Stack-Smashing Protector

← Back to Stories (view on slashdot.org)

Posted by timothy on Sunday August 4, 2002 @08:29AM from the plugging-holes dept.

XNormal writes "It's not exactly new but for some reason it doesn't seem to be getting the attention it deserves. The stack smashing-protector developed by Hiroaki Etoh at IBM's Tokyo Research Lab is a patch for GCC that provides effective protection against buffer overflows. It protects against cases not covered by StackGuard and StackShield. It it well-supported on multiple versions of GCC and multiple platforms. Why is it not getting enough attention? Perhaps it needs a CatchyName instead of 'ssp'? I'll ponder this question while I'm recompiling all my executables that have an open port and the libraries they depend on."

28 comments

Min score:

Reason:

Sort:

This vs. Non-executable Stack? by Anonymous Coward · 2002-08-04 08:40 · Score: 2, Interesting

How does this compare to OpenBSD's new non-executable stack? I am confused by how this works, and also how a non-executable stack works. I would appreciate it if someone could explain this in laymans terms.
1. Re:This vs. Non-executable Stack? by btellier · 2002-08-04 18:36 · Score: 4, Informative
  
  Basically it's like this:
  
  both OpenBSD's non-exec stack and this new stackguard nonsense protect against one form of of a particular class of vulnerabilities: Stack Based Buffer Overflows. The way these usually work is that by stuffing too much data into a variable you are able to cause the program to overwrite other variables which control what the program will do next. You can, in effect, tell the program to not execute whatever it was going to execute before, but instead execute your code. Typically this is accomplished by putting some low-level machine language inside that original variable you overflowed and then pointing the program to that machine code.
  
  This will fail with obsd's method because you aren't allowed to execute machine code if it lies in the memory region that holds the special variables that control program flow.
  
  This is the most ridiculously trivial of all "protections" to defeat because you can execute machine code from other portions of memory. All you have to do is figure out a way to get the program to, at some point, load that machine code into memory. It might get slightly tricky if it's a remote exploit but when it's a local one you can usually just set an environment variable to some machine code. Since these vars get loaded onto the heap you can simply point the control variable to them and it'll execute anything you want.
  
  This will fail with this new method because between the variable you overflow and the variable that controls program flow there is a random number. Before looking to see where the control variable is pointing to the program will check to see if the random number is the same as it was before the function started. If you overwrote it in order to modify the control variable the program will stop.
  
  Meanwhile this protection won't stop other kinds of buffer overflows, such as .data based overflows and heap overflows that smash memory trees.. that's a bit more complicated though and difficult to describe in layman's terms.
2. Re:This vs. Non-executable Stack? by Anonymous Coward · 2002-08-04 22:01 · Score: 2, Informative
  
  This approach catches a different variation of buffer overflow attacks. Basically, the stack of a function holds information local to that function, such as its data and where to go(return) when the function completes.
  
  Stack attacks are possible when a function allocates a fixed amount of data on the stack for input, and more data is stored than fits in this buffer. The extra data could then overwrite all kinds of data following the buffer.
  
  This protection mives the buffer(s) to the last position in the stack. This will protect the return address of the function. Even if the attacker manages to put (executable) code in this buffer, he is unable to reach it. He's also unable to jump to existing sensitive areas in your code.
  
  In comparison, the non-executable stack protection allows you to reach that code but the moment you reach it the OS faults your program.
  It can't protect you against existing code in your program.
3. Re:This vs. Non-executable Stack? by oliverthered · 2002-08-05 00:39 · Score: 2
  
  On the intel 0x86 arch you can set memory so that:-
  
  It's executable,
  and or
  Read/Writable.
  
  So if the stack/heap was set to R+W not but X
  and the main application set to X but not R+W, then bufferover flows(or self modifying code)
  would never be possible
  
  The problem is that most kernels are tooo crap to handle this properly or to put it another way, the kernel doesn't provide sufficent architecture to allow you to write all of your code that way.
  
  --
  thank God the internet isn't a human right.
4. Re:This vs. Non-executable Stack? by jtdubs · 2002-08-06 00:22 · Score: 2
  
  So, when your app allocates memory in which to load a dynamically-linked library, and this goes on the heap, and the heap is set to RW but not X, how will you make calls to the library?
  
