From owner-freebsd-arch Sun Jun 30 3:26:15 2002 Delivered-To: freebsd-arch@freebsd.org Received: from mx1.FreeBSD.org (mx1.FreeBSD.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 43BE937B400 for ; Sun, 30 Jun 2002 03:26:11 -0700 (PDT) Received: from albatross.prod.itd.earthlink.net (albatross.mail.pas.earthlink.net [207.217.120.120]) by mx1.FreeBSD.org (Postfix) with ESMTP id E1C7B43E0A for ; Sun, 30 Jun 2002 03:26:10 -0700 (PDT) (envelope-from tlambert2@mindspring.com) Received: from pool0052.cvx40-bradley.dialup.earthlink.net ([216.244.42.52] helo=mindspring.com) by albatross.prod.itd.earthlink.net with esmtp (Exim 3.33 #2) id 17Obu3-0007O4-00; Sun, 30 Jun 2002 03:25:59 -0700 Message-ID: <3D1EDC8F.930AE88A@mindspring.com> Date: Sun, 30 Jun 2002 03:25:19 -0700 From: Terry Lambert X-Mailer: Mozilla 4.7 [en]C-CCK-MCD {Sony} (Win98; U) X-Accept-Language: en MIME-Version: 1.0 To: Peter Wemm Cc: arch@FreeBSD.ORG Subject: Re: Time to make the stack non-executable? References: <20020630070005.092FD390F@overcee.wemm.org> Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Sender: owner-freebsd-arch@FreeBSD.ORG Precedence: bulk List-ID: List-Archive: (Web Archive) List-Help: (List Instructions) List-Subscribe: List-Unsubscribe: X-Loop: FreeBSD.ORG Peter Wemm wrote: > ie: most stack overflow holes would still be exploitable. It just makes it > a little harder since you can only push data instead of shellcode. But > that's all there is to it, you push your args, the set the return address > to point to the PLT trapoline and in most cases you are home. > > Making the stack non-executable is not the final solution. It just raises > the bar a bit. > > Note that I'm not saying that we shouldn't do it, just do not have > unrealistic expectations for it. This is a good point. The intent was not invulnerability; you could still buffer overflow to get instructions to scripting engines, like the JVM, mod_perl, etc., which "execute" data. I was aware of the libc exploit, but didn't want to really publicize it that much. Too late now. 8-). I expect that the way around it is to statically link the program: linked static -> no PLT. But there are still tons of ways to exploit badly written code. The real benefit is to reduce the number of cases in which a programming mistake results in an exploit, not make things "exploit proof" (I'm a firm believer in Goedel). Raising the bar is useful; if nothing else, it sends them to the house without even cheap locks, and our neighbors stereo goes missing instead of ours (not a paredo-optimal result, but better than *our* stereo going missing). -- Terry To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-arch" in the body of the message