From owner-freebsd-security Mon Jul 20 14:08:07 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA14595 for freebsd-security-outgoing; Mon, 20 Jul 1998 14:08:07 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id OAA14504 for ; Mon, 20 Jul 1998 14:08:04 -0700 (PDT) (envelope-from imp@village.org)
Received: from harmony [10.0.0.6] by rover.village.org with esmtp (Exim 1.71 #1) id 0yyN9t-0004D5-00; Mon, 20 Jul 1998 15:07:45 -0600
Received: from harmony.village.org (localhost.village.org [127.0.0.1]) by harmony.village.org (8.8.8/8.8.3) with ESMTP id PAA13333; Mon, 20 Jul 1998 15:09:58 -0600 (MDT)
Message-Id: <199807202109.PAA13333@harmony.village.org>
To: Brett Glass
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
Cc: Alexandre Snarskii , Archie Cobbs , security@FreeBSD.ORG
In-reply-to: Your message of "Mon, 20 Jul 1998 11:14:33 MDT." <199807201714.LAA19993@lariat.lariat.org>
References: <199807201714.LAA19993@lariat.lariat.org> <199807200148.TAA07794@harmony.village.org> <199807200102.SAA07953@bubba.whistle.com> <199807200148.TAA07794@harmony.village.org>
Date: Mon, 20 Jul 1998 15:09:58 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

In message <199807201714.LAA19993@lariat.lariat.org> Brett Glass writes:
: Waitaminnit. Intel installed, IN THE x86 CHIPS WE ARE NOW USING, special
: hardware designed to guard against these exploits. The mechanisms
: they designed are called "segments" and "call gates" (among other
: things). And what do we do? We turn it off. In fact, Intel sees
: so few people using these vital features that it doesn't bother
: to speed them up in new CPU models, as they do other parts of
: the chip.

How do you enable call gates, and how do they fix these problems?
How exactly do call gates eliminate this problem? The kernel already uses segments to manage security, so I don't think I understand your comment about this. Can you elaborate in more detail how exactly these tools will solve the problems that we're having? Specifically the problem of overwriting the return address, to say setuid with an arg of 0. While it isn't arbitrary code, it does give you elevated privs. I don't see how any of them can solve that problem.

Educate me please.

Warner