  What if your code, as a fun optimization or hack, wants to store executable code in a variable and execute the code stored in the variable?
  
  Should we disallow an entire class of actions because people are too stupid and lazy to check the length of their data before they write it to memory?
  
  Justin Dubs
5. Re:This vs. Non-executable Stack? by fizbin · 2002-08-06 06:07 · Score: 2
  
  So what about function pointers? These need to be on the heap, right? What if you want to call one function but the function pointer is corrupted, causing you to call something else?
  
  Granted, this would severely narrow the window that the Phrack article mentioned, (it talked about overwriting function pointers in the GOT, which in your scheme would presumably be on a read-only page) but so long as buffers are overrunable, there will be some code that experiences some type of exploit.
  
  Looking at the patch, it doesn't seem that this patch fully addresses this issue - it deals with reordering local variables to avoid some of the less desireable effects of overruns, but what about function pointers stored in classes or structs? Those can't be reordered.
6. Re:This vs. Non-executable Stack? by capnjack41 · 2002-08-06 13:18 · Score: 1
  
  To further elaborate, you can set it so only certain regions are read/write or executable/(read optional) - the only thing is, dividing your code/data/stack into "segments" like this isn't at all used, because it's easier just to use all the pages in memory in one big segment, aliased into code/data/stack. It's just convenient. The memory itself (page tables) don't contain such attributes (rw, x). Therefore it's easy to write code into the stack and execute it in the "code" segment (which is really the same chunks of memory).
7. Re:This vs. Non-executable Stack? by efagerho · 2002-08-06 21:37 · Score: 1
  
  You don't call the code in a function pointer. The function pointer is just a variable and it only contains the address of the code you want to run. The machine instruction only gets the address of the function pointer, loads the value of the address from memory and jumps to the memory location given by the function pointer's value. The only thing you'll need to do is to read the function pointer's value (no executable memory needed).
  
  Of course you probably want to modify the function pointer's value, so it has to be in writable memory, thus the kernel has really no way to protect it. So it doesn't have to be on the heap, but that doesn't help you much.
8. Re:This vs. Non-executable Stack? by fizbin · 2002-08-07 01:24 · Score: 2
  
  Exactly - my point was that one doesn't need write access to code that is also marked as executeable in order to alter the program's execution. Of course function pointers have no need to be on executeable pages; however, if they are writeable at all, we have a problem. One just needs write access to something that is used in determining the path of execution. The phrack article pointed out that the GOT (which is essentially a whole load of function pointers - one for every function called in a dynamic library) is loaded to a page that is left writeable. Without adjusting things so that ld-linux.so is much more tightly tied to the kernel, I don't see how it's possible to avoid that. (I suppose there could be some kernel call that would remove the writeable bits from a given page of memory so that that process could never make the pages writeable again - is there such a call?)
  
  While function pointers are the most flexible variable used in determining execution flow, even in a scenario without a writeable GOT or any function pointers (which would require major redesign of at least libc and gcc), you may still be in trouble. As long as a variable that can be overwritten is used in a decision (i.e. if or switch) or as an array index a buffer overrun can affect the program flow. For example, it might be possible in some poorly written program to overwrite some piece of the program's configuration information through a complicated buffer overflow attack - many of even the most secure programs can be made insecure by a bad configuration.
  
  The only absolute solution to containing the potential damage from buffer overflows is to avoid buffer overflows altogether. Each of these steps simply minimizes the number of ways to exploit buffer overruns, which raises the bar and may even shrink the pool of potentially exploitable programs.
Microsoft Visual C++ .NET has a similar feature by cpeterso · 2002-08-04 09:10 · Score: 5, Informative

Microsoft Visual C++ .NET (aka MSVC7) has a similar feature called Buffer Security Check. This is for "unmanaged" C++ code, not C#/.NET/CLR code. This new compiler option /GS is on by default.
/GS (Buffer Security Check)

The /GS option is used to detect buffer overruns, which overwrite the return address -- a common technique for exploiting code that does not enforce buffer size restrictions. This is achieved by injecting security checks into the compiled code.

On functions subject to buffer overrun problems, the compiler will allocate space on the stack before the return address. On function entry, the allocated space is loaded with a security cookie that is computed once at module load. Then, on function exit, a compiler helper is called to make sure the cookie's value is still the same. If the value is not the same, an overwrite of the return address has potentially occurred, and so an error will be reported and the process (or at least the thread) terminated.

