Is there a way around SSP (Stack-Smashing Protection) / ProPolice?

After some research, I did not find a single article describing a method for this (even an unreliable one). SSP (Stack-Smashing Protection / ProPolice) protection seems to be

+6
3 answers

Canaries are a very good security measure against buffer overflows. Over the years, various canaries were broken and then made safer. The important thing is that even though this memory protection against buffer overflows has been broken before, it is still used in Vista, Windows 7, and Fedora 11 ...

It is very important to note that a canary only protects the function frame (which includes the all-important EIP!). Buffer overflows may occur in another memory segment, such as the heap, and the canary will not be affected. Moreover, an application can be exploited using buffer overflows without overwriting EIP. Controlling EIP is a very simple and easy way to turn a buffer overflow into a working exploit, which is why it is the most common exploitation method.

These exploitation methods, as well as others, are described in detail in Exploiting Software: How to Break Code.

+3

I'm more familiar with Microsoft GS stack protection, but the two approaches look similar.

The following Microsoft blog post shows one example where an attacker can take control even when stack cookies are used (the first example should be applicable to non-Windows systems):


This blog post talks about some of the upcoming stack protection improvements:

+1

If the application has an array/buffer on the stack and uses an attacker-controlled index value without bounds checks, then the attacker can access arbitrary memory locations, and the stack protection cannot prevent or detect it.

0
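The last answer's point, and the first answer's remark that a canary only guards the function frame, can be seen in a few lines of C. This is an added example written for this page, not code from the thread; the helper names checked_store(), unchecked_store() and apply_requests() and the request data are assumptions constructed for the illustration. The canary is a value placed between the local buffer and the saved return address and compared only when the function returns, so a single store through an unchecked index can land outside the buffer without ever modifying the canary. The defence that actually closes this pattern is a bounds check on the index before the write, which is what the checked helper does and what the caller counts and could log.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

#define BUF_LEN 16

/* Unchecked store (hypothetical helper): compiles and runs unchanged under
 * -fstack-protector. If idx lies beyond the canary, the write never touches
 * the canary, so the return-time check has nothing to detect. Shown only
 * for contrast with the checked version below. */
void unchecked_store(uint8_t *buf, size_t idx, uint8_t val)
{
    buf[idx] = val;               /* no bounds check: the canary cannot help */
}

/* Checked store (hypothetical helper): rejects any index outside the buffer
 * before writing. Returns true on success, false if the index was rejected. */
static bool checked_store(uint8_t *buf, size_t len, size_t idx, uint8_t val)
{
    if (idx >= len)
        return false;             /* refuse instead of writing out of bounds */
    buf[idx] = val;
    return true;
}

/* Applies n (index, value) requests to a stack buffer through the checked
 * helper and returns how many were rejected, so an out-of-range index from
 * untrusted input shows up as a countable, loggable event rather than a
 * silent write somewhere else in the frame. */
static size_t apply_requests(const size_t *idxs, const uint8_t *vals, size_t n,
                             uint8_t *out, size_t out_len)
{
    size_t rejected = 0;
    for (size_t i = 0; i < n; i++) {
        if (!checked_store(out, out_len, idxs[i], vals[i]))
            rejected++;
    }
    return rejected;
}

int main(void)
{
    uint8_t buf[BUF_LEN] = {0};   /* the on-stack array the answer refers to */
    /* Constructed input: two in-range writes and one index far past the end,
     * of the kind an untrusted index field in a request might carry. */
    const size_t idxs[] = {0, 15, 40};
    const uint8_t vals[] = {0x41, 0x42, 0x43};
    size_t rejected = apply_requests(idxs, vals, 3, buf, BUF_LEN);
    printf("rejected %zu of 3 writes; buf[0]=%#x buf[15]=%#x\n",
           rejected, buf[0], buf[15]);
    return 0;
}
```

Compiling this with -fstack-protector-all and replacing checked_store() with unchecked_store() in apply_requests() would not produce a canary abort for the index 40 request, which is exactly why the answer says stack protection neither prevents nor detects this class of bug; only the bounds check does.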
