Protection against buffer overflows: when your anchor is washed away, then you are overflowed and refuse to RET

From: Exurity Inc. (exurityat_private)
Date: Fri Apr 11 2003 - 17:20:04 PDT


    Hi, Everyone on this list:
    Please find at http://members.rogers.com/exurity/pdf/AntiOverflows.pdf a
    research paper on an anchoring mechanism to protect against overflow
    exploitation. The concept presented is to utilize the address (and/or a
    system-wide random number) of a structure or memory block to detect whether
    the memory block above the anchor in memory address has been overflowed. If
    it detects it has been overflowed, then protective steps such as generating
    a single-step exception on x86 can be taken.
    This article explains in depth the protection mechanisms for the following
    exploitations of overflowing:
    
    • Against Off-By-One Exploitation Of Overflowed Stack
    • Against Exploitation of Heap Overflow and Memory Trampling
    • Against Exploitation of Overflowed Structured Exception Handling (SEH) Frame Like Code Red
    • Against Brute Force Exploitation of RET in WebDAV Exploit Scheme
    • Application of Anti-Overflow Concepts in Daily Programming

    Peter Huang
    http://members.rogers.com/exurity/
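
The anchoring idea summarized in the message above, as an added C example that is not taken from the post or the linked paper. The struct layout, all function names, the XOR of the anchor's address with the secret, and the choice to refuse the call rather than raise a single-step exception are assumptions made for illustration.

```c
#include <stdint.h>
#include <string.h>

static uintptr_t g_secret;   /* process-wide random value */
static int g_calls;          /* counts handler invocations in this demo */
static void count_call(void) { g_calls++; }

struct anchored_block {
    char      data[16];        /* payload a careless copy may overrun */
    uintptr_t anchor;          /* next higher address after data */
    void    (*handler)(void);  /* sensitive pointer the anchor guards */
};

/* Assumption: the caller passes a value drawn from the OS CSPRNG at startup. */
void anchor_set_secret(uintptr_t s) { g_secret = s; }

/* The anchor is its own address XOR the secret, so it differs per block. */
static uintptr_t expected_anchor(const struct anchored_block *b) {
    return (uintptr_t)&b->anchor ^ g_secret;
}

void block_init(struct anchored_block *b, void (*h)(void)) {
    memset(b->data, 0, sizeof b->data);
    b->anchor = expected_anchor(b);
    b->handler = h;
}

int block_intact(const struct anchored_block *b) { return b->anchor == expected_anchor(b); }

/* Refuse to follow the pointer once the anchor has been overwritten. */
int block_dispatch(struct anchored_block *b) {
    if (!block_intact(b)) return -1;
    b->handler();
    return 0;
}

/* Stand-in for the bug: copies n bytes with no check against sizeof data. */
void unchecked_copy(struct anchored_block *b, const char *src, size_t n) {
    memcpy((char *)b, src, n);
}

int main(void) {
    struct anchored_block b;
    char junk[sizeof b.data + sizeof b.anchor];
    anchor_set_secret((uintptr_t)0x5bd1e995u);  /* constructed demo value */
    block_init(&b, count_call);
    memset(junk, 'A', sizeof junk);
    unchecked_copy(&b, junk, sizeof junk);      /* overruns data into anchor */
    return block_dispatch(&b) == -1 ? 0 : 1;    /* 0: overflow was detected */
}
```

Because the expected value depends on where the anchor lives, a valid anchor copied from one block does not validate in another.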
    