Stack smash protection: Automated (de)bugging?
John Richard Moser
nigelenki at comcast.net
Wed Jul 12 05:01:19 BST 2006
This now has a spec:
I have the necessary __stack_chk_fail2() function, I think. It takes
filename, function, and damage value as its arguments:
void __stack_chk_fail2(char *fctn, char *srcfile, void *damage);
It worked in my unit tests, and spit out:
*** stack smashing detected ***: vuln.c:vuln() (damage: 0xdeadbeef)
Note my unit tests called __stack_chk_fail2() directly; gcc doesn't
generate code for it.
I am planning to rewrite libssp0 clean and produce a version that takes
advantage of an external daemon, probably called libssp-ng. It will
derive a stack dump, return pointer (__builtin_return_pointer(0)), and
/proc/self/maps from the process. The return pointer and maps file will
be used by the external daemon to figure out what exact ELF binary
(library or executable) contains the vulnerable code (inspired by PaX).
I'll have to write a glibc patch that supplies __stack_chk_fail2() in a
tiny way, but this is not a problem. Feeding it to upstream will be
easy because once gcc supports it they will have to take it, even though
gcc can fall back to using libssp0 if it's not in glibc.
I'll also patch glibc in some way to use libssp if some condition is met
(i.e. a file in /etc/ says so). Getting this upstream may be difficult;
we have to justify the functionality. This is not much of a problem;
the ABI will not change, so besides having to maintain a glibc patch
there's not really an issue here.
I'll take a shot at some parts of the message passing between libssp-ng
and the stack smash detection daemon, but not the UI code. I'll help
design it but somebody else has to write that stuff, it's out of my area.
As for gcc actually emitting proper __stack_chk_fail2() calls in stack
smash protected code, good luck. I have no clue, I took a shot this
morning and spent a couple hours at it, then realized that I really
didn't understand the basic process gcc takes to build the tree much
less the code. I have regression tests that use a real self-exploit
(ret2libc style) so if someone else writes this I'll be able to test it.
All content of all messages exchanged herein is left in the
Public Domain, unless otherwise explicitly stated.
Creative brains are a valuable, limited resource. They shouldn't be
wasted on re-inventing the wheel when there are so many fascinating
new problems waiting out there.
-- Eric Steven Raymond
We will enslave their women, eat their children and rape their
-- Bosc, Evil alien overlord from the fifth dimension
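As an added sketch (not the author's libssp code and not part of the original post), a stand-alone C program that produces the report line in the format quoted in the message and shows the canary comparison a compiler would perform before calling the handler; the names ssp_format_report and ssp_check_canary, and the canary values used, are assumptions made for this sketch.

```c
/* Added example, not the author's libssp code: a stand-alone sketch of the
 * __stack_chk_fail2() report format described above and of the canary
 * comparison gcc would emit before calling it. The names ssp_format_report
 * and ssp_check_canary are assumptions made for this sketch. */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Most recent report, kept so callers can inspect it without parsing stderr. */
static char ssp_last_report[256];

/* Format the line exactly as the message shows it:
 *   *** stack smashing detected ***: vuln.c:vuln() (damage: 0xdeadbeef)
 * "damage" is the value found where the canary should have been. */
const char *ssp_format_report(const char *fctn, const char *srcfile, void *damage)
{
    snprintf(ssp_last_report, sizeof ssp_last_report,
             "*** stack smashing detected ***: %s:%s() (damage: 0x%" PRIxPTR ")",
             srcfile, fctn, (uintptr_t)damage);
    return ssp_last_report;
}

/* The handler with the signature given in the message: report, then abort. */
void __stack_chk_fail2(char *fctn, char *srcfile, void *damage)
{
    fprintf(stderr, "%s\n", ssp_format_report(fctn, srcfile, damage));
    abort();
}

/* Stand-in for the epilogue check gcc emits: compare the canary saved in the
 * prologue with the value now in the frame. On mismatch it records the report
 * (instead of aborting, so it can run in-process) and returns 1; intact frame: 0. */
int ssp_check_canary(uintptr_t saved, uintptr_t found,
                     const char *fctn, const char *srcfile)
{
    if (found == saved)
        return 0;
    ssp_format_report(fctn, srcfile, (void *)found);
    return 1;
}

int main(void)
{
    /* Constructed frame: the planted canary has been overwritten with 0xdeadbeef. */
    if (ssp_check_canary(0x7f3a00ff, 0xdeadbeef, "vuln", "vuln.c"))
        puts(ssp_last_report);
    return 0;
}
```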