[31138] in bugtraq
Re: Buffer overflow prevention
daemon@ATHENA.MIT.EDU (Crispin Cowan)
Wed Aug 13 14:31:18 2003
Message-ID: <3F3A7F97.4030307@immunix.com>
Date: Wed, 13 Aug 2003 11:12:39 -0700
From: Crispin Cowan <crispin@immunix.com>
MIME-Version: 1.0
To: "Eygene A. Ryabinkin" <rea@rea.mbslab.kiae.ru>
In-Reply-To: <20030813102832.GE11695@rea.mbslab.kiae.ru>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Eygene A. Ryabinkin wrote:
> I have an idea on buffer overflow prevention. I doubt that it's new, but I
>haven't seen an implementation of it in any freely distributable Un*x system.
>So, I hardly need your comments on it.
>...
> The idea itself: all (correct me if I'm wrong) buffer overflows are based on
>the fact that we're using the stack, referenced by SS:ESP pair, both for
>procedure return address and for local variables. It seems to me, that would we
>have two stacks -- one for real stack and one for variables -- it will solve
>a bunch of problems. So, my suggestion: let us organise two segments: one for
>normal stack, growing downwards, referenced by SS:ESP pair and the second one,
>for local variables, referenced by GS:EBP pair, with either upwards or
>downwards growing. Now, if we use first segment for passing variables and
>procedure return addresses (normal stack usage), and second segment only for
>local procedure variables, we will have the following advantages:
>
This is approximately what StackShield
<http://www.angelfire.com/sk/stackshield/info.html> does. However, it
does not appear to have been maintained since 2000.
Crispin
--
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
Chief Scientist, Immunix http://immunix.com
http://www.immunix.com/shop/
