Stack Frame Protection
Transcript

  • 1. Stack Frame Protection with LD_PRELOAD
    @auth: pancake
    @place: FIST
    @date: 20040507
  • 2. Outline
    ● Buffer overflows and stack basics
    ● Protection methods
    ● Target on preload
    ● LibSFP (my testing library)
    ● Internal work
    ● A few code examples
    ● Links and EOF
  • 3. Buffer overflow basics
    ● A primary cause of insecurity.
    ● Every function call runs inside its own stack frame.
    ● The stack frame holds the function's local variables, the saved frame pointer and the return address; a buffer that overflows overwrites whatever sits above it in the frame, up to and including the return address.
    ● Programmers must focus on writing secure code, not just on external protection.
  • 4. Protection methods
    ● Development stage:
      – Patches to GCC that use canary-based methods to check stack frame integrity before a function returns (StackGuard, linked at the end).
      – Use lint-style checkers to remove insecure function calls.
    ● Runtime:
      – ptrace-based protection: about 3x slower, but the most thorough.
      – Library-based protection: faster, but catches only the basic bugs.
  • 5. Preload method
    ● ld.so loads an extra library into every dynamically linked process, named either per process in LD_PRELOAD or system-wide in /etc/ld.so.preload.
    ● The library defines the most bug-prone libc symbols (strcpy, memcpy, strlen, ...) itself; because the preloaded library is searched before libc, the program's calls bind to the checked replacements.
    ● Some libraries already do this:
      – Libsafe: bounds-checked libc string functions.
      – Libformat: format string checking.
    ● Main problem: non-portable (it depends on the dynamic loader and on the stack layout of each architecture and compiler). It also covers only calls that go through the dynamic symbol table: a strcpy the compiler inlined as a builtin never reaches the replacement.
  • 6. LibSFP
    ● I decided to write a libformat/libsafe replacement.
    ● Targets:
      – UNIX portability (GNU, *BSD, ...)
      – Architecture portability (endianness, stack layout)
      – Open, active development. It's GPL'd.
    ● Actually its development is stopped, but I'll be happy to receive contributions and follow the project.
  • 7. Internal work
    ● Basically it is a library that overrides each protected symbol.
    ● Walks up through the stack frames until it finds the one that owns the destination buffer.
    ● Measures the size of that stack frame (the distance from the buffer to the saved return address) and limits the call to that size. This keeps the return address intact; other locals that sit between the buffer and the frame boundary are not covered by a frame-size bound.
    ● The library can be configured at runtime:
      – Offset: change the overflow margin.
      – Action: alert, ignore, force a core dump, ...
  • 8. Internal work
    ● There are three kinds of variables:
      – Local: stored in the stack frame (easy to protect).
      – Global: stored in the data/BSS segment, not on the stack (difficult to know their limits).
      – Malloc'd: stored on the heap behind a chunk header (the assigned size can be read from the chunk header).
    ● Malloc technique:
      – LibSFP stores a magic value in the chunk header to tell chunked memory from global variables.
      – Chunks are memory-aligned, so the size recorded by the allocator is rounded up: it is an upper bound, not the exact requested length.
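The preload replacement of slide 5 and the frame walk of slide 7, as an added example written for this page (it is not LibSFP's code, which was never released). The function and variable names, the SFP_ACTION / SFP_MARGIN environment variables and the default margin of 16 bytes are this example's own assumptions. It needs frame pointers in both the library and the protected program, which is exactly the portability limit the slides mention.

```c
/* Added example (not LibSFP's code): strcpy() interposer with a frame-walk bound.
 * Preload library: gcc -shared -fPIC -fno-omit-frame-pointer -DSFP_PRELOAD -o libsfp.so sfp.c
 *                  LD_PRELOAD=./libsfp.so ./victim   (victim built with -fno-omit-frame-pointer)
 * Stand-alone demo: gcc -fno-omit-frame-pointer -o sfp sfp.c && ./sfp */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SFP_UNKNOWN    SIZE_MAX   /* no frame record found above the destination */
#define SFP_MAX_FRAMES 64         /* how far up the chain the walk may go */
#define SFP_MAX_FRAME  (1u << 20) /* a saved FP further away than this is treated as garbage */

enum sfp_action { SFP_ACT_ALERT, SFP_ACT_IGNORE, SFP_ACT_CORE };
static enum sfp_action sfp_action = SFP_ACT_ALERT;
static size_t sfp_margin = 16;    /* bytes kept clear below the frame record (room for a canary) */

/* Runtime configuration; the variable names SFP_ACTION and SFP_MARGIN are this example's own. */
static void __attribute__((constructor)) sfp_init(void) {
    const char *a = getenv("SFP_ACTION"), *m = getenv("SFP_MARGIN");
    if (a && !strcmp(a, "ignore")) sfp_action = SFP_ACT_IGNORE;
    if (a && !strcmp(a, "core"))   sfp_action = SFP_ACT_CORE;
    if (m) sfp_margin = strtoul(m, NULL, 10);
}

/* Walk the saved-frame-pointer chain upwards from our own frame and return the
 * distance from dst to the lowest frame record (saved FP + return address) above
 * it: that is how many bytes fit before a return address gets clobbered. Looking
 * for the lowest record above dst works whether the record sits above the locals
 * (x86-64, clang/AArch64) or below them (GCC/AArch64). Needs frame pointers; an
 * implausible saved FP ends the walk with SFP_UNKNOWN instead of chasing garbage. */
__attribute__((noinline)) size_t sfp_stack_bound(const void *dst) {
    uintptr_t target = (uintptr_t)dst;
    void **fp = __builtin_frame_address(0);
    if (target < (uintptr_t)fp) return SFP_UNKNOWN;   /* below our frame: heap or static data */
    for (int depth = 0; depth < SFP_MAX_FRAMES; depth++) {
        uintptr_t here = (uintptr_t)fp, next = (uintptr_t)*fp;
        if (here > target) return here - target;
        if (next <= here || next - here > SFP_MAX_FRAME || next % (2 * sizeof(void *)))
            break;
        fp = (void **)next;
    }
    return SFP_UNKNOWN;
}

/* Bounded strcpy: copy when src fits below the next return address (or no bound is
 * known), otherwise apply the configured action. Other locals between dst and the
 * frame record are not protected; that is the limit of a frame-size bound. */
char *sfp_strcpy(char *dst, const char *src) {
    size_t need = strlen(src) + 1, bound = sfp_stack_bound(dst);
    if (bound == SFP_UNKNOWN || need + sfp_margin <= bound) {
        memcpy(dst, src, need);
        return dst;
    }
    fprintf(stderr, "sfp: strcpy of %zu bytes, only %zu before the frame record\n", need, bound);
    if (sfp_action == SFP_ACT_CORE) abort();
    if (sfp_action == SFP_ACT_IGNORE) { memcpy(dst, src, need); return dst; }
    size_t room = bound > sfp_margin ? bound - sfp_margin : 0;   /* alert: truncate */
    if (room) { memcpy(dst, src, room - 1); dst[room - 1] = '\0'; }
    return dst;
}

#ifdef SFP_PRELOAD
/* Exported under the libc name so ld.so binds the program's strcpy calls here.
 * Only calls that go through the PLT are caught; a strcpy the compiler inlined
 * as a builtin never reaches this function. */
char *strcpy(char *dst, const char *src) { return sfp_strcpy(dst, src); }
#endif

/* Demo: copy n 'A's into a 64-byte stack buffer; returns how many bytes landed. */
static char demo_src[4097];
__attribute__((noinline)) size_t stack_demo(size_t n) {
    char buf[64];
    if (n >= sizeof demo_src) n = sizeof demo_src - 1;
    memset(demo_src, 'A', n);
    demo_src[n] = '\0';
    sfp_strcpy(buf, demo_src);
    return strlen(buf);
}

/* Room sfp_stack_bound sees for a 64-byte local: at least 64 when the walk succeeds. */
__attribute__((noinline)) size_t probe_bound(void) {
    char buf[64] = "probe";
    return sfp_stack_bound(buf);
}

int main(void) {
    printf("8-byte string: %zu bytes landed\n", stack_demo(8));
    printf("4096-byte string: %zu bytes landed (truncated; see stderr)\n", stack_demo(4096));
    return 0;
}
```

With frame pointers present, the 4096-byte copy is cut off a margin below the saved frame pointer, so the return address of stack_demo survives; built without frame pointers the walk gives up, the copy goes through unchecked and the demo crashes, which is the non-portability the slides warn about.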
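The chunk-header idea above, as an added example written for this page rather than LibSFP's own code: instead of reading the allocator's chunk header (whose size field is rounded to the allocator's alignment), a wrapper allocator puts its own 16-byte header with a magic value and the exact requested size in front of each allocation, and a bounded memcpy uses it. The function names, the magic value and the env-free configuration are this example's assumptions.

```c
/* Added example (not LibSFP's code): tagging heap chunks with a magic value so a
 * bounded memcpy() can find the size of a malloc'd destination and leave
 * everything else (globals, stack buffers) alone. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SFP_UNKNOWN     SIZE_MAX
#define SFP_CHUNK_MAGIC 0x5346504Du   /* "SFPM": marks a chunk this allocator handed out */

/* Header placed in front of every allocation. 16 bytes keeps the user pointer
 * 16-byte aligned. The allocator's own chunk size is rounded up, so the exact
 * request is recorded here instead of being read back from malloc's header. */
struct sfp_chunk {
    size_t   size;
    uint32_t magic;
    uint32_t reserved;
};

void *sfp_malloc(size_t n) {
    struct sfp_chunk *c = malloc(sizeof *c + n);
    if (!c) return NULL;
    c->size = n;
    c->magic = SFP_CHUNK_MAGIC;
    c->reserved = 0;
    return c + 1;
}

void sfp_free(void *p) {
    if (!p) return;
    struct sfp_chunk *c = (struct sfp_chunk *)p - 1;
    c->magic = 0;        /* a freed chunk must not pass the check again */
    free(c);
}

/* Bytes available at p, or SFP_UNKNOWN if p carries no header (global, stack,
 * another allocator, or a pointer into the middle of a chunk). Like the slide's
 * magic-value check this peeks at the 16 bytes before p, which would fault if p
 * sat at the very start of a mapping; a production version must guard that. */
size_t sfp_heap_bound(const void *p) {
    const struct sfp_chunk *c = (const struct sfp_chunk *)p - 1;
    return c->magic == SFP_CHUNK_MAGIC ? c->size : SFP_UNKNOWN;
}

/* Bounded memcpy: copies at most the chunk size and returns the bytes copied. */
size_t sfp_memcpy(void *dst, const void *src, size_t n) {
    size_t bound = sfp_heap_bound(dst);
    if (bound != SFP_UNKNOWN && n > bound) {
        fprintf(stderr, "sfp: memcpy of %zu bytes into a %zu-byte chunk, truncated\n", n, bound);
        n = bound;
    }
    memcpy(dst, src, n);
    return n;
}

/* Allocate a chunk of `chunk` bytes and copy `copy` bytes of 'A' into it;
 * returns the number of bytes that were actually written. */
size_t heap_demo(size_t chunk, size_t copy) {
    char *src = malloc(copy ? copy : 1);
    char *p = sfp_malloc(chunk);
    if (!src || !p) { free(src); sfp_free(p); return SFP_UNKNOWN; }
    memset(src, 'A', copy);
    size_t n = sfp_memcpy(p, src, copy);
    sfp_free(p);
    free(src);
    return n;
}

/* A global destination: no header, so no bound. The guard keeps the header
 * probe inside our own object. */
static struct { char guard[16]; char data[32]; char spare[32]; } g_dest;
size_t global_bound(void) { return sfp_heap_bound(g_dest.data); }

int main(void) {
    printf("64 bytes into a 20-byte chunk: %zu copied (see stderr)\n", heap_demo(20, 64));
    printf("5 bytes into a 20-byte chunk: %zu copied\n", heap_demo(20, 5));
    printf("global destination: bound %s\n",
           global_bound() == SFP_UNKNOWN ? "unknown (no chunk header)" : "known");
    return 0;
}
```

A real preload library would export malloc/free under their libc names so that every allocation in the process gets the header; here the wrapper names are kept separate so the example runs as an ordinary program.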
  • 10. A few examples
    Now it's time to go to the terminal and show some examples...
  • 11. Links and EOF
    ● Libsafe: http://www.research.avayalabs.com/project/libsafe/
    ● Immunix GCC StackGuard: http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
    ● Libsfp isn't released yet, but if I receive interest I will probably upload it to:
      – http://www.nopcode.org/
      – http://pancake.host.sk/altres/src/
  • 12. EOF [questions, tips, apologies...]
