From owner-freebsd-security  Sun May 20 18:12: 3 2001
Delivered-To: freebsd-security@freebsd.org
Received: from virginia.yamato.ibm.co.jp (virginia.yamato.ibm.co.jp [203.141.89.165])
	by hub.freebsd.org (Postfix) with ESMTP id 41D9C37B422
	for <security@FreeBSD.ORG>; Sun, 20 May 2001 18:12:00 -0700 (PDT)
	(envelope-from etoh@trl.ibm.co.jp)
Received: from ns.trl.ibm.com (ns.trl.ibm.com [9.116.48.18])
	by virginia.yamato.ibm.co.jp (8.9.3/3.7W/GW3.3) with ESMTP id KAA14674;
	Mon, 21 May 2001 10:11:49 +0900
Received: from localhost by ns.trl.ibm.com (AIX4.3/8.9.3/TRL4.5SRV)
	id KAA24158; Mon, 21 May 2001 10:11:49 +0900
To: mixtim@home.com
Cc: security@FreeBSD.ORG
Subject: Re: Base system with gcc stack-smashing protector
In-Reply-To: <20010518211301.A53682@home.com>
References: <20010519093227T.etoh@trl.ibm.com>
	<20010518211301.A53682@home.com>
X-Mailer: Mew version 1.94b48 on Emacs 20.7 / Mule 4.0 (HANANOEN)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20010521101149B.etoh@trl.ibm.com>
Date: Mon, 21 May 2001 10:11:49 +0900
From: Hiroaki Etoh <etoh@trl.ibm.co.jp>
X-Dispatcher: imput version 990813(IM119)
Lines: 26
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
List-ID: <freebsd-security.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo?subject=subscribe%20freebsd-security>
List-Unsubscribe: <mailto:majordomo?subject=unsubscribe%20freebsd-security>
X-Loop: FreeBSD.org

At Fri, 18 May 2001 21:13:01 -0400,
 Mixtim <mixtim@home.com> wrote:
> Have you seen Phrack Magazine issue 56, article 5? The title is "Bypassing
> StackGuard and StackShield."
> 
>   "This article is an attempt to demonstrate that it is possible to
>    exploit stack overflow vulnerabilities on systems secured by
>    StackGuard or StackShield even in hostile environments (such as when
>    the stack is non-executable)."
>    
> Does your patch address their concerns?

Yes. 

The article pointed out that StackGuard or StackShield protection can be
bypassed using buffer overflows to  alter other pointers in the program
besides the return address. (StackGuard introduced a remediation, which
is called XOR canary protection with a little bit performance overhead.)

My protection changes the locations of such pointers to the location
behind buffers, so those pointers can not be altered using buffer
overflows. It acheives the protection without performance degradation.

Please see
http://www.trl.ibm.com/projects/security/ssp/node4.html#SECTION00042000000000000000
in detail.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message