Bugtraq mailing list archives
Re: Stack Shield: defending from
From: crispin () CSE OGI EDU (Crispin Cowan)
Date: Sun, 5 Sep 1999 06:17:29 +0000
vendicator () USA NET wrote:
> > Perhaps I don't see your point. How is this more secure
> > than StackGuard?
>
> The StackGuard protection system has an extremely grave bug with the terminator and null canaries. In certain circumstances (not rare) this bug can be exploited, preventing StackGuard from detecting stack corruption. I'm not the author of this exploit, however, so I will not post it without his authorization.
So to refine your claim, this means that you believe StackShield is more secure than the terminator version of StackGuard. I see no way in which it is more secure than the random version. We have a new release of the StackGuard compiler that fully supports random canaries even for shared libraries. Release is imminent, pending completion of the web site & documentation.

To be fair, once you fix StackShield's response to a detected stack smash, I know of no way in which StackGuard is more secure than StackShield. At that point it comes down to the practical issues I mentioned.

Addressing the vulnerability of the terminator version: we hypothesized that the terminator StackGuard defense could be exploited if you could find a vulnerable buffer that lets you overflow the buffer multiple times before the affected function returns. Here's a straw-man example of vulnerable code:

    foo() {
        char mybuf[25];
        do {
            gets(mybuf);
        } while (!ok(mybuf));
    }

If you find code like this, then you can "laminate" a terminator canary in place after perpetrating the overflow to change the return address in the activation record. There are problems with this, though:

 * the string function (in this case, gets()) must use the low-order symbol in the Terminator Canary as a termination symbol
 * you have to get your alignment *exactly* right
 * you have to find code of this form. It's not impossible, but it is relatively rare.

I'd be very interested in posted examples of code of this form (or any other form claimed to be vulnerable) found in production programs. Presumably you can point to the vulnerable code without violating the ownership on your friend's exploit?
> Stack Shield provides a front end for GCC and G++ to automatize the compilation. So you just have to replace each occurrence of "gcc" or "g++" with "shieldgcc" or "shieldg++" respectively. Also in future versions a front end for make will be added.
You will find in practice that this is not sufficient to re-build large volumes of SRPMs with your tool. You have to have a program that is called "cc" and behaves exactly like "cc", or else some packages will weasel their way around your protecting compiler.

Crispin
-----
Crispin Cowan, Research Assistant Professor of Computer Science, OGI
NEW: Protect Your Linux Host with StackGuard'd Programs :FREE
http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
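The point Crispin makes about the terminator canary, that a NUL-terminated string copy cannot both preserve the canary and reach the return address in one pass, and that bounding the read in the straw-man loop removes the issue entirely, can be simulated in a few lines. The following is an added illustration written for this archive page; it is not code from the thread, from StackGuard or from StackShield. It assumes a constructed frame layout (a 25-byte buffer, then a 4-byte terminator canary, then a 4-byte saved return address) held in an ordinary byte array, with invented return-address bytes, so the simulated overflow never leaves memory the program owns.

```c
#include <stdio.h>
#include <string.h>

/* Constructed frame layout (assumption, not StackGuard's real emitted code):
 * local buffer, then the terminator canary, then the saved return address. */
#define BUF_LEN    25
#define CANARY_OFF BUF_LEN             /* canary sits directly above the buffer */
#define RET_OFF    (CANARY_OFF + 4)    /* return address directly above the canary */
#define FRAME_LEN  (RET_OFF + 4)
#define SLACK      64                  /* keeps the simulated overrun inside our own array */

/* Terminator canary: NUL, LF, 0xff, CR. A string routine that stops at one
 * of these symbols cannot write the whole canary in a single pass. */
static const unsigned char TERMINATOR_CANARY[4] = { 0x00, 0x0a, 0xff, 0x0d };
static const unsigned char RET_ORIGINAL[4]      = { 0x11, 0x22, 0x33, 0x44 }; /* constructed */

struct outcome {
    int canary_intact;    /* what the epilogue check would report */
    int retaddr_changed;  /* whether the saved return address was touched */
};

static void frame_init(unsigned char *frame)
{
    memset(frame, 0, FRAME_LEN + SLACK);
    memcpy(frame + CANARY_OFF, TERMINATOR_CANARY, 4);
    memcpy(frame + RET_OFF, RET_ORIGINAL, 4);
}

/* Models gets()/strcpy(): copies every byte up to and including the NUL,
 * with no bound, so a long line runs straight past the buffer. */
static void unbounded_copy(unsigned char *dst, const unsigned char *src)
{
    while ((*dst++ = *src++) != 0)
        ;
}

/* The fix for the straw-man loop: a bounded, fgets-style read that
 * truncates, so repeating it any number of times never reaches the canary. */
static void bounded_copy(unsigned char *dst, size_t dst_len, const unsigned char *src)
{
    size_t n = 0;
    while (n < dst_len - 1 && src[n] != 0)
        n++;
    memcpy(dst, src, n);
    dst[n] = 0;
}

/* The comparison StackGuard's epilogue performs, plus a look at the return address. */
static struct outcome check_frame(const unsigned char *frame)
{
    struct outcome o;
    o.canary_intact   = memcmp(frame + CANARY_OFF, TERMINATOR_CANARY, 4) == 0;
    o.retaddr_changed = memcmp(frame + RET_OFF, RET_ORIGINAL, 4) != 0;
    return o;
}

static struct outcome simulate(const unsigned char *line, int bounded)
{
    unsigned char frame[FRAME_LEN + SLACK];
    frame_init(frame);
    if (bounded)
        bounded_copy(frame, BUF_LEN, line);
    else
        unbounded_copy(frame, line);
    return check_frame(frame);
}

/* Scenario 1: an overlong line through the unbounded copy. The bytes run
 * over the canary on their way to the return address, so the check fires. */
struct outcome overlong_unbounded(void)
{
    unsigned char line[FRAME_LEN + 8];
    memset(line, 'A', sizeof line - 1);
    line[sizeof line - 1] = 0;
    return simulate(line, 0);
}

/* Scenario 2: a line that ends exactly at the canary. The copy stops at its
 * own NUL, which matches the canary's low-order byte, so the check passes,
 * but nothing above the canary was reached either: one pass cannot do both. */
struct outcome exact_length_unbounded(void)
{
    unsigned char line[BUF_LEN + 1];
    memset(line, 'A', BUF_LEN);
    line[BUF_LEN] = 0;
    return simulate(line, 0);
}

/* Scenario 3: the overlong line through the bounded copy: truncated,
 * canary and return address untouched, however often the loop repeats. */
struct outcome overlong_bounded(void)
{
    unsigned char line[FRAME_LEN + 8];
    memset(line, 'A', sizeof line - 1);
    line[sizeof line - 1] = 0;
    return simulate(line, 1);
}

int main(void)
{
    struct outcome a = overlong_unbounded(), b = exact_length_unbounded(), c = overlong_bounded();
    printf("overlong/unbounded: canary intact=%d retaddr changed=%d\n", a.canary_intact, a.retaddr_changed);
    printf("exact/unbounded:    canary intact=%d retaddr changed=%d\n", b.canary_intact, b.retaddr_changed);
    printf("overlong/bounded:   canary intact=%d retaddr changed=%d\n", c.canary_intact, c.retaddr_changed);
    return 0;
}
```

Scenario 1 is the case the epilogue check is built for; scenario 2 is the reason the terminator bytes were chosen, since the copy routine's own terminator is what stops it. Scenario 3 is the code-review remedy: in a loop of the `do { gets(mybuf); } while (!ok(mybuf));` shape, replacing the unbounded read with a bounded one makes the number of iterations irrelevant, which is the practical check to apply when auditing for the pattern Crispin describes.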