Stack-smashing protection - Wikipedia, the free encyclopedia
As such, it is possible for the protection to alter the structure of the data on the stack frame.
It uses a unique hardware feature of the Sun Microsystems sparc and sparc64 architecture (that being: deferred on-stack in-frame register window spill/fill) to detect modifications of return pointers (a common way for an exploit to hijack execution paths) transparently, automatically protecting all applications without requiring binary or source modifications.
Following this event, the StackGhost code was integrated (and optimized) into OpenBSD/sparc.
http://en.wikipedia.org/wiki/Stack_smashing
(1697 words)
Buffer overflow -
This sort of protection, however, cannot be applied to legacy code, and often technical, business, or cultural constraints call for a vulnerable language.
Constructing functional buffer overflow exploits in Windows typically requires knowledge of the precise location of various machine language opcodes in the compromised software or included DLLs, because the location of the stack cannot be reliably predicted.
As of 2006, among the most popular languages are C and its derivative, C++, with an enormous body of software having been written in these languages.
http://psychcentral.com/psypsych/Buffer_overflow
(2140 words)
11th Annual USENIX Security Symposium Technical Paper
Usually the first approach is taken and the attack code is implemented as new native code that is injected in the program address space as data [20].
If the code cache is protected from malicious modification, future executions of the trusted cached code proceed with no security or emulation overhead.
Rather than attempt to stop a multitude of attack paths, where the protection is only as powerful as the weakest link, our approach is to prevent the execution of malicious code.
http://www.usenix.org/publications/library/proceedings/sec02/full_papers/kiriansky/kiriansky_html
(8375 words)
Dr. Dobb's Memory Matters December 15, 2005
The lesson to be drawn from all this resembles the lessons found in copy protection, digital-rights management, and Trusted Computing: The attackers are at least as smart as you are, they have better tools, and they will find a way around whatever technological measures you put in place.
Basically, an attacker can arrange the stack so that a RET instruction passes control to the last few instructions of a library function that pops the attacker's data into registers.
If you could manage to write arbitrary data into the stack segment, you could easily run it in the code segment without the hardware ever noticing.
http://www.ddj.com/dept/64bit/184406443
(2811 words)
Debian SbD: Stack Smash Protection
However, libraries compiled with -fstack-protector will be protected; and faults (attacks or otherwise) in these libraries will bring down any third party software utilizing the libraries if triggered.
In this scenario, the -fno-stack-protector switch must be used to build a source file without SSP.
Buffer overflows are a common entry point for many classes of exploits; by effectively rendering them useless, we can by proxy render a large set of vulnerabilities into program crashes rather than illegitimate access.
http://d-sbd.alioth.debian.org/www?page=ssp
(708 words)
Gentoo Linux Documentation -- Introduction to Hardened Gentoo
When an attacker has the ability to give input to an application that is inserted into memory but not checked, there exists the possibility of an overflow.
For this reason we always recommend that you decide what your specific needs are and combine those solutions to protect your system.
So on x86 PaX emulates this behavior at a software level, which introduces overhead but is very helpful for security.
http://www.gentoo.org/proj/en/hardened/primer.xml
(1238 words)
Debian Administration :: Adding stack smashing protection to GCC v3.4
The IBM patch is available from its research homepage, although you won't need to fetch it from there if you're using Debian because the Debian GCC packages ship with the patch included in the source, although it's not enabled.
The best way to see this working is to use it to compile something with and without the protection, and see how they compare.
Download test-ssp.c, which is a simple program based around the vulnerable example code we used above.
http://www.debian-administration.org/articles/76
(1334 words)
[No title]
We know that the applications we use have yet-to-be-discovered bugs, and this protection helps minimize the possibility of an exploit due to these bugs.
These ebuilds have been updated in portage to filter out the stack protection for now, so you should not have any problems with them.
This patch includes a diff against the GCC code, as well as two additional files (a source file and a header file).
http://www.d-axel.dk/pub/mydesk/Stack-Protector.txt
(1068 words)
Stack Shield
Stack Shield is designed to support the GCC under a Linux Intel 386 class platform.
It is based on sending an unexpected amount of input data to a program causing a buffer overflow that allows the attacker to make the program execute arbitrary assembler code which can grant him access to the system, destroy the system files or do anything else.
