(Repost of an internal mail from yesterday; I have only removed the internal
mailing addresses it referenced.)
Hi folks,
We decided to offer and use an additional method of stack overflow protection
for the next products.
We are currently using the "Fortify Source" lightweight buffer overflow
checking (you will know the -D_FORTIFY_SOURCE=2 defines that get used
by autobuild). I explained it in my previous mail.
With gcc 4.1 there is a new, additional method of stack overflow detection.
It was formerly called "ProPolice" or "Stack Smash Protection (SSP)",
but is now usually referred to as "Stack Protector".
It protects against stack based buffer overflows using the following
heuristics:
- On function entry a canary ("Kanarienvogel") is put onto the stack.
(The name is a tribute to the canary birds that early coal miners took
into the mines to detect poisonous gases: when the canaries died,
the miners still had time to leave.)
x86 generated code:
mov %gs:0x14,%eax            (fetch the random canary from TLS)
mov %eax,0xffffffec(%ebp)    (store it on the stack)
xor %eax,%eax                (clear the register again)
- On function exit the canary is compared with the value on the stack.
If it is no longer the same, the program is aborted.
x86 generated code:
mov 0xffffffec(%ebp),%edx    (retrieve the canary from the stack)
xor %gs:0x14,%edx            (xor against the original value; if they are equal the result is 0)
jne ....aborting...          (if not equal, jump to the abort path)
... normal return assembler code ...
- The compiler changes the order of the local variables on the stack so that
character arrays are placed at the top, directly below the canary.
This prevents a stack overflow of a character array from overwriting other
local variables of the function, which this protector would otherwise not detect.
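A constructed C model of the three points above (added here; it is not code from gcc or from the mail): the canary store at entry, the xor check at exit, and the layout that puts the character array directly below the canary. The frame struct, the canary value and the 'A'-filled input are assumptions of the model, standing in for %gs:0x14 and the real frame.

```c
#include <stdint.h>
#include <string.h>
/* Constructed model of one protected frame: char array directly below the
 * canary, canary directly below the saved return address (the layout the
 * reordering above produces), so an overrun hits canary before saved_ret. */
#define BUF_SIZE 16
typedef struct {
    unsigned char buf[BUF_SIZE];
    uint32_t canary;      /* the 0xffffffec(%ebp) slot of the x86 listing */
    uint32_t saved_ret;   /* stands in for the real return address */
} sim_frame;
static const uint32_t tls_canary = 0xA5C3F00Du; /* stands in for %gs:0x14 */

/* prologue: mov %gs:0x14,%eax ; mov %eax,0xffffffec(%ebp) */
static void frame_enter(sim_frame *f) {
    f->canary = tls_canary;
    f->saved_ret = 0xDEADBEEFu;
}

/* epilogue: xor %gs:0x14,%edx ; jne abort.  1 = intact, 0 = smashed */
static int frame_leave(const sim_frame *f) {
    return (f->canary ^ tls_canary) == 0;
}

/* Unchecked copy into the local array, done as a raw write into the frame
 * so that n > BUF_SIZE overruns canary (and then saved_ret) like strcpy would. */
static void unchecked_copy(sim_frame *f, const unsigned char *src, size_t n) {
    if (n > sizeof *f) n = sizeof *f;   /* keep the model itself in bounds */
    memcpy(f, src, n);
}

/* One call that copies n bytes of constructed 'A' input into its frame. */
static void run_call(sim_frame *f, size_t n) {
    unsigned char in[sizeof *f];
    memset(in, 'A', sizeof in);
    frame_enter(f);
    unchecked_copy(f, in, n);
}

/* 1 when the exit check passes, 0 when the protector would abort */
int protected_call(size_t n) {
    sim_frame f;
    run_call(&f, n);
    return frame_leave(&f);
}

/* What saved_ret holds afterwards: the canary is clobbered before it is. */
uint32_t saved_ret_after(size_t n) {
    sim_frame f;
    run_call(&f, n);
    return f.saved_ret;
}
```

A copy of up to 16 bytes passes the check; 17 bytes or more changes the canary and the exit check fails before the overwritten return address could ever be used.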
This checking code can be enabled in two modes:
- normal (-fstack-protector)
In this mode a heuristic determines which functions need the above wrapper.
The current heuristic is "uses a character array at least 8 bytes long".
This number of bytes can be changed with the following compiler option:
--param ssp-buffer-size=8
- full (-fstack-protector-all)
The wrapper is generated for all functions.
Performance loss:
There will be some small performance loss (due to the approx. 6
instructions added per instrumented function).
But the number of functions with character arrays is usually
limited, and they are not in the fast path.
I have two apps already compiled with -fstack-protector:
gaim has 76 functions out of 2022 instrumented.
ethereal has 141 functions out of 1973 instrumented.
What YOU need to do:
If you think your application or library might have stack buffer
overflows, you can add the option to your global optflags.
I have created a list of suggested RPMs to instrument, generated
by the following criteria:
- Had security updates in the last years.
- Processes input received from the network, especially PDF, images and
multimedia.
- Might be used for local privilege escalation.
Ciao, Marcus
dcraw
mDNSResponder
rrdtool
webalizer
libopensync
libsyncml
gaim-otr
novell-openwbem-authenticator
novell-openwbem-authorizer
novell-provider-base
openwbem
id3v2
hal
snort
abiword
avahi
banshee
beagle
dia
epiphany-extensions
epiphany
evince
evolution
f-spot
gaim-galago
gaim
galeon
gdk-pixbuf
gedit
gobby
gpdf
gtk2
inkscape
libsoup
libsvg-cairo
libsvg
liferea
NetworkManager
obby
poppler
xchat
sim
grip
libvisual
libvisual-plugins
ppp
pure-ftpd
qpopper
vsftpd
xntp
konversation
hp2xx
hplip
hp-officeJet
imlib2
kdegraphics3
kdegraphics
kdenetwork3
kdenetwork3
kipi-plugins
koffice-wordprocessing
ktorrent
libkexif
libextractor
openh323
pwlib
sfftobmp
cups-backends
cups-drivers
cups
foomatic-filters
lynx
unace
licq
unarj
unrar
xli
zoo
pdftohtml
libmng
pam_krb5
libexif
freetype2
freetype2
uim
xine-lib
gnokii
kismet
tcpdump
openslp
curl
cron
mutt
pcre
wget
irssi
net-snmp
gd
giflib
id3lib
ImageMagick
ImageMagick
jpeg
libpng
libpng
libtiff
libtiff
libwmf
mc
netpbm
netpbm
sox
xpdf
xpdf
novell-ldapext
novell-smash
cvs
librpcsecgss
subversion
OpenOffice_org
OpenOffice_org
dhcpcd
dhcp
dhcp-server
openssl
openvpn
ethereal
exif
exiftool
imgvtopgm
openssh
ufraw
easytag
imlib
zip
cyrus-imapd
cyrus-sasl
pam_ldap
mailman
at
libosip2
libsidplay
arc
exifprobe
fetchmail
gftp
ghostpcl
lha
libsidplay1
gawk
openmotif21-libs
openmotif
imap
gpsdrive
cabextract
freeradius
MozillaFirefox
MozillaThunderbird
seamonkey
dbus-1
libid3tag
libogg
libvorbis
bind
postfix
a2ps
enscript
filters
ghostscript-library
lpdfilter
lpdfilter
man
procmail
texinfo
xv
sylpheed-claws
performance critical, perhaps:
mysql
postgresql
apache2