Dailydave mailing list archives
Re: Things look bad for vendor-sec
From: theowl () freemail hu
Date: Fri, 21 Jan 2005 04:38:50 +0100
> Does anyone know if you can use the GCC stack protection in kernel code? It would make sense if they did. I know the Windows people try to when they can. (Although never on any of my bugs, so I dunno what's up with that.)
you can, but in its current incarnation it makes little sense. think about it: all kernel contexts see/use the same canary value, so any info leak will compromise it. you'd have a case if you could prove that userland is unable to leak (read) kernel memory (in particular, the kernel stack, where it is the easiest to acquire copies of the canary from), but that's hardly the case for any of the widespread kernels (open source or proprietary).

another (and imho, better) approach would be to use per-thread kernel canaries (i.e., each time a thread enters the kernel, it should use a freshly generated canary value); this would make info leaking useless. we've actually tried to explain this to the SSP author, but he didn't seem to have understood the idea, so no dice for SSP users yet. we'll see if MS will have independently invented it in a few years time though.

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
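The contrast theowl draws above, modelled as an added example that is not part of the original post and not the code of any real kernel or of SSP: a "global" policy hands every kernel context the same canary chosen at boot, a "per-entry" policy draws a fresh canary each time a thread enters the kernel, and in both cases a canary leaked during one kernel entry is replayed against a frame smashed during a later entry. All names (`kernel_entry`, `replay_leaked_canary`, the `frame` layout) and the xorshift generator standing in for the kernel's RNG are assumptions made for illustration.

```c
/* Added example (not from the mailing-list post): models a global kernel
 * canary versus a canary regenerated on every kernel entry, and replays an
 * info-leaked canary against a later frame.  All names and the xorshift
 * stand-in for the kernel RNG are assumptions for illustration only. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* stand-in entropy source (xorshift64); a real kernel uses its own RNG */
static uint64_t rng_state = 0x9e3779b97f4a7c15ULL;
static uint64_t rng_next(void) {
    uint64_t x = rng_state;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    rng_state = x;
    return x;
}

enum policy { CANARY_GLOBAL, CANARY_PER_ENTRY };

struct kernel {
    enum policy pol;
    uint64_t global_canary;   /* chosen once at boot, used under CANARY_GLOBAL */
};

struct thread {
    uint64_t canary;          /* value this thread's prologue/epilogue compare against */
};

/* model of a stack frame guarded by an SSP-style canary */
struct frame {
    char buf[16];             /* overflowable local buffer */
    uint64_t canary;          /* canary slot between buf and the saved return address */
};

static void kernel_boot(struct kernel *k, enum policy pol) {
    k->pol = pol;
    k->global_canary = rng_next();
}

/* a thread enters the kernel (syscall, interrupt, ...): decide which canary it uses */
static void kernel_entry(const struct kernel *k, struct thread *t) {
    t->canary = (k->pol == CANARY_GLOBAL) ? k->global_canary : rng_next();
}

/* prologue: place the thread's canary into the frame */
static void prologue(const struct thread *t, struct frame *f) {
    memset(f->buf, 0, sizeof f->buf);
    f->canary = t->canary;
}

/* epilogue: 1 if the canary is intact, 0 if the smash is detected */
static int epilogue_ok(const struct thread *t, const struct frame *f) {
    return f->canary == t->canary;
}

/* simulated info leak: userland reads a copy of the kernel stack */
static uint64_t leak_canary(const struct frame *f) { return f->canary; }

/* simulated overflow: attacker writes past buf and plants a forged canary */
static void overflow(struct frame *f, uint64_t forged) {
    memset(f->buf, 'A', sizeof f->buf);
    f->canary = forged;
}

/* Returns 1 if a canary leaked during one kernel entry lets the attacker
 * smash a frame during a later entry without the epilogue noticing. */
int replay_leaked_canary(enum policy pol) {
    struct kernel k; struct thread t; struct frame f;
    kernel_boot(&k, pol);

    /* entry #1: a frame is built, its canary is leaked to userland */
    kernel_entry(&k, &t);
    prologue(&t, &f);
    uint64_t leaked = leak_canary(&f);

    /* entry #2: the thread re-enters, attacker overflows with the leaked value */
    kernel_entry(&k, &t);
    prologue(&t, &f);
    overflow(&f, leaked);
    return epilogue_ok(&t, &f);   /* 1 = exploit undetected, 0 = caught */
}

int main(void) {
    printf("global canary:    leaked value replays -> %s\n",
           replay_leaked_canary(CANARY_GLOBAL) ? "UNDETECTED" : "detected");
    printf("per-entry canary: leaked value replays -> %s\n",
           replay_leaked_canary(CANARY_PER_ENTRY) ? "UNDETECTED" : "detected");
    return 0;
}
```

The per-entry variant only helps if the leak and the overflow happen in different kernel entries; a leak and a smash within the same entry (same canary) are not covered by this model, which is why theowl's argument is about replaying a stale copy, not about a leak that is immediately usable.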
Current thread:
- Things look bad for vendor-sec Dave Aitel (Jan 14)
- Re: Things look bad for vendor-sec Jirka Kosina (Jan 14)
- Re: Things look bad for vendor-sec theowl (Jan 20)