Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: machine independent protection from stack-smashing attack
From: Greg Hoglund <hoglund () IEWAY COM>
Date: Mon, 11 Sep 2000 14:27:22 -0700

Cheers,

--> snip -->

15 years of software reverse engineering experience allow me to easily
distinguish between a mistake in the code and a backdoor inserted on
purpose.

<--- <---

Clearly you do not understand the issue.  Since this is a very complex
topic, it deserves to be explained properly.  First and foremost, there is
no 'backdoor' - the reason that you cannot make a stack non-executable under
'wintel' has 100% to do with Intel, not Microsoft.  Secondly, the reason
Microsoft has the ability to virtual protect READ_ONLY as well as
EXECUTE_READ is because, naturally, Windows is an operating system that has
been ported to many hardware architectures - some of which DO support an
execute bit.

As I understand it, this is how the memory model works for x86 Protected
Mode:

First of all, there ___IS NO EXECUTE FLAG___ under the protected mode
mechanism for the x86 series of processors.  There is a single bit flag in
the page-table called R/W - and, specifically, it determines whether you can
write to the page.  You can ALWAYS read from the page, and therefore,
execute from the page.  End of story.

For added clarity, remember that there is also a user/supervisory bit - and
that is how operating systems such as NT protect 'kernel mode' pages from
being altered by 'user mode' programs.  Just wanted to point out that there
is NO backdoor, NO hidden agenda - this is just HOW the hardware works and
has 0% to do with Windows or Microsoft.

-Greg Hoglund
http://www.clicktosecure.com


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]