OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
Subject: Re: stackguard-like embedded protection
From: Crispin Cowan (crispinWIREX.COM)
Date: Sun Sep 10 2000 - 15:54:42 CDT

antirez wrote:

> Yes, this works, if you know this RET address you can effectively mount
> the attack. And actually it's not hard. But maybe there is the old xor
> solution for this: we can xor a random number with the var that contains
> the saved RET, and rexor the same random number (global for the program and
> fixed for all the program duration) in the RET once we needs to use it.
> I must perform a serious analysis first, but maybe this may present
> vantages from both the tester (canary) approach and direct RET checking.

Excellent point. Yes, the XOR random canary should work here. However, for the XOR approach
to work at all, you need non-stack storage for your XOR canary (if there's only one) or your
XOR canary table (if you bind functions to different random canary values). What we did was
compute a function's ordinal number mod 128 and use a table of 128 canary values.

> Anyway I'm attached to this mail a trivial stackguard-like / propolice like
> (but simplest than both) stack protection, that should be secure enough for
> most stack smashing prblems, that can be simply embedded in programs.
> It's implemented as an header file and a little .c file that must be
> linked to the program.

I like it. With your subsequent errata applied, it looks very nice. You've got your random
canary stored in non-stack space, so my 2-function one-overflow attack will fail.

Crispin 

--
Crispin Cowan, Ph.D.
Chief Research Scientist, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution:                    http://immunix.org
                Olympics:  The Corruption Games