Bugtraq mailing list archives

Re: Libsafe Protecting Critical Elements of Stacks


From: andr () NIZHNY RU (Andrey Kolishak)
Date: Wed, 26 Apr 2000 14:55:51 +0400


JP>  http://www.bell-labs.com/org/11356/html/security.html

JP> It protects against stack-based attacks (buffer overruns, primarily),
JP> which is the largest percentage of security holes.  Easy to setup;
JP> easy to install.
I implemented protection from stack smashing for Windows NT binaries some time
ago. As I see it, Bell's protection is based on one of the two techniques that
are used in my protection. But I am very surprised that Bell's version is such a
limited implementation of this technique. They didn't use all the possible
features of the given method. For example, they limited the vulnerable function
list to only the ordinary ones: strcpy, strcat, sprintf and so on. However, there
are other potentially vulnerable functions: strncpy, strncat, memcpy etc. Also,
it isn't necessary to produce one's own implementation of the vulnerable
functions; it is enough to make integrity checks of the local variable frame
base, or of the return address situated after this frame base, after the
original function call.
In my implementation, a patch of the exported vulnerable functions of any DLL is
used. It is planned to implement a patch of the statically linked (not exported)
functions of standard C compilers for NT.
Test results were very successful. But the protection doesn't work for binaries
compiled with some compiler optimization options, when a direct esp-based offset
is used instead of an ebp-based offset.
Another technique of my protection is to block calls of exported functions from
writable memory areas. This method will allow reliable protection from existing
exploits, but not from future exploits that know about the given protection.
Also, a universal exploit for every attacked box will not be possible.

--
 Andrey Kolishak                           mailto:andr () sandy ru
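The two checks discussed in this thread, as an added example that is not the author's NT patch nor Libsafe's code: a constructed model of one x86 frame, with a Libsafe-style copy bounded by the distance to the frame base beside the post-call integrity check of the saved frame base and return address that the mail describes. The frame layout, the 0xBFFFF000 / 0x08048123 values and all function names are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one x86 stack frame as laid out in memory: the local
   buffer overflows upward into the saved frame base, then the return address. */
typedef struct {
    char      buf[16];    /* local variable that an overrun writes past */
    uintptr_t saved_ebp;  /* caller's frame base */
    uintptr_t ret_addr;   /* return address */
} frame_t;

/* Fresh frame with made-up (constructed) saved values. */
frame_t make_frame(void) {
    frame_t f;
    memset(&f, 0, sizeof f);
    f.saved_ebp = 0xBFFFF000u;
    f.ret_addr  = 0x08048123u;
    return f;
}

/* 1 if the saved frame base and return address still hold their original values. */
int frame_intact(const frame_t *f) {
    return f->saved_ebp == 0xBFFFF000u && f->ret_addr == 0x08048123u;
}

/* Libsafe-style check: bound the copy by the distance from dst to the frame
   base, so the write can never reach saved_ebp or ret_addr. Returns -1 and
   writes nothing if src would not fit. */
int bounded_strcpy(char *dst, const void *frame_base, const char *src) {
    size_t room = (size_t)((const char *)frame_base - dst);
    if (strlen(src) + 1 > room) return -1;
    memcpy(dst, src, strlen(src) + 1);
    return 0;
}

/* The post-call integrity check from the mail: snapshot saved_ebp and ret_addr,
   run the original (unchecked) copy, then compare. The smash is detected only
   after the bytes were written. Returns 0 if intact, -1 if a saved value changed. */
int checked_strcpy(frame_t *f, const char *src) {
    uintptr_t ebp = f->saved_ebp, ret = f->ret_addr;
    size_t n = strlen(src) + 1;
    if (n > sizeof *f) return -2;            /* keep the model inside the struct */
    char *p = (char *)f;                     /* unchecked copy, as strcpy would do */
    for (size_t i = 0; i < n; i++) p[i] = src[i];
    return (f->saved_ebp == ebp && f->ret_addr == ret) ? 0 : -1;
}
```

Note that the post-call check sees the corruption only after it has happened, so a real wrapper must terminate the process rather than return into the damaged frame.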


