From owner-freebsd-security  Wed Nov  3 10: 3:39 1999
Delivered-To: freebsd-security@freebsd.org
Received: from gatekeeper.veriohosting.com (gatekeeper.veriohosting.com [192.41.0.2])
	by hub.freebsd.org (Postfix) with ESMTP id 776D5156A2
	for <freebsd-security@FreeBSD.ORG>; Wed,  3 Nov 1999 10:03:35 -0800 (PST)
	(envelope-from hart@iserver.com)
Received: by gatekeeper.veriohosting.com; Wed, 3 Nov 1999 11:03:34 -0700 (MST)
Received: from unknown(192.168.1.109) by gatekeeper.veriohosting.com via smap (V3.1.1)
	id xma014059; Wed, 3 Nov 99 11:03:17 -0700
Received: (hart@localhost) by anchovy.orem.iserver.com (8.9.3) id LAA31333; Wed, 3 Nov 1999 11:01:07 -0700 (MST)
Date: Wed, 3 Nov 1999 11:01:07 -0700 (MST)
From: Paul Hart <hart@iserver.com>
X-Sender: hart@anchovy.orem.iserver.com
To: Andre Gironda <andre@sun4c.net>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: stack protecting
In-Reply-To: <19991103090003.B18803@toaster.sun4c.net>
Message-ID: <Pine.BSF.4.10.9911031024190.30946-100000@anchovy.orem.iserver.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Wed, 3 Nov 1999, Andre Gironda wrote:

> And I really doubt in either case you prevent 50% of breakins.

Why?  By a significant margin, most exploitable buffer overflows have
proven to be of the stack-based variety, and if you've got StackGuard up
and running I think you'll prevent much more than just 50% of breakins
from buffer overflows.

> There is a LOT of material available that explains the inner-workings
> of heap overflows.  There is a lot of generated code that aids a
> person with exploiting heap overflows.  They are readily available just
> like stack overflow exploit scripts are readliy available.

I agree that heap-based overflows can be exploitable, but they are
typically more difficult to exploit and seem to be usually less prevalent
than stack-based overflows.  On other OSes such as Solaris, attacking
important memory areas such as the procedure linkage table (used for
dynamic linking) by hitting the stdio FILE structures through an overflow
in the data/BSS segment has been fruitful in the past, but I don't know
that we've seen the same for FreeBSD.

What was the last heap-based overflow exploit for FreeBSD?  The l0pht
crontab hole or maybe the suidperl 4.x hole?

> If you can find a way to stack protect FreeBSD, go for it, I say.  But it's
> not going to solve every problem.

I agree, but if it adds at least some protection against the biggest cause
of holes, why not use it?  I don't think people should use it to give
themselves a false sense of security though.

BTW, it *is* possible to use StackGuard on FreeBSD, but it does take some
hackage to get it to work.

Paul Hart

--
Paul Robert Hart        ><8>  ><8>  ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8>  ><8>  ><8>        http://www.iserver.com/





To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message