Bugtraq mailing list archives
Re: In response to alleged vulnerabilities in Microsoft Visual C++ security checks feature
From: Crispin Cowan <crispin () wirex com>
Date: Thu, 14 Feb 2002 18:33:51 -0800
Brandon Bray wrote:
I challenge that. The StackGuard paper was written in summer 1997, and published in early 1998. The Microsoft /GS paper appeared in mid-2001, and bears a STRIKING resemblance to the StackGuard paper. It is theoretically possible that /GS was an independent invention, but only by being astonishingly ignorant of the literature.[2] Cigital alleges that the /GS security check feature was a port of StackGuard. This happens to be untrue, as both technologies were invented independently.
Funnily enough, this book (published in November 2001) actually refers to the stack ornaments that provide for overflow detection as "canaries," a term coined in the StackGuard 1998 paper. See the book's index and search for "canary" http://www.microsoft.com/mspress/books/index/5612.asp#Index[1] "Writing Secure Code" is the prescriptive guide to Microsoft developers for, oddly enough, writing secure code.
If it was independent invention, there are a lot of surprising coincidences. Crispin -- Crispin Cowan, Ph.D. Chief Scientist, WireX Communications, Inc. http://wirex.com Security Hardened Linux Distribution: http://immunix.org Available for purchase: http://wirex.com/Products/Immunix/purchase.html The Olympic Games: A Century of Corruption and Graft The FIS: Crushing the soul of snowboarding
Current thread:
- In response to alleged vulnerabilities in Microsoft Visual C++ security checks feature Brandon Bray (Feb 14)
- Re: In response to alleged vulnerabilities in Microsoft Visual C++ security checks feature Crispin Cowan (Feb 15)
- RE: In response to alleged vulnerabilities in Microsoft Visual C++ security checks feature David LeBlanc (Feb 19)
- Re: In response to alleged vulnerabilities in Microsoft Visual C++ security checks feature Crispin Cowan (Feb 15)