Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.lang.forth > #24419
| From | "Rod Pemberton" <do_not_have@notemailnotq.cpm> |
|---|---|
| Newsgroups | comp.lang.forth |
| Subject | Re: WWW-safe Forth? |
| Date | 2013-07-12 03:04 -0400 |
| Organization | Aioe.org NNTP Server |
| Message-ID | <kro9gl$vbm$1@speranza.aioe.org> (permalink) |
| References | (10 earlier) <kredus$lsg$1@speranza.aioe.org> <9P-dnY5wTdNgtkbMnZ2dnUVZ_ridnZ2d@supernews.com> <krhtud$65r$1@speranza.aioe.org> <WI2dncHJ98zEFUHMnZ2dnUVZ_oudnZ2d@supernews.com> <51ddd703$0$15893$e4fe514c@news2.news.xs4all.nl> |
"Hans Bezemer" <the.beez.speaks@gmail.com> wrote in message news:51ddd703$0$15893$e4fe514c@news2.news.xs4all.nl... > Elizabeth D. Rather wrote: > > An excellent reason to avoid using C strings and string > > functions in your secure Forth! > > I'm using C strings as well - and in all the years of programming > 4tH (and making errors, fixing bugs) I've never had a runaway > string. The solution is simple: I added an extra ZERO byte > beyond the end of the addressable string memory (addressable > by 4tH itself, not the host program), so even IF there was a > runaway string, it would stop there. Good architecture can > handle everything - but it must be part of the initial design. > That's typically not how they use C strings for abuse. They're looking for a buffer overflow to exploit. Specifically, most C compilers use a single stack for both data and control flow. So, if you can corrupt the data stack, you can change the control flow. Forth has a separate data stack and control flow stack, i.e., return stack. They find a function which stores user input or puts a string onto the stack. Next, they overflow the buffer area. The control flow, i.e., return address for the procedure, is overwritten with input data or a text string. Normally, the bad return address will cause a crash. With the correct input, however, it can transfer execution to where the hacker desires instead of crashing. In an ITC Forth, all you have to do is >R for the equivalent effect. Rod Pemberton
Back to comp.lang.forth | Previous | Next — Previous in thread | Next in thread | Find similar
WWW-safe Forth? papa@sdf.lNoOnSePsAtMar.org (David Meyer) - 2013-07-05 19:24 +0000
Re: WWW-safe Forth? Paul Rubin <no.email@nospam.invalid> - 2013-07-05 13:37 -0700
Re: WWW-safe Forth? papa@sdf.lNoOnSePsAtMar.org (David Meyer) - 2013-07-05 21:17 +0000
Re: WWW-safe Forth? Paul Rubin <no.email@nospam.invalid> - 2013-07-05 15:22 -0700
Re: WWW-safe Forth? papa@sdf.lNoOnSePsAtMar.org (David Meyer) - 2013-07-06 01:56 +0000
Re: WWW-safe Forth? Bernd Paysan <bernd.paysan@gmx.de> - 2013-07-06 14:42 +0200
Re: WWW-safe Forth? Andrew Haley <andrew29@littlepinkcloud.invalid> - 2013-07-06 07:56 -0500
Re: WWW-safe Forth? Bernd Paysan <bernd.paysan@gmx.de> - 2013-07-07 01:11 +0200
Re: WWW-safe Forth? Andrew Haley <andrew29@littlepinkcloud.invalid> - 2013-07-07 02:44 -0500
Re: WWW-safe Forth? anton@mips.complang.tuwien.ac.at (Anton Ertl) - 2013-07-07 10:28 +0000
Re: WWW-safe Forth? anton@mips.complang.tuwien.ac.at (Anton Ertl) - 2013-07-06 13:42 +0000
Re: WWW-safe Forth? Bernd Paysan <bernd.paysan@gmx.de> - 2013-07-07 01:40 +0200
Re: WWW-safe Forth? albert@spenarnc.xs4all.nl (Albert van der Horst) - 2013-07-05 20:20 +0000
