From owner-freebsd-security Sat Jun 27 03:07:57 1998
From: njs3@doc.ic.ac.uk (Niall Smart)
Date: Sat, 27 Jun 1998 11:07:22 +0100
To: Patrick McAndrew, jtb
Cc: Wojciech Sobczuk, fpscha@schapachnik.com.ar, Niall Smart, ncb05@uow.edu.au, security@FreeBSD.ORG
Subject: Re: non-executable stack?
In-Reply-To: Patrick McAndrew "Re: non-executable stack?" (Jun 27, 12:13am)
X-Mailer: Mail User's Shell (7.2.5 10/14/92)
Sender: owner-freebsd-security@FreeBSD.ORG

On Jun 27, 12:13am, Patrick McAndrew wrote:
} Subject: Re: non-executable stack?
>
>
> On Fri, 26 Jun 1998, jtb wrote:
>
> > Actually, Brian Matthews brought this idea up to me last fall, and the
> > more I've been thinking about it lately, why not just deny a handful of
> > ctrl-chars that a buffer overflow needs, i.e. 0x90, 0xff, etc. I'd have
> > to say there is a minimal number of ctrl-chars we can disallow to stop
> > your average script kiddie from sending shellcode into a process via
> > cmdline or environment arguments. This method won't really protect
> > against attacks involving sscanf()'ing data from files a la the Vixie Cron
> > bug for RH 4.x, but security will definitely be improved with minimal
> > losses functionality-wise. Let me know what you guys think. All replies
> > are welcomed, critical or not.
>
> Why bother? Just practice good security programming and check bounds. It
> would be much easier to fix a getc() call than to write an entire function
> that checks for certain control characters that were passed. Remember,
> "keep it simple stupid" :)

You misunderstand. My proposal, seemingly seconded by jtb, was to allow the
administrator to disallow the presence of non-printable ASCII characters in
the environment or command line arguments at the time of execve of certain
processes. We still don't know if this will have any effect on security
though, since no-one has checked to see if it's possible to write shellcode
using just printable ASCII. It would certainly make life difficult for the
attacker, since it would be impossible to overwrite the saved eip with an
address on the stack since the stack is at the top of the address space
around 0xFFxxxxxx or 0xEFxxxxxx.

Niall
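As an added example, not code from this thread or from FreeBSD, here is a user-space model in C of the execve-time check Niall describes: reject any argv or envp string that contains a byte outside printable ASCII, and show why a saved-eip overwrite pointing at a stack address around 0xEFxxxxxx cannot get through it, since the address bytes themselves are non-printable. The function names and the sample vectors are my own constructions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if every one of the len bytes at s is printable ASCII
 * (0x20..0x7E), else 0.  This is the byte-level policy the thread
 * proposes applying to argv and envp strings. */
int bytes_printable(const unsigned char *s, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (s[i] < 0x20 || s[i] > 0x7E)
            return 0;
    return 1;
}

/* Return 1 if every string in a NULL-terminated vector (argv or envp)
 * passes bytes_printable, else 0.  An execve hook for the processes the
 * administrator marks as filtered would apply this to both vectors. */
int vector_printable(char *const vec[])
{
    for (size_t i = 0; vec[i] != NULL; i++)
        if (!bytes_printable((const unsigned char *)vec[i], strlen(vec[i])))
            return 0;
    return 1;
}

/* Encode a 32-bit address in i386 little-endian byte order and report
 * whether those four bytes would pass the filter (1) or be rejected (0). */
int address_passes_filter(uint32_t addr)
{
    unsigned char b[4];
    for (int i = 0; i < 4; i++)
        b[i] = (unsigned char)(addr >> (8 * i));
    return bytes_printable(b, sizeof b);
}

int main(void)
{
    /* constructed sample vectors: the second carries the 0x90 and 0xff
     * bytes jtb names in the thread */
    char *const clean[] = { "/bin/ls", "-l", NULL };
    char *const dirty[] = { "/bin/ls", "-l\x90\xff", NULL };
    printf("clean argv passes: %d\n", vector_printable(clean));
    printf("argv with 0x90/0xff passes: %d\n", vector_printable(dirty));
    /* constructed stack address in the 0xEFxxxxxx range Niall mentions:
     * its top byte alone makes it unrepresentable in printable ASCII */
    printf("0xEFFF1234 passes: %d\n", address_passes_filter(0xEFFF1234u));
    return 0;
}
```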