Re: Stack growth direction to thwart buffer overflow attacks
From: Nick Maclaren (nmm1_at_cus.cam.ac.uk)
Date: 08/14/03
- Next message: Security Alert: "SSRT3585 Potential Security Vulnerability in PHNE_26413 and PHNE_27128 (rev.2)"
- Previous message: Ken Hagan: "Re: Stack growth direction to thwart buffer overflow attacks"
- In reply to: Ken Hagan: "Re: Stack growth direction to thwart buffer overflow attacks"
- Next in thread: Bill Unruh: "Re: Stack growth direction to thwart buffer overflow attacks"
- Reply: Bill Unruh: "Re: Stack growth direction to thwart buffer overflow attacks"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 14 Aug 2003 09:27:06 GMT
In article <bhfiqa$i4d$1$8302bc10@news.demon.co.uk>,
"Ken Hagan" <K.Hagan@thermoteknix.co.uk> writes:
|> Douglas Siebert wrote:
|> >
|> > I'd
|> > like to see it create hidden internal variables attached to every
|> > array whether global, automatic or created via malloc() that are
|> > checked
|> > when writing to that string, calls to e.g., sprintf and strcpy
|> > replaced
|> > with calls to snprintf and strncpy, including appropriate termination
|> > via SIGABRT or whatever when the buffer is exceeded, etc.
|>
|> I don't think we need run-time support for this.
|>
|> Simply removing sprintf, strcpy and friends from the headers allows
|> the compile time detection of *these* cases. The resulting compiler
|> errors are either trivial to fix or something that shouldn't be let
|> out of the door. (Why? Well, either you know size of the target
|> buffer, in which case that's what you write for the extra parameter,
|> or you don't in which case how do you know it won't overflow?)
Agreed.
|> I think the honest truth is that buffer overflows can be all but
|> eliminated from real life C and C++ programs but that we haven't
|> been hit by enough worms yet.
That is not so. We could remove almost all, but such things are
an inherent problem in languages like C and C++.
Replacing sprintf by snprintf etc. does VERY little good unless
you can GUARANTEE that the length passed to the latter is the
correct one, is maintained correctly as the buffer is manipulated
AND there will be no overlaps. So all you are doing is moving the
problem around. Used appropriately, the strnxxx functions can help
to reduce buffer overflows, but they are not a solution.
Some of the qmail flammifers attacked Exim on this topic a while
back, basing their claims of Exim's insecurity on the purest dogma.
I checked the code. All but 6 uses of strcpy (the claimed loophole)
were obviously safe, 4 took me a minute to check, 1 could cause
buffer overflow only following a local root compromise, and only 1
was in any way 'real'. Even that needed a DNS corruption (sic) to
get past the information calls before there could be any trouble.
I have also looked at several codes that use strnxxx religiously.
Checking them was harder than checking Exim, because they were less
clean. In several cases, there was the potential for buffer
overflows by confusing the calculation of offsets and lengths,
such as by triggering undetected overflow.
TANSTAAFL.
The ONLY cure is an architected language where either the compiler
or the program can GUARANTEE to detect such things. There are (at
least theoretically) such languages, but C and C++ are not in that
category and cannot practically be extended or constrained to be
in it.
Regards,
Nick Maclaren.
- Next message: Security Alert: "SSRT3585 Potential Security Vulnerability in PHNE_26413 and PHNE_27128 (rev.2)"
- Previous message: Ken Hagan: "Re: Stack growth direction to thwart buffer overflow attacks"
- In reply to: Ken Hagan: "Re: Stack growth direction to thwart buffer overflow attacks"
- Next in thread: Bill Unruh: "Re: Stack growth direction to thwart buffer overflow attacks"
- Reply: Bill Unruh: "Re: Stack growth direction to thwart buffer overflow attacks"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
