[14821] in bugtraq
Re: Libsafe Protecting Critical Elements of Stacks
daemon@ATHENA.MIT.EDU (Mariusz Woloszyn)
Sat May 6 21:10:20 2000
Message-Id: <Pine.LNX.4.04.10005041143350.19576-100000@dzyngiel.ipartners.pl>
Date: Thu, 4 May 2000 12:06:21 +0200
Reply-To: Mariusz Woloszyn <emsi@IT.PL>
From: Mariusz Woloszyn <emsi@IT.PL>
X-To: Crispin Cowan <crispin@WIREX.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <39050BF9.B0C98C45@wirex.com>
On Tue, 25 Apr 2000, Crispin Cowan wrote:
> JEFF PFOHL wrote:
>
> > Does anyone know anything about this?
> >
> > http://www.bell-labs.com/org/11356/html/security.html
>
> Solar Designer has posted his analysis to the Linux security-audit
> mailing list
> http://www2.merton.ox.ac.uk/~security/security-audit-200004/0069.html .
> Perry Wagle (principal StackGuard developer, cc'd) has written an
> analysis comparing StackGuard to libsafe (attached). The summary is as
> follows:
>
>    * Use StackGuard where you can, because it is safer:
>         o Libsafe only wraps selected string library functions. Buffer
>           overflows affecting other library functions or user-written
>           loops will not be protected.
>         o Libsafe attempts to wrap these functions by parsing the stack,
>           but it doesn't always succeed. In particular, libsafe depends
>           on the existence of the frame pointer, and fails when it isn't
>           present, as happens if the code was compiled with -fno_fp, or
>           if the optimizer removed the frame pointer.
>    * Use Libsafe where you cannot use StackGuard, i.e. for binary-only
>      applications.
>

Most of what we presented in the Phrack article
(http://phrack.infonexus.com/search.phtml?view&article=p56-5) works
against libsafe, as it protects only the RET value, using the frame pointer to
determine the place of local variables.

Is there any compilation-time tool (could be lots of macros ;) that uses
buffer size declarations to protect against overflows?
--
Mariusz Wołoszyn
Internet Security Specialist, Internet Partners, GTS Poland
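
One shape the macro approach asked about above can take, as an added example that is not part of the original message and is not code from StackGuard or libsafe: the copy is bounded by the declared size of the destination array, so a variable sitting next to the buffer stays intact, which a check on the return address alone does not guarantee. `SAFE_STRCPY`, `ARRAY_BYTES`, `bounded_copy` and `struct session` are hypothetical names, and the pointer check assumes the GCC/Clang builtins `__typeof__` and `__builtin_types_compatible_p`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* 1 when `a` is a pointer, 0 when it is a true array (GCC/Clang builtins, assumed). */
#define IS_POINTER(a) \
    __builtin_types_compatible_p(__typeof__(a), __typeof__(&(a)[0]))

/* Declared size of an array. A pointer argument yields char[-1] and fails to
 * compile, because sizeof(pointer) would silently give the wrong bound. */
#define ARRAY_BYTES(a) (sizeof(a) + 0 * sizeof(char[1 - 2 * IS_POINTER(a)]))

/* Copies at most cap-1 bytes and always NUL-terminates.
 * Returns 0 if src fit, -1 if it was truncated. */
static int bounded_copy(char *dst, size_t cap, const char *src)
{
    size_t n = strlen(src);
    if (cap == 0)
        return -1;
    if (n >= cap) {
        memcpy(dst, src, cap - 1);
        dst[cap - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* The bound comes from the buffer's declaration, not from the caller. */
#define SAFE_STRCPY(dst, src) bounded_copy((dst), ARRAY_BYTES(dst), (src))

/* Constructed layout: a buffer followed by a security-relevant value. A struct
 * pins the order, which the compiler may change for plain locals. */
struct session { char name[8]; int is_admin; };

/* Copies input into s.name; returns is_admin, which must still be 0. */
int copy_keeps_neighbour(const char *input, int *truncated, size_t *stored)
{
    struct session s = { "", 0 };
    *truncated = SAFE_STRCPY(s.name, input);
    *stored = strlen(s.name);
    return s.is_admin;
}

int main(void)
{
    int t; size_t len;
    int admin = copy_keeps_neighbour("AAAAAAAAAAAAAAAA", &t, &len); /* constructed input */
    printf("is_admin=%d truncated=%d stored=%zu\n", admin, t, len);
    return 0;
}
```

Passing a `char *` instead of an array to `SAFE_STRCPY` is rejected at compile time, so the macro cannot be applied where the declared size is unknown.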