Stack smash protection: Automated (de)bugging?
John Richard Moser
nigelenki at comcast.net
Tue Jul 11 04:57:09 BST 2006
I posted a bug on GCC's bugzilla but it's hard to convince the
developers to do anything special, so I am looking to see if there's any
support for this idea. The bug is:
The basic idea is that in the original ProPolice, a fair amount of
debugging data was spit out at a stack smash. This included the source
file and function that the buffer that was smashed was created in. This
is highly useful; it points almost directly at the bug, no debugging needed.
Currently, gcc's __stack_chk_fail() takes no arguments. To get this
information, we need to pass it to the stack smash handler. Modifying
__stack_chk_fail() distro-side makes our distro incompatible with
generic stack-smash-protected binaries, while adding a new handler and
modifying the output of gcc makes our binaries incompatible with other
distros. Because of this, we *need* an upstream-supported handler.
I have proposed a __stack_chk_fail2() that takes the file, function, and
the value of the canary as debugging data. Passing this data to
__stack_chk_fail2() would be safe and have impact only on size of output
(by a few bytes) and execution speed of the stack smash handler (which
only matters when the program is terminating due to a stack smash).
Interestingly, with a gcc that passes the needed information, upstream
can step back and leave this problem alone. It doesn't matter if the
information is printed, ignored, or whatever; we can modify the handler
distro-side and keep the same interface to do interesting things.
The interesting things I WANT the modified handler and code generator
* Automatically log stack smashing. This can be done now, as far as
"stack smash in /usr/bin/xmms"; but I want "stack smash in
/usr/bin/xmms foo.c:bar() (Damage: 0xdeadbeef)"
* Alert the user at first stack smash, asking if he would like a stack
smash detecting daemon to automatically send stack smash logs to
Ubuntu. This would pass enough information to Ubuntu (and then to
upstream) to quickly find and fix highly obscure problems.
My line of thought is that sometimes bugs appear that satisfy one or
more of the following conditions:
* The bugs are obscure, and only occur in very rare cases.
* The bugs are hard to reproduce.
* The bugs look like any normal crash and are typically ignored.
Thus, one or more of the following situations occurs:
* The end user ignores the bug, because it only happens once to every
* The developer can't reproduce the bug, and it's back-burnered for
months or years.
* The end user can't reproduce the bug, and the developer doesn't even
try for lack of useful info.
In Windows there were exploits that never caused problems in the real
world. The one Blaster used existed in WinNT4SP3 all the way through
WinXPSP1, because nobody noticed it. If it caused a single crash ever,
that was probably the only crash it ever caught.
If we can opportunistically collect data about stack smashes, then the
first single crash they cause, no matter whether the bug is an attack or
just a stroke of really bad luck, no matter if the bug never manifests
again for 5 years, will expose the bug in great detail. If we can alert
the user or even get them to agree (alert the first time, ASK them to
allow this to happen automatically) to automatically pass this data
back, we can quickly find and fix even the most obscure, hard to
reproduce vulnerabilities without bugging the user at all.
I may be really reaching here, but I think I may not be the only one who
would like this. Does anyone else have any thoughts? Good, bad,
flames, praise, support, comments on the gcc bugzilla, whatever.
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.
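As an added example (not part of the post above, and not gcc's or ProPolice's code), the following C program models what the proposed three-argument handler would receive at the point where gcc's epilogue today calls the argument-less __stack_chk_fail(). The file and function names are compile-time constants (__FILE__, __func__), and the corrupted canary is the word the epilogue just compared, so passing them costs only the few bytes the post describes. Everything here is constructed for the demo: the handler name stack_chk_fail2_demo, the frame struct, the fixed reference canary (a real build uses a per-process random value that glibc keeps in thread-local storage), the binary path string, and the log format taken from the post's wish-list. The handler records the report instead of terminating, so the result can be inspected.

```c
/* Added example, not from the post: models the data a
 * __stack_chk_fail2(file, function, canary) handler would receive.
 * The real gcc handler is __stack_chk_fail(void); the frame struct,
 * the handler name, the canary constant and the log format are
 * assumptions made for this demo. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define BUF_SIZE 8
/* Assumed reference canary. glibc's real one is randomised per process. */
#define CANARY_VALUE 0x0a00ff12ULL

/* Last report produced by the demo handler, kept so callers can inspect it. */
static char last_report[256];

const char *last_smash_report(void)
{
    return last_report;
}

/* Demo stand-in for the proposed __stack_chk_fail2(). The real handler
 * would log and then terminate; this one only records the message. */
static void stack_chk_fail2_demo(const char *file, const char *func, uint64_t observed)
{
    snprintf(last_report, sizeof last_report,
             "stack smash in %s %s:%s() (Damage: 0x%llx)",
             "/usr/bin/demo", file, func, (unsigned long long)observed);
}

/* A frame laid out the way ProPolice arranges it: the character buffer
 * sits just below the canary, so a linear overflow of buf hits the canary
 * before it reaches the saved frame pointer and return address. */
struct frame {
    char buf[BUF_SIZE];
    uint64_t canary;
};

/* Simulates an instrumented function: copy `len` bytes into the buffer
 * with no bounds check (the bug), then run the epilogue canary check.
 * Returns 1 if a smash was detected and reported, 0 otherwise. */
int vulnerable_copy(const unsigned char *src, size_t len)
{
    struct frame f;
    f.canary = CANARY_VALUE;
    last_report[0] = '\0';

    /* Clamped to the frame so the demo itself stays defined behaviour;
     * a real bug would keep writing past the frame. */
    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, src, len);   /* the "overflow": bytes run from buf into canary */

    if (f.canary != CANARY_VALUE) {
        /* What gcc could emit instead of a bare call to __stack_chk_fail() */
        stack_chk_fail2_demo(__FILE__, __func__, f.canary);
        return 1;
    }
    return 0;
}

/* Constructed inputs: a benign short string and a 16-byte run of 'A'. */
int demo_benign(void)
{
    static const unsigned char in[] = "hi";
    return vulnerable_copy(in, sizeof in);
}

int demo_overflow(void)
{
    unsigned char in[16];
    memset(in, 'A', sizeof in);
    return vulnerable_copy(in, sizeof in);
}

int main(void)
{
    printf("benign:   detected=%d\n", demo_benign());
    printf("overflow: detected=%d report=\"%s\"\n", demo_overflow(), last_smash_report());
    return 0;
}
```

The overflow case reports the function that owned the buffer and the bytes that landed on the canary (0x4141414141414141 for the 'A' run), which is the "Damage" value the post asks for; in an instrumented binary the same three values are available to the epilogue without any extra work at run time.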