Re: How to develop a random number generation device

On Wed, 12 Sep 2007 00:04:30 +0100, Nobody <nobody@xxxxxxxxxxx> wrote:

On Tue, 11 Sep 2007 13:11:18 -0700, John Larkin wrote:

Nothing the OS does can prevent machine code from overrunning a buffer.

Ancient computers, PDP-11 and VAX certainly, had memory management
hardware that separated I and D space, where I space was read-only,
and D space could not be executed. And the OS's enforced those rules.
It was common to have many users running the exact same code, but
mapped into different data spaces.

Problem is, neither Intel nor Microsoft was in the mainstream of
computing when they kluged up x86 and Windows.

W^X (write or execute but not both) is available on current systems, but
that doesn't necessarily cure all buffer overflow exploits. It prevents an
attacker from injecting new code, but it doesn't stop them from calling
existing code with their own data.

The latter may be just as good as the former if some form of "Swiss army
knife" function (e.g. execute arbitrary VB/C#/JS/etc code) is present in
the code space. Actually, system() is almost certain to be there, and
there isn't much you can't do by passing it the right string.

It sounds to me like C compilers/linkers tend to allocate memory to
code, buffers, and stack sort of anywhere they like. So a buffer can
overflow into code space. Why can't at least the compilers be fixed so
that they put all the stacks first, then the code, then all the
buffers? So a stack overflow or a buffer overflow will memory fault
but can't crunch the code.

As it is, a "malformed header" in a packet or even an image file can
result in it being copied into a buffer space that's too small for the
actual data+trojans, and the malware overflows into the next code
block, where it eventually gets executed. And the fix is apparently to
carefully check the headers!

John


.

Relevant Pages

  • RE: x86, ptrace: support for branch trace store(BTS)
    ... Is there already a per-task memory limit? ... buffer into a file - whether this is the real buffer or a bigger virtual ... The small profile cases would already be covered with a reasonably big ... Independent of how many buffers we have, we need to offer overflow ...
    (Linux-Kernel)
  • Re: Easily and Permanently prevent all stack buffer overflows
    ... stack buffer overflows. ... So how does the direction affect total memory usage? ... an overflow of a memory section. ...
    (comp.os.linux.security)
  • Re: Easily and Permanently prevent all stack buffer overflows
    ... stack buffer overflows. ... So how does the direction affect total memory usage? ... an overflow of a memory section. ...
    (comp.os.linux.security)
  • Re: Discovering variable types...
    ... >- but I suppose MS expect us to use wrappers ... memory allocations for your variables from disk as well. ... >They most certainly are of fixed size, changing the size of a String ... >>me to keep buffer size and current postion right in the memory block. ...
    (comp.lang.pascal.delphi.misc)
  • Buffer overflows in ircII-based clients
    ... I had been pretty sure for years that malicious servers can ... This means that these clients are safe when they're connected to standard ... buffer in stack if channel name is large enough. ... That alone can overflow the buffer. ...
    (Bugtraq)