The new compiler flag '-fstack-protector-strong' in Fedora 19's gcc achieves a better balance between security and performance (when compared against the default -fstack-protector and available -fstack-protector-all options). I am proposing to switch from using the '-fstack-protector' flag to '-fstack-protector-strong' in Fedora 20.
![]()
.I have enabled the -Wstack-protector warning when compiling the project I'm working on (a commercial multi-platform C game engine, compiling on Mac OS X 10.6 with GCC 4.2). This flag warns about functions that will not be protected against stack smashing even though -fstack-protector is enabled. GCC emits some warnings when building the project: not protecting function: no buffer at least 8 bytes long not protecting local variables: variable length buffer For the first warning, I found that it is possible to adjust the minimum size a buffer must have when used in a function, for this function to be protected against stack smashing: -param ssp-buffer-size=X can be used, where X is 8 by default and can be as low as 1. For the second warning, I can't suppress its occurrences unless I stop using -Wstack-protector. When should -fstack-protector be used? (as in, for instance, all the time during dev, or just when tracking bugs down?).
![]()
When should -fstack-protector-all be used?Stackguard: Byte-by-byte Attack Since each thread has the same canary value, we could try each byte. If the program doesn’t crash, it means the value is correct. 64bit canary: 64bit = 8 8bit Worst case: 8 28 = 2048 trails Average: 8 28/2 = 1024 trails DynaGuard: Renew after fork Upon fork is finished, renew the stack canary in stack and TLS. Use Fstack-protector-all (stack Canaries For Mac DownloadWhat is -Wstack-protector telling me? Is it suggesting that I decrease the buffer minimum size?
If so, are there any downsides to putting the size to 1? It appears that -Wstack-protector is not the kind of flag you want enabled at all times if you want a warning-free build. Is this right?Stack-protection is a hardening strategy, not a debugging strategy. If your game is network-aware or otherwise has data coming from an uncontrolled source, turn it on. If it doesn't have data coming from somewhere uncontrolled, don't turn it on. Here's how it plays out: If you have a bug and make a buffer change based on something an attacker can control, that attacker can overwrite the return address or similar portions of the stack to cause it to execute their code instead of your code. Stack protection will abort your program if it detects this happening.
Your users won't be happy, but they won't be hacked either. This isn't the sort of hacking that is about cheating in the game, it's the sort of hacking that is about someone using a vulnerability in your code to create an exploit that potentially infects your user.For debugging-oriented solutions, look at things like mudflap. As to your specific questions. Use stack protector if you get data from uncontrolled sources. The answer to this is probably yes. Even if you don't have data from uncontrolled sources, you probably will eventually or already do and don't realize it.Stack protections for all buffers can be used if you want extra protection in exchange for some performance hit. From: -fstack-protector Emit extra code to check for buffer overflows, such as stack smashing attacks.
This is done by adding a guard variable to functions with vulnerable objects. This includes functions that call alloca, and functions with buffers larger than 8 bytes.
The guards are initialized when a function is entered and then checked when the function exits. If a guard check fails, an error message is printed and the program exits.fstack-protector-all Like -fstack-protector except that all functions are protected.
The warnings tell you what buffers the stack protection can't protect.It is not necessarily suggesting you decrease your minimum buffer size, and at a size of 0/1, it is the same as stack-protector-all. It is only pointing it out to you so that you can, if you decide redesign the code so that buffer is protected.
No, those warnings don't represent issues, they just point out information to you. Don't use them regularly.
Debugging strategy for stack protection is possible and sometimes useful: (1) execute the binary compiled with stack protection and disable ASLR (address space layout randomization) in a debugger.(2) wait for a core. (3) the core will indicate the address of the stack canary that got clobbered. (4) re-run your binary in the debugger and set a hardware watch point on the address of the clobbered stack canary. (5) the debugger will stop when the memory located at culprit address is modified.– Jun 24 '16 at 17:27.GCC's stack protection is software-based, and isn't related to DEP's hardware-based protection.
When an OS enables DEP, all programs running on it (or some subset defined by the user) are automatically protected through hardware flags, regardless of any compiler flags used to build the binary. When the stack protection flags are enabled in GCC, it provides protection by placing additional guards and checks when a function is called or returns to ensure that the program aborts rather than violate its integrity. This increases the executable size slightly and causes the code to run slightly slower (take more CPU time). The loader nor the OS is aware of GCC's stack protection, nor does it need to be. As far as the OS is concerned, this is just normal executable code. Use Fstack-protector-all (stack Canaries For MacThe OS can provide DEP without stack protection enabled, and stack protection does not require DEP.
With DEP, if the IP (instruction pointer) lands outside of a CS (code segment), an exception is raised and the OS terminates the program.With GCC's stack protection, the stack is buffered with extra space that has certain values loaded, and checked to make sure that those buffered areas are not modified. If a function fails the guard check, the program is terminated to prevent further damage.@SFlow It's a kind of complicated subject, but basically there's an NX/XD (no execute/execute disable) bit that's loaded into the memory descriptor (which can be segments or pages), and then is loaded into the memory controller. There's a specific interrupt trap that the OS has to set up (loaded into GDT), which typically calls some interrupt that will eventually clean up the resources the app previously used. You'll want to start with the Intel Opcode manual, which is this huge PDF of internals. – May 3 '17 at 1:17.
![]() Comments are closed.
|
AuthorWrite something about yourself. No need to be fancy, just an overview. Archives
January 2023
Categories |