[rescue] A perverse thought (SGI security division)

Dave McGuire mcguire at neurotica.com
Fri Mar 12 12:32:15 CST 2004


On Mar 12, 2004, at 12:05 PM, Clayton Wheeler wrote:
> Recent versions of OpenBSD actually have pretty nice security features 
> at the kernel and C runtime level. It makes sure that writable pages 
> are not executable, and vice versa, to prevent buffer overflows from 
> inserting code successfully; Solaris and some other OSs do this to 
> some extent. However, OpenBSD also puts guard words (or something) 
> around stack frames, so programs will be terminated if they clobber 
> the stack. And I think the most recent version loads shared libraries 
> in random order and at random offsets, so hostile inserted code can't 
> make assumptions about where (for example) libc is found.

   Holy cow, I'm impressed by this.  I need to read up on this a bit 
more.  It seems that, nowadays, OpenBSD has come a bit further than 
copying the NetBSD source tree, adding a new SCSI driver, and changing 
all the copyright notices.

   Since at least release 2.7 or maybe even 2.6, Solaris has had 
facilities to prevent the execution of code from the stack, and to log 
any attempts to do so.  It does this by marking the memory pages used 
for the stack as non-executable and catching the traps.  To enable 
this, add the following lines to /etc/system and reboot:

set noexec_user_stack = 1
set noexec_user_stack_log = 1

   Note that, as far as I'm aware, this doesn't work in sun4c machines 
due to missing hardware support...but running Solaris on sun4c machines 
is asking for trouble (or at least extended periods of boredom while 
you wait for things to finish) anyway.

            -Dave

--
Dave McGuire          "PC users only know two 'solutions'...
Cape Coral, FL          reboot and upgrade."    -Jonathan Patschke
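
Added example, not part of the original message and not Solaris tooling: a shell check that reports whether an /etc/system-style file sets the two tunables named above. The function names are hypothetical, the sample input is constructed, and the script assumes that when a symbol is set more than once the last uncommented line is the one in effect.

```shell
#!/bin/sh
# Added example: report whether an /etc/system-style file sets
# noexec_user_stack and noexec_user_stack_log. Function names are hypothetical.

# Print the value from the last uncommented "set NAME = VALUE" line, or "unset".
# Assumption: when a symbol is set more than once, the last line is in effect.
etc_system_value() {    # usage: etc_system_value FILE NAME
    awk -v name="$2" '
        /^[ \t]*[*#]/ { next }                 # skip comment lines
        /^[ \t]*set[ \t]/ {
            line = $0
            sub(/^[ \t]*set[ \t]+/, "", line)  # drop the "set" keyword
            eq = index(line, "=")
            if (eq == 0) next                  # not an assignment
            sym = substr(line, 1, eq - 1)
            val = substr(line, eq + 1)
            gsub(/[ \t]/, "", sym)             # tolerate "a=1" and "a = 1"
            gsub(/[ \t]/, "", val)
            if (sym == name) found = val
        }
        END { print (found == "" ? "unset" : found) }
    ' "$1"
}

# Return 0 only if both tunables are set to 1; print one status line for each.
check_noexec_stack() {  # usage: check_noexec_stack FILE
    rc=0
    for name in noexec_user_stack noexec_user_stack_log; do
        val=$(etc_system_value "$1" "$name")
        case "$val" in
            1|0x1) echo "OK    $name = $val" ;;
            *)     echo "FAIL  $name = $val (expected 1)"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample input, not taken from a real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
* set noexec_user_stack = 0
set noexec_user_stack=1
set noexec_user_stack_log = 1
EOF
check_noexec_stack "$sample" || echo "non-executable stack not fully enabled"
rm -f "$sample"
```

The check reads only the file, so it shows what will apply after the next reboot, not what the running kernel currently enforces.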


