From owner-freebsd-security Wed Nov  3 10:03:39 1999
Date: Wed, 3 Nov 1999 11:01:07 -0700 (MST)
From: Paul Hart
To: Andre Gironda
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: stack protecting
In-Reply-To: <19991103090003.B18803@toaster.sun4c.net>

On Wed, 3 Nov 1999, Andre Gironda wrote:

> And I really doubt in either case you prevent 50% of breakins.

Why? By a significant margin, most exploitable buffer overflows have proven
to be of the stack-based variety, and if you've got StackGuard up and
running I think you'll prevent much more than just 50% of breakins from
buffer overflows.

> There is a LOT of material available that explains the inner-workings
> of heap overflows. There is a lot of generated code that aids a
> person with exploiting heap overflows. They are readily available just
> like stack overflow exploit scripts are readily available.

I agree that heap-based overflows can be exploitable, but they are
typically more difficult to exploit and seem to be usually less prevalent
than stack-based overflows.
On other OSes such as Solaris, attacking important memory areas such as the
procedure linkage table (used for dynamic linking) by hitting the stdio FILE
structures through an overflow in the data/BSS segment has been fruitful in
the past, but I don't know that we've seen the same for FreeBSD. What was
the last heap-based overflow exploit for FreeBSD? The l0pht crontab hole or
maybe the suidperl 4.x hole?

> If you can find a way to stack protect FreeBSD, go for it, I say. But it's
> not going to solve every problem.

I agree, but if it adds at least some protection against the biggest cause
of holes, why not use it? I don't think people should use it to give
themselves a false sense of security though.

BTW, it *is* possible to use StackGuard on FreeBSD, but it does take some
hackage to get it to work.

Paul Hart

--
Paul Robert Hart        ><8> ><8> ><8>        Verio Web Hosting, Inc.
hart@iserver.com        ><8> ><8> ><8>        http://www.iserver.com/
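The thread above argues that a StackGuard-style canary stops the large class of stack-based overflows while saying nothing about heap or data/BSS corruption. The following is an added illustration, not code from the mailing-list thread or from StackGuard itself: it models one stack frame as a byte array (16-byte buffer, then an 8-byte canary, then a "saved return address"), performs the kind of unchecked copy the discussion is about, and then runs the epilogue check an instrumented function would do before returning. The frame layout, the canary constant and the inputs are constructed for the demo; a real StackGuard canary is random or terminator-based and the check happens in compiler-generated prologue/epilogue code.

```c
/* Added illustration (not from the mailing-list thread or StackGuard): a
 * byte-level model of a canary-protected stack frame. Layout, canary value
 * and inputs are constructed for the demo, not real compiler output. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE    16
#define CANARY_OFF  BUF_SIZE
#define RET_OFF     (BUF_SIZE + sizeof(uint64_t))
#define FRAME_SIZE  (RET_OFF + sizeof(uint64_t))

/* Constructed canary value (a real one would be random per process). */
static const uint64_t CANARY = 0xDEADBEEFCAFEF00DULL;

enum guard_result { GUARD_OK = 0, GUARD_CANARY_CLOBBERED = 1 };

/* Emulates an unchecked copy into the 16-byte buffer that sits below the
 * canary and the saved return address. The cap at FRAME_SIZE only keeps the
 * model within defined behaviour; the length is deliberately not bounded by
 * BUF_SIZE, which is the bug the canary is there to catch. */
static void unchecked_copy(unsigned char *frame, const unsigned char *src, size_t len)
{
    if (len > FRAME_SIZE)
        len = FRAME_SIZE;
    memcpy(frame, src, len);            /* spills past BUF_SIZE when len > 16 */
}

/* Builds a frame, performs the copy, then does the epilogue check a
 * StackGuard-instrumented function performs before the saved return address
 * is used. ret_out (optional) receives whatever now sits in the return slot. */
enum guard_result stackguard_check(const unsigned char *src, size_t len, uint64_t *ret_out)
{
    unsigned char frame[FRAME_SIZE];
    uint64_t saved_ret = 0x0000000000401000ULL;   /* constructed "return address" */
    uint64_t canary_now, ret_now;

    memset(frame, 0, sizeof frame);
    memcpy(frame + CANARY_OFF, &CANARY, sizeof CANARY);
    memcpy(frame + RET_OFF, &saved_ret, sizeof saved_ret);

    unchecked_copy(frame, src, len);

    memcpy(&canary_now, frame + CANARY_OFF, sizeof canary_now);
    memcpy(&ret_now, frame + RET_OFF, sizeof ret_now);
    if (ret_out)
        *ret_out = ret_now;

    /* Any write that reached the return slot had to pass through the canary. */
    return canary_now == CANARY ? GUARD_OK : GUARD_CANARY_CLOBBERED;
}

/* Convenience wrapper: a constructed 32-byte input of 'A', which overruns the
 * buffer, the canary and the return slot. */
enum guard_result run_overlong(uint64_t *ret_out)
{
    unsigned char overlong[FRAME_SIZE];
    memset(overlong, 'A', sizeof overlong);
    return stackguard_check(overlong, sizeof overlong, ret_out);
}

int main(void)
{
    const unsigned char benign[] = "hello";       /* fits in the buffer */
    uint64_t ret = 0;

    printf("benign:   result=%d\n", stackguard_check(benign, sizeof benign, &ret));
    printf("overlong: result=%d, return slot now %#llx\n",
           run_overlong(&ret), (unsigned long long)ret);
    return 0;
}
```

The benign input leaves the canary intact and the check returns `GUARD_OK`; the oversized input returns `GUARD_CANARY_CLOBBERED` with the return slot already overwritten, which is exactly the state an instrumented epilogue refuses to return from. Nothing in this check observes writes that land elsewhere (heap chunks, data/BSS objects, a FILE structure), which is the gap the thread is discussing.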