OSEC

Subject: Re: stackguard-like embedded protection
From: antirez (antirez@LINUXCARE.COM)
Date: Wed Sep 06 2000 - 02:24:36 CDT


On Tue, Sep 05, 2000 at 01:44:57PM -0700, Greg KH wrote:
> I know that StackGuard and ProPolice can't combat formation bugs, and I
> am guessing that libsafe and StackShield can't either (once you can
> write arbitrary data to any spot in memory, you can get around any of
> these protections).

Yes, anyway Stackguard-like protection may be conceptually less strong
in this context.
Even so, with some tricks both Stackguard-like and Stackshield-like can be
defeated using the %n bug.

<to simplify>
In order to defeat the stackguard protection you can read the random number
so you can spoof it. In order to defeat the stackshield protection you
must _write_ the saved RET, so that they will match. Anyway it's a lot
simpler to protect (with for example mprotect(2)) from writing than to
protect from reading. Unfortunately page alignment isn't our friend, and
we must allocate a lot of memory in order to use mprotect.
</to simplify>

antirez

--
Salvatore Sanfilippo, Open Source Developer, Linuxcare Italia spa
+39.049.80 43 411 tel, +39.049.80 43 412 fax
antirez@linuxcare.com, http://www.linuxcare.com/
Linuxcare. Support for the revolution.
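The mprotect(2) trade-off the post describes, as an added example that is not part of the original message or of any of the tools it names: a single saved-RET shadow value is placed in its own mmap'd page and made read-only, and the helper shows both that writes are blocked and how much of the page is wasted on one pointer. Names (`shadow_init`, `shadow_write_blocked`, `shadow_wasted_bytes`) and the sample addresses are constructed for this example.

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <sys/mman.h>
#include <unistd.h>

/* Constructed example (not from the post): one pointer-sized "shadow" copy of
 * a saved return address kept in its own page, so mprotect(2) can make it
 * read-only. A real StackShield-style scheme would keep one entry per frame. */
static uintptr_t *shadow_page;   /* mmap'd, hence page aligned */
static size_t page_size;

/* Reserve a whole page for a single value, then drop write permission.
 * Reads stay possible (a canary can still be leaked); writes fault. */
int shadow_init(uintptr_t saved_ret)
{
    page_size = (size_t)sysconf(_SC_PAGESIZE);
    shadow_page = mmap(NULL, page_size, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (shadow_page == MAP_FAILED)
        return -1;
    shadow_page[0] = saved_ret;
    return mprotect(shadow_page, page_size, PROT_READ);
}

uintptr_t shadow_read(void) { return shadow_page[0]; }
/* The cost the post complains about: a page minus the bytes actually used. */
size_t shadow_wasted_bytes(void) { return page_size - sizeof(uintptr_t); }

static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Attempt to overwrite the shadow entry. Returns 1 if the write was blocked
 * by the page protection (SIGSEGV), 0 if it went through. */
int shadow_write_blocked(uintptr_t new_value)
{
    struct sigaction sa = {0}, old;
    int blocked = 0;
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);
    if (sigsetjmp(fault_env, 1) == 0)
        *(volatile uintptr_t *)shadow_page = new_value;  /* traps here */
    else
        blocked = 1;
    sigaction(SIGSEGV, &old, NULL);
    return blocked;
}
```

On a 4 KiB page, protecting one 8-byte pointer this way wastes 4088 bytes, which is the alignment cost the post refers to.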