Re: OT: UK okays warrantless remote hacking of PCs
On Jan 8, 1:14 am, John Larkin
<jjlar...@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
On Thu, 08 Jan 2009 12:00:58 +1100, Sylvia Else

<syl...@xxxxxxxxxxxxxxxxxxx> wrote:
Joel Koltner wrote:

OK, you make a lot of good points, and in general there's something to be said
for using "safer" languages so long as using them doesn't hamper productivity

Actually, it probably improves productivity. An awful lot of time can be
spent tracking down faults caused by pointer misuse, array overflows and
use of freed memory. I remember one instance (not perpetrated by me)
where data in memory was being corrupted by an instruction that had
itself been corrupted by a misused pointer. You can imagine how long
that took to resolve.

What happened to i/d space separation? Even in the early 1970's you
could buy a minicomputer that had hardware-enforced page attributes;
it was *impossible* for code to modify code, or to overflow a stack
without a trap, or to execute data.

It is possible on the Intel architecture - OS/2 used that model. There
is a small hit on changing privilege ring. Unfortunately the abysmal
IBM marketing droids so completely cocked up selling OS/2 that MS
Windows won the day. 386, 486 and Pentium are quite capable of running
with hardware enforced page attributes (although there are gotchas).
That said, legacy h/w issues mean that even some Unix systems on Intel
CPUs are not immune to sophisticated exploits, e.g.

http://www.ssi.gouv.fr/fr/sciences/fichiers/lti/cansecwest2006-duflot.pdf

Even compilers for Intel crud should be able to position stuff so that
stacks don't overflow into code.

That isn't how it is done. The basic trick is that a fixed length
buffer on the stack is overflowed in such a way as to deliberately
overwrite the return address with a pointer to code you want executed
and the code itself. It isn't the compiler's fault that C allows and
even encourages sloppy programming practices in the name of
efficiency.

Certain MS data structures are prone to being utilised in this way
because they contain a "how long I am" field. You only need to find a
structure where, no matter what value is in the data, the system
allocates the length that these usually fixed length objects always
have, and you are in. The deadly ones are where the memory is allocated
fixed length but the data is copied using the value in the data header
(which is telling fibs) or until the next null byte. A variant of this
method has been used to break the MS JPEG codec.

Belatedly a no-execute flag has been added for data segments, since it
seems impossible to train the monkeys at Microsoft not to write
insecure code.

Regards,
Martin Brown
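The "memory allocated fixed length, data copied using the header's length" bug described in the post above, as an added example that is not part of the thread: a constructed one-byte-length record format is parsed first by the trusting pattern (the bug) and then by a checked parser that rejects a header that lies about its size. The wire format, struct and function names are assumptions for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed wire format: one byte declaring the payload length ("how long
   I am"), followed by the payload. The parser keeps the payload in a
   fixed-size buffer, which is exactly the mismatch the post describes. */
#define PAYLOAD_MAX 16

struct record {
    uint8_t len;                  /* length as declared by the sender */
    uint8_t payload[PAYLOAD_MAX]; /* fixed-length storage */
};

/* Vulnerable pattern: storage is fixed length, but the copy trusts the
   header. A header claiming more than PAYLOAD_MAX bytes makes memcpy write
   past the end of payload[]. Shown for contrast only. */
int parse_record_trusting(struct record *out, const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 1) return -1;
    out->len = msg[0];
    memcpy(out->payload, msg + 1, out->len); /* BUG: out->len is unchecked */
    return 0;
}

/* Hardened version: the declared length is checked against the buffer size
   and against the bytes actually received before anything is copied. */
int parse_record_checked(struct record *out, const uint8_t *msg, size_t msg_len)
{
    if (msg_len < 1) return -1;                    /* no header at all */
    uint8_t declared = msg[0];
    if (declared > PAYLOAD_MAX) return -2;         /* header exceeds storage */
    if ((size_t)declared > msg_len - 1) return -3; /* header exceeds message */
    out->len = declared;
    memcpy(out->payload, msg + 1, declared);
    return 0;
}

/* Constructed sample messages run through the checked parser. */
int demo_honest_header(void) {   /* returns 0: 4 declared, 4 present */
    static const uint8_t msg[] = {4, 'a', 'b', 'c', 'd'};
    struct record r;
    return parse_record_checked(&r, msg, sizeof msg);
}
int demo_lying_header(void) {    /* returns -2: 200 declared, buffer holds 16 */
    static const uint8_t msg[] = {200, 'x', 'y'};
    struct record r;
    return parse_record_checked(&r, msg, sizeof msg);
}
int demo_truncated_message(void) { /* returns -3: 8 declared, 2 present */
    static const uint8_t msg[] = {8, 'x', 'y'};
    struct record r;
    return parse_record_checked(&r, msg, sizeof msg);
}
```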