From: Alexandre Snarskii
To: Peter Jeremy
Cc: security@FreeBSD.ORG
Date: Wed, 22 Jul 1998 03:26:47 +0400
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
Message-ID: <19980722032647.05314@nevalink.ru>
In-Reply-To: <199807212304.JAA28032@gsms01.alcatel.com.au>

On Wed, Jul 22, 1998 at 09:04:27AM +1000, Peter Jeremy wrote:
> On Wed, 22 Jul 1998 01:31:20 +0400, Alexandre Snarskii wrote:
> >On Mon, Jul 20, 1998 at 02:30:33PM -0700, Don Lewis wrote:
> >> In the situations where I've used code compiled this way, it seems
> >> to average about a factor of 20 more expensive in terms of CPU usage.
> >
> >Strange result. A program which does nothing but 100.000 strcpy's
> >works _six_ times slower with bounds checking, but not 20...
>
> It's strongly dependent on which strcpy was used:

Sorry, it should be explained that I used the handwritten strcpy from libparanoia.

> 1) If you use the strcpy in libc, then there's no bounds checking -
> all you get is that both the source and destination pointers are
> valid when strcpy is called.
> 2) The bounds checking library includes a strcpy which is bounds
> checking aware - it explicitly checks the source string and
> destination buffer for validity and compatibility and then performs
> the copy without further checks.
> 3) If you wrote your own strcpy, then each time you copy a character,
> both the source and destination pointers will be checked.

Fourth way :)

The first thing this strcpy does is call a function which saves the last 10 BP/IP pairs from the stack into an internal array; then the original strcpy code is executed (without any checking), and at exit a function is called which retrieves the last 10 BP/IP pairs and compares them with the saved ones. Really the algorithm is a little more complicated, but I hope you got the main idea.

--
Alexandre Snarskii
the source code is included
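A model of the snapshot-and-compare check described in the reply, as an added example that is not part of the original mail and not libparanoia's code. It keeps the "stack" as a plain struct with constructed BP/IP values instead of walking real frame pointers, so it runs on any compiler; the names `sim_stack`, `init_stack` and `checked_strcpy` are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: the saved-frames check is modelled on a plain struct.
 * A real implementation walks the BP chain, which is ABI-specific. */
#define NPAIRS 10

struct frame_pair { uintptr_t bp; uintptr_t ip; };

/* Constructed layout: a small destination buffer followed by the saved
 * BP/IP pairs of the calling frames, as they would sit above it on the stack. */
struct sim_stack {
    char buf[16];
    struct frame_pair saved[NPAIRS];
};

/* Fill the saved frames with constructed (not real) addresses. */
void init_stack(struct sim_stack *s) {
    memset(s, 0, sizeof *s);
    for (int i = 0; i < NPAIRS; i++) {
        s->saved[i].bp = 0xbfbff0c8u + (uintptr_t)i * 0x30;
        s->saved[i].ip = 0x08048100u + (uintptr_t)i * 0x10;
    }
}

/* Wrapped strcpy: snapshot the frame pairs, do an unchecked copy, then compare.
 * Returns 0 if every pair is intact, otherwise the 1-based index of the first
 * pair that changed, i.e. the copy overran the buffer into saved frames. */
int checked_strcpy(struct sim_stack *s, const char *src) {
    struct frame_pair snap[NPAIRS];
    memcpy(snap, s->saved, sizeof snap);      /* entry: save last NPAIRS pairs */

    size_t n = strlen(src) + 1;               /* unchecked copy, as libc strcpy */
    if (n > sizeof *s) n = sizeof *s;         /* stay inside the model object */
    memcpy((char *)s, src, n);                /* buf is at offset 0 */

    for (int i = 0; i < NPAIRS; i++)          /* exit: compare with saved pairs */
        if (s->saved[i].bp != snap[i].bp || s->saved[i].ip != snap[i].ip)
            return i + 1;
    return 0;
}

int main(void) {
    struct sim_stack s;
    init_stack(&s);
    printf("short copy: %d\n", checked_strcpy(&s, "hello"));
    init_stack(&s);
    printf("long copy: %d\n", checked_strcpy(&s, "AAAAAAAAAAAAAAAAAAAAAAAA"));
    return 0;
}
```

A fitting string leaves all ten pairs untouched (result 0); a string longer than the buffer changes the first saved pair and the exit check reports it (result 1).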