[4376] in bugtraq


Re: Smashing the Stack: prevention?

daemon@ATHENA.MIT.EDU (Theo de Raadt)
Tue Apr 29 18:23:08 1997

Date: 	Mon, 28 Apr 1997 18:32:50 -0600
Reply-To: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
From: Theo de Raadt <deraadt@CVS.OPENBSD.ORG>
X-To:         Michael Shields <shields@CROSSLINK.NET>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  Your message of "Mon, 28 Apr 1997 19:38:33 -0000." 
              <g6vi57ndmr.fsf@daedalus.crosslink.net>

> > 1.  'you gotta change the code'
> >         This one is obvious; people must change their SUID programs'
> > source code to avoid nasty things like gets() sprintf() strcat() and
> > strcpy() using things like fgets() strncat() strncpy() as substitutes.
> > (there are many more 'problem' functions, I'm only listing a few here).
> > Any unbounded byte copying is suspect to buffer overruns, and needs to
> > be examined and changed.  The drawbacks are obvious, thousands of lines
> > of source need to be changed/examined, re-written.
>
> However, it's important to remember that such auditing buys you not
> just a secure program but a robust program as well.  So it is
> something you would want to do anyway, even if the programs were not
> suid.  The security issue just gives it urgency.
>
> Security and robustness really go hand in hand -- they both involve
> thinking about the ranges of allowable inputs and responses, and
> limiting them so undesirable responses are not produced.

I am very happy to see someone else point this out!  I was holding
back on mentioning this.

During the OpenBSD security code review that we've been doing for
almost a year now, we have fixed numerous other robustness problems.
Just as a small example, more than 10 ways to make ftpd dump core have
been resolved.  Thousands of non-security bugs got fixed at the same
time.

When you are looking at each source file one by one, it is an ideal
time to evaluate what problems and solutions other OS groups have
done.

Michael -- thanks a lot.
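
Added example, not part of the original message and not OpenBSD code: the quoted advice to swap strcpy()/strcat() for strncpy()/strncat() only works if termination and the remaining-space arithmetic are handled by the caller, which the two helpers below do. The names copy_bounded and append_bounded and the sample strings are hypothetical, and src is assumed to be a terminated string.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Bounded replacement for strcpy(): copies src into dst (dstsz bytes in total).
 * strncpy() writes no terminator when src fills the buffer, so one is always
 * stored by hand. Returns 0 on success, -1 if src was truncated. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    strncpy(dst, src, dstsz - 1);
    dst[dstsz - 1] = '\0';
    return strlen(src) >= dstsz ? -1 : 0;
}

/* Bounded replacement for strcat(): the count given to strncat() is the number
 * of bytes still free in dst, not the size of dst. Returns 0 on success, -1 if
 * src did not fit or dst held no terminated string. */
int append_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t used, room;

    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    if (memchr(dst, '\0', dstsz) == NULL)
        return -1;                 /* dst is not terminated inside its bounds */
    used = strlen(dst);
    room = dstsz - used - 1;       /* bytes free, keeping one for the terminator */
    strncat(dst, src, room);       /* appends at most room bytes plus a NUL */
    return strlen(src) > room ? -1 : 0;
}

int main(void)
{
    char path[16];                 /* constructed sample buffer */
    int rc;

    rc = copy_bounded(path, sizeof path, "/var/spool/");
    printf("copy   rc=%d  \"%s\"\n", rc, path);
    rc = append_bounded(path, sizeof path, "mqueue/incoming");  /* too long */
    printf("append rc=%d  \"%s\"\n", rc, path);
    return 0;
}
```

A -1 return means the result was truncated; a caller that builds file names or commands from it should treat that as an error rather than carry on with the shortened string.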
