comp.lang.ada
From: Vinzent Hoefler <ada.rocks@jlfencey.com>
Subject: Re: Partial Hardware Protection for Buffer Overrun Exploits
Date: Wed, 16 Apr 2003 13:28:50 -0400
Message-ID: <b7k3su$1q9au$1@ID-175126.news.dfncis.de>
In-Reply-To: 3E9D8AB6.4090009@cogeco.ca

"Warren W. Gay VE3WWG" <ve3wwg@cogeco.ca> wrote:

>If it is possible for the CPU to distinguish between the
>"text" region and the "data" regions (including stack),

It does in some way. But in the flat model it does not distinguish the
addresses. So if you say CS:[03FC7687] and SS:[03FC7687] it refers to
the same memory, although the access rights are different depending on
how you access it. That is the danger.

>then
>a new instruction (say RETT - Return to Text), could cause
>a fault to occur, if the return address is not to a text
>virtual memory address (for exploits this address points
>to a "data" region, and usually part of the current stack
>frame).

There is already an easier solution (at least for x86 CPUs): Don't
use a purely flat model; by this I mean you shouldn't use the same
address space for both data/stack and code. This could already be
accomplished with the standard protection/paging features of the x86.

Unfortunately, there are some features in current real-world compilers
(like, for instance, the so-called trampolines) that require an
"executable" stack segment. Simply get rid of these features and the
solution is easy.

Well, it would make the writing of self-modifying code a little bit
harder.

>As far as I see, the only way to exploit buffers would
>then require the attacker to find usable sections of text
>to do his bidding.

Because you cannot write to the code segment without triggering a GPF,
it would simply be impossible. Still, you could launch a DoS attack
this way.

>There has to be a better solution to the current crop of
>buffer exploits, that are being used daily.

Yes. What about using Ada? ;-)


Vinzent.

-- 
Parents strongly cautioned  --  this  posting  is  intended for mature
audiences  over  18.  It  may  contain some material that many parents
would not find suitable for children and may include intense violence,
sexual situations, coarse language and suggestive dialogue.
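A defender's check for the executable-stack requirement mentioned above, added here as an example and not part of the original post or thread: GNU toolchains record whether a binary needs an executable stack (e.g. because it uses trampolines) in a PT_GNU_STACK program header, and this Python parser reads that header from an ELF image and reports the flag. The ELF images built by make_elf64 are constructed, header-only samples used only to exercise the parser; check_file is a hypothetical helper name for scanning real files.

```python
import struct

PT_GNU_STACK = 0x6474E551  # GNU program-header type describing stack permissions
PF_X = 0x1                 # segment flag: executable


def stack_is_executable(elf: bytes):
    """True if the ELF requests an executable stack, False if it requests a
    non-executable one, None if no PT_GNU_STACK header exists (older
    toolchains; the kernel then applies its own default)."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = elf[4], elf[5]          # 1/2 = 32/64-bit, 1/2 = LE/BE
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 2:                           # ELF64 header layout
        e_phoff, = struct.unpack_from(endian + "Q", elf, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", elf, 0x36)
        flags_off = 4                           # p_flags follows p_type in Elf64_Phdr
    else:                                       # ELF32 header layout
        e_phoff, = struct.unpack_from(endian + "I", elf, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", elf, 0x2A)
        flags_off = 24                          # p_flags sits near the end of Elf32_Phdr
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(endian + "I", elf, off)
        p_flags, = struct.unpack_from(endian + "I", elf, off + flags_off)
        if p_type == PT_GNU_STACK:
            return bool(p_flags & PF_X)
    return None


def make_elf64(stack_flags: int, p_type: int = PT_GNU_STACK) -> bytes:
    """Constructed sample: a minimal little-endian ELF64 image consisting of an
    ELF header plus one program header (not loadable; headers only)."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               2, 62, 1, 0, 64, 0, 0, 64, 56, 1, 64, 0, 0)
    phdr = struct.pack("<IIQQQQQQ", p_type, stack_flags, 0, 0, 0, 0, 0, 16)
    return ehdr + phdr


def check_file(path: str):
    """Hypothetical helper: read a real binary from disk and classify its stack."""
    with open(path, "rb") as fh:
        return stack_is_executable(fh.read())


if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, {True: "EXEC stack", False: "non-exec stack", None: "no PT_GNU_STACK"}[check_file(p)])
```

Running the script on a directory of binaries is the same check as `readelf -lW <file> | grep GNU_STACK`; any hit marked executable is a candidate for rebuilding without the feature that required it.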


