Vulnerability Development mailing list archives
Re: stackguard-like embedded protection
From: "Bluefish (P.Magnusson)" <11a () GMX NET>
Date: Wed, 6 Sep 2000 07:03:33 +0200
(a bit drunk, but I think I can handle mail responding anyway ;)
does every stupid idea have to be marketed as 'research' nowadays?
Since both you and I are either students or teachers (noticed your .edu), plus I cc:ed my mail to the IBM researchers, I don't think I overly abused the term 'research'.
where's the need for research? I've made glibc rpms without %n the day the first format bugs went to bugtraq, and had them installed on all of my [linux] machines since then...
Whereas that was a "hack", not an overly researched solution - maybe not even a good one. Am I missing something, or is this - and a number of other 'fixes' suggested - not even close to a fix? These bugs basically rely on the ability to change EIP/return address. Sure, you can make it harder for people to exploit it by breaking some of the printf functionality (removing %x, %n etc and hoping for luck), but would it *really* stop people from %d-ing (or maybe even %s-ing and hoping for luck) until printf has 'popped' enough to get an address which points to something the attacker wishes to use into the return address?

/* note: Bluefish doesn't count merely making stacks and likewise non-exec a solution. It's an efficient way to make it harder to create exploits, and yes it works in many real-world examples. But in most applications it's never acceptable that the return address can be modified, even if not to attacker-supplied code */

Unless somebody picks up a shotgun and says "Bluefish - you got it all wrong" and kills me, your 'fix' is merely a layer of obscurity which may be enough in some cases. 'Research' would be to have some serious considerations, pondering and bouncing ideas between each other, until one agrees on what is the best fix and implements it, plus presenting a detailed analysis of why the fix really works and why it's a reasonably good solution.

If one could simply wave a wand and make everyone change the compilers and binaries to what I like, I'd simply implement a counter on how long the VARGS is, and ensure that printf makes use of all vargs, no more no less. To me, it seems to be a good solution, but I haven't really carefully examined the implications. That's why my idea is simply me babbling in a mailing list and not me presenting 'research'. No, I don't think that for something to be called 'research' it has to stand up to all definitions of academic presentations or be material enough for a Ph.D.
Or you might say my English is lacking; perhaps I should be using another word than 'research'. Replace it with 'studied' or whatever you prefer.

http://www.11a.nu || http://bluefish.11a.nu eleventh alliance development & security team
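The vararg-counting idea from the post above, worked through as an added example (this is not code from the post, from glibc, or from any project): fmt_arg_count() walks a printf-style format and returns how many variadic arguments it would consume, refusing %n outright, and CHECKED_PRINTF() compares that with the number of arguments the caller actually passed, formatting only when the two agree. It assumes the common POSIX conversion set and at most six variadic arguments; all names are made up for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Number of variadic arguments a printf-style format would consume: one per
 * conversion plus one per '*' width or precision. Returns -1 for a format
 * that is malformed or contains %n, which a caller should then refuse. */
int fmt_arg_count(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                       /* "%%" prints a literal '%' */
            continue;
        /* flags, width, precision and length modifiers; each '*' pulls an int */
        while (*p && strchr("-+ #0123456789.*hlLqjzt", *p)) {
            if (*p == '*')
                n++;
            p++;
        }
        if (*p == '\0' || *p == 'n')         /* dangling '%' or a write directive */
            return -1;
        if (!strchr("diouxXeEfFgGaAcsp", *p)) /* unknown conversion */
            return -1;
        n++;
    }
    return n;
}

/* Format only when the argument count the caller supplied (nargs) matches
 * what the format will consume; otherwise return -1 without printing. */
int checked_printf(int nargs, const char *fmt, ...)
{
    if (fmt_arg_count(fmt) != nargs)
        return -1;
    va_list ap;
    va_start(ap, fmt);
    vprintf(fmt, ap);
    va_end(ap);
    return 0;
}

/* Count the macro arguments (format included, seven at most) with a plain
 * C99 trick, then hand that count to checked_printf(). */
#define NARGS_(_1, _2, _3, _4, _5, _6, _7, N, ...) N
#define NARGS(...) NARGS_(__VA_ARGS__, 7, 6, 5, 4, 3, 2, 1)
#define CHECKED_PRINTF(...) checked_printf(NARGS(__VA_ARGS__) - 1, __VA_ARGS__)
```

A compiler-side version would do the same comparison at compile time for literal formats; this runtime wrapper is the smallest form of the check that also covers formats built at runtime.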