Re: WWW-safe Forth? "Rod Pemberton" <do_not_have@notemailnotq.cpm> - 2013-07-06 12:41 -0400
Re: WWW-safe Forth? Howerd <howerdo@yahoo.co.uk> - 2013-07-06 12:03 -0700
Re: WWW-safe Forth? Paul Rubin <no.email@nospam.invalid> - 2013-07-06 12:41 -0700
Re: WWW-safe Forth? Howerd <howerdo@yahoo.co.uk> - 2013-07-06 14:01 -0700
Re: WWW-safe Forth? Paul Rubin <no.email@nospam.invalid> - 2013-07-06 14:26 -0700
Re: WWW-safe Forth? "Elizabeth D. Rather" <erather@forth.com> - 2013-07-06 12:32 -1000
Re: WWW-safe Forth? Paul Rubin <no.email@nospam.invalid> - 2013-07-06 19:58 -0700
Re: WWW-safe Forth? "Elizabeth D. Rather" <erather@forth.com> - 2013-07-06 18:14 -1000
Re: WWW-safe Forth? Paul Rubin <no.email@nospam.invalid> - 2013-07-06 21:51 -0700
Re: WWW-safe Forth? "Elizabeth D. Rather" <erather@forth.com> - 2013-07-06 21:01 -1000
Re: WWW-safe Forth? Paul Rubin <no.email@nospam.invalid> - 2013-07-07 00:36 -0700
Re: WWW-safe Forth? Howerd <howerdo@yahoo.co.uk> - 2013-07-07 01:25 -0700
Re: WWW-safe Forth? Paul Rubin <no.email@nospam.invalid> - 2013-07-07 01:56 -0700
Re: WWW-safe Forth? "Elizabeth D. Rather" <erather@forth.com> - 2013-07-07 08:34 -1000
Re: WWW-safe Forth? "Rod Pemberton" <do_not_have@notemailnotq.cpm> - 2013-07-07 07:08 -0400
Re: WWW-safe Forth? "Elizabeth D. Rather" <erather@forth.com> - 2013-07-07 08:41 -1000
Re: WWW-safe Forth? Paul Rubin <no.email@nospam.invalid> - 2013-07-07 12:59 -0700
Re: WWW-safe Forth? albert@spenarnc.xs4all.nl (Albert van der Horst) - 2013-07-07 20:18 +0000
Re: WWW-safe Forth? albert@spenarnc.xs4all.nl (Albert van der Horst) - 2013-07-09 01:09 +0000
Re: WWW-safe Forth? Bernd Paysan <bernd.paysan@gmx.de> - 2013-07-08 00:09 +0200
Re: WWW-safe Forth? Paul Rubin <no.email@nospam.invalid> - 2013-07-07 18:15 -0700
Re: WWW-safe Forth? "Elizabeth D. Rather" <erather@forth.com> - 2013-07-07 17:22 -1000
Re: WWW-safe Forth? "Elizabeth D. Rather" <erather@forth.com> - 2013-07-07 17:20 -1000
Re: WWW-safe Forth? Howerd <howerdo@yahoo.co.uk> - 2013-07-07 13:13 -0700
Re: WWW-safe Forth? Paul Rubin <no.email@nospam.invalid> - 2013-07-07 14:02 -0700
Re: WWW-safe Forth? Bernd Paysan <bernd.paysan@gmx.de> - 2013-07-08 01:25 +0200
Re: WWW-safe Forth? Paul Rubin <no.email@nospam.invalid> - 2013-07-07 18:26 -0700
Re: WWW-safe Forth? Bernd Paysan <bernd.paysan@gmx.de> - 2013-07-09 19:21 +0200
Re: WWW-safe Forth? Paul Rubin <no.email@nospam.invalid> - 2013-07-10 01:55 -0700
Re: WWW-safe Forth? Bernd Paysan <bernd.paysan@gmx.de> - 2013-07-10 23:51 +0200
Re: WWW-safe Forth? Howerd <howerdo@yahoo.co.uk> - 2013-07-07 21:10 -0700
Re: WWW-safe Forth? Paul Rubin <no.email@nospam.invalid> - 2013-07-07 22:03 -0700
Re: WWW-safe Forth? Howerd <howerdo@yahoo.co.uk> - 2013-07-07 22:27 -0700
Re: WWW-safe Forth? Paul Rubin <no.email@nospam.invalid> - 2013-07-08 00:30 -0700
Re: WWW-safe Forth? Hannu Vuolasaho <hannu.vuolasaho@nospam.tut.fi.invalid> - 2013-07-08 13:08 +0000
Re: WWW-safe Forth? "Rod Pemberton" <do_not_have@notemailnotq.cpm> - 2013-07-08 09:18 -0400
Re: WWW-safe Forth? Howerd <howerdo@yahoo.co.uk> - 2013-07-08 07:02 -0700
Re: WWW-safe Forth? Andrew Haley <andrew29@littlepinkcloud.invalid> - 2013-07-08 09:46 -0500
Re: WWW-safe Forth? Paul Rubin <no.email@nospam.invalid> - 2013-07-08 11:04 -0700
