Bugtraq mailing list archives
Re: Smashing the stack
From: tthacker () mtc iitri com (Terrell Thacker)
Date: Wed, 22 Jan 1997 14:12:42 EST
Here you must know that x86 uses two different types of protection: selector based and page based. Selector based protection does not allow more than _one_ selector to point to any area of memory, and this one selector defines the protection type (either OS level or application level) and, along with this, its usage type (code or data). This adds to the overhead of the OS when loading and running an application: to write the code to the memory areas where it will run, the OS needs to _change_ the type of the selector, copy the code, then change it back to code type; only after that can the application run there.
When running in protected mode, every memory reference is subject to protection checks starting with segments. Whether paging is enabled or not, the segment registers must be loaded with a valid selector when in protected mode. The selector may exist in either the global or local descriptor table and may point to a memory area that is defined as a segment range in bytes or pages.

The processor does not restrict the definitions of the selectors that exist in the global or local descriptor tables. You can create selectors that access the same or overlapping areas of memory that are of different types. This was achievable under MS Windows 3.x using the function PrestoChangoSelector(from, to) to create a duplicate selector that had the opposite segment type (code->data or data->code). This way you could modify a code segment using the aliased data segment or execute code out of your data segment. An OS would perform something similar when loading and executing code.

The segment types provided by the Intel 286/386/486/... line are just part of the overall hardware protection provided. There are 4 privilege levels for selector segment protection and user/supervisor and write-protect bits for page protection.

My main question is: if all of these protection modes are available, why are they not being used effectively in the OSs that exist for the X86 line? If so, what are those OSs? Wouldn't it be nice if you could write off stack smashing on certain X86 platforms because the OS/processor combination wouldn't allow it to occur?

--
Terrell Thacker
Maryland Technology Center
IIT Research Institute
tthacker () mtc iitri com
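The post contrasts the selector retyping an OS does on a segmented x86 (change the selector to data, copy the code in, change it back) with the page-level write-protect and user/supervisor bits, and asks whether an OS could simply refuse to let the stack be executed. The program below is an added illustration, not part of the original post or thread: on a modern Linux/POSIX system it performs the page-level version of that retyping sequence with mmap/mprotect, shows that the write-protect bit is enforced by catching the fault a store raises once the page is read+execute, and then performs the check the poster wishes for, reading the permissions of the process's own stack mapping from /proc/self/maps (the /proc format is a Linux-specific assumption; the function reports "unknown" where it is absent).

```c
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_env;

/* Fault handler: unwind back into the probe instead of terminating. */
static void on_fault(int sig) {
    (void)sig;
    siglongjmp(fault_env, 1);
}

/* Attempt one byte store to addr. Returns 1 if the store completed and
 * 0 if the page protection hardware rejected it (SIGSEGV, or SIGBUS on
 * some kernels). The previous handlers are restored afterwards. */
static int try_write(volatile unsigned char *addr) {
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    int ok;
    if (sigsetjmp(fault_env, 1) == 0) {
        *addr = 0x90;   /* either lands or faults; 0x90 is an arbitrary filler byte */
        ok = 1;
    } else {
        ok = 0;         /* we arrived here from on_fault */
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return ok;
}

/* Page-level counterpart of the "retype the selector, copy, retype it back"
 * sequence from the post: a fresh anonymous page is writable while code is
 * being placed, is then flipped to read+execute, and from that point on a
 * store to it faults. Returns 1 if both states were observed as expected. */
int wx_transition_enforced(void) {
    size_t pg = (size_t)sysconf(_SC_PAGESIZE);
    unsigned char *page = mmap(NULL, pg, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (page == MAP_FAILED) return 0;
    int writable_while_rw = try_write(page);      /* expected: 1 */
    if (mprotect(page, pg, PROT_READ | PROT_EXEC) != 0) {
        munmap(page, pg);
        return 0;
    }
    int writable_while_rx = try_write(page);      /* expected: 0 */
    munmap(page, pg);
    return writable_while_rw == 1 && writable_while_rx == 0;
}

/* Linux-specific (assumption): read the permission field of the mapping
 * that contains addr from /proc/self/maps. Returns 1 on success. */
static int mapping_perms(const void *addr, char perms[5]) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return 0;
    char line[512];
    uintptr_t a = (uintptr_t)addr;
    int found = 0;
    while (fgets(line, sizeof line, f)) {
        unsigned long lo, hi;
        char p[5];
        if (sscanf(line, "%lx-%lx %4s", &lo, &hi, p) != 3) continue;
        if (a >= lo && a < hi) { memcpy(perms, p, 5); found = 1; break; }
    }
    fclose(f);
    return found;
}

/* The check the post asks for: is this process's stack mapped executable?
 * Returns 1 if yes, 0 if no, -1 if it cannot be determined (no /proc). */
int stack_is_executable(void) {
    volatile int probe = 0;
    char perms[5] = "----";
    if (!mapping_perms((const void *)&probe, perms)) return -1;
    return perms[2] == 'x';
}

int main(void) {
    printf("W^X transition enforced on a fresh page: %s\n",
           wx_transition_enforced() ? "yes" : "no");
    int sx = stack_is_executable();
    printf("stack executable: %s\n", sx < 0 ? "unknown" : (sx ? "yes" : "no"));
    return 0;
}
```

On a current Linux kernel with a binary whose PT_GNU_STACK header does not request an executable stack, the stack mapping reads `rw-p` and the second function returns 0, which is exactly the OS/processor combination the post hopes for; the first function shows that the same page-protection bits, not the segment type, are what stop a store once a page has been made executable.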
Current thread:
- Re: Smashing the stack Terrell Thacker (Jan 21)
- Re: Smashing the stack Thomas Pornin (Jan 22)
- Re: Smashing the stack Terrell Thacker (Jan 22)