Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS)

When stack protection does not protect the stack?

https://doi.org/10.15514/ISPRAS-2016-28(5)-3

Abstract

Most software vulnerabilities originate in buffer overflows. Techniques for eliminating buffer overflows and limiting their damage include secure programming, source code audit, binary code audit, and static and dynamic code generation features. Modern compilers implement compile-time and run-time protection schemes that include variable reordering, inserting a canary value, and a separate stack for return addresses. Our research is aimed at finding the breaches in these compiler protection methods. We tested MSVC, gcc, and clang and found that two of these compilers have flaws that allow exploiting a buffer overwrite under certain conditions.
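The two compiler measures the abstract names, variable reordering and a canary between the buffer and the saved return address, can be compared on a model frame. The following is an added illustration, not code from the paper: a 40-byte array stands in for one stack frame, a layout table positions its slots, and all offsets, the canary value, the scalar value and the return address are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not code from the paper. One stack frame is modelled as
 * a 40-byte array whose slots are positioned by a layout table, so the two
 * orderings the abstract mentions can be compared under the same overflow. */
enum { FRAME_SIZE = 40, WORD = 8 };
struct layout { size_t scalar, buf, canary, ret; };   /* byte offsets, low to high */

/* Protected ordering: scalar below the 16-byte array, canary between array and return address. */
static const struct layout reordered = { 0, 8, 24, 32 };
/* Declaration order kept: the scalar lies directly above the array, in the overflow path. */
static const struct layout naive = { 16, 0, 24, 32 };

#define CANARY 0xdeadbeefcafe0100ULL   /* constructed; a real canary is random per run */
#define SCALAR 0x1122334455667788ULL   /* constructed stand-in for a local pointer */
#define RET    0x0000000000401000ULL   /* constructed saved return address */

static void put(uint8_t *fr, size_t off, uint64_t v) { memcpy(fr + off, &v, WORD); }
static uint64_t get(const uint8_t *fr, size_t off)
{
    uint64_t v; memcpy(&v, fr + off, WORD); return v;
}

/* Write n bytes of 'A' into the buffer slot with no bound, as a strcpy-like bug
 * would, and report what was damaged:
 *   bit 0: canary changed (the epilogue check would abort)
 *   bit 1: saved return address changed
 *   bit 2: scalar local changed */
unsigned overflow_effects(const struct layout *l, size_t n)
{
    uint8_t fr[FRAME_SIZE] = { 0 };
    put(fr, l->scalar, SCALAR);
    put(fr, l->canary, CANARY);
    put(fr, l->ret, RET);
    if (n > FRAME_SIZE - l->buf) n = FRAME_SIZE - l->buf;   /* stay inside the model */
    memset(fr + l->buf, 'A', n);
    unsigned e = 0;
    if (get(fr, l->canary) != CANARY) e |= 1u;
    if (get(fr, l->ret) != RET) e |= 2u;
    if (get(fr, l->scalar) != SCALAR) e |= 4u;
    return e;
}

int main(void)
{
    /* 17 bytes, one past the buffer: the naive layout loses the scalar with the canary intact. */
    printf("naive: %u  reordered: %u\n", overflow_effects(&naive, 17), overflow_effects(&reordered, 17));
    return 0;
}
```

With the naive ordering a one-byte overrun silently corrupts the scalar (bits 0 and 1 stay clear), which is the case reordering exists to remove; with the reordered layout any overrun that reaches the return address has already tripped the canary.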

About the Authors

Pavel Dovgalyuk
Novgorod State University
Russian Federation


Vladimir Makarov
Novgorod State University
Russian Federation


For citations:


Dovgalyuk P., Makarov V. When stack protection does not protect the stack? Proceedings of the Institute for System Programming of the RAS (Proceedings of ISP RAS). 2016;28(5):55-72. https://doi.org/10.15514/ISPRAS-2016-28(5)-3



Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 License.


ISSN 2079-8156 (Print)
ISSN 2220-6426 (Online)