Re: StackGuard: Automatic Protection From Stack-smashing Attacks

Theo de Raadt (deraadt@CVS.OPENBSD.ORG)
Fri, 19 Dec 1997 15:01:35 -0700

> int save_uid;
> char buf[10];
> save_uid = getuid();
> setuid(0);
> fp = fopen("input", "r");
> fscanf(fp, "%s", buf);
> setuid(save_uid);

For this particular example, in some levels of optimization (gcc -O2,
I believe, or via other future compiler hacks) your generated code
could place the objects on the stack in this order: return address,
buf[], save_uid. Coupled with the other approaches, that would solve
this particular case.

(But I don't believe in solving these special cases one by one).

> My personal feelings on the recent proposals for fixing
> "the overflow problem" is that I don't like them. They all
> seem hacky to me, and all claim to be a silver bullet to finally
> put an end to the problem. I much rather see the original problems
> fixed, a solution that is much more aesthetically pleasing to
> me. On the other hand the proposals do reduce the number of
> attacks, and buy time until attackers get more sophisticated
> in their exploits.

I don't even hope to see a magic solution coming down the line. I'll
just continue fixing the basic bugs. (But they are getting harder to
find; perhaps I should start using Purify or Insight..)