Bugtraq mailing list archives
Re: machine independent protection from stack-smashing attack
From: Yarrow Charnot <ycharnot () IDENTIKEY COM>
Date: Mon, 11 Sep 2000 09:55:35 +0400
> > Microsoft purposely doesn't allow pages to be non-executable, leaving an easily exploitable hole to allow NSA hack into any Windows server or workstation exploiting buffer overflows.
>
> Can you rephrase that? I _hope_ I didn't understand it right!
Well, let me describe it in three steps.

Step 1. VirtualProtectEx behaviour:

VirtualProtectEx (hProcess, lpAddress, dwSize, PAGE_EXECUTE_READ, &oldattr)

has exactly the same effect as

VirtualProtectEx (hProcess, lpAddress, dwSize, PAGE_READONLY, &oldattr)

(READONLY or READWRITE doesn't matter.) In other words, if the attribute READ is set, the page is automatically made EXECUTABLE. If you trace NT and 9X kernels up to the point where they set that attribute, they ignore your request to make it READ-ONLY (NON-EXECUTABLE) on purpose. What purpose? Who on Earth would want to keep your data segments executable??? If you want to make it executable, one call to this function enables it for you! Why did they restrict its behaviour, completely disallowing *READ ONLY* pages??? 15 years of software reverse engineering experience allow me to easily distinguish between a mistake in the code and a backdoor inserted on purpose. I don't believe M$ would want to keep themselves constantly hurt by all the scandals caused by "hackers" exploiting buffer overflows in their M$ LookOut, M$ Internet Exploder, M$ Ward, Windoze kernel etc. with such a simple solution in their own hands as removing that EXEC flag from all DATA sections. I don't buy that bullshit about Java or "other programming languages" that "require" your stack to be executable.

Step 2. The US Government restricts export of operating systems more secure than B2. Therefore the US companies, in order to keep their software (and hardware) exportable, are forced to keep it all hackable (exploitable, breakable, whatever you call it - not "too secure" that is).

Step 3. As an example, ASIO (the Australian equivalent to CIA and SS) has made the Australian parliament pass the law (!!!) allowing them (literally and legally) to *hack* into any computer, cover their tracks or presence, deny the fact they have done anything and not to be held responsible for any of their actions that include destruction or modification of the data or code in those computer systems. Doesn't make you wonder? Freaky? - Indeed. News? - Not really.
> > And if a reliable source of randomness is really such a problem,
>
> Geee thanks!
hehe

- Yarrow Charnot
-------------------------------------------------------------
Identikey - The Key To Internet Security
-------------------------------------------------------------
The views expressed in this message are those of the individual sender, except where the sender specifically states them to be the views of Identikey (Australia) Pty Ltd.
-------------------------------------------------------------
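The check a reader of Step 1 would want to run for themselves, as an added example that is not part of the post above and not Identikey code: a small C probe that maps one page, copies a tiny "return 42" stub into it, and tries to call it first with read-only protection (no execute bit requested) and then with read+execute. If the read-only call quietly returns 42 instead of faulting, readable pages are executable on that platform whatever protection was requested, which is the API-level behaviour the post describes. Everything here beyond the API names in the post is assumed: the stub encodings for x86, x86-64 and AArch64, the hypothetical names probe_nx, call_guarded and PROBE_FAULT, MSVC structured exception handling on the Windows branch (VirtualProtect on the current process, i.e. VirtualProtectEx with hProcess set to the caller), and POSIX mmap/mprotect with a SIGSEGV/SIGBUS handler everywhere else.

```c
/* probe_nx.c: added example, not code from the original post or from Identikey.
 * Maps one page, copies a tiny "return 42" stub into it, then tries to call it
 * (1) with read-only protection and no execute bit requested, and
 * (2) with read+execute. If (1) returns 42 instead of faulting, readable
 * pages are executable on this platform regardless of what was requested.
 * Assumed, not from the post: the stub encodings, the helper names, MSVC SEH
 * on Windows, POSIX mmap/mprotect plus a SIGSEGV/SIGBUS handler elsewhere. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#if defined(__x86_64__) || defined(__i386__) || defined(_M_X64) || defined(_M_IX86)
static const unsigned char STUB[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };             /* mov eax,42 ; ret */
#elif defined(__aarch64__) || defined(_M_ARM64)
static const unsigned char STUB[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 }; /* mov w0,#42 ; ret */
#else
#error "no return-42 stub for this architecture"
#endif

typedef int (*stub_fn)(void);
#define PROBE_FAULT (-1)   /* calling into the page raised an access fault */
#define PAGE_LEN 4096      /* the kernel rounds this up to its real page size */

#if defined(_WIN32) && defined(_MSC_VER)
#include <windows.h>
static int call_guarded(void *page) {       /* SEH catches the access violation */
    __try { return ((stub_fn)(uintptr_t)page)(); }
    __except (GetExceptionCode() == EXCEPTION_ACCESS_VIOLATION
              ? EXCEPTION_EXECUTE_HANDLER : EXCEPTION_CONTINUE_SEARCH) { return PROBE_FAULT; }
}
static void *page_alloc_rw(void) { return VirtualAlloc(NULL, PAGE_LEN, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); }
static int page_set_read(void *p)      { DWORD o; return VirtualProtect(p, PAGE_LEN, PAGE_READONLY, &o) ? 0 : -1; }
static int page_set_read_exec(void *p) { DWORD o; return VirtualProtect(p, PAGE_LEN, PAGE_EXECUTE_READ, &o) ? 0 : -1; }
static void page_free(void *p)         { VirtualFree(p, 0, MEM_RELEASE); }
#else
#include <setjmp.h>
#include <signal.h>
#include <sys/mman.h>
static sigjmp_buf fault_jmp;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_jmp, 1); }
static int call_guarded(void *page) {       /* SIGSEGV (SIGBUS on some BSDs) catches the fault */
    struct sigaction sa, old_segv, old_bus;
    volatile int rc = PROBE_FAULT;          /* stays PROBE_FAULT if the call never returns */
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    if (sigsetjmp(fault_jmp, 1) == 0) rc = ((stub_fn)(uintptr_t)page)();
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return rc;
}
static void *page_alloc_rw(void) {
    void *p = mmap(NULL, PAGE_LEN, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    return p == MAP_FAILED ? NULL : p;
}
static int page_set_read(void *p)      { return mprotect(p, PAGE_LEN, PROT_READ); }
static int page_set_read_exec(void *p) { return mprotect(p, PAGE_LEN, PROT_READ | PROT_EXEC); }
static void page_free(void *p)         { munmap(p, PAGE_LEN); }
#endif

struct nx_probe { int read_only; int read_exec; };  /* what each call returned */

/* Run both probes. A field equal to PROBE_FAULT means the call faulted (or the
 * mapping could not be set up); 42 means the stub on that page actually ran. */
struct nx_probe probe_nx(void) {
    struct nx_probe r = { PROBE_FAULT, PROBE_FAULT };
    void *p = page_alloc_rw();
    if (!p) return r;
    memcpy(p, STUB, sizeof STUB);
#if defined(__GNUC__)
    __builtin___clear_cache((char *)p, (char *)p + sizeof STUB); /* required on AArch64 */
#endif
    if (page_set_read(p) == 0)      r.read_only = call_guarded(p);
    if (page_set_read_exec(p) == 0) r.read_exec = call_guarded(p);
    page_free(p);
    return r;
}

int main(void) {
    struct nx_probe r = probe_nx();
    printf("read-only page: %s\n", r.read_only == PROBE_FAULT
           ? "fault (non-executable honoured)" : "EXECUTED (readable means executable here)");
    printf("read+exec page: %s\n", r.read_exec == 42 ? "executed, returned 42" : "did not run");
    return 0;
}
```

Read the two result lines together: a platform with a per-page execute bit (NX/XD, DEP) faults on the first call and returns 42 on the second; a platform whose page tables carry no execute bit at all returns 42 both times, and no protection constant passed to VirtualProtect or mprotect can change that outcome.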
Current thread:
- Re: machine independent protection from stack-smashing attack Yarrow Charnot (Sep 12)
- Re: machine independent protection from stack-smashing attack Jan Echternach (Sep 12)
- Re: machine independent protection from stack-smashing attack Michael Nelson (Sep 12)
- <Possible follow-ups>
- Re: machine independent protection from stack-smashing attack Greg Hoglund (Sep 12)