[PLUG] First JPEG virus is out there

Galen Seitz galens at seitzassoc.com
Wed Sep 29 11:50:03 PDT 2004


Daggett, Steve <Steve.Daggett at fiserv.com> wrote:

>  
> Randal wrote:
> > 
> > >>>>> "Steve" == Daggett, Steve <Steve.Daggett at fiserv.com> writes:
> >> `smash the stack` [C programming] n. On many C implementations
> >> it is possible to corrupt the execution stack by writing past
> >> the end of an array declared auto in a routine. Code that does
> >> this is said to smash the stack, and can cause return from the
> >> routine to jump to a random address.
> <SNIPAGE>
> > 
> > And virtually impossible in OpenBSD now, thanks to W^X, 
> > randomized stack pointers, sentry elements on the stack, and 
> > randomized order of dynloading.
> > 
> > Yeay, OpenBSD.  Helping me sleep at night once again.
> 
>   There are also assorted non-executable stack patches for Linux and GCC
> that do the same kind of thing.  Including, Crispin's Immunix StackGuard.
> 
>   Newer Intel and AMD CPUs include a technology called Data Execution
> Prevention (DEP).  The DEP allows specific memory pages to be marked
> non-executable.  There is apparently work being done in the Linux kernel to
> support DEP.  M$ XP is also moving to DEP based stack protection.  
> 

Which begs the question, "What took them so long?"  PowerPC parts have
always had an execute bit in their MMU.

galen




More information about the PLUG mailing list