On Thu, 14 Aug 2008, Sunnz wrote:

> Hi,
>
> I am just curious, has Vista implemented something similar to
> Stack-Smashing Protector as in OpenBSD's GCC?
>
> http://arstechnica.com/news.ars/post/20080811-the-sky-isnt-falling-a-look-at-a-new-vista-security-bypass.html
>
> I don't really know that much, so I am just asking here... if those
> things can be bypassed, would the same type of attack be threatening to
> OpenBSD systems?
The actual paper is here and it is very good - well worth reading for
anyone interested in this stuff:

http://taossa.com/archive/bh08sotirovdowd.pdf

The described stack protection is quite Propolice-like and I think that
a similar attack would work on OpenBSD: corrupt a value in the stack,
use it to gain control in the executing function and its antecedents
but never return as that would activate the stack canary checks.

For this to work, an attacker would need to find 1) a function with a
stack-based overflow that 2) has a stack-allocated variable that is
amenable to their purpose. I'm sure these exist, but I have no idea how
common they are. Note that the attacks in the paper make use of the
stack layout used by C++ method calls which makes things quite a bit
for the attacker.

The thing that struck me most from the paper was how close Microsoft
has come to implementing a good set of protections and how they have
managed to screw them up by failing to turn them on everywhere. What
use is DEP or DLL load address randomisation if it isn't turned on
everywhere? What is the point of those (really good) heap consistency
checks if you don't abort() when they fail?

-d
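The point made above, that a canary is only checked when the function returns, so a local variable clobbered by the overflow can be acted on before the check ever runs, can be shown with a small model. The program below is an added example, not code from the thread or from any of the projects it mentions. It models one stack frame as a plain struct (an assumed layout: buffer, then a scalar local, then the canary; a real SSP-enabled compiler reorders locals so that arrays sit above scalars, which is part of why an "amenable" variable is not guaranteed to exist) and drives an unbounded copy beside a bounded one with constructed input. The canary value and all inputs are made up for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a stack frame.  The layout is an assumption for
 * illustration only: the overflowable array sits below a scalar local,
 * and the canary sits above both, checked only in the epilogue. */
struct frame {
    char     buf[16];     /* the array that the copy overflows */
    int      authorised;  /* a scalar local consulted before return */
    uint32_t canary;      /* compared against the reference value at return */
};

enum outcome {
    OUTCOME_SAFE,             /* nothing outside buf was written */
    OUTCOME_LOCAL_CLOBBERED,  /* local changed, canary intact: epilogue check stays silent */
    OUTCOME_CANARY_TRIPPED,   /* canary changed: epilogue check would abort() */
    OUTCOME_REJECTED          /* hardened path refused the oversized input */
};

/* Constructed reference canary; real ones are random per process. */
#define CANARY_VALUE 0x0a0d00ffu

/* Shared "function body": act on the local first (this is the window the
 * post describes), then run the epilogue canary check. */
static enum outcome finish(const struct frame *f)
{
    int local_corrupted = (f->authorised != 0);   /* used before the check */
    if (f->canary != CANARY_VALUE)
        return OUTCOME_CANARY_TRIPPED;            /* abort() in real SSP */
    return local_corrupted ? OUTCOME_LOCAL_CLOBBERED : OUTCOME_SAFE;
}

/* Vulnerable: strcpy()-style copy with no regard for the destination size.
 * The copy is clamped to the model's size so the demonstration stays
 * within defined behaviour; a real overflow would keep going. */
static enum outcome vulnerable_copy(const unsigned char *in, size_t len)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = CANARY_VALUE;

    size_t n = len > sizeof f ? sizeof f : len;
    memcpy((unsigned char *)&f, in, n);   /* starts at buf, spills upward */
    return finish(&f);
}

/* Hardened: bound the copy to the destination and reject what does not fit.
 * Neither the local nor the canary can be reached from here. */
static enum outcome hardened_copy(const unsigned char *in, size_t len)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = CANARY_VALUE;

    if (len > sizeof f.buf)
        return OUTCOME_REJECTED;
    memcpy(f.buf, in, len);
    return finish(&f);
}

/* Drive either copy routine with `len` bytes of constructed filler ('A'). */
static enum outcome probe(size_t len,
                          enum outcome (*copy)(const unsigned char *, size_t))
{
    unsigned char input[64];
    if (len > sizeof input)
        len = sizeof input;
    memset(input, 'A', sizeof input);
    return copy(input, len);
}

static const char *name(enum outcome o)
{
    switch (o) {
    case OUTCOME_SAFE:            return "safe";
    case OUTCOME_LOCAL_CLOBBERED: return "local clobbered, canary silent";
    case OUTCOME_CANARY_TRIPPED:  return "canary tripped";
    default:                      return "rejected";
    }
}

int main(void)
{
    printf("buf at %zu, authorised at %zu, canary at %zu\n",
           offsetof(struct frame, buf), offsetof(struct frame, authorised),
           offsetof(struct frame, canary));
    size_t lens[] = { 15, 20, 24 };
    for (size_t i = 0; i < 3; i++)
        printf("%2zu bytes: vulnerable=%-32s hardened=%s\n", lens[i],
               name(probe(lens[i], vulnerable_copy)),
               name(probe(lens[i], hardened_copy)));
    return 0;
}
```

The 20-byte case is the one the post is about: the copy has reached past the buffer and changed `authorised`, the function acts on that value, and the canary check at return has nothing to report. Only the 24-byte case trips the canary. The bounded copy removes the window entirely, which is the point of treating canaries as a last line rather than the fix.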