WinXP SP2 Non executable stack

Printable View

December 11th, 2003, 11:07 PM
ammo

WinXP SP2 Non executable stack

Ok, so I've been reading on the upcoming SP2 for XP (wonder if it'll apply to Server 2003 too... anyways) and I see that they're introducing stack protection features (non executable stack...) which I think is *really* interesting when you consider that other security oriented OSes, like OpenBSD, just commited to these security features in their latest versions...

Does anyone have more details on the exact implementations they're using for stack protection?

While MS's reputation for security is less than great, to me this seems like a important step forward... What do you all make of it?

Ammo
December 12th, 2003, 12:13 AM
phishphreek

Did you check out m$'s docs on it? I haven't read up on it as of yet... but will do so shortly.

Sorry I don't have any more to add at this time.

Check out the following doc.

http://msdn.microsoft.com/library/de...ityinxpsp2.asp
December 12th, 2003, 12:36 AM
Tiger Shark

If you read it there's a _lot_ of good in that.... Does it mean that M$ will become impregnable???? Not a chance.... But it's a serious attempt at restricting the "lame" from simply exploiting "any old box that is connected to the net".

I offer applause to M$..... Even if that applause may not be deafening..... ;)
December 12th, 2003, 01:40 PM
SirDice

If it's the same stuff thats build into W2K3 David Litchfield already defeated it. You can read his paper here.

I guess it'll thwart textbook buffer-overflows but anybody above a scriptkiddie in larval stage is probably able to circumvent it.
December 12th, 2003, 01:49 PM
ghostofanonion

I think your all just looking for someone to blame and give your life and choice of hobby meaning.

if the other guys only just started doing it then MS aint that far bhind. what they done wrong, they are improving.. dammit at least it works. I still can't find a fix to my linux problem
December 12th, 2003, 03:01 PM
phishphreek

Quote:

Originally posted here by ghostofanonion
I think your all just looking for someone to blame and give your life and choice of hobby meaning.

if the other guys only just started doing it then MS aint that far bhind. what they done wrong, they are improving.. dammit at least it works. I still can't find a fix to my linux problem

You sound like Jorge Lopez. You aren't by any chance him, are you?

http://www.divisiontwo.com/articles/mcse2.htm

(I "borrowed" that link from someone in GCC)
December 12th, 2003, 03:08 PM
SirDice

Talk about a biased article sjees. It's also riddled with FUD.
December 12th, 2003, 04:39 PM
ammo

Quote:

Originally posted here by SirDice
If it's the same stuff thats build into W2K3 David Litchfield already defeated it. You can read his paper here.

I guess it'll thwart textbook buffer-overflows but anybody above a scriptkiddie in larval stage is probably able to circumvent it.

Correct me if I'm wrong, but I don't think W2K3 has the non-exec stack; it only was compiled with the stack-gard-like feature (/gs switch) of MS's compiler. At least the author of that paper doesn't mention either...

Besides, you'll have to admit that writing an exploit for something compiled with this feature is much harder than just sending a bunch of NOOPs, jump and a piece of shell code...

And with a non-exec stack and heap this becomes even more difficult...

Still, how many other OSes use nx stacks and stack protecting compilers by default? Only one I know of is OpenBSD (maybe trustix and/or trusted solaris?)
Anyways, we all know no security is absolute...

Ammo
December 13th, 2003, 03:52 PM
ghostofanonion

Whoever that Joge Lope dude is I probably aint him, at least not to my knowledge. BTW I have got linux working.. i still think it sux... Maybe when I get it properly configured I might be happy, but i doubt it
December 15th, 2003, 05:00 PM
SirDice

Quote:

Originally posted here by ammo
Correct me if I'm wrong, but I don't think W2K3 has the non-exec stack; it only was compiled with the stack-gard-like feature (/gs switch) of MS's compiler. At least the author of that paper doesn't mention either...

I think you're right. AFAIK it uses a canary (MS calls it a cookie) based protection.

Quote:

Besides, you'll have to admit that writing an exploit for something compiled with this feature is much harder than just sending a bunch of NOOPs, jump and a piece of shell code...

Like I said, it'll prevent textbook buffer-overflows.

Quote:

And with a non-exec stack and heap this becomes even more difficult...

Not really. Read Non-Stack overflows on Windows also by David Litchfield.