Contributed by jose on from the defense-on-many-fronts dept.
Recall that every stack protection mechanism has been defeated in some form or another, but OpenBSD's multifaceted stance is sure to help protect things a bit further. Theo's right, the wider community's silence is interesting.

List: openbsd-misc
Subject: our recent security stuff
From: Theo de Raadt
Link: http://marc.theaimsgroup.com/?l=openbsd-misc&m=104425125001567&w=2
Date: 2003-02-03 5:45:36

The most amazing thing about this new buffer overflow stuff is that it appears no one in any other project has commented on it in a public mailing list anywhere. Eerie silence.

I don't know about how you guys view that, but to me it is pretty depressing that none of these other projects (or their users) see the impact and import of these changes; that indicates a large lack of vision.

The interesting side of ProPolice is that it will, once we ship 3.3, be on everyone's OpenBSD machines. People will run buggy software. ProPolice catches bugs at run-time. When a buffer overflow is accidentally (or purposefully) hit, a syslog will be delivered naming the function where the problem happened, before the program aborts.

Since our noses are stuck in the source, and our run-time testing methodology is weak (as weak as the entire industry) many bugs will be found; safely.

Many bugs will be found, because there's only a few of us running this stuff now, in the way we run it.

But when these runtime errors are caught, it will be easy to find the actual bugs. And easy for an attacker to attack the same software on another system.

I don't know how large this impact will be. However, it is possible it might be big.

I used to ask Crispin Cowan if StackGuard had ever found any regular bugs; and he never said yes... well, since integrating ProPolice we've already found a whole bunch of bugs as a result of it.

So, this might be very interesting...
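The run-time check the message describes, modelled by hand as an added example (this is not ProPolice or OpenBSD code): a guard word sits above a local buffer, is verified before the function returns, and a failure is reported with the function's name. The guard constant, `parse_record`, `guard_fail`, the report text and the inputs are all constructed for illustration; the page says the real mechanism logs through syslog and aborts, where this model only records the message.

```c
#include <stdio.h>
#include <string.h>

#define GUARD_VALUE 0xff0a0d00UL   /* constructed constant for the demo */

/* Modelled stack frame: the guard sits directly above the local buffer,
 * so a linear overflow of buf must cross it before reaching anything else. */
struct frame {
    char          buf[16];
    unsigned long guard;
};

static char last_report[96];       /* stand-in for the syslog destination */

/* Stand-in failure handler: records the offending function's name.
 * A real handler would log through syslog and then abort the process. */
static void guard_fail(const char *func)
{
    snprintf(last_report, sizeof last_report,
             "stack overflow in function %s", func);
}

/* Hypothetical buggy parser: copies len bytes into a 16-byte buffer
 * without checking len. Returns 0 if the guard survived, -1 if not. */
int parse_record(const unsigned char *input, size_t len)
{
    struct frame f;
    f.guard = GUARD_VALUE;                 /* prologue: place the guard */
    if (len > sizeof f)
        len = sizeof f;                    /* keep the model inside struct frame */
    memcpy(&f, input, len);                /* the bug: no check against buf size */
    if (f.guard != GUARD_VALUE) {          /* epilogue: verify before returning */
        guard_fail(__func__);
        return -1;
    }
    return 0;
}

/* Constructed inputs: one fits the buffer, one is merely too long. */
static const unsigned char short_input[] = "hostname";
static const unsigned char long_input[]  = "a-hostname-longer-than-16";

int main(void)
{
    printf("short: %d\n", parse_record(short_input, sizeof short_input));
    printf("long:  %d\n", parse_record(long_input, sizeof long_input - 1));
    printf("log:   %s\n", last_report);
    return 0;
}
```

The over-long input here is ordinary data, not an attack, which is the point made in the message: the latent bug surfaces in normal use, with the function name attached.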