From owner-freebsd-security Wed Nov 3 09:09:34 1999
Delivered-To: freebsd-security@freebsd.org
Received: from toaster.sun4c.net (toaster.sun4c.net [63.193.27.6]) by hub.freebsd.org (Postfix) with ESMTP id A4F871536D for ; Wed, 3 Nov 1999 09:09:23 -0800 (PST) (envelope-from andre@toaster.sun4c.net)
Received: (from andre@localhost) by toaster.sun4c.net (8.9.3/8.9.3) id JAA19080; Wed, 3 Nov 1999 09:00:04 -0800 (PST)
Date: Wed, 3 Nov 1999 09:00:03 -0800
From: Andre Gironda
To: David G Andersen
Cc: Andre Gironda, frank@hellbell.agava.ru, freebsd-security@FreeBSD.ORG
Subject: Re: stack protecting
Message-ID: <19991103090003.B18803@toaster.sun4c.net>
References: <19991103012048.A18803@toaster.sun4c.net> <199911031358.GAA22340@faith.cs.utah.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.95i
In-Reply-To: <199911031358.GAA22340@faith.cs.utah.edu>; from David G Andersen on Wed, Nov 03, 1999 at 06:58:09AM -0700
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, Nov 03, 1999 at 06:58:09AM -0700, David G Andersen wrote:
> Lo and behold, Andre Gironda once said:
> >
> > Stack protection doesn't work as there are still heap overflows and
> > race conditions. It's best to apply TPE patches (Phrack, Issue 52/54),
> > like originally implemented on upt.org. Or write perfect code ;>
>
> While I agree with you that it's not a perfect solution, isn't that
> like saying that using a car alarm isn't a good idea, even though it will
> prevent 50% of the breakins to your car?
>
> Defense in depth *is* a good idea. Stackguard and like products can
> help quite a bit with this.

I wouldn't go around toting car alarms or Stackguard for full protection,
that's all. ;> And I really doubt in either case you prevent 50% of
breakins.

There is a LOT of material available that explains the inner-workings of
heap overflows. There is a lot of generated code that aids a person with
exploiting heap overflows. They are readily available just like stack
overflow exploit scripts are readily available.

If you can find a way to stack protect FreeBSD, go for it, I say. But it's
not going to solve every problem.

dre