From bf1ce11401d476a2adeebc7f7279b5f2c314b5b8 Mon Sep 17 00:00:00 2001 From: Gabor Pali Date: Wed, 23 Jul 2008 21:40:57 +0000 Subject: [PATCH] - A couple of updates to the "Secure Programming" section of the developers handbook PR: docs/125485 Submitted by: gavin Reviewed by: trhodes, gabor, Ben Kaduk Approved by: gabor --- .../developers-handbook/secure/chapter.sgml | 55 +++++++------------ 1 file changed, 21 insertions(+), 34 deletions(-) diff --git a/en_US.ISO8859-1/books/developers-handbook/secure/chapter.sgml b/en_US.ISO8859-1/books/developers-handbook/secure/chapter.sgml index 6e04d31bac..6c0bca826d 100644 --- a/en_US.ISO8859-1/books/developers-handbook/secure/chapter.sgml +++ b/en_US.ISO8859-1/books/developers-handbook/secure/chapter.sgml @@ -57,13 +57,7 @@ Morris Internet worm - effective today. Of the 17 CERT security advisories of 1999, 10 - - - CERTsecurity advisories - - - of them were directly caused by buffer-overflow software bugs. + effective today. By far the most common type of buffer overflow attack is based on corrupting the stack. @@ -258,40 +252,32 @@ int main() { Unfortunately there is still a very large assortment of code in public use which blindly copies memory around without using any of the bounded copy routines we just discussed. - Fortunately, there is another solution. Several compiler - add-ons and libraries exist to do Run-time bounds checking in - C/C++. + Fortunately, there is a way to help prevent such attacks — + run-time bounds checking, which is implemented by several + C/C++ compilers. + ProPolice StackGuard gcc - StackGuard is one such add-on that is implemented as a - small patch to the gcc code generator. From the StackGuard - website: + ProPolice is one such compiler feature, and is integrated + into &man.gcc.1; versions 4.1 and later. It replaces and + extends the earlier StackGuard &man.gcc.1; extension. -
"StackGuard detects and defeats stack - smashing attacks by protecting the return address on the stack - from being altered. StackGuard places a "canary" word next to - the return address when a function is called. If the canary - word has been altered when the function returns, then a stack - smashing attack has been attempted, and the program responds - by emitting an intruder alert into syslog, and then - halts."
- -
"StackGuard is implemented as a small patch - to the gcc code generator, specifically the function_prolog() - and function_epilog() routines. function_prolog() has been - enhanced to lay down canaries on the stack when functions - start, and function_epilog() checks canary integrity when the - function exits. Any attempt at corrupting the return address - is thus detected before the function - returns."
-
+ ProPolice helps to protect against stack-based buffer + overflows and other attacks by laying pseudo-random numbers in + key areas of the stack before calling any function. When a + function returns, these canaries are checked + and if they are found to have been changed the executable is + immediately aborted. Thus any attempt to modify the return + address or other variable stored on the stack in an attempt to + get malicious code to run is unlikely to succeed, as the + attacker would have to also manage to leave the pseudo-random + canaries untouched. buffer overflow - Recompiling your application with StackGuard is an + Recompiling your application with ProPolice is an effective means of stopping most buffer-overflow attacks, but it can still be compromised. @@ -378,7 +364,8 @@ int main() { should also be noted that a process can easily break out of a chroot environment if it has root privilege. This could be accomplished by creating device nodes to read kernel memory, - attaching a debugger to a process outside of the jail, or in + attaching a debugger to a process outside of the &man.chroot.8; + environment, or in many other creative ways. The behavior of the chroot() system
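Review bot: in the first hunk (@@ -57,13 +57,7 @@), once the "17 CERT security advisories of 1999, 10 ... were directly caused by buffer-overflow software bugs" sentence is gone, the remaining claim "By far the most common type of buffer overflow attack is based on corrupting the stack." is left with no figure or reference behind it. Dropping the dated 1999 statistic is the right call, but either cite a current source or soften the sentence (for example "The classic, and still the most widely exploited, form of buffer overflow attack corrupts the stack."). Removing the "CERTsecurity advisories" indexterm together with the sentence is correct, so no dangling index entry is left.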
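Review bot: in the second hunk (@@ -258,40 +252,32 @@), the new lead sentence "Fortunately, there is a way to help prevent such attacks - run-time bounds checking, which is implemented by several C/C++ compilers." misdescribes what ProPolice does: it performs no bounds checking on the copy at all, it places a canary and detects that the stack was corrupted when the function returns, after the overflow has already happened. Suggest "stack-smashing protection" or "stack protection" instead of "run-time bounds checking", which readers will confuse with the bounded copy routines discussed in the paragraph just above. Related wording points in the same paragraph: "laying pseudo-random numbers in key areas of the stack before calling any function" is backwards, the canary is written in the prologue of the protected function itself (the removed StackGuard text had this right with function_prolog()/function_epilog()); "protect against stack-based buffer overflows and other attacks" and "any attempt to modify the return address or other variable stored on the stack" overstate the guarantee, since only writes that run into the canary between the buffer and the saved return address are detected, and an overflow that stops at an adjacent local, or a heap overflow, is not; and since the feature is not enabled by default in the gcc 4.1 line the text names, the paragraph should tell the reader to build with -fstack-protector (or -fstack-protector-all), otherwise "Recompiling your application with ProPolice" is not actionable.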
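Review bot: in the third hunk (@@ -378,7 +364,8 @@), "&man.chroot.8;" refers to the chroot(8) command, but this paragraph is about the system call: the trailing context line reads "The behavior of the chroot() system" call, and the escape being described is by "a process" running inside the environment. Use "&man.chroot.2;" or simply "chroot environment" so the reference matches the rest of the section. Replacing "jail" itself is correct, since jail is a distinct FreeBSD facility and the old wording implied it shares the chroot(2) weaknesses listed here (device node creation, attaching a debugger to an outside process).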