[24291] in bugtraq
Re: In response to alleged vulnerabilities in Microsoft Visual C++ security checks feature
daemon@ATHENA.MIT.EDU (Crispin Cowan)
Fri Feb 15 10:43:34 2002
Message-ID: <3C6C738F.50800@wirex.com>
Date: Thu, 14 Feb 2002 18:33:51 -0800
From: Crispin Cowan <crispin@wirex.com>
To: Brandon Bray <branbray@microsoft.com>
Cc: bugtraq@securityfocus.com
Brandon Bray wrote:
>[2] Cigital alleges that the /GS security check feature was a port of
>StackGuard. This happens to be untrue, as both technologies were
>invented independently.
>
I challenge that. The StackGuard paper was written in summer 1997, and
published in early 1998. The Microsoft /GS paper appeared in mid-2001,
and bears a STRIKING resemblance to the StackGuard paper. It is
theoretically possible that /GS was an independent invention, but only
by being astonishingly ignorant of the literature.

>[1] "Writing Secure Code" is the prescriptive guide to Microsoft
>developers for, oddly enough, writing secure code.
>
Funnily enough, this book (published in November 2001) actually refers
to the stack ornaments that provide for overflow detection as
"canaries," a term coined in the StackGuard 1998 paper. See the book's
index and search for "canary":
http://www.microsoft.com/mspress/books/index/5612.asp#Index

If it was independent invention, there are a lot of surprising coincidences.

Crispin
--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
The Olympic Games: A Century of Corruption and Graft
The FIS: Crushing the soul of snowboarding