Subject: Re: FreSSH and bounds checking
To: None <current-users@netbsd.org>
From: None <xs@kittenz.org>
List: current-users
Date: 03/08/2002 18:21:56
on Fri, Mar 08, 2002 at 06:46:13AM -0800, Wolfgang Rupprecht wrote:
> 
> Gcc does have a patch for turning it into a run-time bounds checker.
> 
>         http://www.gnu.org/software/gcc/projects/bp/main.html
> 
> I don't know if one would necessarily want to run with the bounds
> checks on in a production system, but running it on the development
> systems might flush out a few bounds violation bugs.

I doubt it would have found this bug, not unless you have a very large
test suite or a random one that runs for a long time and gets very lucky.
It might have stopped exploitation if you used it correctly, it had no
bugs, and was working in a production environment. At which point you
get efficiency/speed issues. :)

It should be possible to analyse source code and find such bugs in
an automatic way.

gcc-ssp strikes me as a nice fallback in some situations, but
I don't think it would have helped one bit with this bug, for that
you would need a malloc implementation that mprotect()'d
each side of the allocated area, so the program would die if the heap
overflowed or was accessed, but this is very inefficient and not so
portable and might fail too. (I think it would add 8192 bytes to each
malloc on i386.)
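The guard-page allocator sketched in the last paragraph, as an added example that is not code from this message, from FreSSH or from any real malloc implementation. It places a buffer flush against an mprotect()'d page on each side (the two extra pages are the per-allocation overhead the message estimates), so that the first byte written past the end faults instead of silently corrupting the heap. The helper names (guarded_alloc, guarded_free, write_hits_guard) are invented for the example, and it assumes a POSIX system with mmap/mprotect and a 4096-byte page, i.e. two guard pages cost 8192 bytes as the message says. The SIGSEGV trap exists only so the result can be observed as a return value rather than a crash.

```c
/* Added example: a minimal guard-page allocator of the kind the message
 * describes (mprotect()'d page on each side of a buffer). Hypothetical
 * helper names; not FreSSH code or any real allocator. */
#define _GNU_SOURCE
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Reserve: [guard page][data pages][guard page]. Returns a pointer placed so
 * that buf + size lands exactly on the upper guard page. */
static void *guarded_alloc(size_t size, size_t *mapped_len)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t data = ((size + page - 1) / page) * page; /* round up to pages */
    size_t total = data + 2 * page;
    unsigned char *base = mmap(NULL, total, PROT_READ | PROT_WRITE,
                               MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (base == MAP_FAILED)
        return NULL;
    /* Lower and upper guard pages: any access to them faults. */
    if (mprotect(base, page, PROT_NONE) != 0 ||
        mprotect(base + page + data, page, PROT_NONE) != 0) {
        munmap(base, total);
        return NULL;
    }
    *mapped_len = total;
    return base + page + data - size;
}

static void guarded_free(void *p, size_t size, size_t mapped_len)
{
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t data = ((size + page - 1) / page) * page;
    unsigned char *base = (unsigned char *)p - (page + data - size);
    munmap(base, mapped_len);
}

/* Fault trap: catch SIGSEGV/SIGBUS and jump back so the caller can observe it. */
static sigjmp_buf fault_env;
static void on_fault(int sig) { (void)sig; siglongjmp(fault_env, 1); }

/* Write `len` bytes into a guarded buffer of `size` bytes.
 * Returns 1 if the write faulted (it reached the guard page), 0 if it did not,
 * -1 if the allocation failed. */
int write_hits_guard(size_t size, size_t len)
{
    size_t mapped;
    unsigned char *buf = guarded_alloc(size, &mapped);
    if (!buf) return -1;
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sa.sa_flags = SA_NODEFER;
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus);
    int faulted;
    if (sigsetjmp(fault_env, 1) == 0) {
        volatile unsigned char *v = buf;
        for (size_t i = 0; i < len; i++) v[i] = 'A'; /* overruns when len > size */
        faulted = 0;
    } else {
        faulted = 1;
    }
    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    guarded_free(buf, size, mapped);
    return faulted;
}

/* Per-allocation overhead: two guard pages (8192 bytes with 4096-byte pages). */
size_t guard_overhead_bytes(void) { return 2 * (size_t)sysconf(_SC_PAGESIZE); }

int main(void)
{
    printf("in-bounds write faults:   %d\n", write_hits_guard(100, 100));
    printf("one-byte overrun faults:  %d\n", write_hits_guard(100, 101));
    printf("guard overhead per alloc: %zu bytes\n", guard_overhead_bytes());
    return 0;
}
```

The point the message makes about cost is visible here: every allocation, however small, consumes at least three pages of address space and two extra page-table entries, which is why this is a debugging aid rather than a production malloc. Note also that only an overrun that reaches the guard page is caught; a write that stays within the rounding slack inside the data pages is not, which is why the buffer is placed at the top of the data region rather than the bottom.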