From: "Ronald F. Guilmette" <rfg@monkeys.com>
To: freebsd-hackers@freebsd.org, gnu-gcc@gnu.org
Subject: Defending against buffer overflows.
Date: Fri, 18 Feb 2000 14:21:00 -0000 [thread overview]
Message-ID: <12502.950912447@monkeys.com> (raw)
My attention has just been called to:
http://immunix.org/StackGuard/mechanism.html
Given all of the buffer overrun vulnerabilities that have been found in
various network daemons over time, this seems like a worthwhile sort of
technique to apply when compiling, in particular, network daemons and/or
servers.
I don't entirely agree with this fellow's approach however. I think that
the ``canary'' word should be located at the bottom end of the current
stack frame, i.e. in a place where no buffer overrun could possibly clobber
it.
Seems to me that this would be a nice and useful little enhancement for gcc.
I wouldn't mind having something like a -fbuffer-overrun-checks option for
gcc, and I would definitely use it when compiling network daemons.
Anybody else got an opinion?
WARNING: multiple messages have this Message-ID
From: "Ronald F. Guilmette" <rfg@monkeys.com>
To: freebsd-hackers@freebsd.org, gnu-gcc@gnu.org
Subject: Defending against buffer overflows.
Date: Sat, 01 Apr 2000 00:00:00 -0000 [thread overview]
Message-ID: <12502.950912447@monkeys.com> (raw)
Message-ID: <20000401000000.IeexFH-zBW14_Mo4BgvqZekZUYhhub2ypHdVWm_0U0w@z> (raw)
My attention has just been called to:
http://immunix.org/StackGuard/mechanism.html
Given all of the buffer overrun vulnerabilities that have been found in
various network daemons over time, this seems like a worthwhile sort of
technique to apply when compiling, in particular, network daemons and/or
servers.
I don't entirely agree with this fellow's approach however. I think that
the ``canary'' word should be located at the bottom end of the current
stack frame, i.e. in a place where no buffer overrun could possibly clobber
it.
Seems to me that this would be a nice and useful little enhancement for gcc.
I wouldn't mind having something like a -fbuffer-overrun-checks option for
gcc, and I would definitely use it when compiling network daemons.
Anybody else got an opinion?
next reply other threads:[~2000-02-18 14:21 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2000-02-18 14:21 Ronald F. Guilmette [this message]
2000-02-21 7:24 ` Bill C Riemers
2000-04-01 0:00 ` Bill C Riemers
2000-04-01 0:00 ` Ronald F. Guilmette
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=12502.950912447@monkeys.com \
--to=rfg@monkeys.com \
--cc=freebsd-hackers@freebsd.org \
--cc=gnu-gcc@gnu.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).