cvs commit: src/contrib/gcc protector.c protector.h Makefile.in calls.c combine.c cse.c explow.c expr.c flags.h function.c gcse.c integrate.c libgcc2.c loop.c optabs.c reload1.c toplev.c src/gnu/usr.bin/cc/cc_int Makefile
Matthew Dillon
dillon at apollo.backplane.com
Thu Dec 11 10:08:21 PST 2003
:-On [20031211 09:52], Matthew Dillon (dillon at xxxxxxxxxxxxxxxxxxxx) wrote:
:> huh? I don't think I understood a single word of this posting (!) :-)
:
:As far as I understand it:
:
:With Propolice you only disable smashing the stack. What Propolice and
:StackGuard and similar protections do is add a 'canary' (informer/decoy)
:value just before the return addresses on the run-time stack. Propolice
:and StackGuard add additional code in your binary which then checks if
:the canary value is present or not. If it is not a buffer overflow has
:occurred.
:
:Thing is that SEBP or SEIP still is available before or after the canary
:value. You can place shellcode on the heap and just jump there.
:
:Hence OpenBSD also implemented W^X (Write XOR eXecutable). This also
:makes sure that memory get fine-grained permissions. Which thus limits
:executing in the stack and heap.
:
:This is at least my understanding, I could of course be way off with my
:interpretation.
:
:--
:Jeroen Ruigrok van der Werven <asmodai(at)wxs.nl> / asmodai / kita no mono
I still have no idea what SEBP or SEIP means.
In any case, the propolice code also reorders local pointer declarations
so they occur before the buffer rather than after. It's not sure-fire
because it is possible that an earlier stack frame will contain
function pointer information that a later subroutine call uses,
prior to the return check, but it does cover 90% of the cases. What
this means is that even though you can temporarily overwrite the stack,
it is unlikely that you would be able to overwrite anything that the
code would call through or return through prior to the guard check.
And since the guard value is 'random' the hacker code cannot reliably
'fake' it.
I don't know who comes up with these names. W^X? IA32 does not support
fine-grained permissions, the only way to make the stack non-executable
is to modify the SS segment register and while this does work, it creates
severe restrictions on how threaded programs can operate.
-Matt
Matthew Dillon
<dillon at xxxxxxxxxxxxx>
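The canary check and the local-variable reordering discussed above, as an added example that is not code from ProPolice, from the cvs commit, or from either poster. A stack frame is modelled as a C struct so the two layouts can be compared without corrupting the real stack; the field names, the guard value and the junk payload are constructed for illustration.

```c
/* Added example for this thread, not code from ProPolice or from the
 * original message: a stack frame modelled as a struct so that the canary
 * check and ProPolice's reordering of pointer locals can be observed
 * without touching the real stack. Layouts, field names and the canary
 * value are constructed for illustration; the overflow payload is junk. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed guard value. A real implementation draws it at startup. */
#define CANARY 0xC0FFEE42u

/* Result bits returned by run_naive()/run_protected(). */
enum { CANARY_INTACT = 1, CALLBACK_INTACT = 2, SAVED_RET_INTACT = 4 };

/* Layout without reordering: the buffer is followed by a pointer local,
 * so an overflow overwrites the pointer before it reaches the canary. */
struct naive_frame {
    char      buf[8];
    void    (*callback)(void);   /* local function pointer */
    uint32_t  canary;            /* guard placed before the saved return */
    uintptr_t saved_ret;         /* stands in for the saved return address */
};

/* ProPolice layout: pointer locals are moved below the buffer, so an
 * overflow can only run into the canary and the saved return address. */
struct protected_frame {
    void    (*callback)(void);
    char      buf[8];
    uint32_t  canary;
    uintptr_t saved_ret;
};

static void good_callback(void) {}

/* The check emitted before a protected function returns. */
static int canary_intact(uint32_t canary) { return canary == CANARY; }

/* Copy `len` junk bytes into the frame starting at the buffer offset: the
 * unchecked copy that constitutes the overflow. Clamped to the struct so
 * the model itself never writes out of bounds. */
static void smash(void *frame, size_t frame_size, size_t buf_off, size_t len)
{
    char junk[64];
    if (len > sizeof junk) len = sizeof junk;
    if (len > frame_size - buf_off) len = frame_size - buf_off;
    memset(junk, 'A', len);
    memcpy((char *)frame + buf_off, junk, len);
}

/* Overrun the 8-byte buffer by one pointer plus one canary. */
#define OVERRUN (8 + sizeof(void *) + sizeof(uint32_t))

int run_naive(void)
{
    struct naive_frame f = { {0}, good_callback, CANARY, 0xDEADBEEF };
    smash(&f, sizeof f, offsetof(struct naive_frame, buf), OVERRUN);
    return (canary_intact(f.canary) ? CANARY_INTACT : 0)
         | (f.callback == good_callback ? CALLBACK_INTACT : 0)
         | (f.saved_ret == 0xDEADBEEF ? SAVED_RET_INTACT : 0);
}

int run_protected(void)
{
    struct protected_frame f = { good_callback, {0}, CANARY, 0xDEADBEEF };
    smash(&f, sizeof f, offsetof(struct protected_frame, buf), OVERRUN);
    return (canary_intact(f.canary) ? CANARY_INTACT : 0)
         | (f.callback == good_callback ? CALLBACK_INTACT : 0)
         | (f.saved_ret == 0xDEADBEEF ? SAVED_RET_INTACT : 0);
}

int main(void)
{
    int n = run_naive(), p = run_protected();
    printf("naive:     canary %s, callback %s\n",
           n & CANARY_INTACT ? "intact" : "smashed",
           n & CALLBACK_INTACT ? "intact" : "hijacked before the check");
    printf("protected: canary %s, callback %s\n",
           p & CANARY_INTACT ? "intact" : "smashed",
           p & CALLBACK_INTACT ? "intact" : "hijacked before the check");
    return 0;
}
```

In both layouts the guard is destroyed, so the check at function return would fire. The difference is what happens before that point: with the naive layout the local function pointer is already overwritten, so any call made through it before the return check goes to corrupted memory, which is exactly the gap Matt describes; with the pointer moved below the buffer, the overflow reaches only the canary and the saved return, and the check catches it before either is used.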