Date: Thu, 30 Jan 1997 19:06:04 -0600
From: Travis Hassloch x231 <travis@evtech.com>
To: Terrell Thacker <tthacker@mtc.iitri.com>
Cc: best-of-security@suburbia.net, travis@evtech.com, bugtraq@fc.net
Subject: Re: BoS: Re: Smashing the stack
Message-ID: <9701310106.AA07829@borneo>
In-Reply-To: Your message of "Wed, 22 Jan 1997 14:12:42 EST." <9701221912.AA23790@mtc.iitri.com>
In message <9701221912.AA23790@mtc.iitri.com> you write:
> My main question is if all of these protection modes are available, why
> are they not being used effectively in the OSs that exist for the X86 line?

Well, I wondered this exact thing, and the reasons I got back usually were:

1) It doesn't fit the memory mapping model. Virtual memory handling is VERY
difficult to do right under Unix, and it's very hard to know when you've
broken something. Ask the FreeBSD people, they just redesigned theirs not
long ago. I looked briefly at the description of the cmap (core map) in a
book a while back and I bet most BSD Unixes haven't changed their memory
model much from the original Vax-specific stuff.

2) It's SLOW. Reloading a segment register on a 486 in protected mode took
a VERY long time. It's probably a lot faster on newer models. (Sorry, don't
remember the exact number; I want to say it was 100 cycles.) Most Unices on
the PC simply set the segment registers to base 0, size 4GB, r/w, and leave
it at that the whole time, never incurring the overhead of reloading them.
In fact, for all of Intel's fancy x86 call-gate stuff, I believe the Linux
people ran some benchmarks and determined the old-fashioned software
interrupt (trap) was faster and so nobody even bothers with it.

3) Not many people are qualified to make that kind of a change. Many of the
ones who are are too busy :)

> If so, what are those OSs?

I believe OS/2 uses segment-based protection, but don't quote me on it.

> Wouldn't it be nice if you could write off stack smashing on certain X86
> platforms because the OS/processor combination wouldn't allow it to occur?

Yes. It would also be nice if they took advantage of better memory-mapping
techniques (like using a single 4MB page to map the non-swappable monolithic
kernel image instead of multiple 4K pages) to improve performance by having
a smaller TLB footprint, too. It's on my todo list. ;)

--
Travis Hassloch | Beware of False Profits | P=NP if (P=0 or N=1)
Fools are often sure of themselves, but wise men are full of doubt.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?9701310106.AA07829>
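An added example, not part of the message above or of any of the systems it names: a C model of the 32-bit x86 segment descriptor. It shows what the "base 0, size 4GB, r/w" flat segments the message describes look like as bit patterns, and how a code segment whose limit excluded the stack would make the processor refuse an instruction fetch from an overwritten return address. The flat-model encodings follow Intel's documented descriptor layout; the bounded 256 MiB code segment and the stack address 0xBFFFF000 are constructed for illustration and correspond to no real OS layout. The check models only present, expand-up, non-conforming segments and ignores paging, which the real CPU applies after the segment check.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Access byte (descriptor byte 5). */
#define ACC_PRESENT  0x80u
#define ACC_DPL(n)   ((uint8_t)(((n) & 3u) << 5))
#define ACC_CODEDATA 0x10u  /* S = 1: code/data segment, not a system descriptor */
#define ACC_EXEC     0x08u  /* type bit 3: 1 = code segment, 0 = data segment */
#define ACC_RW       0x02u  /* data: writable; code: readable */
/* Flag nibble (high nibble of descriptor byte 6). */
#define FLG_G        0x8u   /* granularity: limit counts 4 KiB units, not bytes */
#define FLG_DB       0x4u   /* 32-bit default operand and stack size */

enum access_kind { ACCESS_READ, ACCESS_WRITE, ACCESS_EXEC };

/* Pack a protected-mode descriptor into its 8-byte little-endian image:
 * limit[15:0], base[15:0], base[23:16], access, flags|limit[19:16], base[31:24]. */
uint64_t encode_desc(uint32_t base, uint32_t limit, uint8_t access, uint8_t flags)
{
    uint64_t d = 0;
    d |= (uint64_t)(limit & 0xFFFFu);
    d |= (uint64_t)(base & 0xFFFFu) << 16;
    d |= (uint64_t)((base >> 16) & 0xFFu) << 32;
    d |= (uint64_t)access << 40;
    d |= (uint64_t)((limit >> 16) & 0x0Fu) << 48;
    d |= (uint64_t)(flags & 0x0Fu) << 52;
    d |= (uint64_t)((base >> 24) & 0xFFu) << 56;
    return d;
}

/* Reassemble the three scattered base fields. */
uint32_t desc_base(uint64_t d)
{
    return (uint32_t)((d >> 16) & 0xFFFFu)
         | ((uint32_t)((d >> 32) & 0xFFu) << 16)
         | ((uint32_t)((d >> 56) & 0xFFu) << 24);
}

/* Highest offset the segment permits (inclusive). With G set, the CPU
 * scales the 20-bit limit by 4 KiB and fills the low 12 bits with ones,
 * so limit 0xFFFFF with G covers the whole 4 GiB address space. */
uint32_t desc_max_offset(uint64_t d)
{
    uint32_t lim = (uint32_t)(d & 0xFFFFu) | ((uint32_t)((d >> 48) & 0x0Fu) << 16);
    return ((d >> 55) & 1u) ? ((lim << 12) | 0xFFFu) : lim;
}

/* Model the type and limit checks applied to the byte range [offset, offset+len). */
bool seg_access_ok(uint64_t d, uint32_t offset, uint32_t len, enum access_kind kind)
{
    uint8_t access = (uint8_t)(d >> 40);
    bool code = (access & ACC_EXEC) != 0;

    if (!(access & ACC_PRESENT) || !(access & ACC_CODEDATA) || len == 0)
        return false;
    /* Type check: only code segments execute, only writable data segments
     * take stores, code segments may be read only when marked readable. */
    switch (kind) {
    case ACCESS_EXEC:  if (!code) return false; break;
    case ACCESS_WRITE: if (code || !(access & ACC_RW)) return false; break;
    case ACCESS_READ:  if (code && !(access & ACC_RW)) return false; break;
    }
    /* Limit check, rejecting ranges that wrap around the top of the segment. */
    uint32_t last = offset + (len - 1);
    if (last < offset)
        return false;
    return last <= desc_max_offset(d);
}

/* The flat model the message describes: base 0, 4 GiB, present, read/write. */
uint64_t flat_data_desc(unsigned dpl)
{
    return encode_desc(0, 0xFFFFFu, ACC_PRESENT | ACC_DPL(dpl) | ACC_CODEDATA | ACC_RW,
                       FLG_G | FLG_DB);
}

uint64_t flat_code_desc(unsigned dpl)
{
    return encode_desc(0, 0xFFFFFu,
                       ACC_PRESENT | ACC_DPL(dpl) | ACC_CODEDATA | ACC_EXEC | ACC_RW,
                       FLG_G | FLG_DB);
}

/* Constructed alternative: a code segment confined to the low 256 MiB, so
 * a stack near 0xBFFFxxxx lies outside its limit (illustration only). */
uint64_t bounded_code_desc(unsigned dpl)
{
    return encode_desc(0, 0x0FFFFu,
                       ACC_PRESENT | ACC_DPL(dpl) | ACC_CODEDATA | ACC_EXEC | ACC_RW,
                       FLG_G | FLG_DB);
}

int main(void)
{
    const uint32_t stack_addr = 0xBFFFF000u;  /* constructed: a smashed frame's return target */
    printf("flat kernel data: %016llx\n", (unsigned long long)flat_data_desc(0));
    printf("flat user code:   %016llx\n", (unsigned long long)flat_code_desc(3));
    printf("fetch from stack, flat code segment:    %s\n",
           seg_access_ok(flat_code_desc(3), stack_addr, 16, ACCESS_EXEC) ? "allowed" : "#GP");
    printf("fetch from stack, bounded code segment: %s\n",
           seg_access_ok(bounded_code_desc(3), stack_addr, 16, ACCESS_EXEC) ? "allowed" : "#GP");
    return 0;
}
```

The two flat descriptors come out as 0x00cf92000000ffff and 0x00cffa000000ffff, which is exactly why "set the segment registers to base 0, size 4GB" costs nothing at run time: every segment covers everything, so no reload is ever needed. The bounded code segment is the other side of the trade the message describes: it turns a jump into the stack into a general-protection fault, but only if the OS is willing to manage distinct segments per region and pay for reloading them.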