mailing list archives
Re: In response to alleged vulnerabilities in Microsoft Visual C++ security checks feature
From: Crispin Cowan <crispin () wirex com>
Date: Thu, 14 Feb 2002 18:33:51 -0800
Brandon Bray wrote:
I challenge that. The StackGuard paper was written in summer 1997, and
published in early 1998. The Microsoft /GS paper appeared in mid-2001,
and bears a STRIKING resemblance to the StackGuard paper. It is
theoretically possible that /GS was an independent invention, but only
by being astonishingly ignorant of the literature.
 Cigital alleges that the /GS security check feature was a port of
StackGuard. This happens to be untrue, as both technologies were
Funnily enough, this book (published in November 2001) actually refers
to the stack ornaments that provide for overflow detection as
"canaries," a term coined in the StackGuard 1998 paper. See the book's
index and search for "canary"
 "Writing Secure Code" is the prescriptive guide to Microsoft
developers for, oddly enough, writing secure code.
If it was independent invention, there are a lot of surprising coincidences.
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
The Olympic Games: A Century of Corruption and Graft
The FIS: Crushing the soul of snowboarding