Re: Unexecutable Stack / Buffer Overflow Exploits...

Martin Dalecki (dalecki@cs.net.pl)
Sat, 01 Jan 2000 20:10:29 +0100


"Theodore Y. Ts'o" wrote:
>
> Date: Thu, 30 Dec 1999 18:21:34 -0800 (PST)
> From: Dan Hollis <goemon@sasami.anime.net>
>
> You're talking about stackguard right? I guess the problem here is that
> no one has ported stackguard to egcs yet. Would be nice though.
>
> No, I wasn't talking just about stackguard; other techniques do exist:
>
> * arranging so that the stack pointer contains a 0x00 byte to
> make it harder for null-terminated strings to be used to
> write a valid return address
>
> * at program start time, randomly changing the starting point of
> the stack by a few hundred kilobytes. (Since the starting
> location is changing randomly for every program
> invocation, guesses based on one process don't help
> eliminate possible guesses on another process.)
>
> * have libc do stack frame analysis, and then have certain
> functions (sprintf, memcpy, strcpy, etc.) not allow
> operations which overwrite stack frame boundaries.
>
> Both stackguard and the last option require some CPU overhead at
> run-time; the first two don't require any overhead at all. Note that
> some of the approaches, such as changing the stack location randomly, will
> stop certain attacks that the Solar Designer patch won't catch.

I would just like to point out that all of the proposed stuff above can
be mostly done at the libc level instead of the kernel.

For example you could just change the crt0 code to look along the lines
of the following:

#include <stdlib.h>
#include <alloca.h>

int main()
{
	char *trash = alloca(RANDOM_NUMBER_BETWEEN_0_AND_128K); /* shift the stack by a random amount */
	(void)trash;

	/* ... go on. */
}

Just to make sure the exploit can't rely any longer on having a given
stack location at some point inside the program. Similarly one could
make up for a concrete stack start location...

BTW. It could just make sense to add such kind of code at the startup
of some daemons explicitly.

The text address games can be done inside ld.so as well I think at least
for PIC code.

--
	Marcin Dalecki
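The alloca-in-main trick above, worked through as a complete program. This is an added example, not code from the thread or from any libc: it picks a pad size below the 128K figure from the post, burns that much stack before handing control to the rest of the program, and lets you measure how far a later frame actually moves. It assumes a GCC/Clang `noinline` attribute (so the probe frame really sits below the pad) and a Linux-like host with /dev/urandom; the time/pid fallback is only there so the demonstration runs anywhere, not as a real entropy source.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdint.h>
#include <stddef.h>
#include <time.h>
#include <unistd.h>
#include <alloca.h>

/* Largest pad we are willing to burn, matching the 128K figure in the post. */
#define STACK_PAD_MAX (128 * 1024)

/* Pick a pad size in [0, STACK_PAD_MAX), rounded down to 16 bytes so the usual
 * stack alignment is preserved. /dev/urandom is used when available; the
 * fallback mixes time and pid, which is fine for a demo and nothing else
 * (assumption: Linux-like host). */
size_t random_stack_pad(void)
{
    uint32_t r = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL || fread(&r, sizeof r, 1, f) != 1)
        r = (uint32_t)time(NULL) ^ ((uint32_t)getpid() << 16);
    if (f != NULL)
        fclose(f);
    return (size_t)(r % STACK_PAD_MAX) & ~(size_t)15;
}

/* Return the address of a local so a caller can see where this frame landed.
 * noinline keeps the frame real instead of folding it into the caller. */
__attribute__((noinline)) uintptr_t frame_probe(void)
{
    volatile char marker = 0;
    return (uintptr_t)&marker;
}

/* Shift the stack pointer down by `pad` bytes, then run `entry`. This is what
 * the crt0/main alloca in the post does for the whole rest of the program. */
__attribute__((noinline)) uintptr_t run_with_stack_pad(size_t pad, uintptr_t (*entry)(void))
{
    volatile char *trash = alloca(pad + 1);   /* +1 so the request is never zero */
    trash[0] = 0;                             /* touch it so it cannot be dropped */
    return entry();
}

/* Distance the probe frame moves when the pad grows from `small` to `large`. */
uintptr_t pad_shift(size_t small, size_t large)
{
    uintptr_t a = run_with_stack_pad(small, frame_probe);
    uintptr_t b = run_with_stack_pad(large, frame_probe);
    return a > b ? a - b : b - a;
}

int main(void)
{
    size_t pad = random_stack_pad();
    printf("pad this run: %zu bytes\n", pad);
    printf("probe address without pad: %#lx\n",
           (unsigned long)run_with_stack_pad(0, frame_probe));
    printf("probe address with pad:    %#lx\n",
           (unsigned long)run_with_stack_pad(pad, frame_probe));
    printf("shift for a 4 KiB pad: %lu bytes\n", (unsigned long)pad_shift(0, 4096));
    return 0;
}
```

Run it a few times and the padded probe address changes from run to run while the unpadded one (on a kernel without stack randomization) stays put; pad_shift shows the displacement is the alloca size, give or take alignment rounding. Note what this does and does not buy: a return address guessed from one run is unlikely to hit on the next, but the pad is spent for the life of the process, and a 128K window is small enough that a retrying attacker still gets a reasonable hit rate per attempt, which is why the post suggests it for specific daemons rather than as a blanket measure.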
