Bugtraq mailing list archives
Re: machine independent protection from stack-smashing attack
From: Hiroaki Etoh <ETOH () JP IBM COM>
Date: Tue, 15 Aug 2000 13:55:47 +0900
On 2000/08/11 01:05:57 John Viega wrote:
In particular, you fall prone to the problem that Crispan recently had to fix with StackGuard; the canary is not bound to the actual return address, so in some cases it is possible to "jump" the canary. You are using boundary canarys instead of xor canarys. Sure, you're lining up arrays next to each other, but that doesn't solve every case. Consider the following example, slightly modified from the StackGuard page: foo(char * arg) { char * p[1]; // a vulnerable pointer char a[25]; // the buffer that makes the pointer vulnerable p[0] = arg; gets(a); // using gets() makes you vulnerable gets(p[0]); // this is the good part }
ProPolice generates the following activation record for the above program. | arg | return address | previous frame pointer | GUARD | array a | array *p | It means that you can not change the value of char *p[0] after the buffer overflow of the array a. This protection is derived from the analysis of the vulnerability of XOR random canary protection. I will post the vulnerability memo after Crispan's permission. As for the portability of ProPolice, ProPolice uses a termination canary if it fails to open the device "/dev/random". I think the terminator canary protection introduced by Crispin Cowan is as safe as the random canary protection IF the previous frame pointer of the activation record is protected. Speaking the implementation of ProPolice, When ProPolice fails to open the device "/dev/random", it uses a series of characters "00", "00", "0a" and "ff" as a terminator canary. I think this is portable. Hiroaki Etoh, Tokyo Research Laboratory TELEPHONE: +81-46-215-5066 FAX: +81-462-73-7413
Current thread:
- machine independent protection from stack-smashing attack Hiroaki Etoh (Aug 09)
- Re: machine independent protection from stack-smashing attack John Viega (Aug 10)
- Re: machine independent protection from stack-smashing attack Yarrow Charnot (Aug 15)
- Re: machine independent protection from stack-smashing attack Ariel Waissbein (Aug 18)
- PRNGs (was Re: machine independent protection from stack-smashing attack) John Viega (Aug 18)
- Re: PRNGs (was Re: machine independent protection from stack-smashingattack) Crispin Cowan (Aug 18)
- Re: PRNGs (was Re: machine independent protection from stack-smashingattack) Andrea Glorioso (Aug 21)
- Re: PRNGs (was Re: machine independent protection from stack-smashingattack) John Viega (Aug 22)
- Re: machine independent protection from stack-smashing attack Yarrow Charnot (Aug 15)
- Re: machine independent protection from stack-smashing attack John Viega (Aug 10)
- Re: machine independent protection from stack-smashing attack Gerardo Richarte (Aug 18)
- <Possible follow-ups>
- Re: machine independent protection from stack-smashing attack Hiroaki Etoh (Aug 15)
- Re: machine independent protection from stack-smashing attack John Viega (Aug 15)
- Re: machine independent protection from stack-smashing attack der Mouse (Aug 18)