Re: OpenVMS security?
From: Keith Cayemberg (keith.cayemberg_at_arcor.de)
Date: 07/22/04
- Next message: Richard Brodie: "Re: Telnet without timestamp"
- Previous message: Nigel Barker: "Re: Looking for a Video Card"
- In reply to: Undisclosed: "Re: OpenVMS security?"
- Next in thread: Bob Koehler: "Re: OpenVMS security?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Date: Thu, 22 Jul 2004 10:59:50 +0200
Undisclosed wrote:
<skipped>
>
> uh...
>
> http://www.phrack.org/phrack/60/p60-0x0a.txt
>
> ---
<skipped>
> ---
>
> http://www.phrack.org/phrack/60/p60-0x06.txt
>
<skipped>
> ---
>
> by "integer overflows", I also included *signed/unsigned vulnerabilities*
OK, now I understand what you meant by "integer overflows" in connection
with security issues. It's not the overflow of the integer which is the
connection to a security issue. It is the changing of a buffer size or
buffer index value. I consider this to be correctly described as a
"buffer overflow" class of exploit. That a mathematical operation causes
the change of a buffer description value serves only to obfuscate the
cause, but is not materially different than writing the new value
directly to the buffer description value. The "integer overflow" is just
a potential error (intentional or unintentional) leading to the same
result (buffer overflow).
In reference to security, I would say "buffer overflows" are certainly a
class of exploits which can (and has) caused security problems.
Within an application they can certainly cause errors and problems even
on OpenVMS. But to use "buffer overflows" (including those obfuscated
with an "integer overflow" error on a buffer size or buffer index value)
is a case which has been handled by the design of the OpenVMS system
services (and RTL) call interfaces. Without going through the descriptor
mechanism the user application can't use a privileged operation, access
a privileged resource, or change system, kernel or other user's memory
values. Services with dynamic descriptors, where the user can set the
size of the buffer, the system attempts to allocate the space (if it
can't for some reason, then you get an exception). To change the size of
the buffer the same descriptor mechanism must be used. Try to write
beyond the allocated buffer size into system, kernel or another user's
memory, you'll get an exception. However, many of the OpenVMS privileged
services have static descriptors inwhich the size of the buffer is fixed
or controlled by OpenVMS privileged code. The user-mode application has
no influence over the buffer size in this case.
Perhaps, I am missing some special cases in the OpenVMS Calling Standard
as implemented for some specific service, but just having these
architectural principals implemented in OpenVMS has greatly enhanced the
stability and security of the OS well above that which is attainable by
patching and reviewing those Operating Systems (along with their
complete pool of potential applications) which have not.
Cheers!
Keith Cayemberg
- Next message: Richard Brodie: "Re: Telnet without timestamp"
- Previous message: Nigel Barker: "Re: Looking for a Video Card"
- In reply to: Undisclosed: "Re: OpenVMS security?"
- Next in thread: Bob Koehler: "Re: OpenVMS security?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Relevant Pages
|
|
