Re: [Fwd: [PATCH] [SECURITY] suid procs exec'd with bad 0,1,2 fds]

H. Peter Anvin (hpa@transmeta.com)
7 Aug 1998 10:05:16 GMT


Followup to: <35CA1803.95659883@clampton.com>
By author: Joseph Malicki <jmalicki@clampton.com>
In newsgroup: linux.dev.kernel
>
> Now, this leads to a way to have a truly secure system: an EXPAND-UP
> STACK. With an expand up stack, where the ESP increments rather than
> decrements on a push, you can not overwrite the return address with
> the address of your own function. This could probably be implementable
> as an ELF flag, or maybe as a separate "architecture" with its own set
> of compiled libraries (as the current system would not work, since you
> would be calling a library that uses an expand-down stack). The
> Intel architecture, at least, allows you to specify an expand-up
> stack via the descriptor table segment type flag by setting it up
> like a normal data segment.
>

Oh, no. That doesn't change the direction the stack pointer moves; it
just changes the way the descriptor fields are interpreted.

On Intel you really want to use PUSH, POP, CALL and RET, and they
always expect a "hanging" stack.

Most RISC machines do stack manipulation in software, though (using
ordinary adds and subtracts; the stack pointer being a standard GPR),
for which it would be pretty easy to do.

-hpa

-- 
    PGP: 2047/2A960705 BA 03 D3 2C 14 A8 A8 BD  1E DF FE 69 EE 35 BD 74
    See http://www.zytor.com/~hpa/ for web page and full PGP public key
        I am Bahá'í -- ask me about it or see http://www.bahai.org/
   "To love another person is to see the face of God." -- Les Misérables
