From: Peter Wemm
To: Terry Lambert
Cc: arch@FreeBSD.ORG
Subject: Re: Time to make the stack non-executable?
In-Reply-To: <3D1E3126.C96FFAA5@mindspring.com>
Date: Sun, 30 Jun 2002 00:00:05 -0700
Message-Id: <20020630070005.092FD390F@overcee.wemm.org>

Terry Lambert wrote:
> Sean Eric Fagan and I discussed this several years ago, and we
> discussed it again the other day, before this attack hit. It
> looks like it's an idea whose time has come.

The Linux folks have been tinkering with this on and off for years.

There's one problem. Making the stack not-executable only makes
exploits a bit harder, but doesn't solve the problem. There is some
nice executable trampoline code in the ELF PLT that can be abused to
make libc do the execution part for you.

ie: most stack overflow holes would still be exploitable. It just
makes it a little harder since you can only push data instead of
shellcode. But that's all there is to it, you push your args, then set
the return address to point to the PLT trampoline and in most cases
you are home.

Making the stack non-executable is not the final solution. It just
raises the bar a bit.
Note that I'm not saying that we shouldn't do it, just do not have
unrealistic expectations for it.

Cheers,
-Peter
--
Peter Wemm - peter@wemm.org; peter@FreeBSD.org; peter@yahoo-inc.com
"All of this is for nothing if we don't go to the stars" - JMS/B5