Re: Privilege-escalation attacks on NT-based Windows are unfixable

From: David Hopwood
Date: 08/23/02

Date: Fri, 23 Aug 2002 16:58:06 +0000
From: David Hopwood <>


Barry Margolin wrote:
> David Wagner <> wrote:
> >Barry Margolin wrote:
> >>An analogy in the Unix world would be executable stacks, which many
> >>buffer-overflow exploits take advantage of.
> >
> >With respect, that seems like a poor choice of analogy. The real problem
> >is lack of array bounds checking in C and poor libraries, which is a
> >problem in the language and library, not the OS. Executable stacks are
> >not the problem, and non-executable stacks are not the fix. Making the
> >stack non-executable would not help; the restriction is easily bypassed
> >with alternate exploit techniques, and exploit scripts would quickly
> >use other methods. So I don't think this is such a great analogy.
> >
> >But that said, maybe it is a good enough analogy. The fault is
> >absolutely 100% with the C language and the standard libraries,

I wouldn't say 100%, but I would say 99%.

> >not with the applications.
> But given that programmers have *chosen* to program in a language with
> these known flaws, they are implicitly taking on the responsibility of doing
> their own checking. The analogy with Windows is apt: if you choose to
> write a privileged application that puts itself on the desktop, you must
> accept the responsibility of checking all messages to make sure that they
> won't violate your security.

There is a big practical difference: choosing a programming language need
not significantly limit the audience for your programs. Choosing an operating
system does necessarily limit your audience.

--
David Hopwood <>

Home page & PGP public key:
RSA 2048-bit; fingerprint 71 8E A6 23 0E D3 4C E5 0F 69 8C D4 FA 66 15 01
Nothing in this message is intended to be legally binding. If I revoke a
public key but refuse to specify why, it is because the private key has been
seized under the Regulation of Investigatory Powers Act; see
