Vulnerability Development mailing list archives
Re: stackguard-like embedded protection
From: Crispin Cowan <crispin () WIREX COM>
Date: Fri, 8 Sep 2000 00:22:06 -0700
antirez wrote:
This is trivial, maybe also world-wide known, anyway: a stackguard-like protection can be implemented in a quite portable way:
I finally got around to carefully reading this code (I apologize for the delay).
int __save_rand;
a static variable, hence ...
int get_rand() {
    __save_rand = RANDNUM; /* WARNING: not reentrant */
    return RANDNUM;        /* /dev/urandom can be ok */
}
... as you say, not reentrant, and therefore not recursive. Furthermore, you can't use "safe_enter" and "safe_leave" in more than one function at a time. This is not just a detail; it is a critical issue in designing a stack smashing defense.

To do integrity checking on the stack, you need to insert canaries that have these properties:

* you can decide whether your integrity marks are still intact when you return
* you can do so through a sequence of recursive calls
* you are not depending on the stack itself to detect these factors (because the attacker can corrupt the stack)

There are three obvious solutions to this:

* totally static canary: we used the "terminator" hack because we conjecture that it is hard for buffer overflows to generate terminator symbols
* load-time static canaries: we bind values from /dev/random to functions at load time
* use an alternate stack: StackShield uses this approach. We also thought of that, but discarded it because the first two solutions seemed easier than the alternate stack, and we could not find any way in which the alternate stack was safer

So the provided code is an interesting experiment, but is not practical until it chooses one of these solutions (or invents a new one) that addresses the recursive problem in a way that is robust against stack smashing.

Crispin

--
Crispin Cowan, Ph.D.
Chief Research Scientist, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org
Olympics: The Corruption Games
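An added illustration of the recursion problem discussed in this message (example code written here, not antirez's patch nor StackGuard/Immunix code): the shared-slot scheme from the quoted snippet gives a false alarm as soon as a guarded function recurses, while the "load-time static canary" option, with the reference value in static storage and a copy in every frame, survives recursion and still catches a frame whose copy was overwritten. The frame is modelled as a struct, the canary seed and the counter replacing RANDNUM are constructed values, and canary_init is a stand-in for reading /dev/urandom.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reference canary in static storage (off the stack), bound once at start-up;
 * canary_init stands in for reading /dev/urandom (assumption). */
static uint32_t canary_ref;
uint32_t canary_init(uint32_t seed) { canary_ref = seed; return seed; }

/* One frame, laid out explicitly so the simulated overflow is defined behaviour:
 * buf is immediately followed by this frame's own copy of the canary. */
struct frame { char buf[8]; uint32_t canary; };
/* Recurses `depth` levels; the innermost frame copies `len` bytes of `input`
 * bounded by the whole frame, so a long input runs past buf into the canary copy.
 * Returns 1 if every frame found its copy equal to canary_ref on return, else 0. */
int guarded_recurse(int depth, const char *input, size_t len) {
    struct frame f;
    int ok = 1;
    f.canary = canary_ref;                         /* "safe_enter": per-frame copy */
    if (depth > 0)
        ok = guarded_recurse(depth - 1, input, len); /* inner frames keep their own copies */
    else
        memcpy(&f, input, len < sizeof f ? len : sizeof f); /* simulated smash */
    if (f.canary != canary_ref) ok = 0;            /* "safe_leave": static reference */
    return ok;
}

/* The quoted scheme: one shared slot written by every call. A deterministic
 * counter (constructed) replaces RANDNUM so the result is reproducible. */
static uint32_t save_rand, next_rand = 0x1000;
static uint32_t get_rand(void) { save_rand = next_rand; return next_rand++; }

/* Returns 1 if every frame's check passed. With depth > 0 the inner call
 * overwrites save_rand, so the outer frame fails even though nothing was smashed. */
int shared_slot_recurse(int depth) {
    uint32_t mine = get_rand();
    int ok = 1;
    if (depth > 0) ok = shared_slot_recurse(depth - 1);
    if (mine != save_rand) ok = 0;
    return ok;
}

int main(void) {
    canary_init(0xA5A5A5A5u);
    printf("per-frame canary, short input  : %d\n", guarded_recurse(3, "hi", 2));
    printf("per-frame canary, 12-byte input: %d\n", guarded_recurse(3, "AAAAAAAAAAAA", 12));
    printf("shared slot, no recursion      : %d\n", shared_slot_recurse(0));
    printf("shared slot, recursion depth 2 : %d\n", shared_slot_recurse(2));
    return 0;
}
```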