[rescue] A perverse thought (SGI security division)
mcguire at neurotica.com
Fri Mar 12 12:32:15 CST 2004
On Mar 12, 2004, at 12:05 PM, Clayton Wheeler wrote:
> Recent versions of OpenBSD actually have pretty nice security features
> at the kernel and C runtime level. It makes sure that writable pages
> are not executable, and vice versa, to prevent buffer overflows from
> inserting code successfully; Solaris and some other OSs do this to
> some extent. However, OpenBSD also puts guard words (or something)
> around stack frames, so programs will be terminated if they clobber
> the stack. And I think the most recent version loads shared libraries
> in random order and at random offsets, so hostile inserted code can't
> make assumptions about where (for example) libc is found.

Holy cow, I'm impressed by this. I need to read up on this a bit
more. It seems that, nowadays, OpenBSD has come a bit further than
copying the NetBSD source tree, adding a new SCSI driver, and changing
all the copyright notices.

Since at least release 2.7 or maybe even 2.6, Solaris has had
facilities to prevent the execution of code from the stack, and to log
any attempts to do so. It does this by marking the memory pages used
for the stack as non-executable and catching the traps. To enable
this, add the following lines to /etc/system and reboot:

    set noexec_user_stack = 1
    set noexec_user_stack_log = 1

Note that, as far as I'm aware, this doesn't work in sun4c machines
due to missing hardware support...but running Solaris on sun4c machines
is asking for trouble (or at least extended periods of boredom while
you wait for things to finish) anyway.

Dave McGuire          "PC users only know two 'solutions'...
Cape Coral, FL          reboot and upgrade."    -Jonathan Patschke
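
Added example, not part of the original message: a small audit that reads an /etc/system-style file and reports whether the two tunables named above are both set to 1. The function names and the sample file are constructed for illustration; the script assumes the last uncommented `set` line for a name is the one that counts, and it inspects only the file, not the running kernel, which picks up changes at reboot.

```shell
#!/bin/sh
# Added example: audit an /etc/system-style file for the two stack tunables.

# Print the last value assigned to tunable $2 in file $1 (empty if never set).
system_tunable() {
    awk -v name="$2" '
        /^[ \t]*\*/ { next }                 # "*" starts a comment line
        $1 == "set" {
            line = $0
            sub(/^[ \t]*set[ \t]+/, "", line)
            if (split(line, kv, "=") != 2) next
            gsub(/[ \t]/, "", kv[1]); gsub(/[ \t]/, "", kv[2])
            if (kv[1] == name) val = kv[2]   # assumption: later lines win
        }
        END { print val }
    ' "$1"
}

# Report each tunable; return 0 only if both are set to 1 in file $1.
audit_noexec_stack() {
    rc=0
    for t in noexec_user_stack noexec_user_stack_log; do
        v=$(system_tunable "$1" "$t")
        if [ "$v" = "1" ]; then
            echo "OK    $t = 1"
        else
            echo "FAIL  $t = ${v:-<unset>}"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample input, not from a real host: the logging line is
# commented out, so stack execution would be blocked but not logged.
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
* constructed sample /etc/system
set noexec_user_stack = 1
* set noexec_user_stack_log = 1
EOF

audit_noexec_stack "$sample" || echo "stack protection not fully configured"
```

On a real host, pass /etc/system as the argument to `audit_noexec_stack`.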