Vulnerability Development mailing list archives

Re: stackguard-like embedded protection


From: "Bluefish (P.Magnusson)" <11a () GMX NET>
Date: Wed, 6 Sep 2000 07:03:33 +0200

(a bit drunk, but I think I can handle mail responding anyway ;)

does every stupid idea have to be marketed as 'research' nowadays?

Since both you and I either are students or teachers (noticed your .edu),
plus I cc:ed my mail to the IBM researchers, I don't think I overly abused
the term 'research'.

where's the need for research? I've made glibc rpms without %n the day
the first format bugs went to bugtraq, and had them installed on all of my
[linux] machines since then...

Whereas, that was a "hack", not an overly researched solution - maybe not
even a good one. Am I missing something, or is this - and a number of
other 'fixes' suggested - not even close to a fix? These bugs basically rely on
the ability to change EIP/return address. Sure, you can make it harder for
people to exploit it by breaking some of the printf functionality
(removing %x, %n etc. and hoping for luck), but would it *really* stop people
from %d-ing (or maybe even %s-ing and hoping for luck) until printf has
'popped' enough to get an address which points to something the attacker
wishes to use into the return address.

/*
   note:
   Bluefish doesn't count merely making stacks and likewise non-exec
   a solution. It's an efficient way to make it harder to create exploits,
   and yes it works in many real-world examples. But in most applications
   it's never acceptable that the return address can be modified, even if not
   to attacker-supplied code
*/

Unless somebody picks up a shotgun and says "Bluefish - you got it all
wrong" and kills me, your 'fix' is merely a layer of obscurity which may be
enough in some cases. 'Research' would be to have some serious
considerations, ponder and bounce ideas between each other, until one
agrees on what is the best fix and implements it, plus presenting a
detailed analysis of why the fix really works and why it's a reasonably
good solution.

If one could simply wave a wand and make everyone change the compilers and
binaries to what I like, I'd simply implement a counter on how long the
VARGS is, and ensure that printf makes use of all vargs, no more no less.
To me, it seems to be a good solution, but I haven't really carefully
examined the implications. That's why my idea is simply me babbling in a
mailing list and not me presenting 'research'.

No, I don't think that for something to be called 'research' it has to
stand up to all definitions of academic presentations or be material
enough for a Ph.D. Or you might say my English is lacking, perhaps I
should be using another word than 'research'. Replace with 'studied' or
whatever you prefer.

..:::::::::::::::::::::::::::::::::::::::::::::::::..
     http://www.11a.nu || http://bluefish.11a.nu
    eleventh alliance development & security team
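The "count the varargs" fix proposed in the post, as an added example (my own code, not the poster's and not glibc's): a printf wrapper that takes the argument count explicitly and refuses any format string that does not consume exactly that many, so a format that walks the stack with %x/%d/%s fails the check whether or not %n has been removed. It goes slightly beyond the post in also counting '*' width and precision; positional ("%1$s") conversions are rejected as unsupported, an assumption of this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Count how many arguments a printf-style format string consumes.
 * Returns -1 for a truncated or unknown conversion, or for positional
 * ("%1$s") conversions, which this checker deliberately does not model. */
int count_format_args(const char *fmt)
{
    int n = 0;
    for (const char *p = fmt; *p; p++) {
        if (*p != '%')
            continue;
        p++;
        if (*p == '%')                       /* "%%" is a literal percent */
            continue;
        while (*p && strchr("-+ #0'", *p))   /* flags */
            p++;
        if (*p == '*') { n++; p++; }         /* '*' width consumes an int */
        else while (*p >= '0' && *p <= '9') p++;
        if (*p == '.') {                     /* precision, same rule */
            p++;
            if (*p == '*') { n++; p++; }
            else while (*p >= '0' && *p <= '9') p++;
        }
        while (*p && strchr("hlLqjzt", *p))  /* length modifiers */
            p++;
        if (*p == '\0' || !strchr("diouxXeEfFgGaAcspn", *p))
            return -1;                       /* truncated, positional or unknown */
        n++;                                 /* the conversion itself */
    }
    return n;
}

/* The "count the varargs" idea: the caller states how many arguments
 * follow, and the call is refused (returns -1, prints nothing) unless the
 * format string consumes exactly that many. A user-controlled format such
 * as "%x %x %n" therefore fails the check before vprintf ever sees it. */
int checked_printf(int nargs, const char *fmt, ...)
{
    if (count_format_args(fmt) != nargs)
        return -1;
    va_list ap;
    va_start(ap, fmt);
    int rc = vprintf(fmt, ap);
    va_end(ap);
    return rc;
}
```

A compiler's -Wformat warnings catch the same mismatch for literal format strings; this check is for the case the post is about, where the format string only exists at run time.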
