[rescue] A perverse thought (SGI security division)
Francisco Javier Mesa-Martinez
lefa at ucsc.edu
Fri Mar 12 17:00:37 CST 2004
On Fri, 12 Mar 2004, Nathan Raymond wrote:
> I imagine SPARC (and perhaps most RISC architectures) + OpenBSD must be a
> fairly excellent combination, considering how SPARC alone is more
> difficult to exploit than, say, x86:
>
> http://ouah.kernsh.org/UNF-sparc-overflow.html
>
> "6 - Conclusion
> We need a bit more luck to be able to exploit Sparc buffer overflows than
> their brothers/sisters on x86. In general it is not enough to be able to
> overwrite just a few bytes of the buffer. Additionaly we saw that the way
> the stack is handled has a great influence on the exploitability issue of
> its buffer overrun vulnerabilities. This class of vulnerablities can not
> always be exploited on Sparc as there must exist at least one level of
> subroutine calls nesting, so that two concurrent ret/restore pairs can be
> executed by a vulnerable program after its stack got overrun."
Well, the article jist is correct but some of the details are not, SPARC
may need a few more than levels of procedure nesting before running out of
register windows to store state information for the thread and having to
generate the exception to tell the OS to put the contents on the stack.
Plain i386 has very few registers so it has to really use the stack
continuously, plus the stack in the 386 grows from high to low, hence
being prone to underruns exposing some of the return addresses. I
believe the stack in the SPARC grows "high" but still there is
vulnerability because the stack is limited so overrun can happen there
too. It just takes a little more of code density to generate some of that
behavior on a SPARC. Also current x86 microarchitectures have a large set
of hidden physical registers (not architectural) which the control logic
can remap on the fly to limit the amount of stack related excemptions.
Plus I think they already integrated good stack checking policies on the
latest GCC.
So the answer is that they are roughly equally vulnerable to malicious
code, the SPARC is a tad more consistant and elegant in the way it offers
a cenrtain degree of protection as an architectural side effect.
I believe that the openBSD people went a step further and made the stack
non executable, openBSD is still rather annoying in some things but maybe
is just because I have had to read posts from Theo taling out of his arse
sometimes on architectural concepts. But I sort of understand what they
are aiming for and I must respect that (then again I am also old school
netBSD and freeBSD so I stick to those BSDs whenever possible).
More information about the rescue
mailing list