Vulnerability Development mailing list archives
Re: stackguard-like embedded protection
From: Crispin Cowan <crispin () WIREX COM>
Date: Sun, 10 Sep 2000 13:54:42 -0700
antirez wrote:
Yes, this works, if you know this RET address you can effectively mount the attack. And actually it's not hard. But maybe there is the old xor solution for this: we can xor a random number with the var that contains the saved RET, and re-xor the same random number (global for the program and fixed for all the program duration) in the RET once we need to use it. I must perform a serious analysis first, but maybe this may present advantages from both the tester (canary) approach and direct RET checking.
Excellent point. Yes, the XOR random canary should work here. However, for the XOR approach to work at all, you need non-stack storage for your XOR canary (if there's only one) or your XOR canary table (if you bind functions to different random canary values). What we did was compute a function's ordinal number mod 128 and use a table of 128 canary values.
Anyway I've attached to this mail a trivial stackguard-like / propolice-like (but simpler than both) stack protection, that should be secure enough for most stack smashing problems, that can be simply embedded in programs. It's implemented as a header file and a little .c file that must be linked to the program.
I like it. With your subsequent errata applied, it looks very nice. You've got your random canary stored in non-stack space, so my 2-function one-overflow attack will fail.

Crispin
--
Crispin Cowan, Ph.D.
Chief Research Scientist, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org
Olympics: The Corruption Games
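An added illustration of the scheme discussed in this exchange (example code, not antirez's attachment, which is not reproduced in the archive): the XOR keys live in a global 128-slot table indexed by function ordinal mod 128, the frame holds the saved RET XORed with the function's key, and the epilogue re-XORs the copy and compares it with the live saved RET. The frame struct, the sample return address, the seed and the two inputs are constructed for the example; rand() stands in for a proper random source.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Keys live in non-stack (global) storage: 128 slots, indexed by function ordinal mod 128. */
#define CANARY_SLOTS 128
static uintptr_t canary_table[CANARY_SLOTS];

/* Seed the key table once at startup (assumption: rand() for portability; real code would use the OS RNG). */
void canary_init(unsigned seed)
{
    srand(seed);
    for (int i = 0; i < CANARY_SLOTS; i++) {
        canary_table[i] = ((uintptr_t)rand() << 16) ^ (uintptr_t)rand();
        if (canary_table[i] == 0) canary_table[i] = 1;   /* a zero key would make the XOR a no-op */
    }
}
static uintptr_t key_for(unsigned fn) { return canary_table[fn % CANARY_SLOTS]; }

/* Prologue: store the saved RET XORed with the key. Epilogue: re-XOR and compare; 1 = intact, 0 = smashed. */
uintptr_t ret_protect(unsigned fn, uintptr_t saved_ret) { return saved_ret ^ key_for(fn); }
int ret_check(unsigned fn, uintptr_t xored_copy, uintptr_t live_ret) { return (xored_copy ^ key_for(fn)) == live_ret; }

/* Constructed stand-in for a stack frame: the XORed copy and the real saved RET both sit
 * above the buffer, so an overflow can clobber both; only the key is out of reach. */
struct frame { char buf[16]; uintptr_t xored_copy; uintptr_t saved_ret; };

/* One guarded call: len input bytes are copied into the frame starting at buf. */
int simulate_call(unsigned fn, const unsigned char *input, size_t len)
{
    struct frame f;
    f.saved_ret = 0x00400123u;                /* constructed sample return address */
    f.xored_copy = ret_protect(fn, f.saved_ret);
    if (len > sizeof f) len = sizeof f;       /* stay inside the object */
    memcpy(&f, input, len);
    return ret_check(fn, f.xored_copy, f.saved_ret);
}

/* Constructed inputs: "hello" fits in buf; sizeof(frame) bytes of 'B' overwrite both RET fields. */
int demo(int overflow)
{
    unsigned char input[sizeof(struct frame)];
    memset(input, 'B', sizeof input);
    if (!overflow) memcpy(input, "hello", 6);
    canary_init(1);
    return simulate_call(7, input, overflow ? sizeof input : 6);
}

int main(void) { printf("benign: %d, overflow: %d\n", demo(0), demo(1)); return 0; }   /* prints "benign: 1, overflow: 0" */
```

Because the attacker's bytes land on both the copy and the real RET but the key never touches the stack, the two values only agree when the key is known, which is exactly why the key table has to live in non-stack space.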