Re: IP Level Encryption
From: Robert Wessel (robertwessel2_at_yahoo.com)
Date: 12/13/03
- Previous message: Scott Wilber: "Re: Good enough for crypto?"
- In reply to: Henrick Hellström: "Re: IP Level Encryption"
- Next in thread: Henrick Hellström: "Re: IP Level Encryption"
- Reply: Henrick Hellström: "Re: IP Level Encryption"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 12 Dec 2003 21:17:41 -0800
Henrick Hellström <henrick.hellstrm@telia.com> wrote in message news:<4lgCb.41746$dP1.161355@newsc.telia.net>...
> Robert Wessel wrote:
>
> > The problem is not where the data is stored, but with unbounded
> > pointers. Most language implementations store procedure-local
> > variables and objects in a stack (or stack-like) structure, even those
> > that are not subject to buffer overruns.
>
> The problem *is* where the data is stored. The CPU can't tell a pointer
> to data from a pointer to code. If you store variable sized data on the
> stack, it might be followed by a return address (i.e. to code) and there
> is no way for the CPU to know that unless your code tells it that's the
> way it is. For that reason, it is safer to only store values of simple
> types and pointers (to both data and code) on the stack. That way you
> will not corrupt the return address if you write past the end of a buffer.
*sigh*
struct abc {char c[8]; int (*func)(int);};  /* 8-byte buffer immediately followed by a function pointer */
...
struct abc *pabc;
pabc = malloc(sizeof(struct abc));
pabc->func = somefunction;
...
strcpy(pabc->c, "abcdefgh\x12\x34\x56\x78"); /* 12 bytes + NUL into c[8]: runs off the end into func */
(pabc->func)(1); /* now calls address 0x12345678 or 0x78563412 */
And given typical code sequences generated by compilers, the address
pabc is quite likely to be floating around in a register. So all you
need is to find a fixed "jmp [reg]" to branch to, you can execute
arbitrary code starting at the first position of (pabc->c). IOW, this
is almost identical to the traditional x86/Windows stack smashing
attack so popular at the moment.
So long as you can run off the end of an object, there will be ways to
overwrite dangerous addresses. The above sample is going to be a bit
more difficult to *find* than the common stack smashing vulnerability,
since that type of structure is more rare than "ordinary" stack
frames, but it is no more difficult to exploit once it's found. And
it's only one sample, of one vulnerability.
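The point of the sample above is that the danger lives in the unbounded copy, not in the stack. As an added illustration (not code from the post or from either poster), the following uses the same struct layout and the same over-long string, but replaces strcpy with a length-checked copy that refuses input that would not fit; it then verifies that the function pointer sitting after the buffer is untouched. `somefunction`, `set_c_checked` and `pointer_survives` are names assumed here, not taken from the thread.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Same layout as the struct in the post: an 8-byte buffer directly
   followed by a function pointer on the heap. */
struct abc {
    char c[8];
    int (*func)(int);
};

/* Stand-in for "somefunction" (assumed; the post never defines it). */
static int somefunction(int x) { return x + 1; }

/* Number of padding bytes between the end of c[] and func. On common
   32- and 64-bit ABIs this is 0: the ninth byte written to c[] already
   lands on the pointer. */
size_t padding_before_func(void) {
    return offsetof(struct abc, func) - sizeof(((struct abc *)0)->c);
}

/* Would strcpy(p->c, src) write past c[]? strlen excludes the NUL,
   so any string of length >= 8 overruns the buffer. */
int would_overrun(const char *src) {
    return strlen(src) >= sizeof(((struct abc *)0)->c);
}

/* Hardened replacement for the unbounded strcpy: reject input that
   does not fit (including its NUL) instead of writing past the end or
   truncating silently. Returns 0 on success, -1 on rejection; func is
   never written in either case. */
int set_c_checked(struct abc *p, const char *src) {
    size_t n = strlen(src);
    if (n >= sizeof p->c)
        return -1;
    memcpy(p->c, src, n + 1);
    return 0;
}

/* Allocates the struct exactly as the post does, installs the pointer,
   applies the checked copy, and reports whether func still points at
   somefunction afterwards. Returns 1 if the pointer survived and the
   call gives the expected result, 0 otherwise; *rc receives the return
   value of set_c_checked. */
int pointer_survives(const char *src, int *rc) {
    struct abc *pabc = malloc(sizeof *pabc);
    if (pabc == NULL)
        return 0;
    pabc->func = somefunction;
    *rc = set_c_checked(pabc, src);
    int ok = (pabc->func == somefunction) && (pabc->func(1) == 2);
    free(pabc);
    return ok;
}
```

With the post's 12-character string, `would_overrun` reports 1, `set_c_checked` returns -1, and the later call still reaches `somefunction`; with a 7-character string the copy succeeds. Reordering the struct or moving it between heap and stack would not change this outcome; only the bounds check does, which is the thread's argument.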