Re: Smashing the Stack: prevention?
From: deraadt () CVS OPENBSD ORG (Theo de Raadt)
Date: Mon, 28 Apr 1997 18:32:50 -0600
1. 'you gotta change the code'
This one is obvious; people must change their SUID programs'
source code to avoid nasty things like gets(), sprintf(), strcat() and
strcpy(), using things like fgets(), strncat() and strncpy() as substitutes.
(There are many more 'problem' functions; I'm only listing a few here.)
Any unbounded byte copying is susceptible to buffer overruns, and needs to
be examined and changed. The drawbacks are obvious: thousands of lines
of source need to be examined, changed, or rewritten.
However, it's important to remember that such auditing buys you not
just a secure program but a robust program as well. So it is
something you would want to do anyway, even if the programs were not
suid. The security issue just gives it urgency.
Security and robustness really go hand in hand -- they both involve
thinking about the ranges of allowable inputs and responses, and
limiting them so undesirable responses are not produced.
I am very happy to see someone else point this out! I was holding
back on mentioning this.
During the OpenBSD security code review that we've been doing for
almost a year now, we have fixed numerous other robustness problems.
Just as a small example, more than 10 ways to make ftpd dump core have
been resolved. Thousands of non-security bugs got fixed at the same

When you are looking at each source file one by one, it is an ideal
time to evaluate what problems and solutions other OS groups have

Michael -- thanks a lot.
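The substitutions the quoted point lists (gets -> fgets, sprintf -> snprintf, strcat -> strncat, strcpy -> strncpy) are not drop-in replacements; each bounded call has its own trap that an audit has to catch. The following is an added example, not code from this thread or from OpenBSD's tree: the function names and the sample inputs in run_checks() are constructed for illustration.

```c
/*
 * Added example, not code from the original thread or from OpenBSD.
 * Bounded replacements for the unbounded copies named in the message,
 * each with the check that makes the bounded call actually safe.
 * Function names and the inputs in run_checks() are constructed.
 */
#include <stdio.h>
#include <string.h>

/* strncpy() writes no terminating NUL when src has dstlen or more bytes,
 * so the terminator is written explicitly. Returns 1 if src was truncated. */
int copy_bounded(char *dst, size_t dstlen, const char *src)
{
    if (dstlen == 0)
        return 1;
    strncpy(dst, src, dstlen - 1);
    dst[dstlen - 1] = '\0';
    return strlen(src) >= dstlen;
}

/* strncat()'s size argument is the number of bytes to append, not the size
 * of dst, so it must be computed from the space left. Returns 1 if src did
 * not fit entirely. */
int append_bounded(char *dst, size_t dstlen, const char *src)
{
    size_t used = strlen(dst), room;

    if (dstlen == 0 || used >= dstlen - 1)
        return 1;
    room = dstlen - 1 - used;
    strncat(dst, src, room);
    return strlen(src) > room;
}

/* snprintf() bounds the write, but returns the length the full output would
 * have had; a value >= dstlen means the output was cut short. */
int format_bounded(char *dst, size_t dstlen, const char *user)
{
    int n = snprintf(dst, dstlen, "user=%s", user);
    return n < 0 || (size_t)n >= dstlen;
}

/* fgets() bounds the read, but an over-long line arrives as a fragment with
 * no '\n'. Treating that fragment as a whole line is the new bug, so the
 * remainder is drained and reported. Returns 0 for a complete line, 1 for a
 * truncated one, -1 at EOF. */
int read_line_bounded(char *dst, size_t dstlen, FILE *fp)
{
    size_t len;
    int c, truncated = 0;

    if (fgets(dst, (int)dstlen, fp) == NULL)
        return -1;
    len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[len - 1] = '\0';
        return 0;
    }
    /* No newline: last line of the file, or a line that overran dst. */
    while ((c = fgetc(fp)) != EOF && c != '\n')
        truncated = 1;
    return truncated;
}

/* Exercises the bounded calls against an 8-byte buffer with constructed
 * input. Returns the number of checks that failed (0 when all hold). */
int run_checks(void)
{
    char buf[8];
    int failures = 0;
    FILE *fp;

    if (copy_bounded(buf, sizeof buf, "1234567") != 0 || strcmp(buf, "1234567") != 0)
        failures++;
    if (copy_bounded(buf, sizeof buf, "12345678") != 1 || strcmp(buf, "1234567") != 0)
        failures++;
    copy_bounded(buf, sizeof buf, "ab");
    if (append_bounded(buf, sizeof buf, "cd") != 0 || strcmp(buf, "abcd") != 0)
        failures++;
    if (append_bounded(buf, sizeof buf, "efghij") != 1 || strcmp(buf, "abcdefg") != 0)
        failures++;
    if (append_bounded(buf, sizeof buf, "k") != 1 || strcmp(buf, "abcdefg") != 0)
        failures++;
    if (format_bounded(buf, sizeof buf, "bo") != 0 || strcmp(buf, "user=bo") != 0)
        failures++;
    if (format_bounded(buf, sizeof buf, "alice") != 1 || strcmp(buf, "user=al") != 0)
        failures++;

    /* Constructed file: short line, over-long line, a line that exactly
     * fills the buffer, and a final line without a newline. */
    fp = tmpfile();
    if (fp == NULL)
        return failures + 1;
    fputs("short\nthis line is far too long\n1234567\nlast", fp);
    rewind(fp);
    if (read_line_bounded(buf, sizeof buf, fp) != 0 || strcmp(buf, "short") != 0)
        failures++;
    if (read_line_bounded(buf, sizeof buf, fp) != 1 || strcmp(buf, "this li") != 0)
        failures++;
    if (read_line_bounded(buf, sizeof buf, fp) != 0 || strcmp(buf, "1234567") != 0)
        failures++;
    if (read_line_bounded(buf, sizeof buf, fp) != 0 || strcmp(buf, "last") != 0)
        failures++;
    if (read_line_bounded(buf, sizeof buf, fp) != -1)
        failures++;
    fclose(fp);
    return failures;
}
```

Each function reports truncation to its caller rather than hiding it; silently dropping the tail of an input is the usual way a "fixed" program ends up with a different bug, such as a path or username that no longer means what the caller thinks it does.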