Re: stackguard-like embedded protection

[antirez <antirez () linuxcare com>]

On Sun, Sep 10, 2000 at 03:50:30AM -0700, Crispin Cowan wrote:
> Yes, IMHO, this method is insecure.  To attack the redundant RET value stored as the last
> variable, I need to find an overflowable buffer in a function that is *called* by the
> victim function, so that I can get below your check variable.
>
> To make that work, I have actually *preserve* the return address in the function that
> contains the overflow, but since that return address will be highly predictable for known
> programs, this is not too hard.

Yes, this works, if you know this RET address you can effectively mount
the attack. And actually it's not hard. But maybe there is the old xor
solution for this: we can xor a random number with the var that contains
the saved RET, and rexor the same random number (global for the program and
fixed for all the program duration) in the RET once we needs to use it.
I must perform a serious analysis first, but maybe this may present
vantages from both the tester (canary) approach and direct RET checking.

> You only need one overflow.  Suppose foo() calls bar(), and bar() has an overflowable

Agreed again.

> I don't *think* that frame pointers present a problem for my proposed attack.

Not with your attack, but with the protection itself.

Anyway I'm attached to this mail a trivial stackguard-like / propolice like
(but simplest than both) stack protection, that should be secure enough for
most stack smashing prblems, that can be simply embedded in programs.
It's implemented as an header file and a little .c file that must be
linked to the program.

Don't use it if you are using stackguard, stackshield, propolice or other
stack protection programs "as user". You, as programmer,  may use it if you
want to protect some sensitive function without that your users are aware.
Please, report bugs and security problems of this few C lines.

Usage:

#include "stack-protection.h"

int main()
{
        stackback_init();

        var declaration;
        ...
}

int prtected()
{
        stackback_enter

        program

        stackback_leave
        return;
}

gcc file1.c file2.c fileN.c stackback.c

compile time:
 * SB_NO_SB disable the protection, 0 overhead.
 * SB_HAVE_DEV_URANDOM uses /dev/urandom to get the pseudorandom tester
   instead of the simple to break usec | sec | getpid().

antirez

--
Salvatore Sanfilippo, Open Source Developer, Linuxcare Italia spa
+39.049.80 43 411 tel, +39.049.80 43 412 fax
antirez () linuxcare com, http://www.linuxcare.com/
Linuxcare. Support for the revolution.

Attachment: stack-protection.c
Description:

Attachment: stack-protection.h
Description: