
 

Welcome to the Virus.Org Mailing List Archive




Re: Buffer overflow prevention

  • To: Mariusz Woloszyn <[EMAIL PROTECTED]>
  • Subject: Re: Buffer overflow prevention
  • From: Jedi/Sector One <[EMAIL PROTECTED]>
  • Date: Thu, 14 Aug 2003 20:47:21 +0200
  • In-reply-to: <[EMAIL PROTECTED]>
  • References: <[EMAIL PROTECTED]>
 
On Thu, Aug 14, 2003 at 07:26:47PM +0200, Mariusz Woloszyn wrote:
> What we're discussing here is protecting internal structures and data.
> IMHO the ProPolice (http://www.research.ibm.com/trl/projects/security/ssp/),
> is the best protection of this kind, even compared to the "two stack"
> approach.

  ProPolice is not magical, though. There are plenty of cases where it is
totally inefficient. To illustrate a very common one:

#include <string.h>

struct Test {	
	char str[5];
};

int main(void)
{
	struct Test x;	
	strcpy(x.str, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
	
	return 0;
}

  ProPolice doesn't see anything wrong and eip happily goes to 0x41414141.
  
  ProPolice also doesn't give any protection against heap overflows.
  
  So the best protection is probably ProPolice + non-exec stack + write xor
executable pages. Oh, surprise, this is just how OpenBSD works.

  This is still not a magical protection against everything. A vulnerable
application can still behave abnormally after an overflow. But this couple
makes injection + execution of arbitrary code way more tricky.

  The only way to sleep quietly is still to audit the code in the first place.
  
-- 
 __  /*-      Frank DENIS (Jedi/Sector One) <[EMAIL PROTECTED]>     -*\  __
 \ '/    <a href="http://www.PureFTPd.Org/";> Secure FTP Server </a>    \' /
  \/  <a href="http://www.Jedi.Claranet.Fr/";> Misc. free software </a>  \/
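
An added example, not part of the original message: the kind of fix an audit would apply to the snippet above, a length-checked copy into the same `struct Test` that rejects input that does not fit. `bounded_copy` and `test_set` are hypothetical helper names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Same layout as the struct in the message above. */
struct Test {
	char str[5];
};

/*
 * Hypothetical helper: copy src into a field of dst_size bytes and
 * reject (rather than truncate) input that does not fit, NUL included.
 * Returns 0 on success, -1 on rejection; dst is then left as "".
 */
static int bounded_copy(char *dst, size_t dst_size, const char *src)
{
	size_t len;

	if (dst == NULL || dst_size == 0)
		return -1;
	dst[0] = '\0';
	if (src == NULL)
		return -1;
	/* Scan at most dst_size bytes of src for its terminator. */
	for (len = 0; len < dst_size; len++)
		if (src[len] == '\0')
			break;
	if (len == dst_size)
		return -1;	/* no NUL within the field size: too long */
	memcpy(dst, src, len + 1);
	return 0;
}

/* The size comes from the field itself, so it follows the struct. */
static int test_set(struct Test *x, const char *src)
{
	return bounded_copy(x->str, sizeof x->str, src);
}

int main(void)
{
	struct Test x;
	/* Constructed input: the long string from the message. */
	const char *big = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

	printf("oversized: %d\n", test_set(&x, big));
	printf("fits:      %d (%s)\n", test_set(&x, "AAAA"), x.str);
	return 0;
}
```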

 