Bugtraq mailing list archives
Re: StackGuard: Automatic Protection From Stack-smashing Attacks
From: smb () RESEARCH ATT COM (Steve Bellovin)
Date: Fri, 19 Dec 1997 14:22:15 -0500
> StackGuard: Automatic Detection and Prevention of Buffer-Overflow Attacks

>From the online paper:
> StackGuard detects and defeats stack smashing attacks by protecting the
> return address on the stack from being altered. StackGuard has two
> mechanisms to protect the return address: one provides greater assurance,
> and the other provides greater performance.

You are only protecting the return address. This means many programs
will still be vulnerable to overflow attacks. In particular you don't
protect the overflow of locals in a procedure, nor the overflow of
globals in the data segment or heap. While it does stop the "cookbook"
stack overflow attacks, it does not really put an end to the problem.
Consider for example the following (contrived but not entirely
fictional) examples:

    int save_uid;
    char buf[10];

    save_uid = getuid();
    setuid(0);
    fp = fopen("input", "r");
    fscanf(fp, "%s", buf);
    setuid(save_uid);

overflowing the buffer will allow the user to increase his privilege for
the duration of the program execution, which may be a very bad thing.

Yup. In fact, the first buffer overflow security problem I know of was
in an early version of UNIX -- 6th Edition, I think; possibly 5th --
where the 'logged in' flag in login.c was adjacent to an input buffer...
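
The gap discussed in this message, as an added example that is not part of the original post or of StackGuard: a return-address check still passes when an overflow stops at a neighbouring local, and a width-limited read closes it. The struct frame layout, the CANARY value and all function names are constructed for illustration; a real compiler chooses where locals sit.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CANARY 0x5afec0deu /* constructed guard value */

/* Constructed model of one stack frame. The layout is an assumption:
 * a real compiler decides where locals sit relative to each other. */
struct frame {
    char buf[10];      /* input buffer from the message's example */
    unsigned save_uid; /* local stored next to the buffer */
    unsigned canary;   /* stands in for the guarded return-address slot */
};

/* Like fscanf(fp, "%s", buf): writes as many bytes as the input has. */
static void copy_unbounded(struct frame *f, const char *in, size_t n) {
    memcpy((char *)f + offsetof(struct frame, buf), in, n);
}

/* Like fscanf(fp, "%9s", buf): never writes past the end of buf. */
static void copy_bounded(struct frame *f, const char *in, size_t n) {
    if (n > sizeof f->buf - 1)
        n = sizeof f->buf - 1;
    memcpy(f->buf, in, n);
    f->buf[n] = '\0';
}

/* Feeds oversized input into a fresh frame. Returns 1 if the canary
 * check on "return" would pass; *uid_out gets the final save_uid. */
static int run(int bounded, unsigned *uid_out) {
    struct frame f = { "", 1000u, CANARY };
    char in[sizeof(struct frame)];
    size_t n = offsetof(struct frame, canary); /* stops short of the canary */
    memset(in, 'A', sizeof in);
    if (bounded) copy_bounded(&f, in, n);
    else copy_unbounded(&f, in, n);
    *uid_out = f.save_uid;
    return f.canary == CANARY;
}

int main(void) {
    unsigned uid;
    int ok = run(0, &uid);
    printf("unbounded: canary ok=%d save_uid=%u\n", ok, uid);
    ok = run(1, &uid);
    printf("bounded:   canary ok=%d save_uid=%u\n", ok, uid);
    return 0;
}
```

In the unbounded case the canary comparison succeeds while save_uid no longer holds 1000, which is the condition a return-address guard cannot see.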