--
cpeterso
1. Re:Microsoft Visual C++ .NET has a similar feature by cpeterso · 2002-08-04 13:50 · Score: 2
  
  I forgot to mention that the "security cookie" pushed on the stack before the return address is called a canary. I thought that was pretty clever. :-)
  
  --
  cpeterso
2. Re:Microsoft Visual C++ .NET has a similar feature by Anonymous Coward · 2002-08-04 13:57 · Score: 1, Interesting
  
  Right, and if I recall correctly this was the subject the the 1st .Net "exploit".
  
  True it was hyped as an exploit when it really isn't, but it goes to show that there is no replacement for skilled and careful coding.
  
  See http://www.cigital.com/news/mscompiler-tech.html for more info.
  
  Jesse
3. Re:Microsoft Visual C++ .NET has a similar feature by Mr.+Slippery · 2002-08-05 01:18 · Score: 2, Interesting
  
  On functions subject to buffer overrun problems
  
  How is this determination made? Is it just looking for functions that make certain calls, or what?
  Seems to me all the attacker has to do is figure out how to spoof the security cookie. What prevents this?
  
  --
  Tom Swiss | the infamous tms | my blog
  You cannot wash away blood with blood
Heh by Anonymous Coward · 2002-08-04 09:11 · Score: 1, Funny

When I saw the headline, for some reason I read "Smashing Pocket Protector". I was beginning to think that this really is "News for nerds". :P
I don't think it's the name... by funkhauser · 2002-08-04 09:39 · Score: 4, Interesting

I really don't think the name is the problem. I mean, gcc gets by fine with a rather non-descript name.
It seems like it would be difficult to get a whole lot of developers to move over to this at once, so perhaps that's why it's not catching on? If one major group of developers (Red Hat, Debian, whoever) started using this patch, perhaps their influence could sway others? It's not like the world of M$ where the necessary constant upgrading forces users to switch to technologies that Microsoft thinks are important. (Although buffere overflows are a very important issue, I'm just commenting on the fact that it's Microsoft that pushes the technologies, not the needs of the developers.)

--
Learn to Play Go
1. Re:I don't think it's the name... by Wumpus · 2002-08-05 06:50 · Score: 2
  
  I suspect that most people will be turned off of these tools because installing them involves recompiling their copy of GCC. If didstributions started packaging patched copies of GCC, this may change.
2. Re:I don't think it's the name... by Arandir · 2002-08-05 11:32 · Score: 2
  
  I mean, gcc gets by fine with a rather non-descript name.
  
  You also have to consider that gcc is the only option on most non-Windows systems. GNU could rename it "FUA" and people would still use it.
  
  --
  A Government Is a Body of People, Usually Notably Ungoverned
Many developers just don't want it by maeglin · 2002-08-04 10:19 · Score: 5, Interesting

The reason stack protection stuff isn't being widely used isn't because it's got an obscure name or something simple like that. It's because not everyone can agree whether it's effective or just lures people into a false sense of security. There have been a couple of "discussions" of this on the Linux Kernel Mailing List and the end result is always a stalemate.

dan
1. Re:Many developers just don't want it by moncyb · 2002-08-05 02:08 · Score: 3, Interesting
  
  Why does the Linux kernel set the exec flag for stack pages? I don't see any reason why it should. If the program needs to load code, then it can just use one of the lower level calls to allocate the memory as executable. Pages used only for storing data should not be executable. I think I'll try to find this patch...
2. Re:Many developers just don't want it by p3d0 · 2002-08-05 14:57 · Score: 2
  
  It's a matter of principle. It's the kernel's job to protect programs from each other, not from themselves. To remove execute permission from the stack would be the start of a slippery slope, whereby the kernel starts to coddle buggy programs, resulting in a false sense of security.
  The problem, of course, occurs when a program trusted with security responsibilities contains a bug. In such cases, the answer is to fix the bug. This is not, and should not be, the kernel's responsibility.
  Having said that, if you want to apply the non-executable stack patch because you don't trust your "trusted" programs, go ahead. :-)
  
  --
  Patrick Doyle
  I mod down every jackass who puts his moderation policy in his sig. Oh, wait a sec....
3. Re:Many developers just don't want it by pthisis · 2002-08-08 06:23 · Score: 2
  
  Why does the Linux kernel set the exec flag for stack pages?
  
