Bugtraq mailing list archives
RE: In response to alleged vulnerabilities in Microsoft Visual C++ security checks feature
From: "David LeBlanc" <dleblanc () mindspring com>
Date: Fri, 15 Feb 2002 09:06:01 -0800
From: Crispin Cowan [mailto:crispin () wirex com]
Funnily enough, this book (published in November 2001) actually refers to the stack ornaments that provide for overflow
detection as
"canaries," a term coined in the StackGuard 1998 paper. See the book's index and search for "canary" http://www.microsoft.com/mspress/books/index/5612.asp#Index
I can tell you why this occurred, as I'm the one who wrote that phrase. I have followed Stackguard on this mailing list for quite some time (dating back to well before I joined Microsoft), and I believe had a brief conversation with you about it at USENIX. In fact, if you search on "Cowan" or "Stackguard", you will also find a hit (in the same paragraph, actually). It seemed to me to be an appropriate phrase to describe the functionality. The exact quote is: "Tools exist to make static buffer overruns more difficult to exploit. StackGuard, developed by Crispin Cowan and others, uses a test value - known as a canary after the miner's practice of taking a canary into a coal mine - to make a static buffer overrun much less trivial to exploit. Visual C++ .NET incorporates a similar approach." So the reason I used that exact term is because I was explicitly mentioning your application and work. Although a fair bit of the content of the book is Windows-centric, I tried to make the sections I wrote which applied to all platforms as generic as possible. I felt it would be a serious omission to write a chapter on buffer overruns and not mention your work. However, I do not work on the compiler team, and the /GS option was implemented before I became aware of it. I have no idea what processes went into that.
If it was independent invention, there are a lot of surprising coincidences.
The mention of your name in "Writing Secure Code" is not at all related to the implementation of the /GS option. I don't think you should find it surprising to be mentioned in a chapter about buffer overruns. As a former academic, I try and cite relevant work when writing about any given area. David LeBlanc dleblanc () mindspring com
Current thread:
- In response to alleged vulnerabilities in Microsoft Visual C++ security checks feature Brandon Bray (Feb 14)
- Re: In response to alleged vulnerabilities in Microsoft Visual C++ security checks feature Crispin Cowan (Feb 15)
- RE: In response to alleged vulnerabilities in Microsoft Visual C++ security checks feature David LeBlanc (Feb 19)
- Re: In response to alleged vulnerabilities in Microsoft Visual C++ security checks feature Crispin Cowan (Feb 15)