Stack smash protection: Automated (de)bugging?

John Richard Moser nigelenki at comcast.net
Tue Jul 11 03:57:09 UTC 2006



I posted a bug on GCC's bugzilla but it's hard to convince the
developers to do anything special, so I am looking to see if there's any
support for this idea.  The bug is:

http://gcc.gnu.org/bugzilla/show_bug.cgi?id=28328

The basic idea is that in the original ProPolice, a fair amount of
debugging data was spit out at a stack smash.  This included the source
file and function that the buffer that was smashed was created in.  This
is highly useful; it points almost directly at the bug, no debugging needed.

Currently gcc's __stack_chk_fail() takes no arguments.  To get this
information, we need to pass it to the stack smash handler.  Modifying
__stack_chk_fail() distro-side makes our distro incompatible with
generic stack-smash-protected binaries; while adding a new handler and
modifying the output of gcc makes our binaries incompatible with other
distros.  Because of this, we *need* an upstream-supported handler.

I have proposed a __stack_chk_fail2() that takes the file, function, and
the value of the canary as debugging data.  Passing this data to
__stack_chk_fail2() would be safe and have impact only on size of output
(by a few bytes) and execution speed of the stack smash handler (which
only matters when the program is terminating due to a stack smash).

Interestingly, with a gcc that passes the needed information, upstream
can step back and leave this problem alone.  It doesn't matter if the
information is printed, ignored, or whatever; we can modify the handler
distro-side and keep the same interface to do interesting things.

The interesting things I WANT the modified handler and code generator
for are:

 * Automatically log stack smashing.  This can be done now, as far as
   "stack smash in /usr/bin/xmms"; but I want "stack smash in
   /usr/bin/xmms foo.c:bar() (Damage: 0xdeadbeef)"

 * Alert the user at first stack smash, asking if he would like a stack
   smash detecting daemon to automatically send stack smash logs to
   Ubuntu.  This would pass enough information to Ubuntu (and then to
   upstream) to quickly find and fix highly obscure problems.

My line of thought is that sometimes bugs appear that satisfy one or
more of the following conditions:

 * The bugs are obscure, and only occur in very rare cases.

 * The bugs are hard to reproduce.

 * The bugs look like any normal crash and are typically ignored.

Thus, one or more of the following situations occurs:

 * The end user ignores the bug, because it only happens once to every
   millionth user.

 * The developer can't reproduce the bug, and it's back-burnered for
   months or years.

 * The end user can't reproduce the bug, and the developer doesn't even
   try for lack of useful info.

In Windows there were exploits that never caused problems in the real
world.  The one Blaster used existed in WinNT4SP3 all the way through
WinXPSP1, because nobody noticed it.  If it caused a single crash ever,
that was probably the only crash it ever caught.

If we can opportunistically collect data about stack smashes, then the
first single crash they cause, no matter whether the bug is an attack or
just a stroke of really bad luck, no matter if the bug never manifests
again for 5 years, will expose the bug in great detail.  If we can alert
the user or even get them to agree (alert the first time, ASK them to
allow this to happen automatically) to automatically pass this data
back, we can quickly find and fix even the most obscure, hard to
reproduce vulnerabilities without bugging the user at all.

I may be really reaching here, but I think I may not be the only one who
would like this.  Does anyone else have any thoughts?  Good, bad,
flames, praise, support, comments on the gcc bugzilla, whatever.

-- 
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.

    Creative brains are a valuable, limited resource. They shouldn't be
    wasted on re-inventing the wheel when there are so many fascinating
    new problems waiting out there.
                                                 -- Eric Steven Raymond

    We will enslave their women, eat their children and rape their
    cattle!
                  -- Bosc, Evil alien overlord from the fifth dimension
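Added example, not from the post or from gcc, sketching the proposed __stack_chk_fail2() interface: a handler that formats the report line the post asks for, plus a stand-in for the compiler's epilogue canary check that calls it on mismatch. The handler name, argument order, the fixed program path and the reading of "Damage" as the value that overwrote the canary are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Added example, not from the post or from gcc: a sketch of what the
 * proposed __stack_chk_fail2(file, function, canary) handler could do.
 * Names, argument order and report format are assumptions; gcc's real
 * handler is __stack_chk_fail(void) and receives nothing. */

/* Where the hypothetical handler leaves its report; a real one would
 * write to syslog and then abort(). */
static char last_report[256];

/* Builds the line the post asks for, e.g.
 * "stack smash in /usr/bin/xmms foo.c:bar() (Damage: 0xdeadbeef)".
 * "Damage" is taken to be the value that overwrote the canary. */
int format_smash_report(const char *prog, const char *file, const char *func,
                        uintptr_t canary, char *out, size_t n)
{
    return snprintf(out, n, "stack smash in %s %s:%s() (Damage: 0x%lx)",
                    prog, file, func, (unsigned long)canary);
}

/* Hypothetical handler called in place of __stack_chk_fail(); the program
 * path is fixed here for illustration. */
void stack_chk_fail2_demo(const char *file, const char *func, uintptr_t canary)
{
    format_smash_report("/usr/bin/xmms", file, func, canary,
                        last_report, sizeof last_report);
}

/* Stand-in for the epilogue check gcc emits: compare the canary saved in
 * the prologue with the one now on the stack; on mismatch hand the
 * debugging data to the handler. Returns 1 if a smash was detected. */
int check_canary(uintptr_t saved, uintptr_t current,
                 const char *file, const char *func)
{
    if (saved == current)
        return 0;
    stack_chk_fail2_demo(file, func, current);
    return 1;
}

const char *last_smash_report(void) { return last_report; }
int main(void)
{   /* Constructed values: canary 0x1234 overwritten by 0xdeadbeef. */
    if (check_canary(0x1234u, 0xdeadbeefu, "foo.c", "bar"))
        puts(last_smash_report());
    return 0;
}
```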




More information about the ubuntu-users mailing list