Vulnerability Development mailing list archives
Re: vulndev-1 and a suggestion about the ensuing discussion
From: xenophi1e <oliver.lavery () sympatico ca>
Date: 15 May 2003 16:46:57 -0000
In-Reply-To: <200305142359.h4ENxLHw004175 () mail rev net>
The second aspect is also interesting, but to my view *separate*: if my above analysis is correct, then the question is, "how much damage can
you
cause in various operating systems and with particular C compilers if
you
can clobber that one byte off the end of a malloc" [with the answer
being
"a widely variable amount of damage, of course..:o)]. And I realize
this On a related note, how many ways are there of preventing this sort of error, or at least preventing it from being a security issue? To me that's more interesting than a blow by blow of the impact... 1) Don't make silly mistakes. Obviously this isn't going to happen. 2) Use canaries in the allocator. What's the best way to do this? For one byte overflows a simple value at the end that's difficult to guess would have saved this snippet from being 0wn3d. What about a longer overflow as might have resulted from using strcpy? 3) How could the layout of malloc()s bookeeping info be smarter? Are there any platforms that have allocators that are more robust against overruns? Perhaps this is off-topic for some, but it seems like the most interesting part of a problem like this, to me... Cheers, ~ol
Current thread:
- vulndev-1 and a suggestion about the ensuing discussion Bernie Cosell (May 15)
- <Possible follow-ups>
- Re: vulndev-1 and a suggestion about the ensuing discussion xenophi1e (May 15)
- possible format string in ultra edit 8.00 Thijs Dalhuijsen (May 16)
- safe mallocs (was Re: vulndev-1 and a suggestion about the ensuing discussion) Bennett Todd (May 16)
- RE: vulndev-1 and a suggestion about the ensuing discussion Michael Wojcik (May 15)
- Re: vulndev-1 and a suggestion about the ensuing discussion xenophi1e (May 16)
- Re: vulndev-1 and a suggestion about the ensuing discussion Valdis . Kletnieks (May 17)