From owner-freebsd-security Sun Jul 19 19:11:14 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id TAA28764 for freebsd-security-outgoing; Sun, 19 Jul 1998 19:11:14 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from beatrice.rutgers.edu (beatrice.rutgers.edu [165.230.209.143]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id TAA28753 for ; Sun, 19 Jul 1998 19:11:12 -0700 (PDT) (envelope-from easmith@beatrice.rutgers.edu)
Received: (from easmith@localhost) by beatrice.rutgers.edu (980427.SGI.8.8.8/970903.SGI.AUTOCF) id WAA23529; Sun, 19 Jul 1998 22:09:29 -0400 (EDT)
From: "Allen Smith"
Message-Id: <9807192209.ZM23527@beatrice.rutgers.edu>
Date: Sun, 19 Jul 1998 22:09:29 -0400
In-Reply-To: Warner Losh "Re: The 99,999-bug question: Why can you execute from the stack?" (Jul 19, 7:48pm)
References: <199807200102.SAA07953@bubba.whistle.com> <199807200148.TAA07794@harmony.village.org>
X-Mailer: Z-Mail (3.2.3 08feb96 MediaMail)
To: Warner Losh , Archie Cobbs
Subject: Re: The 99,999-bug question: Why can you execute from the stack?
Cc: brett@lariat.org (Brett Glass), security@FreeBSD.ORG
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Jul 19, 7:48pm, Warner Losh (possibly) wrote:
> I think that most, but not all, of the problems can be fixed by making
> the stack non-executable for set[gu]id binaries. This will fix the
> attacks where elevated privs are used to get access. However, I'm not
> completely sure about this because there are many problems with this
> idea, not the least of which is that it feels like a bandaid to me.

I'd suggest adding anything executing with an effective uid of root; keep in mind servers. I've actually worked on this with libparanoia's libc substitutions, at least with the non-assembler ones; I'll try to find the time to test soon whether this actually speeds things up.

BTW, breaking binary compatibility on software that runs as root or that's set[gu]id isn't as much of a problem as it might seem - if a piece of software is going to run at elevated permissions, you ought to have the source code. That's (part of) the lesson of _An Empirical Study of the Reliability of UNIX Utilities_, in which GNUware (and software with free source code in general) was found to be a lot more reliable. (Admittedly, another part is that the GNU project has rules against doing things that let in buffer overflows...) See ftp://grilled.cs.wisc.edu/technical_papers/fuzz.ps.Z and ftp://grilled.cs.wisc.edu/technical_papers/fuzz-revisited.ps.gz for more information.

-Allen

--
Allen Smith easmith@beatrice.rutgers.edu

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe security" in the body of the message
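The non-executable-stack idea discussed in this thread, as an added audit example that is not part of the original message or of any FreeBSD code: a Python check that reads the PT_GNU_STACK program header of an ELF64 image (the marker modern toolchains use to declare whether a binary needs an executable stack, a mechanism the 1998 message does not mention) so an administrator can find which set[ug]id binaries still request one. The function names and the constructed test image are assumptions for illustration.

```python
import os
import stat
import struct

PT_GNU_STACK = 0x6474E551  # program header type declaring the stack's required permissions
PF_X = 0x1                 # execute bit within p_flags


def stack_exec_flag(data):
    """Return True if a little-endian ELF64 image requests an executable stack,
    False if it requests a non-executable one, and None when no PT_GNU_STACK
    header is present (the loader's default then applies)."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    (e_phoff,) = struct.unpack_from("<Q", data, 0x20)            # program header table offset
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)  # entry size and count
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return None


def classify(data):
    """Verdict string an audit of privileged binaries would report."""
    flag = stack_exec_flag(data)
    if flag is None:
        return "no PT_GNU_STACK: loader default applies, inspect manually"
    return "executable stack requested" if flag else "non-executable stack"


def audit_setugid(path):
    """Classify only set[ug]id files, the binaries the thread is about; None otherwise."""
    st = os.stat(path)
    if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
        return None
    with open(path, "rb") as f:
        return classify(f.read())


def build_image(phdrs):
    """Constructed test input (not a real binary): minimal ELF64 LE header
    followed by program headers given as (p_type, p_flags) pairs."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               2, 0x3E, 1, 0, 64, 0, 0, 64, 56, len(phdrs), 0, 0, 0)
    phdr = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0) for t, f in phdrs)
    return ehdr + phdr


if __name__ == "__main__":
    print("rwx ->", classify(build_image([(1, 0x5), (PT_GNU_STACK, 0x7)])))
    print("rw  ->", classify(build_image([(1, 0x5), (PT_GNU_STACK, 0x6)])))
```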