[cgl_discussion] Buffer overflow

Paul Kierstead paul.kierstead at alcatel.com
Tue Apr 22 11:23:15 PDT 2003


I have been a bit absent recently; sorry about that. I will be absent again
next week, but that is all good :)

A non-executable stack is one of the very best defenses (in theory, anyway)
to badly written software and -- let's face it -- most software is badly
written. It comes pretty close to stopping all buffer overflows (well, their
effects actually) in their tracks (there are a few exceptions). Your software
may still suffer a denial of service (the stack is still garbage), but no
intrusion should happen. This is awesome.

Now the problem is that it still isn't mature. But I -- for one -- would
love to see it at least mentioned somewhere as a future consideration (upon
maturation). I suspect if we see the level of effort that goes into
exploiting Windows overflows applied to Linux, we might see it mature a
little more quickly.

That all being said, DTE (Domain Type Enforcement) can offer many similar
benefits if applied well by strictly containing the damage.

Or we could just write the software better :)


Paul Kierstead
Senior Security Researcher, Alcatel R&I Security Group
600 March Rd. Kanata, Ontario, Canada K2K 2E6 
Tel: +1 613 784 4991 - EST 


> -----Original Message-----
> From: cgl_discussion-admin at lists.osdl.org 
> [mailto:cgl_discussion-admin at lists.osdl.org] On Behalf Of 
> Stefano.Campadello at nokia.com
> Sent: Tuesday, April 22, 2003 8:09 AM
> To: Makan.Pourzandi at ericsson.ca; 
> mikukkon at miku-t21-linox.koti.nokia.com; cgl_discussion at osdl.org
> Subject: RE: [cgl_discussion] Buffer overflow
> 
> 
> So, what is your opinion? Should we add a requirement for 3.0 
> or is it still premature now?
> 
> Stefano
> 
> > -----Original Message-----
> > From: ext Makan Pourzandi (LMC) [mailto:Makan.Pourzandi at ericsson.ca]
> > Sent: 17 April, 2003 01:37
> > To: 'Mika Kukkonen'; cgl_discussion at osdl.org
> > Subject: RE: [cgl_discussion] Buffer overflow
> > 
> > 
> > Hi,
> > 
> > My first reaction is to wait and see. Even if OpenBSD has a
> > very good reputation (I mean regarding security), we have to 
> > wait for 1st May. 
> > 
> > Second, OpenBSD has always been more advanced in security
> > than Linux. In the best case, it will take some time before those 
> > modifications get into the Linux kernel. Hopefully, this will not 
> > generate too many flames ;-) 
> > 
> > Last but not least, there are already Linux kernel patches
> > regarding buffer overflows; one of the ones I know of is 
> > http://www.openwall.com/linux/README, which implements a 
> > non-executable user stack area. Openwall is also 
> > implemented as an LSM module, but to my knowledge not all 
> > functionality available in Openwall is provided by the LSM module. 
> > 
> > regards, 
> > makan 
> 
> 
> > -----Original Message-----
> > From: Mika Kukkonen [mailto:mikukkon at miku-t21-linox.koti.nokia.com]
> > Sent: Wednesday, April 16, 2003 10:58 AM
> > To: cgl_discussion at osdl.org
> > Subject: [cgl_discussion] Buffer overflow
> > 
> > 
> > An Anonymous Coward suggested to me that CGL should also 
> > include something like this:
> > http://news.com.com/2100-1002-996584.html
> > 
> > Now looking at the pace RedHat sends me up2date packages
> > that fix buffer overflows, I tend to agree, but I do think
> > this is one of those features that are _very_ hard to get
> > accepted by Linus.
> > 
> > Any opinions?
> > 
> > --MiKu
> > 
> > _______________________________________________
> > cgl_discussion mailing list
> > cgl_discussion at lists.osdl.org
> > http://lists.osdl.org/mailman/listinfo/cgl_discussion
> > 
> 
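A check for the property discussed in this thread, as an added example that is not part of the original messages: it takes text in the Linux `/proc/<pid>/maps` format and reports whether the `[stack]` mapping carries the execute bit. The function name `stack_exec_state` and the sample lines are constructed for illustration, and the `[stack]` label is assumed to be present as on current Linux kernels.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample lines in /proc/<pid>/maps format (not from a real system). */
static const char SAMPLE_NX[] =
    "00400000-00452000 r-xp 00000000 08:02 173521 /usr/bin/demo\n"
    "7ffd1c2e4000-7ffd1c305000 rw-p 00000000 00:00 0 [stack]\n";
static const char SAMPLE_EXEC[] =
    "00400000-00452000 r-xp 00000000 08:02 173521 /usr/bin/demo\n"
    "7ffd1c2e4000-7ffd1c305000 rwxp 00000000 00:00 0 [stack]\n";

/* Returns 1 if the [stack] mapping is executable, 0 if it is not,
 * and -1 if the text contains no parsable [stack] line. */
int stack_exec_state(const char *maps)
{
    const char *line = maps;
    while (line && *line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        char buf[512];
        char perms[5] = "";
        if (len >= sizeof buf)
            len = sizeof buf - 1;   /* the [stack] line is short; truncation is safe */
        memcpy(buf, line, len);
        buf[len] = '\0';
        /* Fields: start-end perms offset dev inode [pathname] */
        if (strstr(buf, "[stack]") &&
            sscanf(buf, "%*[0-9a-fA-F]-%*[0-9a-fA-F] %4s", perms) == 1)
            return perms[2] == 'x'; /* perms look like "rw-p" or "rwxp" */
        line = eol ? eol + 1 : NULL;
    }
    return -1;
}

int main(void)
{
    static char live[65536];
    FILE *f = fopen("/proc/self/maps", "r");
    if (f) {                        /* only available on Linux */
        size_t n = fread(live, 1, sizeof live - 1, f);
        live[n] = '\0';
        fclose(f);
        printf("this process:            %d\n", stack_exec_state(live));
    }
    printf("sample, NX stack:        %d\n", stack_exec_state(SAMPLE_NX));
    printf("sample, executable stack: %d\n", stack_exec_state(SAMPLE_EXEC));
    return 0;
}
```

A result of 1 for a running process means injected code on its stack could execute, which is the condition the non-executable stack patches in this thread are meant to remove.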




