[ih] Re: OOT: What is a stack?

David P. Reed dpreed at reed.com
Tue Jul 31 11:57:44 PDT 2001


Small issue: Return addresses of calling routines are on the stack, and 
they don't require execute access to exploit.  Thus, every fixed length 
buffer is indeed a potential exploit, whether or not you give "execute" 
permission to the stack.

I sense a wish to "blame Microsoft" or "blame Intel" on this one.  Blame 
the designers of "C" string handling routines, instead - or is Bell Labs 
Murray Hill exempt from criticism these days?

Who wrote the first set of str* libraries in C, and forgot to require 
bounding of the target string, anyway?


At 07:44 PM 7/30/01 -0700, James P. Salsman wrote:
>Rahmat,
>
>Thank you for your questions about stacks.
>
>Since the virtual memory management unit defines which segments are and
>are not executable, I think it is best to think of the stack as the
>memory which has been allocated to the MMU's "stack segment" instead of
>in terms of particular registers.
>
>It turns out that the i386 MMU does have provisions for nonexecutable
>segments, and such safeguards for the stack are implemented in certain
>patches to Linux.  However, those patches break certain features of
>the GDB debugger, so they are not popular.  Also, it is rumored that
>certain unix signaling packages push legitimate code onto the stack,
>but they are sloppy, because there is a minuscule efficiency advantage
>to doing so, and the pitfalls are very bad.  (Every fixed-length buffer
>becomes a potential security exploit.)
>
>Maybe someone at Microsoft can tell us what happens to Windows when
>the stack segment is marked non-executable.  Does anything break?  At
>least the CodeRed worm would break, along with similar stack exploits.
>
>Cheers,
>James
>
> > Date: Tue, 31 Jul 2001 09:15:54 +0700
> > From: "Rahmat M. Samik-Ibrahim" <rms46 at vlsm.org>
> > To: MILIS Internet History <internet-history at postel.org>
> > CC: "James P. Salsman" <bovik at best.com>
> > Subject: OOT: What is a stack?
> >
> > Hello:
> >
> > I have no idea where to follow up this issue; hopefully this
> > list is the best fit.
> >
> > James P. Salsman wrote on the IETF list:
> >
> > > Speaking of prevention measures, is there anything in
> > > i386 architecture which can prevent execution of code
> > > on the stack, or is that exclusive to SPARCitecture?
> >
> > I am not familiar with SPARC, cmiiw, it uses 32 multipurpose
> > registers with a sliding window. Therefore, what is exactly
> > "prevent execution of code on the stack" ?
> >
> > Speaking of stack history, how many processors that actually
> > call one of its register as a "stack pointer"? Intel 8XXX,
> > Zilog, what else?
> >
> > How about PDP-11, does R5 count as a stack pointer?
> > How about HP-1000, where a return address was stored
> > in the front of a subroutine (Jump save address)?
> >
> > regards,
> >
> > --
> > Rahmat M. Samik-Ibrahim - VLSM-TJT - http://rms46.vlsm.org
> > - Hi! How are you? I send you this in order to have advice
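As an added example (not code from anyone in this thread), the "fixed length buffer" hazard Reed describes beside the bounded copy he says the C str* routines should have required; the function names are hypothetical, and the unbounded form is shown for contrast only and is never called with oversized input:

```c
/* Added example, not from the thread. Function names are hypothetical. */
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

#define NAME_MAX 16

/* Unbounded copy: strcpy takes no length for the destination, so nothing
 * stops a long src from writing past `name` into whatever the compiler
 * placed after it on the stack, the saved return address included. This
 * is the "before" form; it is not exercised with oversized input here. */
void greet_unbounded(const char *src) {
    char name[NAME_MAX];
    strcpy(name, src);              /* no bound on the target string */
    printf("hello, %s\n", name);
}

/* Bounded copy: the target's size is a required parameter, and input that
 * does not fit (terminating NUL included) is rejected instead of silently
 * overflowing. memchr is used so no more than dstsz bytes of src are read. */
bool copy_bounded(char *dst, size_t dstsz, const char *src) {
    const char *nul = memchr(src, '\0', dstsz);
    if (nul == NULL)
        return false;               /* src needs more than dstsz bytes */
    size_t n = (size_t)(nul - src);
    memcpy(dst, src, n + 1);        /* copy the NUL as well */
    return true;
}

/* Same greeting, but the caller learns about oversized input as a failed
 * return rather than as corrupted stack contents. */
bool greet_bounded(const char *src) {
    char name[NAME_MAX];
    if (!copy_bounded(name, sizeof name, src))
        return false;
    printf("hello, %s\n", name);
    return true;
}
```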