Vulnerability Development mailing list archives

Re: stackguard-like embedded protection

From: Crispin Cowan <crispin () WIREX COM>
Date: Fri, 8 Sep 2000 00:22:06 -0700

antirez wrote:

This is trivial, maybe also world-wide known, anyway:
a stackguard-like protection can be implemented
in a quite portable way:


I finally got around to carefully reading this code (I apologize for the
delay).

int __save_rand;


a static variable, hence ...

int get_rand()
{
        __save_rand = RANDNUM; /* WARNING: not reentrant */
        return RANDNUM; /* /dev/urandom can be ok */
}


... as you say, not reentrant, and therefore not recursive.  Furthermore, you
can't use "safe_enter" and "safe_leave" in more than one function at a time.

This is not just a detail; it is a critical issue in designing a stack smashing
defense.  To do integrity checking on the stack, you need to insert canaries
that have these properties:

   * you can decide whether your integrity marks are still intact when you
     return
   * you can do so through a sequence of recursive calls
   * you are not depending on the stack itself to detect these factors (because
     the attacker can corrupt the stack)

There are three obvious solutions to this:

   * totally static canary:  we used the "terminator" hack because we
     conjecture that it is hard for buffer overflows to generate terminator
     symbols
   * load-time static canaries:  we bind values from /dev/random to functions
     at load time
   * use an alternate stack:  StackShield uses this approach.  We also thought
     of that, but discarded it because the first two solutions seemed easier
     than the alternate stack, and we could not find any way in which the
     alternate stack was safer

So the provided code is an interesting experiment, but is not practical until
it chooses one of these solutions (or invents a new one) that addresses the
recursive problem in a way that is robust against stack smashing.

Crispin

--
Crispin Cowan, Ph.D.
Chief Research Scientist, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution:                    http://immunix.org
                Olympics:  The Corruption Games

Current thread:

Re: stackguard-like embedded protection, (continued)
- - - Re: stackguard-like embedded protection Benjamin Karas (Sep 05)
    - Re: stackguard-like embedded protection Bluefish (P.Magnusson) (Sep 05)
    - Re: stackguard-like embedded protection Greg KH (Sep 05)
    - Re: stackguard-like embedded protection Juliano Rizzo (Sep 06)
    - Re: stackguard-like embedded protection Crispin Cowan (Sep 05)
    - Re: stackguard-like embedded protection H D Moore (Sep 05)
    - Re: stackguard-like embedded protection Crispin Cowan (Sep 06)
    - Re: stackguard-like embedded protection Crispin Cowan (Sep 06)
    - Re: stackguard-like embedded protection Slawek (Sep 07)
- Re: stackguard-like embedded protection Bluefish (P.Magnusson) (Sep 05)
- Re: stackguard-like embedded protection Crispin Cowan (Sep 08)
  - Re: stackguard-like embedded protection antirez (Sep 08)
    - Message not available
    - Re: stackguard-like embedded protection antirez (Sep 12)
    - Re: stackguard-like embedded protection Crispin Cowan (Sep 12)
    - Re: stackguard-like embedded protection antirez (Sep 12)
    - Re: stackguard-like embedded protection antirez (Sep 12)
    - Re: stackguard-like embedded protection Crispin Cowan (Sep 12)
- Re: stackguard-like embedded protection Michael Wojcik (Sep 06)
  - Re: stackguard-like embedded protection Bluefish (P.Magnusson) (Sep 07)
    - Re: stackguard-like embedded protection typo (Sep 07)
    - Re: stackguard-like embedded protection Bluefish (P.Magnusson) (Sep 08)

(Thread continues...)