  Executing code on the stack isn't unheard of in legitimate programs--it's sometimes used for performance reasons and sometimes to simplify implementation. Usually it's done in cases where the program's control flow is somewhat complicated:
  
  * Linux puts signal handlers on the stack. They need to be executable.
  * Kaffe and other vms put code on the stack for efficiency reasons.
  * Many functional programming languages write code on the stack for performance reasons.
  * Some garbage collectors write code on the stack
  * Some user-space threading libraries put code on the stack
  
  I'm sure there are others. I know Solar Designer's noexec stack patch had some workarounds for gcc's trampolines, I'm not sure if they worked with everything or not.
  
  Sumner
  
  --
  rage, rage against the dying of the light
g++ write/wrote code on the stack by Per+Abrahamsen · 2002-08-06 00:38 · Score: 2

It was thought to be the most efficient way to implement some C++ constructs (I don't remember which).

Some other (Lisp?) compilers use similar tricks.
It should be bundled with GCC by Per+Abrahamsen · 2002-08-06 00:42 · Score: 2

It is much easier to convince someone to use a specific flag, than to install a third party patch. The later takes more time, and require you to trust more people.
app allocates memory by oliverthered · 2002-08-06 00:43 · Score: 2

Loading of dynamically-linked library should be handled by the kernel not the application.

The kernel should provide the architecture so that the application never has to do any of this stuff, all relocation etc... should be handled by the kernel and not the application.

If the kernel does all of this then you can say that the operating system is secure to buffer overrun exploits, the apps will still crash though and could be comprimised in other ways.

Ring 0(should only be the kernel) can change the W+R+X of a memory address if it want's to.

--
thank God the internet isn't a human right.
Not quite by fizbin · 2002-08-06 05:52 · Score: 2

So what you mean is that /GS behaves the way StackGuard does. (calling the cookie a canary is not a practice Microsoft initiated).

If you read the phrack article linked to in the story, they discuss situations where this manner of buffer overrun protection is insufficient. True, most exploits out there today do use straight overruns onto the return address, but that's only because they can.

That being said, I imagine that the conditions described in the phrack article for getting a manipulable pointer are less common than the authors would like to think.
nested functions by Anonymous Coward · 2002-08-06 18:59 · Score: 0

I don't know if GCC generates code on the stack for C++ constructs. It does that for pointers to nested functions though. For example:

int call(int (*p)(void)) { return p(); } int f(int a) { int g(void) { return a; } return call(g); }

g needs the address of the stack frame of f in order to access a. If f called g directly, it would pass the address as a hidden parameter. The problem is, call does not know about the extra parameter. GCC solves this by making the function pointer p point to a trampoline that loads the correct address in a register and jumps to the real g. f generates this trampoline on the stack at runtime, so it is reentrant.

The Hurd uses lots of nested functions.
1. Re:nested functions by moncyb · 2002-08-08 14:11 · Score: 2
  
  I didn't realize there were so many programs still using stuff like self modifying code and code on the stack. I thought that was old school stuff.
  As for trampolines, the kernel patch I found has a work around to emulate them. It also allows you to set a flag in the executable so that if they need exec on the stack, you can configure it.
  The patch is a part of the Openwall Project. That patch also has some other apparently useful security features. Too bad it lags the kernel development in a big way...
There's a kenel solution to this by oliverthered · 2002-08-07 04:58 · Score: 1

Prevent applictaions proccess from running in memory ranges they havn't requested privilage for.

If you can't write directly into the application, and you can't redirect the application to execute outside it's requested space. Then it becomes very difficult to get those m$ type exploits.

I think Microsoft is doing something like this with paladium? (I only said like mind you!)

The kernel is responsible for loading executables
You can request access mode change for a page of memory from the kernel.

The Kernel won't permit the applications EIP be in pages that the application hasn't requested access for.

when you malloc you request your access mode.

This kinde of model also helps threading,because the kernel knows where self modifying code is, where read-only pages are etc... and can make far better use of caches and page flushes between threads.

--
thank God the internet isn't a human right.