The kernel patch makes no such compromise.  As near as I can tell, it is
    completely performance neutral, and largely transparent.  The only compromise
    is that special handling for signal delivery is required, which the kernel
    patch provides.
    
    
    > Also, using segmentation pretty much guarantees that your OS cannot be
    > made to run on anything other than the x86 architecture (which is
    > about the worst of the bunch; no sane person would use x86 if it wasn't
    > for the compatibility issues).
    
    Other, more sane, processors provide for read & no-execute pages, so you use a
    different kernel MMU mechanism to make the stack non-executable.  Thus, Casper
    Dik has a similar kernel enhancement for Solaris that makes the stack
    non-executable.
    
    Crispin
    -----
    Crispin Cowan, CTO, WireX Communications, Inc.    http://wirex.com
    Free Hardened Linux Distribution:                 http://immunix.org
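The kernel-level decision Crispin describes (whether the process stack may be executed) is something a practitioner will want to verify per binary. As an added example, not code from this thread or from the Openwall patch, the following parses the PT_GNU_STACK program header that later Linux kernels consult for exactly this decision; the ELF64 sample images are constructed inline, and only little-endian ELF64 is handled.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program-header type the kernel reads for stack permissions
PF_X = 0x1                 # executable flag in p_flags

def stack_executable(elf: bytes):
    """True/False for an explicit PT_GNU_STACK request, None if the header is absent.
    Assumption: little-endian ELF64 input (ELFCLASS64, ELFDATA2LSB)."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    # e_phoff, e_phentsize and e_phnum locate the program-header table
    (_ident, _type, _machine, _ver, _entry, phoff, _shoff, _flags,
     _ehsize, phentsize, phnum, *_rest) = struct.unpack_from("<16sHHIQQQIHHHHHH", elf, 0)
    for i in range(phnum):
        p_type, p_flags = struct.unpack_from("<II", elf, phoff + i * phentsize)
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return None

def describe_stack(elf: bytes) -> str:
    """Human-readable verdict; an absent header leaves the kernel default,
    which on x86 has historically been an executable stack."""
    verdict = stack_executable(elf)
    if verdict is None:
        return "no PT_GNU_STACK: kernel default (executable on legacy x86)"
    return "executable stack requested" if verdict else "non-executable stack"

def build_elf(phdrs) -> bytes:
    """Constructed sample: a minimal ELF64 image carrying only the given
    (p_type, p_flags) program headers, placed right after the 64-byte header."""
    phoff = 64
    ehdr = struct.pack("<16sHHIQQQIHHHHHH",
                       b"\x7fELF\x02\x01\x01" + b"\x00" * 9,  # magic, 64-bit, LE, v1
                       2, 0x3E, 1, 0, phoff, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0x10)
                    for t, f in phdrs)
    return ehdr + body

if __name__ == "__main__":
    for name, hdrs in [("hardened", [(1, 5), (PT_GNU_STACK, 6)]),
                       ("exec-stack", [(PT_GNU_STACK, 7)]),
                       ("no-header", [(1, 5)])]:
        print(name, "->", describe_stack(build_elf(hdrs)))
```

To inspect a real file, pass `open(path, "rb").read()` to `describe_stack`; `readelf -lW` shows the same GNU_STACK line for comparison.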
    