Re: Easily and Permanently prevent all stack buffer overflows



Nico wrote:

Wayne wrote:


Please, could you explain why reversing the stack growth
direction would not solve this security problem? I grant
such a drastic change to the memory system would cause
other problems, but maybe those are not insurmountable?

I appreciate your patience with my ignorance, and your
replies. Thanks!

Wouldn't you then have an "underflow" problem, allowing programs to
"underflow" into other regions of allocated memory? There's nothing
magic about it: if you have access to pointers, you can decrement them
as well as increment them. It might be easier to bounds-check them, I
admit.

Obviously in my ignorance I have not explained my idea well.
Sorry! How about this as an illustration:

crackme.c:

#include <string.h>

int main(int argc, char* argv[]) {
    char buf[20];
    if (argc < 2)          /* guard only against a missing argument */
        return 1;
    strcpy( buf, argv[1]); /* A bad idea! No bound on argv[1], so a long
                              argument runs past the end of buf. */
    return 0;
}

Now if crackme.c is compiled into crackme, and then run as:

crackme "A buffer overflow is an easy mistake to make but hard to find"

AFAIK, this causes a classic stack-based buffer overflow.
By crafting the string passed in you can over-write
the return address on the stack, causing a return into libc
and/or other nastiness.

Now, if the stack grew in the other direction, the over-flowing
text (" an easy mistake to make but hard to find\0") will
harmlessly over-write the unused stack space. An attacker armed
with "crackme" can't do anything about it. The programming error
is rendered harmless. (Well mostly harmless since the string may
over-write other local variables in that function.)

(And Nico, an attacker can't pass in a "negative length" string
to cause an "under-flow". :-)

Hopefully my idea is clearer now, and some knowledgeable
security folks here will explain why this isn't a good idea.

(I don't think it is; someone would have done it long
ago if it were a good idea. I just want to know why it's
a bad idea since I clearly don't "get it".
Then again, maybe I'm a security genius and just ahead
of my time with a brilliant idea? :-) )

-Wayne