From owner-freebsd-security Mon Feb 10 04:54:42 1997
From: Peter Dufault <dufault@hda.com>
Message-Id: <199702101244.HAA08991@hda.hda.com>
Subject: Re: buffer overruns
In-Reply-To: <19970210115941.27807.qmail@char-star.rdist.org> from "tqbf@enteract.com" at "Feb 10, 97 11:59:41 am"
To: tqbf@enteract.com
Date: Mon, 10 Feb 1997 07:44:31 -0500 (EST)
Cc: dufault@hda.com, freebsd-security@freebsd.org

> >Is the stack executable? I've been assuming the exploits modify
>
> Yes.
>
> >the stack to return to a built-up call to "system" or something
>
> system() is a library routine that decays to an execve() (which is a
> system call) of /bin/sh...

(Yes - that's why I said "or something")

(...)

> >Has anyone seen modifications to gcc to generate guard bands around
> >automatics and stack check sequences? The automatics can be checked
>
> On SunOS, yep. It broke a lot of things we tried compiling.

If you went that far, you know the answer to my next two-part question:
is it realistic and doable to require suid programs to be text-execute
only?

Peter

--
Peter Dufault (dufault@hda.com)   Realtime Machine Control and Simulation
HD Associates, Inc.               Voice: 508 433 6936
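The "guard bands around automatics and stack check sequences" asked about in the thread, as an added example that is not from this thread, from gcc, or from the SunOS modification mentioned: a fixed-size automatic bracketed by guard words on both sides, an unchecked copy that models strcpy() into it, and the check a guard-emitting compiler would run before returning. The guard constant, the struct layout and all function names are assumptions of this example. The overrun is clipped to the end of the frame object so the program stays well-defined; in a real frame the same write would continue into the saved frame pointer and return address, which is exactly why the high guard sits between the buffer and the return address.

```c
/* Added example, not code from the thread: a hand-rolled guard band around an
 * automatic buffer with an explicit check sequence. Layout, guard value and
 * function names are assumptions made for the demonstration. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Fixed guard word (assumption for the demo). A real implementation would use
 * a per-process random value so an overrun cannot simply write it back. */
#define GUARD_WORD 0xA5C35A3Cu

/* One frame as a guard-emitting compiler might lay it out. On a conventional
 * downward-growing stack an overrun of buf runs toward hi_guard and then the
 * saved frame pointer and return address. */
struct guarded_frame {
    uint32_t lo_guard;
    char     buf[16];
    uint32_t hi_guard;
};

/* Function prologue: plant the guards around the automatic. */
static void frame_enter(struct guarded_frame *f)
{
    f->lo_guard = GUARD_WORD;
    memset(f->buf, 0, sizeof f->buf);
    f->hi_guard = GUARD_WORD;
}

/* The check sequence emitted before return. Returns 0 if both guards are
 * intact, 1 if the high guard was clobbered (overrun toward the return
 * address), 2 if the low guard was clobbered (underrun), 3 for both. */
static int frame_check(const struct guarded_frame *f)
{
    int r = 0;
    if (f->hi_guard != GUARD_WORD) r |= 1;
    if (f->lo_guard != GUARD_WORD) r |= 2;
    return r;
}

/* Models an unchecked strcpy()/sprintf() into the automatic: writes len bytes
 * from buf onward with no regard for sizeof buf. The write is clipped at the
 * end of the frame object so the demo is well-defined C; a real overrun keeps
 * going into the saved registers. */
static void unchecked_copy(struct guarded_frame *f, const char *src, size_t len)
{
    size_t off  = offsetof(struct guarded_frame, buf);
    size_t room = sizeof *f - off;
    if (len > room) len = room;
    memcpy((unsigned char *)f + off, src, len);
}

/* Bounded version: at most sizeof buf - 1 bytes, always NUL-terminated. */
static void bounded_copy(struct guarded_frame *f, const char *src, size_t len)
{
    size_t n = len < sizeof f->buf - 1 ? len : sizeof f->buf - 1;
    memcpy(f->buf, src, n);
    f->buf[n] = '\0';
}

/* Run the unchecked copy inside a guarded frame and report what the check
 * sequence would see before the function returns. */
int guard_after_unchecked_copy(const char *input, size_t len)
{
    struct guarded_frame f;
    frame_enter(&f);
    unchecked_copy(&f, input, len);
    return frame_check(&f);
}

/* Same frame, bounded copy: the guards survive regardless of input length. */
int guard_after_bounded_copy(const char *input, size_t len)
{
    struct guarded_frame f;
    frame_enter(&f);
    bounded_copy(&f, input, len);
    return frame_check(&f);
}

int main(void)
{
    /* Constructed inputs: one that fits, one 24-byte string that overruns
     * the 16-byte automatic and lands on the high guard. */
    static const char fits[]   = "hello";
    static const char overrun[] = "AAAAAAAAAAAAAAAAAAAAAAAA";
    printf("fits:    check=%d\n", guard_after_unchecked_copy(fits, sizeof fits - 1));
    printf("overrun: check=%d\n", guard_after_unchecked_copy(overrun, sizeof overrun - 1));
    printf("bounded: check=%d\n", guard_after_bounded_copy(overrun, sizeof overrun - 1));
    return 0;
}
```

The check only tells you the frame was corrupted before the function returns into the clobbered address; it does not prevent the write itself, and with a fixed guard value an input that happens to contain the guard bytes at the right offset passes the check, which is why later implementations of this idea randomise the word per process.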