stack smashing Was: Re: Scanning Formats (TIFF vs. JPEG)

Don THX1138 at dakotacom.net
Sat Aug 19 01:25:51 CDT 2006


Chuck Guzis wrote:
> On 8/19/2006 at 12:49 AM Alexey Toptygin wrote:
> 
>> This is computationally expensive and complicated. Every time you have to 
>> cross a privilege boundary you have to switch context, validate any data 
>> going across and verify permissions. You also need an exact specification 
>> of the interface for every such interface - if the system doesn't know 
>> what your DLL is allowed to do, how can it stop it from doing what it 
>> shouldn't? This is why this sort of pain is usually reserved for the 
>> user-kernel interface.
> 
> I don't think so.  There is a subset of all DLLs that can be classified as
> "trusted"--they know to check arguments and the operation is well-defined.
> One might classify these as "friendly" DLLs and omit any sort of checking.
> For all others, the calling program can specify a tighter degree of control
> at the expense of more overhead.

You're still relying on the application ("the calling program")
to do this properly.  It's yet another place for bugs to creep in.

OTOH, if you can treat the features/facilities provided by
that DLL as a *service* and can encapsulate that service
within a protection domain, then the service can be robust
(at the added expense of yet another protection domain
to cross).
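The two models being argued over in this thread, the "friendly DLL" called in-process with no checks versus the same facility wrapped as a service in its own protection domain, can be sketched in a few dozen lines. The following is an added example, not code from anyone in the thread; it uses a Python function as a stand-in for the DLL and a child process as the protection domain, and its plugin defects (clobbering host state, returning the wrong type on odd inputs) are constructed for the demonstration.

```python
import multiprocessing as mp
from typing import Any

# Constructed host-side state; a misbehaving library sharing our address
# space can overwrite it just as easily as its own variables.
HOST_CONFIG = {"upload_dir": "/srv/scans", "max_pages": 50}


def untrusted_plugin(page_count: int) -> Any:
    """Stand-in for an untrusted DLL routine (constructed, not a real library).

    Two deliberate defects: it scribbles on the host's configuration, and on
    odd inputs it returns a string where the interface promises an int.
    """
    HOST_CONFIG["upload_dir"] = "/tmp/clobbered"
    result = page_count * 2
    return str(result) if page_count % 2 else result


def call_in_process(page_count: int) -> Any:
    """'Friendly DLL' model: no checks, same protection domain as the caller."""
    return untrusted_plugin(page_count)


def validate_request(page_count: int) -> None:
    """Interface contract for data crossing into the service."""
    if not isinstance(page_count, int) or isinstance(page_count, bool):
        raise TypeError("page_count must be an int")
    if not 1 <= page_count <= HOST_CONFIG["max_pages"]:
        raise ValueError("page_count out of range")


def validate_reply(reply: Any) -> int:
    """Interface contract for data coming back out of the service."""
    if not isinstance(reply, int) or isinstance(reply, bool):
        raise TypeError(f"service returned {type(reply).__name__}, expected int")
    if not 0 <= reply <= 2 * HOST_CONFIG["max_pages"]:
        raise ValueError("service reply out of range")
    return reply


def _service_worker(conn) -> None:
    """Runs in a separate process: its own copy of HOST_CONFIG, stack and heap."""
    try:
        conn.send(untrusted_plugin(conn.recv()))
    finally:
        conn.close()


def call_as_service(page_count: int, timeout: float = 5.0) -> int:
    """Service model: the plugin runs in another protection domain and every
    crossing is checked. Costs a process and a context switch per call."""
    validate_request(page_count)
    parent_conn, child_conn = mp.Pipe()
    proc = mp.Process(target=_service_worker, args=(child_conn,))
    proc.start()
    child_conn.close()  # the parent keeps only its own end of the pipe
    try:
        parent_conn.send(page_count)
        if not parent_conn.poll(timeout):
            raise TimeoutError("service did not answer")
        reply = parent_conn.recv()
    finally:
        parent_conn.close()
        proc.join(timeout)
        if proc.is_alive():
            proc.kill()
            proc.join()
    return validate_reply(reply)


if __name__ == "__main__":
    print("service:", call_as_service(4), HOST_CONFIG["upload_dir"])
    try:
        call_as_service(3)
    except TypeError as exc:
        print("service rejected reply:", exc)
    print("in-process:", call_in_process(4), HOST_CONFIG["upload_dir"])
```

Run stand-alone, the service call returns 8 and leaves HOST_CONFIG untouched, the odd-input call is rejected at the boundary because the reply fails the interface check, and the in-process call returns the same 8 while silently rewriting the host's upload_dir. That last line is the point of the reply above: once the caller is the one deciding whether to check, a single skipped check puts the library's bugs inside the caller's own state.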
