[11893] in bugtraq


Re: Stack Shield: defending from "stack smashing" attacks

daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@VT.EDU)
Tue Sep 14 18:07:53 1999

X-To:         crispin@CSE.OGI.EDU
Message-Id:  <199909020335.d823ZiT04212@black-ice.cc.vt.edu>
Date:         Wed, 1 Sep 1999 23:35:39 -0400
Reply-To: Valdis.Kletnieks@VT.EDU
From: Valdis.Kletnieks@VT.EDU
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  Your message of "Tue, 31 Aug 1999 17:13:21 -0000." <37CC0D31.55882224@cse.ogi.edu>

On Tue, 31 Aug 1999 17:13:21 -0000, Crispin Cowan <crispin@CSE.OGI.EDU>  said:
> Tobias Haustein wrote:
> > I was about to write a
> > binary translator that reads an executable, locates every function
> > prolog and epilog, adds the necessary code to detect buffer
> > overflows, and writes a new version of the executable.
>
> How do you make room for the extra code in prolog & epilog without re-linking
> the entire program?

The old-time IBM mainframe people would consider it a "piece of cake".
Basically, you replace one instruction with a branch to your code
stored someplace else, which would do your added code, then execute
the replaced instruction, then branch back to the next original opcode.

For example:

old code:
      STM R2,R12,12(R13)
      L   R5,24(,R1)
      ST  R6,20(,R1)

new code:
      STM R2,R12,12(R13)
      B   2400(,R15)   ----->   SR  R2,R5
      ST  R6,20(,R1)   <---+    MVI 36(R3),C'+'
                           |    L   R5,24(,R1)
                           +--  B   8(,R15)

You get the idea.  Of course, quite often you had to first perform
*one* 'zap' to free up space inside the 4K-per-base-register
restriction, and then a second 'zap' to put code into there.  I've
personally hacked up HMASPZAP jobs that would end up replacing 5 or 6
different patches of code, 20 to 30 bytes at a stretch.  You would
quite often find a string of 16 to 32 bytes of zeros at the end of a
module, specifically intended for patch space.

				Valdis Kletnieks
				Computer Systems Senior Engineer
				Virginia Tech
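The one-instruction "zap" described in the post, modelled as an added example (not code from the post, and a toy list of fixed-width (mnemonic, operand) slots rather than real S/370 encoding): the displaced instruction is copied into a trampoline built in the zero words at the end of the module, followed by a branch back, and the original slot becomes a branch out. It also models the case the post mentions where the zeros run out and a zap cannot be placed.

```python
from dataclasses import dataclass

ZERO = ("ZERO", "")   # one word of zeros at module end, reserved as patch space

@dataclass
class Module:
    code: list            # (mnemonic, operand) slots; a branch operand is a slot index

    def patch_space_start(self):
        """Index where the trailing run of zero words (the patch area) begins."""
        end = len(self.code)
        while end > 0 and self.code[end - 1] == ZERO:
            end -= 1
        return end

def apply_zap(mod, at, added):
    """Overwrite code[at] with a branch to a trampoline placed in the patch area.
    The trampoline runs `added`, then the displaced instruction, then branches
    back to at + 1.  Raises ValueError when the remaining zeros cannot hold it."""
    displaced = mod.code[at]
    start = mod.patch_space_start()
    trampoline = list(added) + [displaced, ("B", at + 1)]
    if start + len(trampoline) > len(mod.code):
        raise ValueError("not enough patch space at end of module")
    mod.code[start:start + len(trampoline)] = trampoline
    mod.code[at] = ("B", start)
    return start

def run(mod, limit=100):
    """Execute until HALT; return the instructions executed, branches excluded."""
    trace, pc, steps = [], 0, 0
    while mod.code[pc][0] != "HALT":
        op, arg = mod.code[pc]
        steps += 1
        if steps > limit or op == "ZERO":
            raise RuntimeError("runaway execution or fell into patch space")
        if op == "B":
            pc = arg
        else:
            trace.append(f"{op} {arg}")
            pc += 1
    return trace

def demo():
    """Constructed module mirroring the post's 'old code', plus four zero words."""
    mod = Module([("STM", "R2,R12,12(R13)"), ("L", "R5,24(,R1)"),
                  ("ST", "R6,20(,R1)"), ("HALT", ""), ZERO, ZERO, ZERO, ZERO])
    before = run(mod)
    apply_zap(mod, at=1, added=[("SR", "R2,R5"), ("MVI", "36(R3),C'+'")])
    return before, run(mod)
```

Running demo() shows the patched module executing every original instruction in its original order with the two added instructions slipped in ahead of the displaced load.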
