From owner-freebsd-hackers Thu Jan 30 21:41:53 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id VAA03407 for hackers-outgoing; Thu, 30 Jan 1997 21:41:53 -0800 (PST)
Received: from pdx1.world.net (pdx1.world.net [192.243.32.18]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id VAA03399 for ; Thu, 30 Jan 1997 21:41:47 -0800 (PST)
Received: from suburbia.net (suburbia.net [203.4.184.1]) by pdx1.world.net (8.7.5/8.7.3) with SMTP id VAA03447 for ; Thu, 30 Jan 1997 21:43:02 -0800 (PST)
Received: (qmail 15308 invoked by uid 110); 31 Jan 1997 05:41:20 -0000
MBOX-Line: From best-of-security-request@suburbia.net Fri Jan 31 13:05:37 1997 remote from suburbia.net
Received: (from list@localhost) by suburbia.net (8.8.4/8.8.4) id NAA12392 for proff@suburbia.net; Fri, 31 Jan 1997 13:05:37 +1100 (EST)
Received: (qmail 11856 invoked from network); 31 Jan 1997 01:53:46 -0000
Received: from midway.evtech.com (204.96.163.2) by suburbia.net with SMTP; 31 Jan 1997 01:53:46 -0000
Received: from tahiti.evtech.com (tahiti.evtech.com [192.35.179.19]) by midway.evtech.com (8.7.3/8.6.9) with ESMTP id TAA28451; Thu, 30 Jan 1997 19:52:48 -0600 (CST)
Received: from borneo (borneo.evtech.com [192.35.179.29]) by tahiti.evtech.com (8.6.12/8.6.12) with SMTP id TAA07088; Thu, 30 Jan 1997 19:52:46 -0600
Received: from borneo.evtech.com (localhost) by borneo (5.x) id AA07829; Thu, 30 Jan 1997 19:06:04 -0600
Message-Id: <9701310106.AA07829@borneo>
To: Terrell Thacker
Cc: best-of-security@suburbia.net, travis@evtech.com, bugtraq@fc.net
Subject: Re: BoS: Re: Smashing the stack
In-Reply-To: Your message of "Wed, 22 Jan 1997 14:12:42 EST." <9701221912.AA23790@mtc.iitri.com>
Date: Thu, 30 Jan 1997 19:06:04 -0600
From: Travis Hassloch x231
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

In message <9701221912.AA23790@mtc.iitri.com> you write:
> My main question is if all
> of these protection modes are available, why are they not being used
> effectively in the OSs that exist for the X86 line?

Well, I wondered this exact thing, and the reasons I got back usually were:

1) It doesn't fit the memory mapping model. Virtual memory handling is VERY difficult to do right under Unix, and it's very hard to know when you've broken something. Ask the FreeBSD people; they just redesigned theirs not long ago. I looked briefly at the description of the cmap (core map) in a book a while back, and I bet most BSD Unixes haven't changed their memory model much from the original Vax-specific stuff.

2) It's SLOW. Reloading a segment register on a 486 in protected mode took a VERY long time. It's probably a lot faster on newer models. (Sorry, don't remember the exact number; I want to say it was 100 cycles.) Most Unices on the PC simply set the segment registers to base 0, size 4GB, r/w, and leave it at that the whole time, never incurring the overhead of reloading them. In fact, for all of Intel's fancy x86 call-gate stuff, I believe the Linux people ran some benchmarks and determined the old-fashioned software interrupt (trap) was faster, and so nobody even bothers with it.

3) Not many people are qualified to make that kind of a change. Many of the ones who are, are too busy :)

> If so, what are those OSs?

I believe OS/2 uses segment-based protection, but don't quote me on it.

> Wouldn't it be nice if you could write off stack smashing
> on certain X86 platforms because the OS/processor combination wouldn't
> allow it to occur?

Yes. It would also be nice if they took advantage of better memory-mapping techniques (like using a single 4MB page to map the non-swappable monolithic kernel image instead of multiple 4K pages) to improve performance by having a smaller TLB footprint, too. It's on my todo list. ;)

-- 
Travis Hassloch | Beware of False Profits | P=NP if (P=0 or N=1)
Fools are often sure of themselves, but wise men are full of doubt.
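The "base 0, size 4GB, r/w" segments Travis mentions are ordinary 32-bit x86 segment descriptors with the limit set to cover the entire linear address space, which is why they provide no bounds protection at all. The following C program is an added illustration, not code from the mail, from FreeBSD or from any of the systems discussed: it assembles descriptors from their fields according to the Intel descriptor layout, decodes them back, and contrasts the flat data/code descriptors with a constructed, bounded data segment for which an out-of-range offset would fault. The helper names (make_descriptor, descriptor_base, descriptor_size_bytes, offset_in_segment) and the 64 KiB segment at 0x00100000 are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <inttypes.h>

/* Added example, not from the original mail: build and decode 32-bit x86
 * segment descriptors to show concretely what a flat "base 0, size 4GB"
 * segment is and why it cannot catch an out-of-bounds stack or data access.
 * Helper names below are hypothetical, chosen for this example. */

/* Access-byte values for the two segment kinds the mail mentions. */
#define ACCESS_DATA_RW  0x92u  /* P=1, DPL=0, S=1, type=0010b: data, read/write   */
#define ACCESS_CODE_XR  0x9Au  /* P=1, DPL=0, S=1, type=1010b: code, execute/read */

/* Bits in the flags nibble (descriptor bits 52-55). */
#define FLAG_G   0x8u  /* granularity: limit is counted in 4 KiB pages */
#define FLAG_DB  0x4u  /* 32-bit default operand/stack size          */

/* Assemble an 8-byte descriptor from a 32-bit base, a 20-bit limit,
 * the access byte and the flags nibble. */
uint64_t make_descriptor(uint32_t base, uint32_t limit20, uint8_t access, uint8_t flags)
{
    uint64_t d = 0;
    d |= (uint64_t)(limit20 & 0xFFFFu);              /* limit[15:0]  -> bits 0-15  */
    d |= (uint64_t)(base & 0xFFFFu) << 16;           /* base[15:0]   -> bits 16-31 */
    d |= (uint64_t)((base >> 16) & 0xFFu) << 32;     /* base[23:16]  -> bits 32-39 */
    d |= (uint64_t)access << 40;                     /* access byte  -> bits 40-47 */
    d |= (uint64_t)((limit20 >> 16) & 0xFu) << 48;   /* limit[19:16] -> bits 48-51 */
    d |= (uint64_t)(flags & 0xFu) << 52;             /* AVL/L/D-B/G  -> bits 52-55 */
    d |= (uint64_t)((base >> 24) & 0xFFu) << 56;     /* base[31:24]  -> bits 56-63 */
    return d;
}

/* Recover the 32-bit base address from its three scattered fields. */
uint32_t descriptor_base(uint64_t d)
{
    return (uint32_t)((d >> 16) & 0xFFFFu)
         | (uint32_t)(((d >> 32) & 0xFFu) << 16)
         | (uint32_t)(((d >> 56) & 0xFFu) << 24);
}

/* Segment size in bytes; 64-bit so that a full 4 GiB segment is representable. */
uint64_t descriptor_size_bytes(uint64_t d)
{
    uint32_t limit20 = (uint32_t)(d & 0xFFFFu) | (uint32_t)(((d >> 48) & 0xFu) << 16);
    int granular = (int)((d >> 55) & 1u);
    /* With G=1 the limit is in pages, so the last valid byte is (limit+1)*4096-1. */
    return granular ? ((uint64_t)limit20 + 1) << 12 : (uint64_t)limit20 + 1;
}

/* 1 if an access at segment offset `off` stays within the limit,
 * 0 if the CPU would raise a fault (#GP, or #SS for the stack segment). */
int offset_in_segment(uint64_t d, uint32_t off)
{
    return (uint64_t)off < descriptor_size_bytes(d);
}

int main(void)
{
    uint64_t flat_data = make_descriptor(0, 0xFFFFFu, ACCESS_DATA_RW, FLAG_G | FLAG_DB);
    uint64_t flat_code = make_descriptor(0, 0xFFFFFu, ACCESS_CODE_XR, FLAG_G | FLAG_DB);
    /* Constructed bounded segment: 64 KiB of data at 0x00100000, byte granularity. */
    uint64_t small_data = make_descriptor(0x00100000u, 0xFFFFu, ACCESS_DATA_RW, FLAG_DB);

    printf("flat data  %016" PRIx64 "  base 0x%08" PRIx32 "  size %" PRIu64 " bytes\n",
           flat_data, descriptor_base(flat_data), descriptor_size_bytes(flat_data));
    printf("flat code  %016" PRIx64 "  base 0x%08" PRIx32 "  size %" PRIu64 " bytes\n",
           flat_code, descriptor_base(flat_code), descriptor_size_bytes(flat_code));
    printf("small data %016" PRIx64 "  base 0x%08" PRIx32 "  size %" PRIu64 " bytes\n",
           small_data, descriptor_base(small_data), descriptor_size_bytes(small_data));

    /* The flat segment accepts every 32-bit offset; the bounded one faults past 64 KiB. */
    printf("offset 0x10000: flat ok=%d, small ok=%d\n",
           offset_in_segment(flat_data, 0x10000u), offset_in_segment(small_data, 0x10000u));
    return 0;
}
```

The two flat descriptors come out as the familiar 0x00CF92000000FFFF and 0x00CF9A000000FFFF, and offset_in_segment accepts any offset for them, which is the point of the mail: with every segment covering all 4 GB, the segment-limit check can never fire, so the hardware check is present but effectively disabled. The bounded descriptor shows what the check would do if an OS paid the segment-reload cost to use it.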