Dailydave mailing list archives

Re: Things look bad for vendor-sec


From: theowl () freemail hu
Date: Fri, 21 Jan 2005 04:38:50 +0100

> Does anyone know if you can use the GCC stack protection in kernel code?
> It would make sense if they did. I know the Windows people try to when
> they can. (Although never on any of my bugs, so I dunno what's up with
> that.)

you can, but in its current incarnation it makes little sense. think
about it: all kernel contexts see/use the same canary value, so any info
leak will compromise it. you'd have a case if you could prove that
userland is unable to leak (read) kernel memory (in particular, the
kernel stack, where it is the easiest to acquire copies of the canary
from), but that's hardly the case for any of the widespread kernels
(open source or proprietary).

another (and imho, better) approach would be to use per-thread kernel
canaries (i.e., each time a thread enters the kernel, it should use a
freshly generated canary value); this would make info leaking useless.
we've actually tried to explain this to the SSP author, but he didn't
seem to have understood the idea, so no dice for SSP users yet. we'll
see if MS will have independently invented it in a few years' time though.
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
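The contrast the reply draws, a single canary shared by every kernel context versus a canary minted afresh on each kernel entry, as an added simulation that is not part of the original post and not real SSP or kernel code. The "kernel entry" is an ordinary function call, the canary store is a plain array, and the random source is a small xorshift PRNG (assumed stand-in for whatever unpredictable source a real kernel would use); the point it shows is that a canary value read out of one context's stack only passes the epilogue check of another context under the shared-canary policy.

```c
/* Added example (not from the post): simulates the two canary policies
   the reply contrasts. Nothing here touches a real kernel. */
#include <stdint.h>
#include <stdio.h>

#define MAX_THREADS 4

/* Tiny xorshift64 PRNG so the example is deterministic and self-contained
   (assumption: a real kernel would use a proper entropy source). */
static uint64_t prng_state = 0x9E3779B97F4A7C15ULL;
static uint64_t next_random(void) {
    uint64_t x = prng_state;
    x ^= x << 13; x ^= x >> 7; x ^= x << 17;
    return prng_state = x;
}

/* Policy 1: one canary shared by every kernel context (what the post says
   the current SSP scheme amounts to). */
static uint64_t global_canary;

/* Policy 2: per-thread canary, refreshed on every kernel entry (the
   approach the post recommends). */
static uint64_t thread_canary[MAX_THREADS];

/* Boot-time setup: the shared canary is chosen once. */
static void boot(void) { global_canary = next_random(); }

/* Simulated kernel entry: under the per-thread policy a fresh canary is
   minted for this thread; the returned value is what the prologue would
   store in the stack frame. */
static uint64_t kernel_entry(int tid, int per_thread) {
    if (per_thread) thread_canary[tid] = next_random();
    return per_thread ? thread_canary[tid] : global_canary;
}

/* Simulated epilogue check: the value found in the frame must equal the
   canary that applies to this context. Returns 1 if the frame is intact. */
static int epilogue_check(int tid, int per_thread, uint64_t frame_value) {
    uint64_t expected = per_thread ? thread_canary[tid] : global_canary;
    return frame_value == expected;
}

/* Models the info leak the post describes: a copy of the canary is read
   out of thread `victim`'s kernel stack during one entry, and the question
   is whether that copy would still satisfy the check on thread `target`'s
   later entry. Returns 1 if the leaked value is still useful. */
static int leaked_canary_is_reusable(int victim, int target, int per_thread) {
    uint64_t leaked = kernel_entry(victim, per_thread);  /* value seen on victim's stack */
    (void)kernel_entry(target, per_thread);              /* a subsequent entry */
    return epilogue_check(target, per_thread, leaked);
}

int main(void) {
    boot();
    printf("shared canary, leak reusable across contexts: %d\n",
           leaked_canary_is_reusable(0, 1, 0));
    printf("per-thread canary, leak reusable across contexts: %d\n",
           leaked_canary_is_reusable(0, 1, 1));
    printf("per-thread canary, leak reusable by same thread later: %d\n",
           leaked_canary_is_reusable(2, 2, 1));
    return 0;
}
```

The third case matters for the per-thread design as the post states it: because the value is regenerated on every entry rather than once per thread lifetime, even a copy leaked from the same thread's earlier kernel stack is stale by its next entry.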

