Security Basics mailing list archives
RE: Stack Overflow
From: "Rocky Heckman" <rocky.he () g-wizinnovations com>
Date: Tue, 11 Jan 2005 09:49:08 +1100
Hi Nelson, Technically they are supposed to be 'immune' to standard stack overflows because they have bounds checking built in by default. In fact one of the suggestions in order to prevent Buffer Overflows in code is to use languages like Java, C# and VB.NET. However this doesn't mean it can't happen. You can still write unmanaged C++ code in .NET. You can still have stack-allocated pointers in C++ in .NET as well. You can create classes that are prefixed with the _value attribute which creates them on the Stack. All of these things can lead to possible buffer overflow situations. Managed C++ does provide some protection against this. If you stick to C# and VB.NET you have to try harder to create stack overflow situations but it can be done. In unmanaged C/C++ it happens easily unless you take steps to avoid it. Even when using things like Visual Studio with the GC compiler option (the one that provides Canary based stack overflow protection) it is still possible to exploit an unchecked buffer. A paper I wrote covers that in more detail. (http://tinyurl.com/4k3bb ) Hope this helped a bit. Rocky Rocky Heckman G-Wiz Innovations Pty Ltd http://www.g-wizinnovations.com IT Peace of mind! -----Original Message----- From: Nelson Santos [mailto:nsantos () gmail com] Sent: Tuesday, 11 January 2005 12:11 Early To: Sec Basic Subject: Stack Overflow Hi list, My question is: can programs made with newer languages (Java and .NET) have buffer overflow exploits? Tnx, Nelson Santos
Current thread:
- Stack Overflow Nelson Santos (Jan 10)
- Re: Stack Overflow P. Schmiel (Jan 10)
- RE: Stack Overflow Rocky Heckman (Jan 10)
- <Possible follow-ups>
- RE: Stack Overflow Beilin Zhang (Jan 10)
- RE: Stack Overflow lists (Jan 10)
- Re[2]: Stack Overflow P. Schmiel (Jan 10)
- RE: Re[2]: Stack Overflow Rocky Heckman (Jan 11)
- RE: Re[2]: Stack Overflow jnf (Jan 11)
- RE: Re[2]: Stack Overflow Rocky Heckman (Jan 12)