Vulnerability Development mailing list archives
Re: stackguard-like embedded protection
From: antirez <antirez () linuxcare com>
Date: Sun, 10 Sep 2000 13:53:08 +0200
On Sun, Sep 10, 2000 at 03:50:30AM -0700, Crispin Cowan wrote:
Yes, IMHO, this method is insecure. To attack the redundant RET value stored as the last variable, I need to find an overflowable buffer in a function that is *called* by the victim function, so that I can get below your check variable. To make that work, I have actually *preserve* the return address in the function that contains the overflow, but since that return address will be highly predictable for known programs, this is not too hard.
Yes, this works, if you know this RET address you can effectively mount the attack. And actually it's not hard. But maybe there is the old xor solution for this: we can xor a random number with the var that contains the saved RET, and rexor the same random number (global for the program and fixed for all the program duration) in the RET once we needs to use it. I must perform a serious analysis first, but maybe this may present vantages from both the tester (canary) approach and direct RET checking.
You only need one overflow. Suppose foo() calls bar(), and bar() has an overflowable
Agreed again.
I don't *think* that frame pointers present a problem for my proposed attack.
Not with your attack, but with the protection itself. Anyway I'm attached to this mail a trivial stackguard-like / propolice like (but simplest than both) stack protection, that should be secure enough for most stack smashing prblems, that can be simply embedded in programs. It's implemented as an header file and a little .c file that must be linked to the program. Don't use it if you are using stackguard, stackshield, propolice or other stack protection programs "as user". You, as programmer, may use it if you want to protect some sensitive function without that your users are aware. Please, report bugs and security problems of this few C lines. Usage: #include "stack-protection.h" int main() { stackback_init(); var declaration; ... } int prtected() { stackback_enter program stackback_leave return; } gcc file1.c file2.c fileN.c stackback.c compile time: * SB_NO_SB disable the protection, 0 overhead. * SB_HAVE_DEV_URANDOM uses /dev/urandom to get the pseudorandom tester instead of the simple to break usec | sec | getpid(). antirez -- Salvatore Sanfilippo, Open Source Developer, Linuxcare Italia spa +39.049.80 43 411 tel, +39.049.80 43 412 fax antirez () linuxcare com, http://www.linuxcare.com/ Linuxcare. Support for the revolution.
Attachment:
stack-protection.c
Description:
Attachment:
stack-protection.h
Description:
Current thread:
- Re: stackguard-like embedded protection, (continued)
- Re: stackguard-like embedded protection Crispin Cowan (Sep 05)
- Re: stackguard-like embedded protection H D Moore (Sep 05)
- Re: stackguard-like embedded protection Crispin Cowan (Sep 06)
- Re: stackguard-like embedded protection Crispin Cowan (Sep 06)
- Re: stackguard-like embedded protection Slawek (Sep 07)
- Re: stackguard-like embedded protection antirez (Sep 08)
- Message not available
- Re: stackguard-like embedded protection antirez (Sep 12)
- Re: stackguard-like embedded protection Crispin Cowan (Sep 12)
- Re: stackguard-like embedded protection antirez (Sep 12)
- Re: stackguard-like embedded protection antirez (Sep 12)
- Re: stackguard-like embedded protection Crispin Cowan (Sep 12)
- Re: stackguard-like embedded protection Bluefish (P.Magnusson) (Sep 07)
- Re: stackguard-like embedded protection typo (Sep 07)
- Re: stackguard-like embedded protection Bluefish (P.Magnusson) (Sep 08)
- Re: stackguard-like embedded protection antirez (Sep 13)
- Re: stackguard-like embedded protection antirez (Sep 13)