Date:      Sun, 19 Jul 1998 20:20:21 -0700
From:      David Greenman <dg@root.com>
To:        Brett Glass <brett@lariat.org>
Cc:        Warner Losh <imp@village.org>, Archie Cobbs <archie@whistle.com>, security@FreeBSD.ORG
Subject:   Re: The 99,999-bug question: Why can you execute from the stack? 
Message-ID:  <199807200320.UAA24309@implode.root.com>
In-Reply-To: Your message of "Sun, 19 Jul 1998 20:10:39 MDT." <199807200210.UAA07188@lariat.lariat.org> 

>At 07:48 PM 7/19/98 -0600, Warner Losh wrote:
> 
>>I think that most, but not all, of the problems can be fixed by making
>>the stack non-executable for set[gu]id binaries.  This will fix the
>>attacks where elevated privs are used to get access.  However, I'm not
>>completely sure about this because there are many problems with this
>>idea.  Not the least of which is that it feels like a band-aid to me.
>
>I think it's fundamentally good architecture and a good general 
>precaution to keep code off the stack. After all, the original Intel 
>architecture was set up so that you couldn't execute from a stack segment 
>without doing special aliasing; they did this with security and reliability 
>in mind. Alas, most "flat model" OSes turn off this mechanism.

   I think people are fooling themselves if they think that making the stack
non-executable is going to prevent any of the stack overflow related attacks
from working (with minor mods of course). Most executables have plenty enough
code mapped that in most cases it shouldn't be too difficult for the exploiter
to frob the stack a bit with some reasonable arguments and then push a non-
stack function as the return address (plenty of yummy things to choose from in
shared libc, for example - including, but not limited to, execl()). This
wouldn't require anything to execute from the stack, so making the stack
non-executable wouldn't prevent this from working.

-DG

David Greenman
Co-founder/Principal Architect, The FreeBSD Project
