List:       bugtraq
Subject:    Re: Smashing the stack
From:       Terrell Thacker <tthacker () mtc ! iitri ! com>
Date:       1997-01-22 14:12:42

>    Here you must know that x86 uses two different types of protection -
> selector based, and page based. Selector based protection does not allow
> more than _one_ selector to point to any area of memory and this one
> selector defines protection type - either OS level or application level
> and along with this its usage type - code or data. This is adding to the
> overhead of OS when loading and running application, as to write the code
> to memory areas where it will run, OS needs to _change_ the type of
> selector, copy the code, then change it back to code type, only after
> that can application run there.

When running in protected mode, every memory reference is subject to
protection checks starting with segments.  Whether paging is enabled or not,
the segment registers must be loaded with a valid selector when in protected
mode.  The selector may exist in either the global or local descriptor table
and may point to a memory area that is defined as a segment range in bytes or
pages.  The processor does not restrict the definitions of the selectors
that exist in the global or local descriptor tables.  You can create
selectors that access the same or overlapping areas of memory that are
of different types. This was achievable under MS Windows 3.x using the
function PrestoChangoSelector(from, to) to create a duplicate selector
that had the opposite segment type (code->data or data->code).  This way
you could modify a code segment using the aliased data segment or execute
code out of your data segment.  An OS would perform something similar
when loading and executing code.

The segment types provided by the Intel 286/386/486/... line are just
part of the overall hardware protection provided.  There are 4 privilege
levels for selector segment protection and user/supervisor and
write-protect bits for page protection.  My main question is if all
of these protection modes are available, why are they not being used
effectively in the OSs that exist for the x86 line?  If so, what are
those OSs?  Wouldn't it be nice if you could write off stack smashing
on certain x86 platforms because the OS/processor combination wouldn't
allow it to occur?

*-----------------------------------------------------------------------*
      []  [] ###### #####   []      Maryland Technology Center
      ##  ##   ##   ##  ##  ##      IIT Research Institute
      ##  ##   ##   #####   ##
      ##  ##   ##   ##  ##  ##      Terrell Thacker
      ##  ##   ##   ##  ##  ##      tthacker@mtc.iitri.com
*-----------------------------------------------------------------------*
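An added worked example, not code from the post above or from any OS: it packs and unpacks a 32-bit x86 segment descriptor in the GDT/LDT layout (limit 15:0, base 23:0, access byte, limit 19:16, G and D/B flags, base 31:24), builds the code/data alias pair that a PrestoChangoSelector-style call produces, and models the two checks the post mentions, the ring test max(CPL, RPL) <= DPL for a data-segment load and the P/RW/US bits of a 4 KiB page-table entry with CR0.WP. Field positions are the architectural ones; the helper names (seg_pack, seg_overlap, page_allows, and so on) are this example's own.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example. Models x86 32-bit segment descriptors and page-table bits;
 * helper names are ours, bit layouts are the architectural ones. */

struct seg {
    uint32_t base;     /* 32-bit linear base                            */
    uint32_t limit;    /* 20-bit limit field (bytes, or 4 KiB units)    */
    bool     code;     /* type bit 3: 1 = code segment, 0 = data        */
    bool     rw;       /* type bit 1: readable (code) / writable (data) */
    unsigned dpl;      /* descriptor privilege level 0..3               */
    bool     present;  /* P bit                                         */
    bool     gran;     /* G bit: limit counted in 4 KiB units           */
    bool     db;       /* D/B bit: 32-bit default operand size          */
};

/* Pack the fields into the 8-byte descriptor exactly as the CPU reads it. */
uint64_t seg_pack(const struct seg *s)
{
    uint8_t type   = (s->code ? 0x8 : 0x0) | (s->rw ? 0x2 : 0x0);
    uint8_t access = type | 0x10 /* S=1: code/data, not a system segment */
                   | ((s->dpl & 3) << 5) | (s->present ? 0x80 : 0);
    uint8_t flags  = (s->db ? 0x4 : 0) | (s->gran ? 0x8 : 0);
    uint64_t d = 0;
    d |= (uint64_t)(s->limit & 0xFFFF);                 /* limit 15:0  */
    d |= (uint64_t)(s->base & 0xFFFFFF) << 16;          /* base 23:0   */
    d |= (uint64_t)access << 40;                        /* access byte */
    d |= (uint64_t)((s->limit >> 16) & 0xF) << 48;      /* limit 19:16 */
    d |= (uint64_t)flags << 52;                         /* G, D/B      */
    d |= (uint64_t)((s->base >> 24) & 0xFF) << 56;      /* base 31:24  */
    return d;
}

/* Inverse of seg_pack. */
struct seg seg_unpack(uint64_t d)
{
    uint8_t access = (uint8_t)(d >> 40);
    uint8_t flags  = (uint8_t)((d >> 52) & 0xF);
    struct seg s;
    s.limit   = (uint32_t)(d & 0xFFFF) | (uint32_t)((d >> 48) & 0xF) << 16;
    s.base    = (uint32_t)((d >> 16) & 0xFFFFFF) | (uint32_t)((d >> 56) & 0xFF) << 24;
    s.code    = (access & 0x8) != 0;
    s.rw      = (access & 0x2) != 0;
    s.dpl     = (access >> 5) & 3;
    s.present = (access & 0x80) != 0;
    s.db      = (flags & 0x4) != 0;
    s.gran    = (flags & 0x8) != 0;
    return s;
}

/* Present, readable/writable, 32-bit descriptor for the given range. */
uint64_t make_descriptor(uint32_t base, uint32_t limit, bool code,
                         unsigned dpl, bool gran)
{
    struct seg s = { base, limit, code, true, dpl, true, gran, true };
    return seg_pack(&s);
}

/* The usual "flat" 4 GiB segment: base 0, limit 0xFFFFF pages. */
uint64_t flat_descriptor(bool code, unsigned dpl)
{
    return make_descriptor(0, 0xFFFFF, code, dpl, true);
}

/* Address of the last byte a descriptor covers. */
static uint64_t seg_end(const struct seg *s)
{
    uint64_t span = s->gran ? ((uint64_t)s->limit + 1) << 12
                            : (uint64_t)s->limit + 1;
    return (uint64_t)s->base + span - 1;
}

/* True when two descriptors cover overlapping bytes (an alias). The CPU
 * performs no such check; only the OS's descriptor-table policy can. */
bool seg_overlap(uint64_t x, uint64_t y)
{
    struct seg a = seg_unpack(x), b = seg_unpack(y);
    return a.base <= seg_end(&b) && b.base <= seg_end(&a);
}

/* Data-segment load: effective privilege max(CPL, RPL) must be numerically
 * <= DPL. This is how the four rings gate data access. */
bool seg_data_access_ok(unsigned cpl, unsigned rpl, unsigned dpl)
{
    unsigned epl = cpl > rpl ? cpl : rpl;
    return epl <= dpl;
}

/* 32-bit PTE bits: 0 = P, 1 = R/W, 2 = U/S. Supervisor writes ignore R/W
 * unless CR0.WP is set (486 and later). */
bool page_allows(uint32_t pte, bool write, bool user, bool cr0_wp)
{
    if (!(pte & 0x1)) return false;          /* not present          */
    if (user && !(pte & 0x4)) return false;  /* supervisor-only page */
    if (write && !(pte & 0x2))               /* read-only page       */
        return !(user || cr0_wp);
    return true;
}

int main(void)
{
    /* Ring-3 code segment and a writable data alias over the same bytes. */
    uint64_t code = flat_descriptor(true, 3), data = flat_descriptor(false, 3);
    printf("code %016llx data %016llx overlap=%d\n",
           (unsigned long long)code, (unsigned long long)data,
           seg_overlap(code, data));
    printf("ring-3 write to user read-only page, WP=1: %d\n",
           page_allows(0x5, true, true, true));
    return 0;
}
```

The two flat descriptors come out as the familiar 0x00CFFA000000FFFF (code) and 0x00CFF2000000FFFF (data), differing only in the type nibble; seg_overlap reports that they cover the same 4 GiB, which is exactly the aliasing the post describes. The page check shows the other half of the picture: with every segment flat, the only thing separating writable from executable memory is whatever the OS puts in the page tables, and a 386-era PTE has no bit that forbids execution at all.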
