Stack Frame Protection


  1. Stack Frame Protection with LD_PRELOAD
     @auth: pancake
     @place: FIST
     @date: 20040507
  2. Outlook
     ● Buffer overflows and stack basics;
     ● Protection methods;
     ● Focus on preload;
     ● LibSFP {aka my testing lib};
     ● Internal work;
     ● Few code examples;
     ● Links and EOF;
  3. Buffer overflows basics
     ● The first cause of insecurity;
     ● Every function is enclosed in a stack frame.
     ● The stack frame saves information about local variables and the return pointer.
     ● Programmers must focus on secure code, not just external security.
  4. Protection methods
     ● Development stage.
       – Patches to GCC that use canary-based methods to ensure the SF integrity.
       – Use lint to clean insecure function calls.
     ● Runtime
       – Ptrace-based security. 3x slower, but the most secure.
       – Library-based security. Faster and protects against most basic bugs.
  5. Preload method
     ● Dynamic loading of a library with LD_PRELOAD or ld.so.conf by ld.so;
     ● Replacement of the most buggy function symbols by secure ones (strcpy, memcpy, strlen, ...);
     ● Some libraries already do this:
       – Libsafe – secure libc functions.
       – Libformat – secure format strings.
     ● Main problem: non-portable.
  6. LibSFP
     ● I decided to write a libformat/libsafe replacement.
     ● Targets:
       – UNIX-OSes portability (GNU, *BSD, ...)
       – Architecture portability (endian, stack)
       – Open, active development. It's GPL'd.
     ● Actually, its development is stopped. But I'll be happy to receive contributions and follow the project.
  7. Internal work
     ● Basically it's a library that rewrites every symbol.
     ● Walks through all stack frame layers until it finds the current one.
     ● Measures the current SF size and limits calls to this size.
     ● The library can be configured at runtime
       – Offset: Change overflow margins.
       – Action: alert, ignore, force CoreDump...
  8. Internal work
     ● There are 3 kinds of variables:
       – Local – stored in the stack frame. (easy to protect).
       – Global – stored in Heap. (difficult to know the limits).
       – Malloc – stored in Heap space with chunk header information. (the assigned space limits could be read from chunk headers).
     ● Malloc techniques:
       – LibSFP stores a magic value into the chunk header to separate global variables from chunked ones.
       – Chunks are memory-aligned, which means that the size isn't exact.
  10. Few examples
      Now it's time to go to the terminal and show some examples...
  11. Links and EOF
      ● Libsafe
        – http://www.research.avayalabs.com/project/libsafe/
      ● Immunix Gcc StackGuard
        – http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
      ● LibSFP isn't released yet, but if I receive interest I will probably upload it to:
        – http://www.nopcode.org/
        – http://pancake.host.sk/altres/src/
  12. EOF [questions, tips, apologies..]
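
The frame walk described on the "Internal work" slide, as an added example (not LibSFP's code, which the slides do not show): a checked strcpy walks the saved frame pointers to the frame that owns the destination and refuses a copy that would run past it. The `sfp_*` names, the depth and frame-size bounds and the sample buffers are assumptions; it assumes GCC or Clang, a downward-growing stack with an x86-style frame layout, and code built with frame pointers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The walk needs saved frame pointers (Clang: -fno-omit-frame-pointer or -O0). */
#pragma GCC optimize("no-omit-frame-pointer")
#define SFP_MAX_FRAME (1u << 20)   /* assumed sanity bound between two frames */

/* Follow the saved frame pointers from this frame towards main() until one
 * lies above dst. Returns the bytes from dst up to that saved frame pointer,
 * or 0 when dst is not a caller's local or the chain looks broken. */
__attribute__((noinline)) size_t sfp_frame_limit(const void *dst)
{
    uintptr_t d = (uintptr_t)dst;
    uintptr_t fp = (uintptr_t)__builtin_frame_address(0);
    if (d < fp) return 0;              /* heap or globals: assumed below the stack */
    for (int depth = 0; depth < 64; depth++) {      /* assumed depth cap */
        uintptr_t next = *(uintptr_t *)fp;          /* caller's frame pointer */
        if (next <= fp || next - fp > SFP_MAX_FRAME || next % sizeof(void *))
            return 0;
        if (next > d) return next - d; /* room before the saved frame pointer */
        fp = next;
    }
    return 0;
}

/* strcpy replacement; the configured action here is "alert and refuse". */
__attribute__((noinline)) char *sfp_strcpy(char *dst, const char *src)
{
    size_t need = strlen(src) + 1, limit = sfp_frame_limit(dst);
    if (limit != 0 && need > limit) {
        fprintf(stderr, "sfp: strcpy needs %zu bytes, frame allows %zu\n", need, limit);
        return NULL;
    }
    return strcpy(dst, src);
}

/* Constructed demo: 1 if a short copy works and an oversized one is refused. */
__attribute__((noinline)) int sfp_demo(size_t *limit)
{
    static char big[4096];             /* constructed oversized input */
    char buf[16];
    memset(big, 'A', sizeof big - 1);
    *limit = sfp_frame_limit(buf);
    if (*limit == 0 || !sfp_strcpy(buf, "hello") || strcmp(buf, "hello") != 0)
        return 0;                      /* no frame info: do not risk the overflow */
    return sfp_strcpy(buf, big) == NULL;
}
int main(void) { size_t limit; return !sfp_demo(&limit); }
```

The limit stops at the saved frame pointer, so the saved frame pointer and return address are covered but neighbouring locals in the same frame are not. In a preload build the wrapper would be exported as `strcpy` from a shared object and reach the real function through `dlsym(RTLD_NEXT, "strcpy")`.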
