Re: Here is my plan for firewall implementation
Adam Shostack (adam@homeport.org)
Mon, 22 Sep 1997 13:37:58 -0400 (EDT)
Joseph S. D. Yao wrote:
| > this takes more kernel expertise than I have) is
| > modifications to the memory management to make
| > stack space protected so it's not executable. When
| > someone tries to hit a buffer overrun, *poof* instant
| > SIGSEGV.
| Of the hardware architectures I just glanced at, it appears that the
| Alpha and HP-PA allow this, the x86 and MIPS and possibly the Sparc do
| not. Software implementations slow the system down, unforgivable to
Casper Dik has posted a tool to Bugtraq to turn off stack
executability on Sparcs. It invalidates the standard egg, but there
may be ways around it. (If a user can overwrite arbitrary memory, he
can probably do arbitrary things.) The 'correct' solution is to
implement your code well. BSDI encourages this by having unsafe
function calls print "This program uses gets(), which is unsafe" on
startup.
Adam
-- "It is seldom that liberty of any kind is lost all at once." -Hume
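
Added example, not part of the message above and not BSDI's code: a bounded line reader of the kind that replaces gets(), showing the over-long-line case that gets() turns into a stack overwrite. The names read_line, sample_input and the LINE_* codes are made up for this example, and the input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Status codes for read_line(); names are made up for this example. */
enum { LINE_EOF = -1, LINE_OK = 0, LINE_TRUNCATED = 1 };

/* Bounded replacement for gets(): writes at most size bytes, NUL included.
 * An over-long line is cut to fit and its tail is discarded, so the next
 * call starts on the following line instead of in the leftover bytes. */
int read_line(FILE *in, char *buf, int size)
{
    if (size <= 0 || fgets(buf, size, in) == NULL)
        return LINE_EOF;

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';            /* whole line fit; drop newline */
        return LINE_OK;
    }
    int c = fgetc(in);                  /* no newline stored: look ahead */
    if (c == EOF || c == '\n')
        return LINE_OK;                 /* exact fit, or last line */
    while (c != EOF && c != '\n')
        c = fgetc(in);                  /* discard the rest of the line */
    return LINE_TRUNCATED;
}

/* Put constructed sample text into a temporary stream for the demo. */
FILE *sample_input(const char *text)
{
    FILE *f = tmpfile();
    if (f != NULL) {
        fputs(text, f);
        rewind(f);
    }
    return f;
}

int main(void)
{
    char buf[8];                        /* deliberately small buffer */
    FILE *f = sample_input("short\nAAAAAAAAAAAAAAAAAAAAAAAA\nnext\n");
    int rc;
    if (f == NULL) return 1;
    while ((rc = read_line(f, buf, (int)sizeof buf)) != LINE_EOF)
        printf("%-9s \"%s\"\n", rc == LINE_OK ? "ok" : "truncated", buf);
    fclose(f);
    return 0;
}
```

A caller should treat LINE_TRUNCATED as an input error rather than process the shortened line as if it were complete.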
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:08:58 CDT