From owner-freebsd-security Mon Jul 20 11:28:05 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA16794 for freebsd-security-outgoing; Mon, 20 Jul 1998 11:28:05 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from marta.arcom.spb.su (marta.arcom.spb.su [195.190.100.18]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA16786 for ; Mon, 20 Jul 1998 11:28:02 -0700 (PDT) (envelope-from snar@marta.arcom.spb.su)
Received: (from snar@localhost) by marta.arcom.spb.su (8.8.8/t/97-Mar-14) id WAA00193; Mon, 20 Jul 1998 22:26:13 +0400 (MSD)
Message-ID: <19980720222613.37562@nevalink.ru>
Date: Mon, 20 Jul 1998 22:26:13 +0400
From: Alexandre Snarskii
To: Brett Glass, Alexandre Snarskii
Cc: security@FreeBSD.ORG
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
References: <199807200148.TAA07794@harmony.village.org> <199807200102.SAA07953@bubba.whistle.com> <199807200148.TAA07794@harmony.village.org> <19980720152932.42290@nevalink.ru> <199807201714.LAA19993@lariat.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.89i
In-Reply-To: <199807201714.LAA19993@lariat.lariat.org>; from Brett Glass on Mon, Jul 20, 1998 at 11:14:33AM -0600
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Mon, Jul 20, 1998 at 11:14:33AM -0600, Brett Glass wrote:
> Waitaminnit. Intel installed, IN THE x86 CHIPS WE ARE NOW USING, special
> hardware designed to guard against these exploits. The mechanisms
> they designed are called "segments" and "call gates" (among other
> things). And what do we do? We turn it off. In fact, Intel sees
> so few people using these vital features that it doesn't bother
> to speed them up in new CPU models, as they do other parts of
> the chip.
>
> In short, the hackers who want slightly more convenient "flat"
> address spaces have contributed in devastating ways to the problems
> we have now.
Can you release kernel patches to realise hardware-level protection? (I'm not an experienced kernel programmer, and don't have enough time to learn kernel internals, sorry :( )

I know that my solution is rather a 'fast and dirty hack', but it works. And I don't see any other solution for stack smashing prevention for FreeBSD now.

PS: btw, a non-executable stack doesn't protect against the return-into-libc attack (as demonstrated by Rafal Wojtczuk in bugtraq against Solar Designer's patch).

--
Alexandre Snarskii
the source code is included