
GCC extension for protecting applications from stack-smashing attacks
What's new
  • gcc 3.4.4 support (22 August, 2005)
    • eliminates the protection instrumentation from functions that define buffers but never use them.
    • fixes buffer address corruption in the case where multiple sub-blocks have buffers.
  • gcc 4.1 stage2 incorporates "Reimplementation of IBM Pro Police Stack Detector." (17 July, 2005)
  • cansecwest/core05 (3 May, 2005)
  • adds the section "compiler-based stack protection systems based on the 'ideal stack layout'" to Protected systems and Links
    • The Microsoft /GS option generates the stack frame based on the "ideal stack layout" by default.
  • pacsec.jp/core04 presentation (12 November, 2004)
    • Design goal:
      • The Safe Stack Usage Model is redefined. It is a combination of an "ideal stack layout" and a way to check the stack integrity.
      • SSP transforms a program to meet the "ideal stack layout" as far as possible.
  • Old news has moved to the Change Log page.
What's the stack-smashing protector?

It is a GCC (GNU Compiler Collection) extension for protecting applications from stack-smashing attacks. Applications written in C are protected by automatically inserting protection code into the application at compilation time. The protection is realized by buffer overflow detection and by a variable reordering feature that avoids the corruption of pointers. The basic idea of the buffer overflow detection comes from the StackGuard system.

The novel features are (1) the reordering of local variables so that buffers are placed after pointers, preventing an overflowed buffer from corrupting a pointer that could then be used to corrupt arbitrary memory locations, (2) the copying of pointer function arguments to an area preceding the local variable buffers, for the same reason, and (3) the omission of instrumentation code from some functions to decrease the performance overhead.
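As an added illustration (not the ProPolice source code), the following C model lays out a constructed frame the way features (1) and (2) describe: pointers lowest, buffers above them, and a guard word above the buffers, then checks the "ideal stack layout" property. All variable names, sizes and offsets are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of the reordering described above (added example, not the
 * ProPolice source). Frames grow downward: a higher offset is nearer the saved
 * frame pointer and return address. Pointers go lowest, buffers highest, and a
 * guard word sits above the buffers, so an upward overflow hits the guard first. */
enum kind { PTR = 0, OTHER = 1, BUF = 2 };   /* numeric order = order from frame bottom */
struct local { const char *name; enum kind kind; size_t size; size_t offset; };

/* Reassign offsets bottom-up by kind; returns the guard word's offset. */
size_t layout_frame(struct local *vars, size_t n)
{
    size_t off = 0;
    for (int k = PTR; k <= BUF; k++)
        for (size_t i = 0; i < n; i++)
            if ((int)vars[i].kind == k) { vars[i].offset = off; off += vars[i].size; }
    return off;
}

/* The "ideal stack layout" property: no pointer lies above any buffer. */
int layout_is_ideal(const struct local *vars, size_t n)
{
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < n; j++)
            if (vars[i].kind == PTR && vars[j].kind == BUF && vars[i].offset > vars[j].offset)
                return 0;
    return 1;
}

/* Constructed sample: char buf[64]; char *p; int n, in source order with buf lowest. */
static const struct local source_order[3] = {
    { "buf", BUF, 64, 0 }, { "p", PTR, 8, 64 }, { "n", OTHER, 4, 72 } };
int source_order_is_ideal(void) { return layout_is_ideal(source_order, 3); }

/* Copy the sample into out[], reorder it and return the guard's offset. */
size_t reorder_sample(struct local out[3])
{
    memcpy(out, source_order, sizeof source_order);
    return layout_frame(out, 3);
}
size_t reordered_guard_offset(void) { struct local f[3]; return reorder_sample(f); }
int reordered_is_ideal(void) { struct local f[3]; reorder_sample(f); return layout_is_ideal(f, 3); }

int main(void)
{
    struct local f[3];
    printf("source order ideal? %d; guard at offset %zu after reordering; ideal? %d\n",
           source_order_is_ideal(), reorder_sample(f), reordered_is_ideal());
    for (int i = 0; i < 3; i++) printf("  %-3s offset %2zu\n", f[i].name, f[i].offset);
    return 0;
}
```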

Implementation

It is implemented as an intermediate-language translator within GCC.


Last modified August 22, 2005