[ih] Re: OOT: What is a stack?
David P. Reed
dpreed at reed.com
Tue Jul 31 11:57:44 PDT 2001
Small issue: Return addresses of calling routines are on the stack, and
they don't require execute access to exploit. Thus, every fixed length
buffer is indeed a potential exploit, whether or not you give "execute"
permission to the stack.
I sense a wish to "blame Microsoft" or "blame Intel" on this one. Blame
the designers of "C" string handling routines, instead - or is Bell Labs
Murray Hill exempt from criticism these days?
Who wrote the first set of str* libraries in C, and forgot to require
bounding of the target string, anyway?
At 07:44 PM 7/30/01 -0700, James P. Salsman wrote:
>Thank you for your questions about stacks.
>Since the virtual memory management unit defines which segments are and
>are not executable, I think it is best to think of the stack as the
>memory which has been allocated to the MMU's "stack segment" instead of
>in terms of particular registers.
>It turns out that the i386 MMU does have provisions for nonexecutable
>segments, and such safeguards for the stack are implemented in certain
>patches to Linux. However, those patches break certain features of
>the GDB debugger, so they are not popular. Also, it is rumored that
>certain unix signaling packages push legitimate code on to the stack,
>but they are sloppy, because there is a minuscule efficiency advantage
>to doing so, and the pitfalls are very bad. (Every fixed-length buffer
>becomes a potential security exploit.)
>Maybe someone at Microsoft can tell us what happens to Windows when
>the stack segment is marked non-executable. Does anything break? At
>least the CodeRed worm would break, along with similar stack exploits.
> > Date: Tue, 31 Jul 2001 09:15:54 +0700
> > From: "Rahmat M. Samik-Ibrahim" <rms46 at vlsm.org>
> > To: MILIS Internet History <internet-history at postel.org>
> > CC: "James P. Salsman" <bovik at best.com>
> > Subject: OOT: What is a stack?
> > Hello:
> > I have no idea where to follow up on this issue; hopefully this
> > list is the best fit.
> > James P. Salsman wrote on the IETF list:
> > > Speaking of prevention measures, is there anything in
> > > i386 architecture which can prevent execution of code
> > > on the stack, or is that exclusive to SPARCitecture?
> > I am not familiar with SPARC; cmiiw, it uses 32 multipurpose
> > registers with a sliding window. Therefore, what exactly is
> > "prevent execution of code on the stack"?
> > Speaking of stack history, how many processors actually
> > call one of their registers a "stack pointer"? Intel 8XXX,
> > Zilog, what else?
> > How about PDP-11, does R5 count as a stack pointer?
> > How about HP-1000, where a return address was stored
> > in the front of a subroutine (Jump save address)?
> > regards,
> > --
> > Rahmat M. Samik-Ibrahim - VLSM-TJT - http://rms46.vlsm.org
> > - Hi! How are you? I send you this in order to have advice
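The bounding that David Reed says the original str* routines omitted, as an added example that is not part of the thread: a strlcpy-style copy (hypothetical name `bounded_copy`) that takes the destination size, always NUL-terminates, and returns the length it needed, so a caller can detect truncation instead of letting a fixed-length stack buffer be overrun into whatever sits next to it, the saved return address included.

```c
/* Added example, not from the thread. strcpy() takes no destination size,
 * so copying untrusted input into a fixed-length stack buffer overruns it
 * as soon as the input is longer than the buffer. bounded_copy() is the
 * missing bound: it never writes more than dstsize bytes, always leaves a
 * NUL terminator (unlike strncpy), and returns strlen(src) so the caller
 * can tell whether the copy was truncated. Names here are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

size_t bounded_copy(char *dst, size_t dstsize, const char *src)
{
    size_t srclen = strlen(src);
    if (dstsize == 0)
        return srclen;              /* nothing we may write; report the need */
    size_t n = srclen < dstsize - 1 ? srclen : dstsize - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';                  /* terminated even when truncated */
    return srclen;                  /* srclen >= dstsize means truncated */
}

/* The check a strcpy() caller never had: does src fit, terminator included? */
int fits_in_buffer(const char *src, size_t dstsize)
{
    return strlen(src) < dstsize;
}

/* Copies input through a 16-byte stack buffer of the kind the thread calls
 * "a potential exploit"; returns 1 if nothing was truncated, 0 otherwise. */
int copy_through_fixed_buffer(const char *input, char *out, size_t outsize)
{
    char buf[16];
    size_t need = bounded_copy(buf, sizeof buf, input);
    bounded_copy(out, outsize, buf);
    return need < sizeof buf;
}

int main(void)
{
    char out[32];
    const char *constructed = "this input is longer than sixteen bytes";
    int ok = copy_through_fixed_buffer(constructed, out, sizeof out);
    printf("copied \"%s\", truncated=%d\n", out, !ok);
    return 0;
}
```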