vendicatorat_private wrote:

> > Perhaps I don't see your point. How is this more secure
> > than StackGuard?
>
> StackGuard protection system has an extremely grave bug
> with the terminator and null canaries. In certain circumstances
> (not rare) this bug can be exploited, preventing StackGuard from
> detecting stack corruption. I'm not the author of this exploit
> however, so I will not post it without his authorization.

So to refine your claim, this means that you believe StackShield is more
secure than the terminator version of StackGuard. I see no way in which it
is more secure than the random version. We have a new release of the
StackGuard compiler that fully supports random canaries even for shared
libraries. Release is imminent, pending completion of the web site &
documentation.

To be fair, once you fix StackShield's response to a detected stack smash,
I know of no way in which StackGuard is more secure than StackShield. At
that point it comes down to the practical issues I mentioned.

Addressing the vulnerability of the terminator version: we hypothesized
that the terminator StackGuard defense could be exploited if you could
find a vulnerable buffer that lets you overflow the buffer multiple times
before the affected function returns. Here's a straw-man example of
vulnerable code:

    #include <stdio.h>

    void foo(void) {
        char mybuf[25];
        do {
            gets(mybuf);          /* unbounded read into a 25-byte buffer */
        } while (!ok(mybuf));     /* the loop lets the overflow repeat */
    }

If you find code like this, then you can "laminate" a terminator canary in
place after perpetrating the overflow to change the return address in the
activation record. There are problems with this, though:

  * the string function (in this case, gets()) must use the low-order
    symbol in the Terminator Canary as a termination symbol
  * you have to get your alignment *exactly* right
  * you have to find code of this form. It's not impossible, but it is
    relatively rare.

I'd be very interested in posted examples of code of this form (or any
other form claimed to be vulnerable) found in production programs.

Presumably you can point to the vulnerable code without violating the
ownership on your friend's exploit?

> Stack Shield provides a front end for GCC and G++ to
> automatize the compilation. So you just have to replace each
> occurrence of "gcc" or "g++" with "shieldgcc" or "shieldg++"
> respectively. Also in future versions a front end for make will be added.

You will find in practice that this is not sufficient to re-build large
volumes of SRPMs with your tool. You have to have a program that is called
"cc" and behaves exactly like "cc", or else some packages will weasel
their way around your protecting compiler.

Crispin
-----
Crispin Cowan, Research Assistant Professor of Computer Science, OGI
  NEW:  Protect Your Linux Host with StackGuard'd Programs  :FREE
        http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
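As an added illustration of the terminator-canary mechanics discussed in the thread (example code written for this page, not from StackGuard, StackShield or either poster): a byte-array model of foo()'s frame with an unbounded gets() stand-in, showing why a single line of input cannot reach the saved return address while leaving a terminator canary intact, because the LF byte inside the canary ends the line first. The canary bytes, frame layout and return-address stand-in are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Frame model mirrors foo(): [25-byte mybuf][4-byte canary][4-byte return address],
 * plus slack so the simulation itself stays in bounds when mybuf is overrun. */
#define BUF_LEN    25
#define CANARY_OFF BUF_LEN
#define RET_OFF    (BUF_LEN + 4)
#define FRAME_LEN  (BUF_LEN + 8 + 16)

/* Assumed terminator canary bytes (NUL, CR, LF, EOF) in memory order: a constructed
 * value for this example, not necessarily StackGuard's exact constant or ordering. */
static const uint8_t TERMINATOR_CANARY[4] = {0x00, 0x0d, 0x0a, 0xff};
/* Stand-in for the saved return address so a clobber is observable. */
static const uint8_t SAVED_RET[4] = {0x11, 0x22, 0x33, 0x44};

/* gets(mybuf) as the straw-man calls it: copy raw bytes (NULs included) until a
 * newline or end of input, then NUL-terminate, with no regard for mybuf's size.
 * The FRAME_LEN cap only keeps this model memory-safe; real gets() has none. */
size_t unsafe_gets(uint8_t frame[FRAME_LEN], const uint8_t *line, size_t len) {
    size_t n = 0;
    while (n < len && n < FRAME_LEN - 1 && line[n] != '\n') {
        frame[n] = line[n];
        n++;
    }
    frame[n] = '\0';
    return n;
}

/* The epilogue check the compiler inserts: is the canary still what was planted? */
int canary_intact(const uint8_t frame[FRAME_LEN], const uint8_t canary[4]) {
    return memcmp(frame + CANARY_OFF, canary, 4) == 0;
}

/* Plant the canary, feed one line through the unbounded gets(), and report:
 * returns 1 if the canary check would fire; *ret_hit tells whether the saved
 * return address was reached. A changed return address with the canary still
 * intact would be the undetected smash the thread is about. */
int smash_detected(const uint8_t *line, size_t len, const uint8_t canary[4], int *ret_hit) {
    uint8_t frame[FRAME_LEN];
    memset(frame, 0, FRAME_LEN);
    memcpy(frame + CANARY_OFF, canary, 4);
    memcpy(frame + RET_OFF, SAVED_RET, 4);
    unsafe_gets(frame, line, len);
    if (ret_hit) *ret_hit = memcmp(frame + RET_OFF, SAVED_RET, 4) != 0;
    return !canary_intact(frame, canary);
}
```

A benign line leaves both canary and return address untouched; a long line that reaches the return address necessarily rewrites the canary and is detected; a line that carries the canary's own bytes is cut off at the LF, so the return address is never reached and the check still fires.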
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:02:04 PDT