Stack Shield is a tool for adding protection to programs from this kind of attack at compile time without changing a line of code.
http://www.angelfire.com/sk/stackshield
(137 words)
ISS X-Force Database: stack-protection-frame-pointers(8982): Multiple "stack protection" programs fail to protect frame pointers
If the attacker overwrites the least significant byte in the frame pointer with 0x00, the attacker would then have control of the frame pointer's local variables and function arguments and can execute arbitrary code on the system by placing the frame pointer's local variables and function arguments in memory.
Upgrade to the latest version of StackGuard (3.0 or later), when it becomes available, as listed in CORE SECURITY TECHNOLOGIES Advisory CORE-20020409.
http://xforce.iss.net/xforce/xfdb/8982
(319 words)
Securing Debian Manual - After Installation
If you want to protect su, so that only some people can use it to become root on your system, you need to add a new group "wheel" to your system (that is the cleanest way, since no file has such a group permission yet).
The only method to have some kind of protection is to check your files every hour/day/month (I prefer daily) by comparing the actual and the old md5sum of this file.
Notice that even if Debian provided a compiler which featured stack/buffer overflow protection all packages would need to be recompiled in order to introduce this feature.
http://www.debian.org/doc/manuals/securing-debian-howto/ch4.en.html#s-network-secure
(11438 words)
Re: machine independent protection from stack-smashing attack
3) We do like your idea of moving variables around and protecting function pointers, even if it isn't perfect.
http://cert.uni-stuttgart.de/archive/bugtraq/2000/08/msg00176.html
(740 words)
2CPU.com - The one stop source for everything SMP!
Well I just meant that you wouldn't be able to execute arbitrary code if your stack wasn't executable in the first place, which is what I understand the x86+NX version of windows does by default, which is why a whole bunch of programs break.
Right, but this exploit is prevented without the NX-bit implementation.
Presumably then this exploit wouldn't be an issue on _any_ operating system built with stack-smashing protection, such as Gentoo Linux?
http://www.2cpu.com/story.php?id=3270
(1146 words)
Debian Developer : Steve Kemp [skx] ~ ProPolice / SSP Packages
I've packaged a version of GCC for Debian's Sarge release, which can be found from the Sarge APT repository.
One of my recent interests has been improving the security of packages contained in the Debian distribution by rebuilding them with a compiler which includes built in stack smashing protection.
http://people.debian.org/~skx/ssp.html
(223 words)
OpenBSD: Stack-Smashing Protection
And it goes further: we've got stack smash protected install floppies!
Is there any way to tell the hardware what is executable and will it
Is there any way to tell the hardware this page/segment/bank is
http://kerneltrap.org/node/516
(1367 words)
Server attacks
While this approach is a good first line of defense against future problems it's not a complete cure-all.
In combination this is known as a "root exploit".
Stackguard is a gcc variant which can protect programs from stack-smashing attacks; programs compiled using Stackguard die without executing the stack code.
http://users.ev1.net/~starfan/howto/proftpd/x293.html
(274 words)
OSGalaxy
Right now I simply disable the stack protection on the whole libc, which is non-optimal.
For this reason, tomorrow my blog might be offline for a while, during the time I do the update, but it shouldn’t be much.
While working on adding the ssp implementation I found what the problem was, and finally fixed it; now I have a C++ crosscompiler from Linux to FreeBSD.
http://osgalaxy.com/v2/index.php/tag/gentooenglishgentoofreebsdsspgcc
(537 words)
Return-to-libc attack - Wikipedia, the free encyclopedia
A return-to-libc attack is a computer security attack usually starting with a buffer overflow, in which the return address on the stack is replaced by the address of another function in the program.
This allows attackers to call pre-existing functions without the need to inject malicious code into a program.
A non-executable stack can prevent some buffer overflows, but not a return-to-libc attack: only existing, executable code is used.
http://en.wikipedia.org/wiki/Return-to-libc_attack
(163 words)
smashing - OneLook Dictionary Search
smashing : WordNet 1.7 Vocabulary Helper
smashing : ODLIS: Online Dictionary of Library and Information Science
http://www.onelook.com/?w=smashing
(237 words)
[No title]
Can not provide a complete solution. The dynamic checking method: Program Testing. Executing program with specific inputs.