Re: Does this look like SSP to you? (Vista)

From: Damien Miller
Date: Wednesday, August 13, 2008 - 11:30 pm

On Thu, 14 Aug 2008, Sunnz wrote:


The actual paper is here and it is very good - well
worth reading for anyone interested in this stuff:
http://taossa.com/archive/bh08sotirovdowd.pdf

The described stack protection is quite Propolice-like and I think that
a similar attack would work on OpenBSD: corrupt a value in the stack,
use it to gain control in the executing function and its antecedents but
never return as that would activate the stack canary checks.

For this to work, an attacker would need to find 1) a function with a
stack-based overflow that 2) has a stack-allocated variable that is
amenable to their purpose. I'm sure these exist, but I have no idea how
common they are. Note that the attacks in the paper make use of the
stack layout used by C++ method calls which makes things quite a bit for
the attacker.

The thing that struck me most from the paper was how close Microsoft has
come to implementing a good set of protections and how they have managed
to screw them up by failing to turn them on everywhere. What use is DEP
or DLL load address randomisation if it isn't turned on everywhere? What
is the point of those (really good) heap consistency checks if you don't
abort() when they fail?

-d
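The last point of the message, that a heap consistency check is only worth having if failure is fatal, is illustrated below with a toy allocator wrapper. This is an added example, not Damien's code and not OpenBSD's or Windows' malloc: the header layout, the `CHUNK_MAGIC` cookie, and the function names are all constructed for the demonstration. The check validates a per-chunk header on free and, on failure, aborts rather than continuing with a heap it can no longer trust.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed header placed in front of every user allocation.
 * magic and checksum are validated on free; pad keeps the user
 * pointer 16-byte aligned. */
#define CHUNK_MAGIC 0x5AC0FFEEu

struct chunk_hdr {
    uint32_t magic;
    uint32_t size;
    uint32_t checksum;  /* derived from magic and size, catches partial overwrites */
    uint32_t pad;
};

static uint32_t hdr_checksum(const struct chunk_hdr *h) {
    return h->magic ^ h->size ^ 0xA5A5A5A5u;
}

static struct chunk_hdr *hdr_of(const void *p) {
    return (struct chunk_hdr *)((char *)p - sizeof(struct chunk_hdr));
}

/* Allocate size bytes of user memory preceded by an initialised header. */
void *checked_malloc(size_t size) {
    if (size > UINT32_MAX) return NULL;
    struct chunk_hdr *h = malloc(sizeof *h + size);
    if (!h) return NULL;
    h->magic = CHUNK_MAGIC;
    h->size = (uint32_t)size;
    h->checksum = hdr_checksum(h);
    h->pad = 0;
    return (char *)h + sizeof *h;
}

/* Consistency check: 1 if the header is intact, 0 if it has been corrupted. */
int chunk_is_consistent(const void *p) {
    const struct chunk_hdr *h = hdr_of(p);
    return h->magic == CHUNK_MAGIC && h->checksum == hdr_checksum(h);
}

/* Fail closed: a corrupted header means the heap state is untrustworthy,
 * so the only safe continuation is none at all. */
void checked_free(void *p) {
    if (!p) return;
    if (!chunk_is_consistent(p)) {
        fprintf(stderr, "heap corruption detected, aborting\n");
        abort();
    }
    free(hdr_of(p));
}

/* Happy path: allocate, verify, release. Returns 1 on success. */
int demo_intact_chunk(void) {
    char *buf = checked_malloc(32);
    if (!buf) return 0;
    int ok = chunk_is_consistent(buf);
    checked_free(buf);
    return ok;
}

/* Constructed corruption: zero the magic field as a write past the end of a
 * neighbouring chunk would, and confirm the check notices. Returns 1 if the
 * chunk was consistent before and inconsistent after. checked_free() is
 * deliberately not called here because it would abort the process. */
int demo_corruption_detected(void) {
    char *buf = checked_malloc(16);
    if (!buf) return 0;
    int before = chunk_is_consistent(buf);
    memset(hdr_of(buf), 0, sizeof(uint32_t));
    int after = chunk_is_consistent(buf);
    free(hdr_of(buf));  /* release the raw block; our header is not libc's */
    return before == 1 && after == 0;
}

int main(void) {
    printf("intact chunk passes check: %d\n", demo_intact_chunk());
    printf("corrupted chunk is detected: %d\n", demo_corruption_detected());
    return 0;
}
```

The abort() is the whole point: a check that only logs leaves the attacker's corrupted state in place for the next allocation to act on, which is exactly the gap the message describes.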