Among the exploits we have presented, some are very theoretical and have been studied to show it is possible to use a given vulnerability. But most of the well-known attacks are based on buffer overflows allowed by programmers' lack of security concern.
So, avoiding the known vulnerable functions is a first step which is not difficult and may greatly increase the code reliability. Moreover, gcc now warns coders when such functions are used! A good approach is to replace:
• strcpy with strncpy
• strcat with strncat
• gets with fgets
• sprintf with snprintf
• ...
Compiling this code with Stack shield would improve the security to a higher level.
Of course this will only protect programs compiled on the machine, and cannot be applied to precompiled packages such as .deb or .rpm. That is why it cannot replace a more general, system-based, solution.
No comments:
Post a Comment