Bugtraq mailing list archives
Re: Stack Shield: defending from "stack smashing" attacks
From: Valdis.Kletnieks () VT EDU (Valdis.Kletnieks () VT EDU)
Date: Wed, 1 Sep 1999 23:35:39 -0400
On Tue, 31 Aug 1999 17:13:21 -0000, Crispin Cowan <crispin () CSE OGI EDU> said:
Tobias Haustein wrote:I was about to write a binary translator, that reads an executeable, locates every function prolog and epilog, adds the nescessary code to detect buffer overflows, and writes a new version of the executeable.How do you make room for the extra code in prolog & epilog without re-linking the entire program?
The old-time IBM mainframe people would consider it a "piece of cake". Basically, you replace one instruction with a branch to your code stored someplace else, which would do your added code, then execute the replaced instruction, then branch back to the next original opcode. For example: old code: STM R2,R12,12(R13) L R5,24(,R1) ST R6,20(,R1) new code: STM R2,R12,12(R13) B 2400(,R15) -----> SR R2,R5 ST R6,20(,R1) <---+ MVI 36(R3),C'+' | L R5,24(,R1) +-- B 8(,R15) You get the idea. Of course, quite often you had to first perform *one* 'zap' to free up space inside the 4K-per-base-register restriction, and then a second 'zap' to put code into there. I've personally hacked up HMASPZAP jobs that would end up replacing 5 or 6 different patches of code, 20 to 30 bytes at a stretch. You would quite often find a string of 16 to 32 bytes of zeros at the end of a module, specifically intended for patch space. Valdis Kletnieks Computer Systems Senior Engineer Virginia Tech
Current thread:
- Re: Stack Shield: defending from "stack smashing" attacks Tobias Haustein (Aug 31)
- <Possible follow-ups>
- Re: Stack Shield: defending from "stack smashing" attacks Crispin Cowan (Aug 31)
- Re: Stack Shield: defending from "stack smashing" attacks Tobias Haustein (Sep 01)
- Re: Stack Shield: defending from "stack smashing" attacks Valdis.Kletnieks () VT EDU (Sep 01)
- Netscape communicator 4.06J, 4.5J-4.6J, 4.61e Buffer Overflow DEF CON ZERO WINDOW (Sep 02)
- Re: Netscape communicator 4.06J, 4.5J-4.6J, 4.61e Buffer Overflow Brett Glass (Sep 03)
- Netscape 4.x exploit code DEF CON ZERO WINDOW (Sep 02)
- Re: Stack Shield: defending from "stack smashing" attacks Chris Keane (Sep 02)
- Re: Stack Shield: defending from "stack smashing" attacks Crispin Cowan (Sep 04)