Bugtraq mailing list archives

Re: Stack Shield: defending from


From: crispin () CSE OGI EDU (Crispin Cowan)
Date: Sun, 5 Sep 1999 06:17:29 +0000


vendicator () USA NET wrote:

> > Perhaps I don't see your point. How is this more secure than StackGuard?

> StackGuard protection system has an extremely grave bug
> with the terminator and null canaries. In certain circumstances (not rare) this bug can be exploited
> preventing StackGuard from detecting stack corruption. I'm not
> the author of this exploit however, so I will not post it without
> his authorization.

So to refine your claim, this means that you believe StackShield is more
secure than the terminator version of StackGuard.  I see no way in which
it is more secure than the random version.  We have a new release of the
StackGuard compiler that fully supports random canaries even for shared
libraries.  Release is imminent, pending completion of the web site &
documentation.

To be fair, once you fix StackShield's response to a detected stack
smash, I know of no way in which StackGuard is more secure than
StackShield.  At that point it comes down to the practical issues I
mentioned.

Addressing the vulnerability of the terminator version:  we hypothesized
that the terminator StackGuard defense could be exploited if you could
find a vulnerable buffer that lets you overflow the buffer multiple
times before the affected function returns.  Here's a straw-man example
of vulnerable code:

#include <stdio.h>

int ok(const char *s);   /* validation predicate, defined elsewhere */

void foo(void) {
    char mybuf[25];

    /* gets() has no bound: every iteration can overflow mybuf again
       before foo() returns, which is what makes this a straw man */
    do {
        gets(mybuf);
    } while (!ok(mybuf));
}

If you find code like this, then you can "laminate" a terminator canary
in place after perpetrating the overflow to change the return address in
the activation record.  There are problems
with this, though:

   * the string function (in this case, gets()) must use the low-order
symbol in the Terminator Canary as a termination symbol
   * you have to get your alignment *exactly* right
   * you have to find code of this form.  It's not impossible, but it is
relatively rare.

I'd be very interested in posted examples of code of this form (or any
other form claimed to be vulnerable) found in production programs.
Presumably you can point to the vulnerable code without violating the
ownership on your friend's exploit?

> Stack Shield provides a front end for GCC and G++ to
> automate the compilation. So you just have to replace each occurrence of "gcc" or "g++" with "shieldgcc" or "shieldg++"
> respectively. Also in future versions a front end for make will be added.

You will find in practice that this is not sufficient to re-build large
volumes of SRPMs with your tool.  You have to have a program that is
called "cc" and behaves exactly like "cc", or else some packages will
weasel their way around your protecting compiler.

Crispin
-----
 Crispin Cowan, Research Assistant Professor of Computer Science, OGI
    NEW:  Protect Your Linux Host with StackGuard'd Programs  :FREE
       http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
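The following is an added illustration of the point about termination symbols above, not code from the thread or from StackGuard itself: a small user-space model of a StackGuard-style activation record (the frame layout, the 0x000aff0d terminator value and a little-endian byte order are assumptions of the model) showing why a single strcpy()-style overflow cannot both reproduce the terminator canary and reach the return address, so the epilogue check catches it.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* StackGuard's terminator canary: NUL, LF, 0xff, CR. Each byte stops some
   string function (strcpy at NUL, gets at LF); little-endian memory order
   is 0d ff 0a 00 (little-endian layout is assumed throughout). */
#define TERMINATOR_CANARY 0x000aff0dU
/* One activation record as StackGuard lays it out: buffer, canary, return. */
struct frame {
    char     buf[25];
    uint32_t canary;
    uint32_t ret;
};
/* strcpy()-style copy into buf that may run past it into the rest of the
   frame (never past the frame itself, so the model stays memory-safe). */
static void overflowing_strcpy(struct frame *f, const char *src) {
    unsigned char *dst = (unsigned char *)f + offsetof(struct frame, buf);
    size_t room = sizeof *f - offsetof(struct frame, buf);
    for (size_t i = 0; i < room; i++) {
        dst[i] = (unsigned char)src[i];
        if (src[i] == '\0') break;
    }
}
/* The epilogue check StackGuard emits before trusting the return address. */
static int canary_intact(const struct frame *f, uint32_t expected) {
    return f->canary == expected;
}

/* One overflow: constructed input fills the buffer, reproduces the canary's
   first three bytes and continues toward the return address. strcpy cannot
   write the NUL the canary needs, so the check trips. Returns 1 if caught. */
int single_overflow_detected(void) {
    struct frame f = { "hello", TERMINATOR_CANARY, 0x08048000U };
    size_t coff = offsetof(struct frame, canary);
    char input[sizeof f + 1];
    memset(input, 'A', coff);                /* fill buf (and any padding) */
    memcpy(input + coff, "\x0d\xff\x0a", 3); /* canary bytes in memory order */
    memcpy(input + coff + 3, "BCDE", 4);     /* lands in the NUL slot and beyond */
    input[coff + 7] = '\0';
    overflowing_strcpy(&f, input);
    return !canary_intact(&f, TERMINATOR_CANARY);
}

/* Input that fits in buf leaves the canary alone; the check passes. */
int benign_input_passes(void) {
    struct frame f = { "", TERMINATOR_CANARY, 0x08048000U };
    overflowing_strcpy(&f, "short input");
    return canary_intact(&f, TERMINATOR_CANARY);
}
```

The model only covers the single-copy case that the terminator design is built for; the repeated-overflow weakness discussed in the message is exactly what a random canary, which contains no fixed terminator byte to reproduce, is meant to close.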

