Home page logo

bugtraq logo Bugtraq mailing list archives

Re: In response to alleged vulnerabilities in Microsoft Visual C++ security checks feature
From: Crispin Cowan <crispin () wirex com>
Date: Thu, 14 Feb 2002 18:33:51 -0800

Brandon Bray wrote:

[2] Cigital alleges that the /GS security check feature was a port of
StackGuard. This happens to be untrue, as both technologies were
invented independently.

I challenge that. The StackGuard paper was written in summer 1997, and published in early 1998. The Microsoft /GS paper appeared in mid-2001, and bears a STRIKING resemblance to the StackGuard paper. It is theoretically possible that /GS was an independent invention, but only by being astonishingly ignorant of the literature.

[1] "Writing Secure Code" is the prescriptive guide to Microsoft
developers for, oddly enough, writing secure code.

Funnily enough, this book (published in November 2001) actually refers to the stack ornaments that provide for overflow detection as "canaries," a term coined in the StackGuard 1998 paper. See the book's index and search for "canary" http://www.microsoft.com/mspress/books/index/5612.asp#Index

If it was independent invention, there are a lot of surprising coincidences.


Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution:       http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html

       The Olympic Games: A Century of Corruption and Graft
             The FIS: Crushing the soul of snowboarding

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]