Smashing the Stack Protector for Fun and Profit
1996: Smashing The Stack for Fun and Profit (Aleph One, Phrack 49)
Overflow direction: toward higher addresses. Stack growth: toward lower addresses.
```c
#include <stdio.h>

/* Deliberately vulnerable (the 1996 textbook case): gets() has no bound, so
 * any line longer than 15 characters writes past buf toward the saved
 * return address. */
int main(int argc, char **argv)
{
    char buf[0x10];
    (void)argc;
    (void)argv;
    gets(buf);
    return 0;
}
```
Stack layout of main() (figure), from higher to lower addresses: argc/argv, saved return address, buf. The stack grows downward, while the overflow from buf runs upward into the saved return address.

Same layout with the stack protector (figure): a stack canary is placed between buf and the saved return address, so the overflow has to pass through the canary before it reaches the return address.
Function prologue: place the canary on the stack
Function epilogue: check canary integrity
```c
#include <stdlib.h>

/* One buffer of each storage class: these are the memory regions whose
 * distance to the reference canary the talk examines. */
int a(void)
{
    char loc[0x10];                 /* stack */
    static __thread char tls[0x10]; /* thread-local storage (__thread must be static inside a function) */
    static char sta[0x10];          /* static data */
    char *dyn = malloc(0x10);       /* heap */
    (void)loc;
    (void)tls;
    (void)sta;
    free(dyn);
    return 0;
}
```
Process memory map (figure), top to bottom: kernel, stack, reference canary inside TLS, heap, code / static data.

What decides whether an overflow in one region can reach the reference canary:
○ Distances: how many bytes lie between an overflowable buffer and the reference canary
○ Gaps / Permissions: whether an unmapped gap or a guard page (---p) separates them
Rating of a layout: ○ OK ✓ ○ Weak ✗ ○ Vulnerable ✗

Three layouts compared (figure), each with kernel, stack, reference canary / TLS, heap and code / static data in the same order:
OK ✓: two guard pages (---p) separate the regions around the reference canary
Weak ✗: a single guard page (---p), so the reference canary is reachable from one side
Vulnerable ✗: no guard page at all; stack, reference canary / TLS and heap are adjacent
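The comparison above asks two questions about a concrete process: how far is the reference canary from the buffers an attacker can overflow, and does a gap or guard page lie in between. The program below, added here and not part of the talk or its paper, measures both on the reader's own system. It assumes x86-64 Linux with glibc or musl, which both keep the reference canary in the thread control block at %fs:0x28 and the TCB's own address at %fs:0; it then reports the distance from a stack, TLS, static and heap buffer to that word and whether each buffer shares a single /proc/self/maps line with it. The buffer names, the helper names and the 16-byte sizes are the example's own; on other platforms the helpers report the guard as unavailable.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption: x86-64 Linux with glibc or musl, which both keep the reference
 * canary in the thread control block (TCB) at %fs:0x28 and the TCB's own
 * address at %fs:0. Elsewhere the helpers report the guard as unavailable. */
#if defined(__x86_64__) && defined(__linux__)
#define HAVE_FS_GUARD 1
#else
#define HAVE_FS_GUARD 0
#endif

int guard_available(void) { return HAVE_FS_GUARD; }

/* The value every -fstack-protector prologue copies into its frame. */
uintptr_t read_guard_value(void)
{
#if HAVE_FS_GUARD
    uintptr_t v;
    __asm__ volatile("mov %%fs:0x28, %0" : "=r"(v));
    return v;
#else
    return 0;
#endif
}

/* Where that reference copy lives: TCB base + 0x28. Overwriting this word
 * turns the epilogue check of every later frame into a comparison the
 * attacker controls. */
uintptr_t *guard_address(void)
{
#if HAVE_FS_GUARD
    uintptr_t tcb;
    __asm__ volatile("mov %%fs:0, %0" : "=r"(tcb));
    return (uintptr_t *)(tcb + 0x28);
#else
    return NULL;
#endif
}

static __thread char tls_buf[0x10];   /* the __thread buffer from the slide */
static char static_buf[0x10];         /* the static buffer from the slide */

char *tls_probe(void) { return tls_buf; }

/* Bytes a linear overflow starting at buf[len] must write before it reaches
 * the reference canary; negative when the canary lies below the buffer. */
long bytes_to_guard(const void *buf, size_t len)
{
    if (!guard_available()) return 0;
    return (long)((intptr_t)guard_address() - (intptr_t)((const char *)buf + len));
}

/* 1 if both addresses fall in the same /proc/self/maps line (no gap or guard
 * page between them), 0 if they do not, -1 if the map could not be read. */
int same_mapping(const void *a, const void *b)
{
    FILE *m = fopen("/proc/self/maps", "r");
    if (!m) return -1;
    char line[512];
    unsigned long lo, hi, x = (unsigned long)a, y = (unsigned long)b;
    int same = 0;
    while (fgets(line, sizeof line, m)) {
        if (sscanf(line, "%lx-%lx", &lo, &hi) != 2) continue;
        if (x >= lo && x < hi) { same = (y >= lo && y < hi); break; }
    }
    fclose(m);
    return same;
}

static void report(const char *name, const void *buf, size_t len)
{
    printf("%-8s %p  %+12ld bytes to canary  same mapping: %d\n",
           name, buf, bytes_to_guard(buf, len), same_mapping(buf, guard_address()));
}

int main(void)
{
    char loc[0x10];
    if (!guard_available()) { puts("reference canary location unknown on this platform"); return 0; }
    char *dyn = malloc(0x10);
    printf("reference canary at %p = 0x%016lx\n", (void *)guard_address(),
           (unsigned long)read_guard_value());
    report("stack", loc, sizeof loc);
    report("tls", tls_buf, sizeof tls_buf);
    report("static", static_buf, sizeof static_buf);
    report("heap", dyn, 0x10);
    free(dyn);
    return 0;
}
```

The interesting row is the TLS one: the executable's thread-local block sits directly below the TCB in the same mapping, so the distance is a few dozen bytes and there is nothing between the buffer and the reference canary, which is the "Vulnerable" shape from the figure. The stack and heap rows show how far (and across how many mappings) an overflow in those regions would have to travel.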
===========================================================================
ASIACCS'17 Review #386A
Reviewer expertise: 4. Expert
(...)
===== Weaknesses of paper =====
With the rise of CFI mechanisms that will protect the backward edge through some form of stack integrity, defenses that rely on stack cookies are on their way out, therefore this paper has low novelty and impact.
⇒ Fallacy!
```c
#include <crypt.h>   /* link with -lcrypt */
#include <stdio.h>
#include <string.h>

/* Deliberately vulnerable: gets() can overflow password[] past the end of
 * auth()'s frame and into main()'s frame, where admin_hash lives. */
int auth(char *valid)
{
    char password[32];
    gets(password);
    return strcmp(valid, crypt(password, valid)) == 0;
}

int main(void)
{
    char admin_hash[] = "$6$..."; /* long hash value */
    if (auth(admin_hash)) {
        puts("Welcome to the Admin Area");
    }
    return 0;
}
```
Does the attack on auth() succeed under each configuration?
SafeStack:
Canaries:
SafeStack + Canaries:
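Added example (not from the talk or its paper) that models both the prologue/epilogue canary check described earlier and the attack on the auth() login above. The frames are modelled as structs rather than real stack frames so the outcome is deterministic; crypt(3) is replaced by a toy stand-in that keeps the one property the attack needs (the salt is read from the prefix of the second argument); the admin password, the reference canary value and the attacker's password are constructed; and the SafeStack layout (address-taken buffers on a separate unsafe stack, auth()'s password directly below main()'s admin_hash, no canary between them) is an assumption about that scheme. The attacker's line is their own password, its terminating NUL, filler up to admin_hash, then a hash of that password under a salt they chose, so crypt(password, admin_hash) reproduces the overwritten admin_hash. No return address is modified, which is why a backward-edge check has nothing to flag, while the canary that sits between the two frames is destroyed on the way.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for crypt(3); assumption: a toy hash, not the real algorithm. It
 * keeps the one property the attack relies on: the salt comes from the prefix
 * of the second argument, so crypt(pw, H) == H whenever H was made from pw
 * under that same prefix. */
static char *toy_crypt(const char *pw, const char *setting, char out[16])
{
    char salt[4] = {0};
    strncpy(salt, setting, 3);
    uint32_t h = 2166136261u;                         /* FNV-1a over salt||pw */
    for (const char *p = salt; *p; p++) h = (h ^ (uint8_t)*p) * 16777619u;
    for (const char *p = pw; *p; p++)   h = (h ^ (uint8_t)*p) * 16777619u;
    snprintf(out, 16, "%s%08x", salt, (unsigned)h);
    return out;
}

#define ADMIN_PASSWORD "s3cret"                    /* constructed; unknown to the attacker */
#define GUARD ((uintptr_t)0x5e1f00d5ca11ab00ull)  /* constructed reference canary */

/* Frames as SafeStack lays them out (assumption about its layout): both
 * address-taken buffers go to the unsafe stack, auth()'s password directly
 * below main()'s admin_hash, with no canary and no return address between. */
struct safestack_frames { char password[32]; char admin_hash[64]; };

/* Frames as -fstack-protector lays them out: auth()'s canary sits between its
 * buffer and the caller's frame that holds admin_hash. */
struct canary_frames { char password[32]; uintptr_t canary; char admin_hash[64]; };

/* gets(3) copies everything up to the newline, embedded NULs included, with no
 * bound; model that as a raw copy limited only by the size of the frames. */
static void unbounded_read(void *frames, size_t size, const uint8_t *line, size_t n)
{
    memcpy(frames, line, n < size ? n : size);
}

static int check(const char *password, const char *admin_hash)
{
    char tmp[16];
    return strcmp(admin_hash, toy_crypt(password, admin_hash, tmp)) == 0;
}

/* 1 if the Admin Area is reached, 0 if the login is rejected. */
int run_safestack(const uint8_t *line, size_t n)
{
    struct safestack_frames f;
    memset(&f, 0, sizeof f);
    toy_crypt(ADMIN_PASSWORD, "$t$", f.admin_hash);   /* main(): admin_hash[] */
    unbounded_read(&f, sizeof f, line, n);            /* auth(): gets(password) */
    return check(f.password, f.admin_hash);
}

/* As above, or -1 when the epilogue check fires: __stack_chk_fail() aborts
 * before auth()'s result is ever returned to main(). */
int run_canary(const uint8_t *line, size_t n)
{
    struct canary_frames f;
    memset(&f, 0, sizeof f);
    toy_crypt(ADMIN_PASSWORD, "$t$", f.admin_hash);
    f.canary = GUARD;                                 /* prologue: place canary */
    unbounded_read(&f, sizeof f, line, n);
    int ok = check(f.password, f.admin_hash);         /* computed before the epilogue */
    if (f.canary != GUARD) return -1;                 /* epilogue: check canary */
    return ok;
}

/* The attacker's line: their own password with its NUL, filler up to
 * admin_hash, then the hash of that password under a salt they chose. Filler
 * that lands on a canary is wrong, because the canary's value is unknown. */
size_t build_attack(uint8_t *out, size_t cap, size_t admin_hash_off)
{
    char forged[16];
    toy_crypt("letmein", "$t$", forged);
    memset(out, 'A', cap);
    memcpy(out, "letmein", 8);                        /* "letmein" + NUL */
    memcpy(out + admin_hash_off, forged, strlen(forged) + 1);
    return admin_hash_off + strlen(forged) + 1;
}

/* End-to-end: the attacker's line against each layout. */
int attack_safestack(void)
{
    uint8_t line[128];
    size_t n = build_attack(line, sizeof line, offsetof(struct safestack_frames, admin_hash));
    return run_safestack(line, n);
}

int attack_canary(void)
{
    uint8_t line[128];
    size_t n = build_attack(line, sizeof line, offsetof(struct canary_frames, admin_hash));
    return run_canary(line, n);
}

int main(void)
{
    printf("SafeStack layout, forged hash: %d\n", attack_safestack());
    printf("canary layout,    forged hash: %d\n", attack_canary());
    return 0;
}
```

Run stand-alone it reports 1 for the SafeStack layout (Admin Area reached) and -1 for the canary layout (abort in auth()'s epilogue); a correct admin password and a wrong one behave identically under both layouts, which is what makes this a data-only attack rather than a control-flow one.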