Stack smash protection: Automated (de)bugging?

John Richard Moser nigelenki at comcast.net
Wed Jul 12 05:01:19 BST 2006



This now has a spec:

https://launchpad.net/distros/ubuntu/+spec/gcc-ssp-automated-reporting




I have the necessary __stack_chk_fail2() function, I think.  It takes
filename, function, and damage value as its arguments:

void __stack_chk_fail2(char *fctn, char *srcfile, void *damage);

It worked in my unit tests, and spit out:

*** stack smashing detected ***: vuln.c:vuln() (damage: 0xdeadbeef)
Terminated

Note my unit tests called __stack_chk_fail2() directly; gcc doesn't
generate code for it.



I am planning to rewrite libssp0 clean and produce a version that takes
advantage of an external daemon, probably called libssp-ng.  It will
derive a stack dump, return pointer (__builtin_return_pointer(0)), and
/proc/self/maps from the process.  The return pointer and maps file will
be used by the external daemon to figure out what exact ELF binary
(library or executable) contains the vulnerable code (inspired by PaX).



I'll have to write a glibc patch that supplies __stack_chk_fail2() in a
tiny way, but this is not a problem.  Feeding it to upstream will be
easy because once gcc supports it they will have to take it, even though
gcc can fall back to using libssp0 if it's not in glibc.

I'll also patch glibc in some way to use libssp if some condition is met
(i.e. a file in /etc/ says so).  Getting this upstream may be difficult;
we have to justify the functionality.  This is not much of a problem;
the ABI will not change, so besides having to maintain a glibc patch
there's not really an issue here.



I'll take a shot at some parts of the message passing between libssp-ng
and the stack smash detection daemon, but not the UI code.  I'll help
design it, but somebody else has to write that stuff; it's out of my area.



As for gcc actually emitting proper __stack_chk_fail2() calls in stack
smash protected code, good luck.  I have no clue, I took a shot this
morning and spent a couple hours at it, then realized that I really
didn't understand the basic process gcc takes to build the tree much
less the code.  I have regression tests that use a real self-exploit
(ret2libc style) so if someone else writes this I'll be able to test it.

--
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.

    Creative brains are a valuable, limited resource. They shouldn't be
    wasted on re-inventing the wheel when there are so many fascinating
    new problems waiting out there.
                                                 -- Eric Steven Raymond

    We will enslave their women, eat their children and rape their
    cattle!
                  -- Bosc, Evil alien overlord from the fifth dimension
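As an added illustration, not code from the post, libssp or glibc: a C simulation of what the `__stack_chk_fail2()` prototype quoted above would receive. It assumes a constructed process guard value, a frame with the canary slot placed directly above a 16-byte buffer, and a hypothetical non-fatal `ssp_check()` helper so the report line can be inspected without aborting.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for the guard (real SSP uses a startup-randomised value). */
static const uintptr_t canary_guard = (uintptr_t)0x4a1b2c3d;

/* Render the report line in the format the post shows. */
int build_ssp_report(char *buf, size_t len, const char *fctn,
                     const char *srcfile, const void *damage)
{
    return snprintf(buf, len,
        "*** stack smashing detected ***: %s:%s() (damage: 0x%" PRIxPTR ")",
        srcfile, fctn, (uintptr_t)damage);
}

/* Hypothetical handler with the prototype quoted in the post: report, then die. */
void __stack_chk_fail2(char *fctn, char *srcfile, void *damage)
{
    char line[256];
    build_ssp_report(line, sizeof line, fctn, srcfile, damage);
    fprintf(stderr, "%s\n", line);
    abort();
}

/* What an instrumented epilogue conceptually does: compare the canary slot with
 * the guard. Non-fatal variant: 0 if intact, else fill `report` and return 1. */
int ssp_check(uintptr_t slot, const char *fctn, const char *srcfile,
              char *report, size_t len)
{
    if (slot == canary_guard)
        return 0;
    build_ssp_report(report, len, fctn, srcfile, (const void *)slot);
    return 1;
}

/* Constructed frame: 16-byte buffer with the canary slot directly above it.
 * Filling write_len bytes of the whole frame through a byte pointer models an
 * overflow without stepping outside the object (write_len is clamped). */
int vuln_frame_check(size_t write_len, char *report, size_t len)
{
    struct { char buf[16]; uintptr_t canary; } frame;
    frame.canary = canary_guard;
    if (write_len > sizeof frame)
        write_len = sizeof frame;
    memset(&frame, 'A', write_len);
    return ssp_check(frame.canary, "vuln", "vuln.c", report, len);
}
```

A 16-byte write leaves the canary intact and `ssp_check()` returns 0; a 24-byte write clobbers the slot with 0x41 bytes and the report carries that value as the damage.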


