From owner-freebsd-security Mon Feb 10 01:59:56 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id BAA22526 for security-outgoing; Mon, 10 Feb 1997 01:59:56 -0800 (PST)
Received: from hda.hda.com (ip36-max1-fitch.ziplink.net [199.232.245.36]) by freefall.freebsd.org (8.8.5/8.8.5) with SMTP id BAA22521 for ; Mon, 10 Feb 1997 01:59:52 -0800 (PST)
Received: (from dufault@localhost) by hda.hda.com (8.6.12/8.6.12) id EAA08773; Mon, 10 Feb 1997 04:54:36 -0500
From: Peter Dufault
Message-Id: <199702100954.EAA08773@hda.hda.com>
Subject: Re: buffer overruns
In-Reply-To: <19970209231433.QS19404@keltia.freenix.fr> from Ollivier Robert at "Feb 9, 97 11:14:33 pm"
To: roberto@keltia.freenix.fr (Ollivier Robert)
Date: Mon, 10 Feb 1997 04:54:35 -0500 (EST)
Cc: freebsd-security@freebsd.org
X-Mailer: ELM [version 2.4ME+ PL25 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> The easiest way to close all these bugs is to make the stack non executable
> (from a processor standpoint) but I'm not sure you can do it in Intel
> processors.

Is the stack executable? I've been assuming the exploits modify the stack to return to a built up call to "system" or something else in the library with their own args set up. I've been assuming that executing data isn't part of modern exploits.

Has anyone seen modifications to gcc to generate guard bands around automatics and stack check sequences? The automatics can be checked when they come into / go out of existence, and stack integrity at return time. It won't stop the exploits, but it will make them harder, and you will get "security" dumps from setuid programs if you require that setuid programs be compiled that way (and linked against a separate "secure" library compiled that way also). You could even hack things so that setuid would fail for "insecure" executables.

The idea is simple enough that someone must have tried it.

--
Peter Dufault (dufault@hda.com) Realtime Machine Control and Simulation
HD Associates, Inc. Voice: 508 433 6936
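
Added example, not part of the original message and not code from gcc or FreeBSD: the guard-band idea from the message above, written by hand in C for a single automatic. The names (guarded_buf, guard_arm, guard_check, handle_input) and the guard value are assumptions made for illustration; the copy is clamped to the enclosing struct so the overrun stays inside memory the function owns.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GUARD_WORD 0xA5C3F00DU  /* constructed pattern; assumed fixed here */
#define BUF_LEN    16

/* An automatic with a guard band on each side, laid out as one object. */
struct guarded_buf {
    uint32_t lo_guard;
    char     data[BUF_LEN];
    uint32_t hi_guard;
};

/* Run when the automatic comes into existence: arm both bands. */
static void guard_arm(struct guarded_buf *g)
{
    g->lo_guard = GUARD_WORD;
    g->hi_guard = GUARD_WORD;
    memset(g->data, 0, sizeof g->data);
}

/* Run when it goes out of existence: 0 if intact, -1 if a band changed. */
static int guard_check(const struct guarded_buf *g)
{
    return (g->lo_guard == GUARD_WORD && g->hi_guard == GUARD_WORD) ? 0 : -1;
}

/* Stand-in for a routine that copies n bytes without checking BUF_LEN. */
int handle_input(const char *src, size_t n)
{
    struct guarded_buf g;
    size_t room = sizeof g - offsetof(struct guarded_buf, data);

    guard_arm(&g);
    if (n > room)               /* keep the demonstration inside the struct */
        n = room;
    memcpy((char *)&g + offsetof(struct guarded_buf, data), src, n);
    /* Instrumented code would abort() on -1 to produce the dump. */
    return guard_check(&g);
}

int main(void)
{
    printf("16 bytes: %d\n", handle_input("AAAAAAAAAAAAAAAA", 16));
    printf("17 bytes: %d\n", handle_input("AAAAAAAAAAAAAAAAA", 17));
    return 0;
}
```

The check detects the overrun only after the copy has happened, which matches the message's point that this makes exploits harder rather than stopping them.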