From: Charles Mott
Date: Sun, 16 Feb 1997 19:22:31 -0700 (MST)
To: freebsd-chat@freebsd.org
Subject: Countering stack overflow

What I have noticed running test programs is that the top of the stack always appears to be at or near 0xffffffff.

I am interested in generating an experimental kernel patch (for 2.1.0-R) which would randomly change the top stack address over a range of 0x4fffffff-0xffffffff when a new process (not a fork) is started. My guess is that this will practically shut down any stack overflow attacks which gain root privilege. They may still cause crashes or process termination, though.

Please advise if there is a conceptual error in what I want to do. I have to stop at the library and check out a copy of Leffler et al. to get an overview, but I seem to remember that I might have to do something with the exec() call. Does an executable a.out format specify how the stack pointer is initialized, or does the OS do this?

Charles Mott
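The check a practitioner would want after applying a patch like the one proposed above is whether the stack top really does move between fresh process images. The following is an added example, not code from the post or from FreeBSD; it assumes a Linux-style /proc/self/maps that lists the main-thread stack as a "[stack]" mapping (the 2.1.0-R kernel discussed has no such file, so the live probe is skipped there) and that a `cat` binary is on the PATH.

```python
# Added example: measure how much the top of the stack varies across freshly
# exec'd processes, the property a stack-top randomisation patch changes.
# Assumption: /proc/self/maps exists and marks the main stack as "[stack]".
import os
import re
import subprocess

STACK_LINE = re.compile(r"^([0-9a-f]+)-([0-9a-f]+)\s.*\[stack\]$", re.M)


def stack_top_from_maps(maps_text):
    """Return the end address of the [stack] mapping, or None if absent."""
    m = STACK_LINE.search(maps_text)
    return int(m.group(2), 16) if m else None


def varying_bits(addresses):
    """Count the address bits that differ across the samples: a rough upper
    bound on how many bits an overflow exploit would have to guess."""
    addresses = list(addresses)
    if len(addresses) < 2:
        return 0
    diff = 0
    for a in addresses[1:]:
        diff |= a ^ addresses[0]
    return bin(diff).count("1")


def sample_stack_tops(n=16):
    """Exec `cat /proc/self/maps` n times (each run is a new process image,
    not a fork of this one) and collect each run's stack top. Returns []
    where /proc/self/maps does not exist."""
    if not os.path.exists("/proc/self/maps"):
        return []
    tops = []
    for _ in range(n):
        out = subprocess.run(["cat", "/proc/self/maps"], capture_output=True,
                             text=True, check=True).stdout
        top = stack_top_from_maps(out)
        if top is not None:
            tops.append(top)
    return tops


# Constructed maps excerpt standing in for a live process (sample data only).
SAMPLE_MAPS = (
    "00400000-00452000 r-xp 00000000 08:01 1234 /bin/cat\n"
    "7ffc1a3c0000-7ffc1a3e1000 rw-p 00000000 00:00 0          [stack]\n"
    "7ffc1a3f9000-7ffc1a3fb000 r-xp 00000000 00:00 0          [vdso]\n"
)

if __name__ == "__main__":
    print("sample stack top:", hex(stack_top_from_maps(SAMPLE_MAPS)))
    live = sample_stack_tops()
    if live:
        print(f"{len(set(live))} distinct stack tops in {len(live)} runs, "
              f"{varying_bits(live)} varying address bits")
```

A fixed stack top, as the post observes for 2.1.0-R, shows up as one distinct value and zero varying bits; a randomising kernel shows many distinct values.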