• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: Non-executable stack
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Non-executable stack

  • Subject: Re: Non-executable stack
  • From: Ragnar Sundblad <email@hidden>
  • Date: Wed, 02 Apr 2003 16:57:03 +0200
--On den 31 mars 2003 22:54 -0500 Jim Magee <email@hidden> wrote:

We can make suggestions for the next architecture.

Yes, this is what I meant. Apple is a big buyer and user of
PPCs, and what the OS designers think of the chip should
of course be fed back to the chip designers. I hope this
already is the case, but the page-exec thing maybe is an
issue that hasn't been brought up but should be.

But we'll never have any luck changing the one that's
sitting on your desk.

I fully understand that you won't come over here and carve
in the silicon in my box. :-)

But you could change the OS to it for an, in my eyes, pretty
small penalty for the programs. Others may think different.

Besides, all this is on the assumption that you have to execute code on
the stack. More common (from a PowerPC hack perspective) is to just
change link register values saved on the stack to trick the program into
running code that already exists (the blr instruction is used to both
call and return from a function). The only stuff that has to be on the
stack is the argument data and the stomped address. Jumping to the
well-known address for the system() library routine should do nicely. ;-)

As you said you have to have the argument(s) in place, but sure,
there are other ways to crack it without having to deal with
putting new code in the machine.

So, we should also have separate data and link stacks! :-)

Non-exec memory and capabilities and jails and *trusted* things
and all the others are of course not elegant or The Correct
Way to fix problems with software with security holes, still
I think their popularity are the sad consequence of a reality
that we just have to face.
You may be right that the cache syncing issues makes PPC less
susceptible to code insertion problems.

/ragge
_______________________________________________
darwin-kernel mailing list | email@hidden
Help/Unsubscribe/Archives: http://www.lists.apple.com/mailman/listinfo/darwin-kernel
Do not post admin requests to the list. They will be ignored.
  • Prev by Date: Re: Non-executable stack
  • Next by Date: Re: Non-executable stack
  • Previous by thread: Re: Non-executable stack
  • Next by thread: Re: Non-executable stack
  • Index(es):
    • Date
    • Thread