From owner-freebsd-chat Sun Feb 16 22:08:05 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id WAA26437 for chat-outgoing; Sun, 16 Feb 1997 22:08:05 -0800 (PST)
Received: from genesis.atrad.adelaide.edu.au (genesis.atrad.adelaide.edu.au [129.127.96.120]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id WAA26422 for ; Sun, 16 Feb 1997 22:07:59 -0800 (PST)
Received: (from msmith@localhost) by genesis.atrad.adelaide.edu.au (8.8.2/8.7.3) id QAA08532; Mon, 17 Feb 1997 16:37:51 +1030 (CST)
From: Michael Smith
Message-Id: <199702170607.QAA08532@genesis.atrad.adelaide.edu.au>
Subject: Re: Countering stack overflow
In-Reply-To: from Charles Mott at "Feb 16, 97 10:58:32 pm"
To: cmott@srv.net (Charles Mott)
Date: Mon, 17 Feb 1997 16:37:50 +1030 (CST)
Cc: msmith@atrad.adelaide.edu.au, freebsd-chat@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL28 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-chat@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

Charles Mott stands accused of saying:
>
> The only mechanism I have seen for an intruder to gain control of the
> executable stream is to rewrite a return address on the stack. I don't
> see how an overflow of a malloc()'ed buffer can allow someone to gain
> control of your machine.

Think "change the behaviour of a function by altering its local
variables". As I stated, this is dependent entirely on the nature of
the application in question, and is thus a restatement of the halting
problem. No practical guard against this is possible outside of the
specific domain of each application.

> They may crash it or corrupt operation, but not
> gain control. Crashing seems to me a much less serious problem. Also it
> is possible to keep network connection logs to see where intruders came
> from before the machine died.

There was a very clear and succinct description of the basic procedure
for an attack overwriting local variables posted a week or so ago.

> Charles Mott

--
]] Mike Smith, Software Engineer        msmith@gsoft.com.au             [[
]] Genesis Software                     genesis@gsoft.com.au            [[
]] High-speed data acquisition and      (GSM mobile)     0411-222-496   [[
]] realtime instrument control.         (ph)          +61-8-8267-3493   [[
]] Unix hardware collector.             "Where are your PEZ?" The Tick  [[
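
The point made in the reply above, that an overflow can change a program's behaviour by overwriting adjacent data rather than a return address, shown as an added example that is not part of the original message. The struct session record, its is_admin field and all function names are constructed for illustration; the unchecked copy sits beside a bounds-checked one.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed record: a buffer followed by a field that steers behaviour. */
struct session {
    char name[16];
    int  is_admin;
};

/* Models the unchecked copy into name. The write is clamped to the end of
 * the allocation so the demo stays well-defined C. */
static void copy_unchecked(struct session *s, const char *src, size_t len)
{
    size_t off = offsetof(struct session, name);
    if (len > sizeof *s - off) len = sizeof *s - off;
    memcpy((unsigned char *)s + off, src, len);
}

/* Hardened copy: refuse input that does not fit in name. */
static int copy_checked(struct session *s, const char *src, size_t len)
{
    if (len >= sizeof s->name) return -1;
    memcpy(s->name, src, len);
    s->name[len] = '\0';
    return 0;
}

/* Returns 1 if is_admin is set after the input is handled, else 0. */
int admin_after_input(const char *src, size_t len, int checked)
{
    struct session *s = calloc(1, sizeof *s);
    if (s == NULL) abort();
    if (checked) (void)copy_checked(s, src, len);
    else copy_unchecked(s, src, len);
    int admin = (s->is_admin != 0);
    free(s);
    return admin;
}

int main(void)
{
    const char input[] = "AAAAAAAAAAAAAAAAAAAA"; /* constructed, 20 bytes */
    printf("unchecked: %d\n", admin_after_input(input, 20, 0));
    printf("checked:   %d\n", admin_after_input(input, 20, 1));
    return 0;
}
```

No return address is touched here: the decision field changes value and the program carries on running, so a crash-based or stack-only guard would not notice.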