Bugtraq mailing list archives
Re: fixing all buffer overflows --- random magin numbers
From: crispin () CSE OGI EDU (Crispin Cowan)
Date: Mon, 20 Sep 1999 22:36:10 +0000
Oliver Xymoron wrote:

> On Tue, 14 Sep 1999, Crispin Cowan wrote:
>
>> The result looks like this:
>>
>>               Interface                          Implementation
>> Restriction   * Firewalls                        * Bounds checking
>>               * TCP Wrappers                     * StackGuard
>>               * Randomly renaming system files   * Randomly renumbering system
>> Permutation                                        calls (the hack proposed here
>>               * Randomly munging                   by Maniscalco)
>>                 data layout
>>               * Fred Cohen's Deception Toolkit
>
> You missed a couple interesting ones.

The table was intended to be a representative sample. It would be rather large if I included every security defense :-)

> One is randomly offsetting the stack.

That is the (patented :-) method that Memco uses in their SEOS product. It's interesting that you point that out, as it too clearly illustrates my point:

* randomly offsetting the stack is an implementation permutation, while StackGuard and array bounds checking are implementation restrictions
* randomly offsetting the stack is strictly less effective: you can discover the stack offset, or inject code that is insensitive to location, via various means.

> Another is having separate stacks for the call chain and local variables. Obviously wastes a register (or an indirection), but can probably be proved secure against stack smashing.

That's a variation on the method proposed by StackShield. Hard to say whether the separate stack for the call chain is a restriction or a permutation. However, it is exactly as effective as StackGuard. In both cases, you are effectively prevented from corrupting the call chain.

Crispin
-----
Crispin Cowan, Research Assistant Professor of Computer Science, OGI
NEW: Protect Your Linux Host with StackGuard'd Programs :FREE
http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
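The restriction-versus-permutation distinction in the message above can be seen in a toy model, added here as an illustration; it is not code from the post, StackGuard, StackShield or SEOS. The frame layout, the `run_call` function and the enum names are assumptions of this sketch: a byte array stands in for the stack, and an oversized copy is clamped to that array so nothing outside the model is touched.

```c
#include <stdint.h>
#include <string.h>

#define BUF    16        /* size of the modelled local buffer */
#define RET_OK 0x1111u   /* constructed stand-in for the saved return address */

enum defense { OFFSET_ONLY, CANARY, SPLIT_STACK };
enum outcome { INTACT, CORRUPTED_UNDETECTED, CORRUPTED_DETECTED };

/* Models one call. Data-stack frame: buf | [canary] | ret, placed `offset`
 * bytes into the array. SPLIT_STACK keeps ret on a separate call-chain stack. */
enum outcome run_call(enum defense d, size_t offset, uint32_t canary,
                      const uint8_t *input, size_t len)
{
    uint8_t  data[256] = {0};
    uint32_t chain[1]  = { RET_OK };      /* separate call-chain stack */
    uint32_t ret       = RET_OK;
    size_t   ret_at    = BUF + (d == CANARY ? sizeof canary : 0);
    uint8_t *frame;

    offset %= 128;                        /* keep the frame inside the model */
    frame = data + offset;                /* permutation: the base moves ... */

    if (d == CANARY)      memcpy(frame + BUF, &canary, sizeof canary);
    if (d != SPLIT_STACK) memcpy(frame + ret_at, &ret, sizeof ret);

    /* Unchecked copy into buf (clamped only to the model array). The distance
     * from buf to ret does not depend on `offset`, so moving the base does not
     * stop the overwrite; it only changes absolute addresses. */
    if (len > sizeof data - offset) len = sizeof data - offset;
    memcpy(frame, input, len);

    /* Function epilogue. */
    if (d == CANARY) {                    /* restriction: verify before return */
        uint32_t c;
        memcpy(&c, frame + BUF, sizeof c);
        if (c != canary) return CORRUPTED_DETECTED;
    }
    if (d == SPLIT_STACK) ret = chain[0]; /* call chain never shared the array */
    else                  memcpy(&ret, frame + ret_at, sizeof ret);

    return ret == RET_OK ? INTACT : CORRUPTED_UNDETECTED;
}
```

In this model the canary check and the split stack both keep a corrupted return slot from being used, at every offset, while the offset alone never does.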