From owner-freebsd-security Mon Jul 20 11:38:17 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id LAA18855 for freebsd-security-outgoing; Mon, 20 Jul 1998 11:38:17 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from lariat.lariat.org (ppp1000.lariat.org@[206.100.185.2]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id LAA18849 for ; Mon, 20 Jul 1998 11:38:14 -0700 (PDT) (envelope-from brett@lariat.org)
Received: (from brett@localhost) by lariat.lariat.org (8.8.8/8.8.8) id MAA21687; Mon, 20 Jul 1998 12:37:47 -0600 (MDT)
Message-Id: <199807201837.MAA21687@lariat.lariat.org>
X-Sender: brett@mail.lariat.org
X-Mailer: QUALCOMM Windows Eudora Pro Version 4.0.1
Date: Mon, 20 Jul 1998 12:37:38 -0600
To: Alexandre Snarskii , Alexandre Snarskii
From: Brett Glass
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
Cc: security@FreeBSD.ORG
In-Reply-To: <19980720222613.37562@nevalink.ru>
References: <199807201714.LAA19993@lariat.lariat.org> <199807200148.TAA07794@harmony.village.org> <199807200102.SAA07953@bubba.whistle.com> <199807200148.TAA07794@harmony.village.org> <19980720152932.42290@nevalink.ru> <199807201714.LAA19993@lariat.lariat.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

At 10:26 PM 7/20/98 +0400, Alexandre Snarskii wrote:

>Can you release kernel patches to realise hardware-level protection?
>(I'm not an experienced kernel programmer, and don't have enough time
>to learn kernel internals, sorry :( )

The patches would have to be both to the kernel and the compiler, since the changes would change the machine's segmentation model. I can't give you an instant evaluation of how extensive they would be; it depends on how many programs and kernel routines are coded with the assumption that the world is totally "flat."

>PS: btw, a non-executable stack doesn't protect against return-into-libc
>attack (as demonstrated by Rafal Wojtczuk in bugtraq against
>Solar Designer's patch).

Segmentation would also guard against another exploit, by the way: jumping into the middle of a routine to the point just after a security check. I'm SURE that there are holes like this that haven't been exploited yet.

--Brett

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
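The two points in the exchange above, Alexandre's (a non-executable stack does nothing against an attacker who only supplies an address of existing code) and Brett's (a jump that lands just past a security check), as an added toy model that is not code from the thread or from any FreeBSD or Solar Designer patch. Nothing here executes machine code: the "routine" is an array of opcodes interpreted in C, the overflow is a deterministic copy over a fixed three-word frame (real frames are laid out by the compiler; the fixed layout is an assumption), and the "gated" dispatcher, which honours a jump only if it lands on a registered entry offset, is this example's stand-in for what Brett expects a segmented entry-point check to do, not a model of x86 segment registers. Opcode names, the secret value 42 and the payload are all constructed for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model (constructed for this example): "program memory" is an array of
 * opcodes, and the attacker's payload is plain data, so a non-executable
 * stack would change nothing here. */
enum { OP_CHECK_AUTH, OP_LOAD_SECRET, OP_RET };

/* A privileged routine: one security check, then the privileged work. */
static const int routine[] = { OP_CHECK_AUTH, OP_LOAD_SECRET, OP_RET };
#define ROUTINE_LEN ((int)(sizeof routine / sizeof routine[0]))

enum { ENTRY_OK = 0, ENTRY_PAST_CHECK = 1 };   /* offsets into routine[] */

#define SECRET      42
#define DENIED      (-1)   /* the check refused the caller            */
#define GATE_FAULT  (-2)   /* target is not a permitted entry point   */

/* The only permitted entry offsets. Assumption of the model: an entry gate
 * pins the offset at which a routine may be entered, so the check at
 * offset 0 cannot be skipped. */
static const int gate_entries[] = { ENTRY_OK };

/* Interpret routine[] starting at `pc` for an (un)authorized caller. */
static int run_from(int pc, int authorized)
{
    int acc = DENIED;
    for (; pc < ROUTINE_LEN; pc++) {
        switch (routine[pc]) {
        case OP_CHECK_AUTH:  if (!authorized) return DENIED; break;
        case OP_LOAD_SECRET: acc = SECRET;                   break;
        case OP_RET:         return acc;
        }
    }
    return acc;
}

/* Flat model: any in-range offset is a valid jump target. */
static int flat_call(int target, int authorized)
{
    if (target < 0 || target >= ROUTINE_LEN) return GATE_FAULT;
    return run_from(target, authorized);
}

/* Gated model: the jump is honoured only if it lands on a registered entry. */
static int gated_call(int target, int authorized)
{
    for (size_t i = 0; i < sizeof gate_entries / sizeof gate_entries[0]; i++)
        if (gate_entries[i] == target)
            return run_from(target, authorized);
    return GATE_FAULT;
}

/* Modelled stack frame: a two-word buffer followed by the saved return
 * target. Fixed layout is an assumption so the overflow is deterministic. */
struct frame { int buf[2]; int ret_target; };

/* Copies `n` words into the frame with no bounds check on buf (the modelled
 * vulnerability). With n == 3 the third word overwrites ret_target, and the
 * "return" then goes through whichever dispatcher the caller lives under. */
static int vulnerable_return(const int *input, int n,
                             int (*dispatch)(int, int), int authorized)
{
    struct frame f = { {0, 0}, ENTRY_OK };
    if (n > (int)(sizeof f / sizeof(int))) n = (int)(sizeof f / sizeof(int));
    memcpy(&f, input, (size_t)n * sizeof(int));   /* runs past buf when n > 2 */
    return dispatch(f.ret_target, authorized);
}

/* Constructed payload: two filler words, then the offset just past the check.
 * No instructions are injected, only an address of code that already exists. */
static const int payload[] = { 0, 0, ENTRY_PAST_CHECK };

/* Unauthorised caller overflows under the flat model: returns SECRET. */
static int attack_flat(void)  { return vulnerable_return(payload, 3, flat_call, 0); }

/* Same payload under the gated model: returns GATE_FAULT. */
static int attack_gated(void) { return vulnerable_return(payload, 3, gated_call, 0); }

int main(void)
{
    printf("authorised, legit entry, flat   : %d\n", flat_call(ENTRY_OK, 1));
    printf("unauthorised, legit entry, flat : %d\n", flat_call(ENTRY_OK, 0));
    printf("overflow against flat model     : %d\n", attack_flat());
    printf("overflow against gated model    : %d\n", attack_gated());
    return 0;
}
```

The payload is three integers and never contains an instruction, which is the return-into-libc point: making the frame non-executable leaves the attack intact, because the attacker is steering execution into code the program already has. What stops it in the second dispatcher is not where the payload sits but whether offset 1 is an allowed entry, which is the property Brett is asking segmentation to enforce; on a flat x86 system the same effect has to come from the compiler and runtime (entry-point validation), which is why he says the patches would touch both.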