==Implementations==

==={{Anchor|STACKGUARD|PROPOLICE}}GNU Compiler Collection (GCC)===
Stack-smashing protection was first implemented by ''StackGuard'' in 1997, and published at the 1998 [[USENIX Security Symposium]].<ref>{{cite web|url=http://www.usenix.org/publications/library/proceedings/sec98/full_papers/cowan/cowan_html/cowan.html |title=Papers - 7th USENIX Security Symposium, 1998 |publisher=Usenix.org |date=2002-04-12 |access-date=2014-04-27}}</ref> StackGuard was introduced as a set of patches to the Intel x86 backend of [[GNU Compiler Collection|GCC]] 2.7. StackGuard was maintained for the [[Immunix]] Linux distribution from 1998 to 2003, and was extended with implementations for terminator, random and random XOR canaries. StackGuard was suggested for inclusion in GCC 3.x in the proceedings of the 2003 GCC Developers Summit,<ref>{{cite web|url=http://www.linux.org.uk/~ajh/gcc/gccsummit-2003-proceedings.pdf |title=Proceedings of the GCC Developers Summit |date=May 2003 |access-date=2016-09-17 |url-status=bot: unknown |archive-url=https://web.archive.org/web/20040715225038/http://www.linux.org.uk/~ajh/gcc/gccsummit-2003-proceedings.pdf |archive-date=2004-07-15 }}</ref> but this was never achieved.

From 2001 to 2005, [[IBM]] developed GCC patches for stack-smashing protection, known as ''ProPolice''.<ref>{{cite web|url=http://www.research.ibm.com/trl/projects/security/ssp/ |title=GCC extension for protecting applications from stack-smashing attacks |publisher=Research.ibm.com |access-date=2014-04-27}}</ref> It improved on the idea of StackGuard by placing buffers at higher stack addresses than local pointers and copied function arguments. An overflow of a buffer then runs only into the canary and the saved control data, not into pointers that the function may still use before the canary is checked at return, which prevents the overflow from being turned into an access to an arbitrary memory location.
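The following C program is an illustration added here; it is not code from StackGuard, ProPolice or GCC. It emulates with ordinary structs what the compiler does to a stack frame: the pre-ProPolice layout with a local pointer above the buffer, the ProPolice layout with pointers below the buffers, a terminator canary and a random canary, the unbounded string copy that overflows the buffer, and the canary comparison that the function epilogue performs. The frame layouts, the constructed return-address stand-in, the fixed "random" canary and the byte order of the terminator canary are this example's assumptions, chosen so that it runs deterministically without any hardening flag.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN  16
#define ORIG_RET ((uintptr_t)0x4000) /* constructed stand-in for the saved return address */

/* Pre-ProPolice layout: the local pointer lies above the buffer, so an overflow hits it first. */
struct naive_frame {
    char        buf[BUF_LEN];
    const char *p;        /* a pointer the function dereferences before it returns */
    uintptr_t   canary;
    uintptr_t   saved_ret;
};

/* ProPolice layout: pointers sit below the buffers; an overflow of buf reaches only the canary and what lies behind it. */
struct propolice_frame {
    const char *p;
    char        buf[BUF_LEN];
    uintptr_t   canary;
    uintptr_t   saved_ret;
};

/* detected: the epilogue canary check would abort; ptr_clobbered: the local pointer was
 * overwritten before that check ran; ret_hijacked: saved_ret changed and the check did not fire. */
struct outcome { int detected, ptr_clobbered, ret_hijacked; };

/* Emulated unbounded strcpy() into the buffer at buf_off; it stops at the frame end only so the emulation stays in bounds. */
static void emulated_strcpy(void *frame, size_t frame_size, size_t buf_off, const char *src)
{
    size_t n = strlen(src) + 1;
    if (n > frame_size - buf_off)
        n = frame_size - buf_off;
    memcpy((unsigned char *)frame + buf_off, src, n);
}

/* Terminator canary: bytes strcpy(), gets() and friends stop on, NUL first in memory (byte order is this example's choice). */
uintptr_t terminator_canary(void)
{
    unsigned char bytes[sizeof(uintptr_t)] = {0x00, 0x0a, 0xff, 0x0d};
    uintptr_t c;
    memcpy(&c, bytes, sizeof c);
    return c;
}

/* "Random" canary, fixed to a constructed pattern with no zero byte so runs are deterministic. */
uintptr_t random_canary(void)
{
    uintptr_t c;
    memset(&c, 0x5c, sizeof c);
    return c;
}

static struct outcome judge(uintptr_t canary_now, uintptr_t canary, const void *p_now,
                            const char *p_orig, uintptr_t ret_now)
{
    struct outcome o;
    o.detected      = (canary_now != canary);                      /* the epilogue check */
    o.ptr_clobbered = (memcmp(p_now, &p_orig, sizeof p_orig) != 0);
    o.ret_hijacked  = (!o.detected && ret_now != ORIG_RET);
    return o;
}

struct outcome attack_naive(uintptr_t canary, const char *payload)
{
    struct naive_frame f = { {0}, "local", canary, ORIG_RET };
    const char *orig = f.p;
    emulated_strcpy(&f, sizeof f, offsetof(struct naive_frame, buf), payload);
    return judge(f.canary, canary, &f.p, orig, f.saved_ret);
}

struct outcome attack_propolice(uintptr_t canary, const char *payload)
{
    struct propolice_frame f = { "local", {0}, canary, ORIG_RET };
    const char *orig = f.p;
    emulated_strcpy(&f, sizeof f, offsetof(struct propolice_frame, buf), payload);
    return judge(f.canary, canary, &f.p, orig, f.saved_ret);
}

/* Attacker with a leaked canary replays it behind the buffer, then a fake return address; the payload is a C string. */
struct outcome known_canary_attack(uintptr_t canary)
{
    char payload[BUF_LEN + 2 * sizeof(uintptr_t) + 1];
    uintptr_t fake_ret;
    memset(&fake_ret, 0x42, sizeof fake_ret); /* no zero byte, so strcpy() copies it whole */
    memset(payload, 'A', BUF_LEN);
    memcpy(payload + BUF_LEN, &canary, sizeof canary);
    memcpy(payload + BUF_LEN + sizeof canary, &fake_ret, sizeof fake_ret);
    payload[sizeof payload - 1] = '\0';
    return attack_propolice(canary, payload);
}

int main(void)
{
    struct outcome a = attack_naive(random_canary(), "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB");
    struct outcome r = known_canary_attack(random_canary()), t = known_canary_attack(terminator_canary());
    printf("naive layout, 40-byte input: detected=%d ptr_clobbered=%d\n", a.detected, a.ptr_clobbered);
    printf("leaked canary replayed: random ret_hijacked=%d, terminator ret_hijacked=%d\n", r.ret_hijacked, t.ret_hijacked);
    return 0;
}
```

With a 40-byte input both layouts detect the overflow, but only the naive layout has already handed the attacker control of <code>p</code> before the check runs. With a leaked random canary the string copy reproduces the canary and reaches the saved return address undetected, whereas a terminator canary cuts the copy short at its NUL byte even when its value is known. glibc combines the two ideas by forcing the lowest byte of its random canary to zero.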
[[Red Hat]] engineers identified problems with ProPolice, though, and in 2005 re-implemented stack-smashing protection for inclusion in GCC 4.1.<ref>{{cite web|url=https://gcc.gnu.org/gcc-4.1/changes.html |title=GCC 4.1 Release Series – Changes, New Features, and Fixes - GNU Project - Free Software Foundation (FSF) |publisher=Gcc.gnu.org |access-date=2014-04-27}}</ref><ref>{{cite web|url=https://gcc.gnu.org/ml/gcc-patches/2005-05/msg01193.html |title=Richard Henderson - [rfc] reimplementation of ibm stack-smashing protector |publisher=Gcc.gnu.org |access-date=2014-04-27}}</ref> This work introduced the <kbd>-fstack-protector</kbd> flag, which protects only the functions the compiler judges vulnerable (by default those that call <code>alloca()</code> or declare a character array of at least 8 bytes, a threshold set with <code>--param ssp-buffer-size</code>), and the <kbd>-fstack-protector-all</kbd> flag, which protects every function regardless of its locals.<ref>{{cite web|url=https://gcc.gnu.org/onlinedocs/gcc-4.8.1/gcc/Optimize-Options.html#Optimize-Options |title=Optimize Options - Using the GNU Compiler Collection (GCC) |publisher=Gcc.gnu.org |access-date=2014-04-27}}</ref> In 2012, [[Google]] engineers implemented the <kbd>-fstack-protector-strong</kbd> flag to strike a better balance between security and performance.<ref>{{cite web|url=https://gcc.gnu.org/ml/gcc-patches/2012-06/msg00974.html |title=Han Shen - [PATCH] Add a new option "-fstack-protector-strong" (patch / doc inside) |publisher=Gcc.gnu.org |date=2012-06-14 |access-date=2014-04-27}}</ref> This flag protects more kinds of functions than <kbd>-fstack-protector</kbd> does (any function with a local array of any type or size, or that takes the address of a local variable), but not every function, so it costs less than <kbd>-fstack-protector-all</kbd>.
It has been available since GCC 4.9.<ref>{{cite web|last1=Edge|first1=Jake|title="Strong" stack protection for GCC|url=https://lwn.net/Articles/584225/|website=Linux Weekly News|access-date=28 November 2014|date=February 5, 2014|quote=It has made its way into GCC 4.9}}</ref>

All [[Fedora (operating system)|Fedora]] packages have been compiled with <kbd>-fstack-protector</kbd> since Fedora Core 5, and with <kbd>-fstack-protector-strong</kbd> since Fedora 20.<ref>{{cite web|url=https://fedoraproject.org/wiki/Security_Features#Stack_Smash_Protection.2C_Buffer_Overflow_Detection.2C_and_Variable_Reordering |title=Security Features |publisher=FedoraProject |date=2013-12-11 |access-date=2014-04-27}}</ref><ref>{{cite web|url=https://fedorahosted.org/fesco/ticket/1128 |title=#1128 (switching from "-fstack-protector" to "-fstack-protector-strong" in Fedora 20) – FESCo |publisher=Fedorahosted.org |access-date=2014-04-27}}</ref> Most packages in [[Ubuntu]] have been compiled with <kbd>-fstack-protector</kbd> since 6.10.<ref>{{cite web|url=https://wiki.ubuntu.com/Security/Features#stack-protector |title=Security/Features - Ubuntu Wiki |publisher=Wiki.ubuntu.com |access-date=2014-04-27}}</ref> Every [[Arch Linux]] package has been compiled with <kbd>-fstack-protector</kbd> since 2011,<ref>{{cite web|url=https://bugs.archlinux.org/task/18864 |title=FS#18864 : Consider enabling GCC's stack-smashing protection (ProPolice, SSP) for all packages |publisher=Bugs.archlinux.org |access-date=2014-04-27}}</ref> and all Arch Linux packages built since 4 May 2014 use <kbd>-fstack-protector-strong</kbd>.<ref>{{cite web |url=https://projects.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/pacman&id=695ca25d4c24f3bd3b8c350d64f2697c733d5169 |archive-url=https://archive.today/20140718035407/https://projects.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/pacman&id=695ca25d4c24f3bd3b8c350d64f2697c733d5169 |url-status=dead |archive-date=July 18, 2014 |title=svntogit/packages.git - Git clone of the 'packages' repository }}</ref> Stack protection is used only for some packages in [[Debian]],<ref>{{cite web |url=http://outflux.net/debian/hardening/ |title=Debian Security Hardening Statistics |publisher=Outflux.net |access-date=2014-04-27 |archive-date=2014-04-28 |archive-url=https://web.archive.org/web/20140428012424/http://outflux.net/debian/hardening/ |url-status=dead }}</ref> and only for the [[FreeBSD]] base system since 8.0.<ref>{{cite web|url=http://www.freebsd.org/releases/8.0R/relnotes.html |title=FreeBSD 8.0-RELEASE Release Notes |publisher=Freebsd.org |date=2013-11-13 |access-date=2014-04-27}}</ref> Stack protection is enabled by default in the compilers of certain operating systems, including [[OpenBSD]],<ref>{{cite web| url = https://man.openbsd.org/gcc-local.1| title = OpenBSD's gcc-local(1) manual page| quote = gcc comes with the ''ProPolice'' stack protection extension, which is enabled by default.}}</ref> [[Hardened Gentoo]]<ref>{{cite web|url=https://wiki.gentoo.org/wiki/Hardened/Toolchain#Default_addition_of_the_Stack_Smashing_Protector_.28SSP.29|title=Hardened/Toolchain - Gentoo Wiki|quote=The Gentoo hardened GCC switches on the stack protector by default unless explicitly requested not to.|date=2016-07-31}}</ref> and [[DragonFly BSD]].{{Citation needed|date=September 2013}}

Neither StackGuard nor ProPolice can protect against an overflow of a buffer inside an automatically allocated structure that overwrites a function pointer in the same structure: the compiler cannot reorder the members of a structure, and the canary lies outside it. ProPolice at least rearranges the allocation order of local variables so that such structures are placed at higher addresses than separately allocated function pointers, where an overflow cannot reach them.
A separate mechanism for [[pointer protection]], which stores pointers encoded with a secret value so that an attacker who overwrites one cannot choose where it points, was proposed in PointGuard<ref>{{cite web|url=http://www.usenix.org/events/sec03/tech/full_papers/cowan/cowan_html/index.html|title=12th USENIX Security Symposium – Technical Paper}}</ref> and is available on Microsoft Windows as the <code>EncodePointer</code>/<code>DecodePointer</code> API.<ref>{{cite web|url=http://blogs.msdn.com/michael_howard/archive/2006/08/16/702707.aspx|title=MSDN Blogs – Get the latest information, insights, announcements, and news from Microsoft experts and developers in the MSDN blogs.|date=6 August 2021 }}</ref>

===Microsoft Visual Studio===
The compiler suite from Microsoft has implemented buffer overflow protection since version 2003 through the {{Mono|/GS}} command-line switch, which has been enabled by default since version 2005.<ref>{{cite web|url=http://msdn.microsoft.com/en-us/library/8dbf701c(VS.80).aspx |title=/GS (Buffer Security Check) (C++) |website=msdn.microsoft.com |access-date=2014-04-27}}</ref> Using {{Mono|/GS-}} disables the protection.

===IBM Compiler===
Stack-smashing protection can be turned on with the compiler flag <code>-qstackprotect</code>.<ref>{{cite web|url=http://publib.boulder.ibm.com/infocenter/comphelp/v111v131/topic/com.ibm.xlc111.aix.doc/compiler_ref/opt_stackprotect.html |title=qstackprotect |publisher=Publib.boulder.ibm.com |access-date=2014-04-27}}</ref>

===Clang/[[LLVM]]===
Clang supports the same <kbd>-fstack-protector</kbd> options as GCC<ref>{{cite web|url=https://lists.llvm.org/pipermail/cfe-dev/2017-April/053662.html |publisher=Clang.llvm.org |title=Clang mailing list |date=28 April 2017 |access-date=2022-11-16}}</ref> and a stronger "safe stack" ({{tt|1=-fsanitize=safe-stack}}) system, which moves local arrays and address-taken variables to a separate stack so that an overflow of them cannot reach return addresses, with similarly low performance impact.<ref>{{cite web |title=SafeStack – Clang 17.0.0git documentation |url=https://releases.llvm.org/15.0.0/tools/clang/docs/SafeStack.html |website=clang.llvm.org}}</ref> Clang also has three buffer overflow detectors: [[AddressSanitizer]] (<code>-fsanitize=address</code>),<ref name="asan"/> UBSan's bounds check (<code>-fsanitize=bounds</code>),<ref>{{cite web|url=http://clang.llvm.org/docs/UsersManual.html |title=Clang Compiler User's Manual – Clang 3.5 documentation |publisher=Clang.llvm.org |access-date=2014-04-27}}</ref> and the unofficial SafeCode (last updated for LLVM 3.0).<ref>{{cite web|url=http://safecode.cs.illinois.edu/ |title=SAFECode |publisher=Safecode.cs.illinois.edu |access-date=2014-04-27}}</ref> These systems have different tradeoffs in terms of performance penalty, memory overhead, and classes of detected bugs. OpenBSD's clang enables stack protection by default, equivalent to <kbd>-fstack-protector-strong</kbd> on other systems.<ref>{{cite web| url = https://man.openbsd.org/clang-local.1| title = OpenBSD's clang-local(1) manual page| quote = clang comes with stack protection enabled by default, equivalent to the ''-fstack-protector-strong'' option on other systems.}}</ref>

===Intel Compiler===
Intel's C and C++ compiler supports stack-smashing protection with options similar to those provided by GCC and Microsoft Visual Studio.<ref>{{cite web|url=https://software.intel.com/en-us/node/523162 |title=User and Reference Guide for the Intel C++ Compiler 15.0: fstack-security-check, GS |access-date=2015-02-13 |website=software.intel.com}}</ref>

=== {{Anchor|FSC}}Fail-Safe C ===
''Fail-Safe C''<ref name="failsafec"/> is an open-source memory-safe ANSI C compiler that performs bounds checking based on fat pointers and object-oriented memory access.<ref>{{cite web|url=http://staff.aist.go.jp/y.oiwa/publications/2005-PhDthesis.pdf |title=thesis.dvi |website=Staff.aist.go.jp |access-date=2016-09-17}}</ref>

===StackGhost (hardware-based)===
Invented by [[Mike Frantzen]], StackGhost is a simple tweak to the register window spill/fill routines that makes buffer overflows much more difficult to exploit. It uses a hardware feature unique to the [[Sun Microsystems]] [[SPARC]] architecture, the deferred spilling and filling of register windows to and from the stack frame, to detect modifications of return [[Pointer (computer programming)|pointers]] (a common way for an [[exploit (computer security)|exploit]] to hijack execution paths) transparently, protecting all applications automatically without requiring binary or source modifications. The performance impact is negligible, less than one percent. The resulting [[gdb]] issues were resolved by [[Mark Kettenis]] two years later, allowing the feature to be enabled. Following this, the StackGhost code was integrated (and optimized) into [[OpenBSD]]/SPARC.
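The following C program is an illustration added here of the idea shared by PointGuard and StackGhost, namely storing a code pointer XORed with a secret cookie and XORing it back when it is loaded; it is not code from either project. It models the register-window spill and fill (or, for PointGuard, any store and load of a pointer) as two functions around a frame in which a local buffer sits just below the saved return address. The fixed cookie, the frame layout, the constructed addresses and the shadow-copy comparison used for detection are this example's assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16

/* Secret cookie, fixed here so the example is deterministic; a real implementation draws
 * it at process start and keeps it where attacker-controlled writes cannot reach it. */
static const uintptr_t COOKIE = (uintptr_t)0x5a5a3c3cu;

uintptr_t encode_ptr(uintptr_t p) { return p ^ COOKIE; }
uintptr_t decode_ptr(uintptr_t e) { return e ^ COOKIE; }

/* Frame as laid out in memory: the local buffer lies just below the slot into which the
 * return address is spilled, so an overflow of buf runs into that slot. */
struct frame {
    char      buf[BUF_LEN];
    uintptr_t saved_ret;
};

/* Copy of the return address kept outside the overflowable frame. This is the detecting
 * variant (a return-address stack) as modelled in this example. */
static uintptr_t shadow_ret;

/* Spill: store the return address, encoded when protection is on. */
void spill(struct frame *f, uintptr_t ret, int protect)
{
    f->saved_ret = protect ? encode_ptr(ret) : ret;
    shadow_ret = ret;
}

/* Fill: load it back; the result is the address control transfers to. */
uintptr_t fill(const struct frame *f, int protect)
{
    return protect ? decode_ptr(f->saved_ret) : f->saved_ret;
}

/* Overflow buf with a constructed payload: filler, then the attacker's target address, which
 * lands exactly on saved_ret. Bounded to the frame only to keep the emulation in bounds. */
static void overflow(struct frame *f, uintptr_t target)
{
    unsigned char payload[sizeof f->buf + sizeof target];
    memset(payload, 'A', sizeof f->buf);
    memcpy(payload + sizeof f->buf, &target, sizeof target);
    memcpy(f, payload, sizeof payload);
}

/* Where does control go when the function returns? */
uintptr_t simulate_return(uintptr_t legit_ret, int attacked, uintptr_t target, int protect)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    spill(&f, legit_ret, protect);
    if (attacked)
        overflow(&f, target);
    return fill(&f, protect);
}

/* Detecting variant: compare the restored address against the shadow copy. */
int simulate_detect(uintptr_t legit_ret, int attacked, uintptr_t target, int protect)
{
    return simulate_return(legit_ret, attacked, target, protect) != shadow_ret;
}

int main(void)
{
    uintptr_t legit = (uintptr_t)0x1000, target = (uintptr_t)0xdead; /* constructed addresses */
    printf("no attack, protected:      returns to 0x%lx\n", (unsigned long)simulate_return(legit, 0, 0, 1));
    printf("overflow, unprotected:     returns to 0x%lx (attacker's choice)\n", (unsigned long)simulate_return(legit, 1, target, 0));
    printf("overflow, XOR cookie:      returns to 0x%lx (not the target)\n", (unsigned long)simulate_return(legit, 1, target, 1));
    printf("overflow, shadow compare:  tamper detected=%d\n", simulate_detect(legit, 1, target, 1));
    return 0;
}
```

The XOR cookie on its own only derails the attacker, it does not report the attempt; the shadow comparison is what turns the corruption into a detected event. Because the encoding is XOR, any leaked pair of an encoded pointer and its plaintext value reveals the cookie, so the cookie and the encoded pointers must stay out of reach of memory-disclosure bugs for the scheme to hold.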