Path: utzoo!utgpu!news-server.csri.toronto.edu!cs.utexas.edu!yale!mintaka!bloom-beacon!bloom-beacon!wesommer
From: wesommer@athena.mit.edu (Bill Sommerfeld)
Newsgroups: alt.hackers
Subject: Re: Execute only files on Novell
Message-ID: <1990Jun9.004628.10634@athena.mit.edu>
Date: 9 Jun 90 00:45:58 GMT
References: <445@ria.ccs.uwo.ca> <224@rossignol.Princeton.EDU> <136935@sun.Eng.Sun.COM>
Sender: news@athena.mit.edu (News system)
Distribution: alt
Organization: None.
Lines: 27
Approved: wesommer@athena.mit.edu
In-Reply-To: cmcmanis@stpeter.Eng.Sun.COM's message of 8 Jun 90 21:19:54 GMT

pruss@ria.ccs.uwo.ca claims that the security of Novell "execute only"
could be improved if the fileserver relocated the program before
sending it to the client.

Now, I'm not really familiar with the subtleties of MS-DOS or Novell,
but it seems as if it wouldn't be too hard to reverse engineer this,
given a chance to load the program at two or three different base
addresses.

MP/M-80 -- anyone remember that system? -- generated "page
relocatable" files by assembling something at two different base
addresses separated by 100H, and then "diff"ing the two binaries.

The only way you can have a secure "execute only" facility is if the
CPU and program loader are within the "security perimeter"; I get the
impression that in normal operation, an MS-DOS system running the
client side of the Novell networking package is most definitely
outside the perimeter. Anything else, and you're just setting up
challenges for crackers..

					- Bill
--
"The chance of mit-eddie relaying        | Bill Sommerfeld at MIT/Athena
something before that hyperactive IBM    | sommerfeld@mit.edu
RT with a thyroid condition gets a hold  |
of it is pretty slim."                   |
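
The MP/M-80 technique mentioned in the post, as an added example that is not part of the original article: two builds of the same code one page (100H) apart differ only in the high bytes of absolute addresses, so a byte-wise diff yields the relocation list and the image can then be rebased to any page. The 8080 fragment and the names `assemble`, `relocation_offsets` and `rebase` are constructed for illustration.

```python
PAGE = 0x100  # the two builds sit one 256-byte page apart, as in the post

def assemble(base):
    """Constructed 8080 fragment; stands in for assembling one source at `base`."""
    if base % PAGE:
        raise ValueError("base must be page aligned")
    def addr(off):
        return (base + off).to_bytes(2, "little")
    return bytes(
        b"\x21" + addr(13)    #  0: LXI H,msg
        + b"\x7e\xb7"         #  3: loop: MOV A,M / ORA A
        + b"\xca" + addr(12)  #  5: JZ done
        + b"\x23"             #  8: INX H
        + b"\xc3" + addr(3)   #  9: JMP loop
        + b"\xc9"             # 12: done: RET
        + b"HI\x00"           # 13: msg
    )

def relocation_offsets(low, high):
    """Offsets of bytes that need the load page added, found by diffing two builds."""
    if len(low) != len(high):
        raise ValueError("images differ in length")
    offsets = []
    for i, (a, b) in enumerate(zip(low, high)):
        if a == b:
            continue
        # With bases exactly one page apart, only address high bytes change, by 1.
        if (b - a) % 256 != 1:
            raise ValueError(f"offset {i}: difference is not one page")
        offsets.append(i)
    return offsets

def rebase(image, offsets, page_delta):
    """Add page_delta (in pages, may be negative) to every relocated byte."""
    out = bytearray(image)
    for i in offsets:
        out[i] = (out[i] + page_delta) % 256
    return bytes(out)

if __name__ == "__main__":
    offs = relocation_offsets(assemble(0x0100), assemble(0x0200))
    print("relocated bytes at offsets:", offs)
    print("image normalised to page 0:", rebase(assemble(0x0100), offs, -1).hex())
```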