Re: Buffer Overflows: A Summary

Tommy Marcus McGuire (mcguire@CS.UTEXAS.EDU)
Fri, 02 May 1997 10:18:57 -0500

Bill Trost <trost@CLOUD.RAIN.COM> wrote:
>Aleph One writes:
> It was suggested that the kernel should check in the exec system call
> to determine if a shell was being executed.... This path of thinking does
> lead to an interesting defense that I believe would be of great use and
> should be implemented. Most daemons and utilities will not exec a program.
> Most will simply fork. In such cases a system call that disabled any
> further calls to exec would stop all exploits that attempted to use the
> exec system call....
>
>That's an interesting idea, but note that the attacker need not call "exec",
>that's just the easiest approach. Given access to "open", "write" and "chmod"
>or "umask" is probably equivalent, it just takes longer to write the exploit.
>And while I can see giving up a variety of system calls to enhance security,
>"open" and "write" are not among them. (-:

Oddly enough, we had a talk here in the CS department earlier this
week by Mootaz Elnozahy from Carnegie Mellon who suggested the idea of
writing a system call pattern associated with a security sensitive
program. The pattern would specify which calls would be used, with
what arguments, and in what order, etc. The kernel could check the
program's execution, and if the kernel detects a problem, it drops the
program into a secure mode where the attacker continues to get
responses as if the attack were succeeding, but can't actually do any
damage.

A neat idea, although I don't know how practical it would be.

Tommy McGuire
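The "disable any further exec" call that Aleph One proposes above, and Bill Trost's objection to it, can both be shown concretely on a modern Linux kernel with seccomp-bpf. The program below is an added example written for this page; it is not code from the thread or from the talk Tommy describes, and it assumes a Linux host (3.5 or later for seccomp filter mode), an x86-64, i386 or AArch64 build, a writable /tmp, and the existence of /bin/sh. A forked worker calls disable_exec() once; afterwards execve/execveat fail with EPERM for the rest of that process's life (the filter is inherited by children too), while open, write and chmod keep working, which is exactly the hole Bill points at. The ordered-pattern checking and the "secure mode" honeypot behaviour from the Elnozahy talk are not implemented here; seccomp can inspect a call's number and arguments, but not a sequence of calls.

```c
/* Added example, not from the original thread: a seccomp-bpf filter that
 * realises "a system call that disables any further calls to exec".
 * Assumptions: Linux, seccomp filter mode available, /tmp writable, /bin/sh
 * present.  execve/execveat are made to return EPERM rather than killing
 * the process so the effect can be observed; every other call is allowed. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#  define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#  define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_I386
#else
#  error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Install a filter denying execve and execveat for this process and any
 * process it forks from now on.  Returns 0 on success, -1 with errno set
 * if the kernel refused (for instance when seccomp filtering is disabled). */
int disable_exec(void)
{
    struct sock_filter filter[] = {
        /* Kill on a foreign ABI (e.g. 32-bit calls into a 64-bit kernel),
         * where the syscall numbers below would mean something else. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXAMPLE_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* Load the syscall number; the exec family jumps to the EPERM return. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execve, 2, 0),
#ifdef __NR_execveat
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_execveat, 1, 0),
#else
        BPF_STMT(BPF_JMP | BPF_JA, 0),          /* no execveat on this ABI */
#endif
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    /* Required before an unprivileged process may install a filter; it also
     * prevents a later setuid exec from escaping the restriction. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* What an overflow payload would do: exec a shell.  Returns the errno the
 * attempt failed with; a successful exec never returns at all. */
int try_exec(const char *path)
{
    char *const argv[] = { (char *)path, NULL };
    char *const envp[] = { NULL };
    execve(path, argv, envp);
    return errno;
}

/* Bill Trost's objection in working form: with exec gone, open, write and
 * chmod are untouched, so a payload can still drop an executable file.
 * Uses a constructed scratch file under /tmp that is removed again. */
int can_still_write(void)
{
    char name[] = "/tmp/noexec-demo-XXXXXX";
    const char payload[] = "#!/bin/sh\necho still here\n";
    int fd = mkstemp(name);
    if (fd < 0)
        return 0;
    ssize_t n = write(fd, payload, sizeof payload - 1);
    int chmod_ok = fchmod(fd, 0700) == 0;
    close(fd);
    unlink(name);
    return n == (ssize_t)(sizeof payload - 1) && chmod_ok;
}

int main(void)
{
    if (disable_exec() != 0) {
        perror("seccomp");
        return 1;
    }
    printf("open/write/chmod still work: %s\n", can_still_write() ? "yes" : "no");
    int err = try_exec("/bin/sh");
    printf("execve(\"/bin/sh\") failed: %s\n", strerror(err));
    return 0;
}
```

Build with `cc -Wall noexec.c -o noexec` and run it; the second line shows the exec refused with "Operation not permitted" while the first confirms the file was written and made executable. A real daemon would call disable_exec() in the child right after fork(), before it touches any network input. The EPERM return is for demonstration: in production the usual choice is SECCOMP_RET_KILL_PROCESS, which ends the process at the first exec attempt and gives the attacker no chance to fall back to the open/write/chmod route within it.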