Re: machine independent protection from stack-smashing attack

[Hiroaki Etoh <ETOH () JP IBM COM>]

On 2000/08/11 01:05:57 John Viega wrote:

> In particular, you fall prone to the problem that Crispan recently had
> to fix with StackGuard; the canary is not bound to the actual return
> address, so in some cases it is possible to "jump" the canary.  You
> are using boundary canarys instead of xor canarys.
>
> Sure, you're lining up arrays next to each other, but that doesn't
> solve every case.  Consider the following example, slightly modified
> from the StackGuard page:
>
> foo(char * arg) {
>    char *  p[1];    // a vulnerable pointer
>    char a[25];    // the buffer that makes the pointer vulnerable
>    p[0] = arg;
>    gets(a);    // using gets() makes you vulnerable
>    gets(p[0]);    // this is the good part
> }

ProPolice generates the following activation record for the above program.
| arg | return address | previous frame pointer | GUARD | array a | array *p |

It means that you can not change the value of char *p[0] after the buffer
overflow of the array a. This protection is derived from the analysis of the
vulnerability of XOR random canary protection.  I will post the vulnerability
memo after Crispan's permission.

As for the portability of ProPolice, ProPolice uses a termination canary if it
fails to open the device "/dev/random". I think the terminator canary protection
introduced by Crispin Cowan is as safe as the random canary protection IF the
previous frame pointer of the activation record is protected.  Speaking the
implementation of ProPolice, When ProPolice fails to open the device
"/dev/random", it uses a series of characters "00", "00", "0a" and "ff" as a
terminator canary.  I think this is portable.

Hiroaki Etoh,  Tokyo Research Laboratory
TELEPHONE: +81-46-215-5066 FAX: +81-462-73-7413