Stack Guard and Stack Smashing Protection - canaries, memory

I have a few questions about stack protection and SSP. The first question is about Stack Guard and its three types of canaries, which, if I'm correct, are the terminator, random and random XOR.

  1. I would like to know how to disable Stack Guard on x86 Linux? I read somewhere that this is possible when compiling with gcc with the option '--disable-stackguard-randomization', just as '--enable-stackguard-randomization' enables it, but neither works. In case it matters, my gcc version is 4.8.2.

  2. The next question is about Stack Guard: once I can turn it on/off, how can I set which type of canary I want to use? From what I read, terminator canaries are used by default, and for random ones I have to compile with '--enable-stackguard-randomization', but what about random XOR? (Or with zero, 0x00000000)

  3. Now about SSP (ProPolice): I know that for a random canary I have to compile with '-fstack-protector-all', but what about the terminator, is it the default as in Stack Guard?

  4. The last one: can any of you tell me where I can find a random canary in my memory? For example, I have the following scenario: a C program compiled with, say, 'gcc -g example.c -o example -fstack-protector-all', that is, with random canaries. Suppose I can get the canary address after each execution. So suppose I have: Canary = 0x1ae3f900. From various papers I learn that the canary is in the .bss segment. So I get the address of the .bss segment with readelf: 'readelf -a ./example | grep bss'. This is 080456c9. In GDB I set some breakpoints to get the address of the canary, but when I examine the .bss address with 'x/20x 0x080456c9', all I see is 0x00000000 everywhere, and the canary is nowhere. In addition, I checked __stack_chk_fail to see if it is there, but with the same result, I do not see it there. I get the address of __stack_chk_fail from the PLT/GOT.

Thank you in advance for your reply and time.

+7
1 answer

Stack Smashing Protection (SSP) is an improvement over StackGuard. SSP was first implemented in gcc 4.1.

I would like to know how to disable Stack Guard on x86 Linux system?

-fno-stack-protector, SSP .

--disable-stackguard-randomization --enable-stackguard-randomization glibc.

/ , , , ?

, gcc. glibc 2.10, _dl_setup_stack_chk_guard. :

  if (dl_random == NULL)
    {
      ret.bytes[sizeof (ret) - 1] = 255;
      ret.bytes[sizeof (ret) - 2] = '\n';
    }
  else
    {
      memcpy (ret.bytes, dl_random, sizeof (ret));
      ret.num &= ~(uintptr_t) 0xff;
    }

dl_random AT_RANDOM, 16- , . , AT_RANDOM, dl_random == NULL , , 255 \n, . . AT_RANDOM , 7 AT_RANDOM. .

, , glibc.

@PeterCordes %%fs:0x28 (. ) main main.

SSP (ProPolice), , 'fstack-protector-all', ? Stack Guard ?

-fstack-protector SSP. , .

, - , , .

; readelf, . , , i386:

/* i386: the canary lives in thread-local storage at %gs:0x14,
 * the same slot the compiler-generated prologue copies onto the stack. */
int read_canary(void)
{
  int val = 0;
  __asm__("movl %%gs:0x14, %0;"
          : "=r"(val)
          :
          :);
  return val;
}

x86_64:

/* x86_64: the canary lives in thread-local storage at %fs:0x28. */
long read_canary(void)
{
  long val = 0;
  __asm__("movq %%fs:0x28, %0;"
          : "=r"(val)
          :
          :);
  return val;
}
+2
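As an added example (not part of the answer above), the following program ties the two halves of the answer together: it reads the live canary from the TLS slot via the same inline asm, and re-derives the value from the AT_RANDOM auxiliary vector the way the quoted _dl_setup_stack_chk_guard branch does (first sizeof(uintptr_t) bytes, low byte cleared). It assumes x86 Linux with glibc 2.16 or later (for getauxval); the function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/auxv.h>   /* getauxval(), AT_RANDOM: glibc >= 2.16 (assumed) */
/* Read the live canary from the TLS slot the compiler's prologue copies from:
 * %gs:0x14 on i386, %fs:0x28 on x86_64 (the same asm as in the answer). */
static uintptr_t read_tls_canary(void)
{
    uintptr_t val;
#if defined(__x86_64__)
    __asm__ volatile("movq %%fs:0x28, %0" : "=r"(val));
#elif defined(__i386__)
    __asm__ volatile("movl %%gs:0x14, %0" : "=r"(val));
#else
#error "this check only knows the x86 TLS canary slots"
#endif
    return val;
}

/* Redo the random branch of _dl_setup_stack_chk_guard in userland: the first
 * sizeof(uintptr_t) bytes of AT_RANDOM with the low byte cleared (0 if no AT_RANDOM). */
static uintptr_t canary_expected_from_auxv(void)
{
    const void *at_random = (const void *)getauxval(AT_RANDOM);
    uintptr_t ret = 0;
    if (at_random == NULL)
        return 0;
    memcpy(&ret, at_random, sizeof ret);
    return ret & ~(uintptr_t)0xff;
}

/* 1 if the TLS canary equals the value derived from AT_RANDOM, else 0. */
int canary_matches_at_random(void)
{
    return read_tls_canary() == canary_expected_from_auxv();
}

/* 1 if the canary's low byte is 0x00: on little-endian x86 that is its first
 * byte in memory, which stops strcpy/strlen-style reads at the canary. */
int canary_low_byte_is_zero(void)
{
    uintptr_t c = read_tls_canary();
    return c != 0 && (c & 0xff) == 0;
}
int main(void)
{
    printf("canary in TLS:  %#lx\n", (unsigned long)read_tls_canary());
    printf("from AT_RANDOM: %#lx\n", (unsigned long)canary_expected_from_auxv());
    printf("match=%d low_byte_zero=%d\n", canary_matches_at_random(), canary_low_byte_is_zero());
    return 0;
}
```

Compile with plain `gcc canary_check.c -o canary_check`; the stack-protector flags do not matter here because the loader sets up the TLS canary regardless of whether the binary's own functions check it.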