Re: WWW-safe Forth? Andrew Haley <andrew29@littlepinkcloud.invalid> - 2013-07-08 12:49 -0500
Re: WWW-safe Forth? Paul Rubin <no.email@nospam.invalid> - 2013-07-08 11:26 -0700
Re: WWW-safe Forth? Andrew Haley <andrew29@littlepinkcloud.invalid> - 2013-07-08 16:28 -0500
Re: WWW-safe Forth? "Elizabeth D. Rather" <erather@forth.com> - 2013-07-08 11:15 -1000
Re: WWW-safe Forth? "Rod Pemberton" <do_not_have@notemailnotq.cpm> - 2013-07-09 17:09 -0400
Re: WWW-safe Forth? "Elizabeth D. Rather" <erather@forth.com> - 2013-07-09 12:02 -1000
Re: WWW-safe Forth? Hans Bezemer <the.beez.speaks@gmail.com> - 2013-07-10 23:52 +0200
Re: WWW-safe Forth? "Rod Pemberton" <do_not_have@notemailnotq.cpm> - 2013-07-12 03:04 -0400
Re: WWW-safe Forth? gavino_himself <visploveslisp@gmail.com> - 2013-07-28 02:32 -0700
Re: WWW-safe Forth? gavino_himself <visploveslisp@gmail.com> - 2013-07-27 22:18 -0700
Re: WWW-safe Forth? "Rod Pemberton" <do_not_have@notemailnotq.cpm> - 2013-07-12 03:31 -0400
Re: WWW-safe Forth? "Elizabeth D. Rather" <erather@forth.com> - 2013-07-11 23:03 -1000
Re: WWW-safe Forth? "Rod Pemberton" <do_not_have@notemailnotq.cpm> - 2013-07-14 18:15 -0400
Re: WWW-safe Forth? "Elizabeth D. Rather" <erather@forth.com> - 2013-07-14 13:50 -1000
Re: WWW-safe Forth? anton@mips.complang.tuwien.ac.at (Anton Ertl) - 2013-07-15 14:12 +0000
Re: WWW-safe Forth? Paul Rubin <no.email@nospam.invalid> - 2013-07-15 10:22 -0700
Re: WWW-safe Forth? anton@mips.complang.tuwien.ac.at (Anton Ertl) - 2013-07-15 17:07 +0000
Re: WWW-safe Forth? Paul Rubin <no.email@nospam.invalid> - 2013-07-17 01:12 -0700
Re: WWW-safe Forth? anton@mips.complang.tuwien.ac.at (Anton Ertl) - 2013-07-17 09:43 +0000
Re: WWW-safe Forth? Bernd Paysan <bernd.paysan@gmx.de> - 2013-07-17 15:04 +0200
Re: WWW-safe Forth? albert@spenarnc.xs4all.nl (Albert van der Horst) - 2013-07-17 13:50 +0000
Re: WWW-safe Forth? "Elizabeth D. Rather" <erather@forth.com> - 2013-07-15 07:57 -1000
Re: WWW-safe Forth? "Rod Pemberton" <do_not_have@notemailnotq.cpm> - 2013-07-15 22:45 -0400
Re: WWW-safe Forth? "Elizabeth D. Rather" <erather@forth.com> - 2013-07-15 18:21 -1000
Re: WWW-safe Forth? "Elizabeth D. Rather" <erather@forth.com> - 2013-07-15 07:52 -1000
Re: WWW-safe Forth? anton@mips.complang.tuwien.ac.at (Anton Ertl) - 2013-07-16 16:15 +0000
Re: WWW-safe Forth? "Elizabeth D. Rather" <erather@forth.com> - 2013-07-16 08:17 -1000
Re: WWW-safe Forth? anton@mips.complang.tuwien.ac.at (Anton Ertl) - 2013-07-17 09:33 +0000
Re: WWW-safe Forth? "Rod Pemberton" <do_not_have@notemailnotq.cpm> - 2013-07-15 22:40 -0400
Re: WWW-safe Forth? Andrew Haley <andrew29@littlepinkcloud.invalid> - 2013-07-10 03:26 -0500
Re: WWW-safe Forth? Howerd <howerdo@yahoo.co.uk> - 2013-07-07 01:46 -0700
Re: WWW-safe Forth? Paul Rubin <no.email@nospam.invalid> - 2013-07-07 02:39 -0700
Re: WWW-safe Forth? AKK <akk@nospam.org> - 2013-07-07 11:56 +0200
Re: WWW-safe Forth? Paul Rubin <no.email@nospam.invalid> - 2013-07-07 03:20 -0700
Re: WWW-safe Forth? Bernd Paysan <bernd.paysan@gmx.de> - 2013-07-07 01:21 +0200
Re: WWW-safe Forth? Hans Bezemer <the.beez.speaks@gmail.com> - 2013-07-09 23:22 +0200
Re: WWW-safe Forth? gavino_himself <visploveslisp@gmail.com> - 2013-07-27 21:34 -0700
csiph-web