DragonFly BSD
DragonFly commits List (threaded) for 2003-12
[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]

Re: cvs commit: src/contrib/gcc protector.c protector.h Makefile.in calls.c combine.c cse.c explow.c expr.c flags.h function.c gcse.c integrate.c libgcc2.c loop.c optabs.c reload1.c toplev.c src/gnu/usr.bin/cc/cc_int Makefile


From: Matthew Dillon <dillon@xxxxxxxxxxxxxxxxxxxx>
Date: Thu, 11 Dec 2003 10:07:35 -0800 (PST)

:-On [20031211 09:52], Matthew Dillon (dillon@xxxxxxxxxxxxxxxxxxxx) wrote:
:>    huh?  I don't think I understood a single word of this posting (!) :-)
:
:As far as I understand it:
:
:With Propolice you only disable smashing the stack.  What Propolice and
:StackGuard and similar protections do is add a 'canary' (informer/decoy)
:value just before the return addresses on the run-time stack.  Propolice
:and StackGuard add additional code in your binary which then checks if
:the canary value is present or not.  If it is not a buffer overflow has
:occured.
:
:Thing is that SEBP or SEIP still is available before or after the canary
:value.  You can place shellcode on the heap and just jump there.
:
:Hence OpenBSD also implemented W^X (Write XOR eXecutable).  This also
:makes sure that memory get fine-grained permissions.  Which thus limits
:executing in the stack and heap.
:
:This is at least my understanding, I could of course be way off with my
:interpretation.
:
:-- 
:Jeroen Ruigrok van der Werven <asmodai(at)wxs.nl> / asmodai / kita no mono

    I still have no idea what SEBP or SEIP means.

    In anycase, the propolice code also reorders local pointer declarations
    so they occur before the buffer rather then after.  It's not sure-fire
    because it is possible that an earlier stack frame will contain 
    function pointer information that a later subroutine call uses,
    prior to the return check, but it does cover 90% of the cases.  What
    this means is that even though you can temporarily overwrite the stack,
    it is unlikely that you would be able to overwrite anything that the
    code would call through or return through prior to the guard check.
    And since the guard value is 'random' the hacker code cannot reliably
    'fake' it.

    I don't know who comes up with these names.  W^X?  IA32 does not support
    fine-grained permissions, the only way to make the stack non-executable
    is to modify the SS segment register and while this does work, it creates
    severe restrictions on how threaded programs can operate.
     
					-Matt
					Matthew Dillon 
					<dillon@xxxxxxxxxxxxx>



[Date Prev][Date Next]  [Thread Prev][Thread Next]  [Date Index][Thread Index]