It's a known class of exploit...

IWETHEY v. 0.3.0 | TODO

1,095 registered users | 0 active users | 0 LpH | Statistics
Login | Create New User

Welcome to IWETHEY!

Post #32,361

by kmself

3/15/02 2:12:46 PM

It's a known class of exploit...

...touching a large number of programs and systems. Buffer overflows are a very common class of root causes for security exploits. Testing for, and avoiding, overflows is a (relatively) simple, prophilactic measure that can avoid many, many possible exploits.

[link|http://www.openbsd.org/|OpenBSD] uses modified C libraries to do just this. Proprietary products (IIRC, StackGuard is one) work similarly. I also believe that one of the ideas behind Java is to protect writeabe (and readable) memory. One of the classic explorations of comparative robustness of free software vs. proprietary software is [link|http://online.securityfocus.com/library/2087|Fuzz Revisited], uses the relatively simple test of throwing arbitrary junk input to a program and watching the results.

I suggest again looking at my "Risks" comment above.

zlib advisory - (ben_tilly) - (16) - March 11, 2002, 05:46:41 PM EST

Re: zlib advisory - a similar link. - (a6l6e6x) - March 11, 2002, 11:25:28 PM EST

Remedy? - (kmself) - (3) - March 12, 2002, 12:12:38 AM EST

Erg. - (static) - March 12, 2002, 12:27:49 AM EST

Well OpenBSD was never vulnerable. :-) - (ben_tilly) - (1) - March 12, 2002, 12:41:28 AM EST

OpenBSD as server - (kmself) - March 12, 2002, 01:51:32 PM EST

Re: zlib advisory - (pwhysall) - (1) - March 12, 2002, 02:29:24 AM EST

Re: zlib and up2date - (a6l6e6x) - March 12, 2002, 02:29:21 PM EST

Microsoft vulnerable too - uses zlib code - (admin) - (2) - March 14, 2002, 10:07:28 PM EST

Risk: adopting FS code without adopting FS practices - (kmself) - (1) - March 15, 2002, 01:45:18 AM EST

But note that MS doesn't update the build #'s - (tonytib) - March 15, 2002, 09:37:37 PM EST

I'm confused about the entire thing - (wharris2) - (5) - March 14, 2002, 11:08:50 PM EST

DoS is an attack - (ben_tilly) - (4) - March 14, 2002, 11:38:03 PM EST

Re: DoS is an attack - (wharris2) - (3) - March 15, 2002, 12:08:18 AM EST

Then I suggest... - (Yendor) - (1) - March 15, 2002, 09:56:32 AM EST

I've run into double-free problems before - (wharris2) - March 16, 2002, 10:05:44 AM EST

It's a known class of exploit... - (kmself) - March 15, 2002, 02:12:46 PM EST

iwethey.org

LRPD Who Must Be Obeyed.
68 ms