From owner-freebsd-chat Mon Feb 17 20:11:41 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id UAA12521 for chat-outgoing; Mon, 17 Feb 1997 20:11:41 -0800 (PST)
Received: from darkstar (ras517.srv.net [205.180.127.17]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id UAA12498 for ; Mon, 17 Feb 1997 20:11:32 -0800 (PST)
Received: (from cmott@localhost) by darkstar (8.6.12/8.6.12) id VAA03599; Mon, 17 Feb 1997 21:10:18 -0700
Date: Mon, 17 Feb 1997 21:10:17 -0700 (MST)
From: Charles Mott
X-Sender: cmott@darkstar
To: David Greenman
cc: "Jordan K. Hubbard" , freebsd-chat@freebsd.org
Subject: Re: Countering stack overflow
In-Reply-To: <199702180343.TAA03412@root.com>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-chat@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> I really don't see how any of this is going to affect the problem. You
> can use relative addressing/position independent code to get around any
> differences in stack addresses.

The whole point of the stack overflow attack, as it has been explained to me, is that the return address has to be modified to point to the overflow region of the stack (with maybe a kilobyte or two of slack). This requires an approximate knowledge of where, in absolute address space, the stack overflow region is.

I am mainly interested in this vulnerability since it seems to allow an outsider to waltz into your machine and gain root privilege immediately. It seems to be much more serious than the other security problems. If there is an uncertainty of a few hundred megabytes of where the top of the stack is, then this would make compromise much more difficult, especially for a network based (rather than shell based) attack.

I agree that going to strncpy's is a good idea, I am just personally curious about adding an extra layer of security. This is just sound strategy in my view.

I will work on this offline, since I think I have received as much information as I can from this venue. I'm sort of tired of arguing with everybody on this. No more responses, please. I will just understand things on my own.

Charles Mott
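The mechanism the message describes, as an added example that is not part of the thread and not FreeBSD code: a C simulation in which a struct stands in for the part of a stack frame that matters (a fixed buffer followed by the saved return address). An unbounded copy of a constructed payload (filler plus the attacker's guessed buffer address) overwrites the saved return address; the attack "lands" only if that guess falls within the sled's slack of the buffer's real address, which is what a randomized stack base defeats. All addresses, the 256 MB range, the 2 KB slack, and the function names are assumptions chosen for the demo; nothing here executes injected code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE   16
#define RET_MARKER ((uintptr_t)0x4000feedu)  /* stand-in for the legitimate return address */

/* Simplified frame: in a real frame there may be padding, a saved frame
 * pointer or a canary between the buffer and the return address. */
struct frame {
    char      buf[BUF_SIZE];
    uintptr_t saved_ret;
};

/* Classic payload: BUF_SIZE bytes of filler (0x90 = x86 NOP, used only as a
 * recognisable sled byte) followed by the attacker's guess of buf's absolute
 * address, stored in host order because saved_ret is read back as uintptr_t. */
static size_t build_payload(uintptr_t guessed_buf_addr, unsigned char *out, size_t out_len) {
    size_t need = BUF_SIZE + sizeof(uintptr_t);
    if (out_len < need) return 0;
    memset(out, 0x90, BUF_SIZE);
    memcpy(out + BUF_SIZE, &guessed_buf_addr, sizeof guessed_buf_addr);
    return need;
}

/* The unsafe pattern (what strcpy-style code does): copy everything the input
 * carries. Clamped to the struct so the demo stays inside one object. */
static void copy_unbounded(struct frame *f, const unsigned char *in, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy((unsigned char *)f, in, len);
}

/* Bounded copy: refuse input that does not fit together with its NUL.
 * Unlike strncpy, this always terminates the buffer. */
static int copy_bounded(struct frame *f, const unsigned char *in, size_t len) {
    if (len >= BUF_SIZE) return -1;
    memcpy(f->buf, in, len);
    f->buf[len] = '\0';
    return 0;
}

/* Did the overwritten return address land inside the sled, i.e. within
 * `slack` bytes above the buffer's real address? */
static int hijacked(const struct frame *f, uintptr_t real_buf_addr, size_t slack) {
    return f->saved_ret >= real_buf_addr && f->saved_ret < real_buf_addr + slack;
}

/* One blind attempt: attacker guesses `guess`, the buffer actually lives at
 * `actual_buf`. Returns 1 if the guess would have worked. */
static int run_attempt(uintptr_t guess, uintptr_t actual_buf, size_t slack) {
    struct frame f;
    unsigned char payload[sizeof(struct frame)];
    memset(&f, 0, sizeof f);
    f.saved_ret = RET_MARKER;
    size_t n = build_payload(guess, payload, sizeof payload);
    copy_unbounded(&f, payload, n);
    return hijacked(&f, actual_buf, slack);
}

/* Same payload against the bounded copy: returns 1 if saved_ret survived. */
static int bounded_keeps_ret(uintptr_t guess) {
    struct frame f;
    unsigned char payload[sizeof(struct frame)];
    memset(&f, 0, sizeof f);
    f.saved_ret = RET_MARKER;
    size_t n = build_payload(guess, payload, sizeof payload);
    int rc = copy_bounded(&f, payload, n);
    return rc == -1 && f.saved_ret == RET_MARKER;
}

/* Expected number of blind attempts when the stack base is uniformly
 * randomized over `range` bytes and the sled tolerates `slack` bytes of error. */
static unsigned long expected_attempts(size_t slack, size_t range) {
    return slack == 0 ? 0 : (unsigned long)(range / slack);
}

int main(void) {
    uintptr_t fixed_base = (uintptr_t)0xbfbff000u;   /* assumed, fixed stack layout */
    uintptr_t shifted    = fixed_base + 0x10000000u; /* same layout, base moved 256 MB */
    printf("fixed layout, guess == real: hijacked=%d\n", run_attempt(fixed_base, fixed_base, 2048));
    printf("randomized base, same guess: hijacked=%d\n", run_attempt(fixed_base, shifted, 2048));
    printf("bounded copy keeps return address: %d\n", bounded_keeps_ret(fixed_base));
    printf("expected attempts, 2 KB slack over 256 MB: %lu\n",
           expected_attempts(2048, (size_t)256 << 20));
    return 0;
}
```

The bounded copy terminates the buffer explicitly rather than relying on strncpy, which leaves no NUL when the source fills the destination. The attempt count is the idealised case of a uniformly random base and a perfectly tolerant sled; a real attacker who can retry against a network service would still expect on the order of that many connections, which is the cost the message is arguing for.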