- A couple of updates to the "Secure Programming" section of the
developers handbook PR: docs/125485 Submitted by: gavin Reviewed by: trhodes, gabor, Ben Kaduk <minimarmot (at) gmail (dot) com> Approved by: gabor
This commit is contained in:
Gabor Pali
parent
9e5f8f91e6
commit
bf1ce11401
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=32576
1 changed files with 21 additions and 34 deletions
|
|
@ -57,13 +57,7 @@
|
||||||
|
|
||||||
<indexterm><primary>Morris Internet worm</primary></indexterm>
|
<indexterm><primary>Morris Internet worm</primary></indexterm>
|
||||||
|
|
||||||
effective today. Of the 17 CERT security advisories of 1999, 10
|
effective today.
|
||||||
|
|
||||||
<indexterm>
|
|
||||||
<primary>CERT</primary><secondary>security advisories</secondary>
|
|
||||||
</indexterm>
|
|
||||||
|
|
||||||
of them were directly caused by buffer-overflow software bugs.
|
|
||||||
By far the most common type of buffer overflow attack is based
|
By far the most common type of buffer overflow attack is based
|
||||||
on corrupting the stack.</para>
|
on corrupting the stack.</para>
|
||||||
|
|
||||||
|
|
@ -258,40 +252,32 @@ int main() {
|
||||||
<para>Unfortunately there is still a very large assortment of
|
<para>Unfortunately there is still a very large assortment of
|
||||||
code in public use which blindly copies memory around without
|
code in public use which blindly copies memory around without
|
||||||
using any of the bounded copy routines we just discussed.
|
using any of the bounded copy routines we just discussed.
|
||||||
Fortunately, there is another solution. Several compiler
|
Fortunately, there is a way to help prevent such attacks —
|
||||||
add-ons and libraries exist to do Run-time bounds checking in
|
run-time bounds checking, which is implemented by several
|
||||||
C/C++.</para>
|
C/C++ compilers.</para>
|
||||||
|
|
||||||
|
<indexterm><primary>ProPolice</primary></indexterm>
|
||||||
<indexterm><primary>StackGuard</primary></indexterm>
|
<indexterm><primary>StackGuard</primary></indexterm>
|
||||||
<indexterm><primary>gcc</primary></indexterm>
|
<indexterm><primary>gcc</primary></indexterm>
|
||||||
|
|
||||||
<para>StackGuard is one such add-on that is implemented as a
|
<para>ProPolice is one such compiler feature, and is integrated
|
||||||
small patch to the gcc code generator. From the <ulink
|
into &man.gcc.1; versions 4.1 and later. It replaces and
|
||||||
url="http://immunix.org/stackguard.html">StackGuard
|
extends the earlier StackGuard &man.gcc.1; extension.</para>
|
||||||
website</ulink>:
|
|
||||||
|
|
||||||
<blockquote><para>"StackGuard detects and defeats stack
|
<para>ProPolice helps to protect against stack-based buffer
|
||||||
smashing attacks by protecting the return address on the stack
|
overflows and other attacks by laying pseudo-random numbers in
|
||||||
from being altered. StackGuard places a "canary" word next to
|
key areas of the stack before calling any function. When a
|
||||||
the return address when a function is called. If the canary
|
function returns, these <quote>canaries</quote> are checked
|
||||||
word has been altered when the function returns, then a stack
|
and if they are found to have been changed the executable is
|
||||||
smashing attack has been attempted, and the program responds
|
immediately aborted. Thus any attempt to modify the return
|
||||||
by emitting an intruder alert into syslog, and then
|
address or other variable stored on the stack in an attempt to
|
||||||
halts."</para></blockquote>
|
get malicious code to run is unlikely to succeed, as the
|
||||||
|
attacker would have to also manage to leave the pseudo-random
|
||||||
<blockquote><para>"StackGuard is implemented as a small patch
|
canaries untouched.</para>
|
||||||
to the gcc code generator, specifically the function_prolog()
|
|
||||||
and function_epilog() routines. function_prolog() has been
|
|
||||||
enhanced to lay down canaries on the stack when functions
|
|
||||||
start, and function_epilog() checks canary integrity when the
|
|
||||||
function exits. Any attempt at corrupting the return address
|
|
||||||
is thus detected before the function
|
|
||||||
returns."</para></blockquote>
|
|
||||||
</para>
|
|
||||||
|
|
||||||
<indexterm><primary>buffer overflow</primary></indexterm>
|
<indexterm><primary>buffer overflow</primary></indexterm>
|
||||||
|
|
||||||
<para>Recompiling your application with StackGuard is an
|
<para>Recompiling your application with ProPolice is an
|
||||||
effective means of stopping most buffer-overflow attacks, but
|
effective means of stopping most buffer-overflow attacks, but
|
||||||
it can still be compromised.</para>
|
it can still be compromised.</para>
|
||||||
|
|
||||||
|
|
@ -378,7 +364,8 @@ int main() {
|
||||||
should also be noted that a process can easily break out of a
|
should also be noted that a process can easily break out of a
|
||||||
chroot environment if it has root privilege. This could be
|
chroot environment if it has root privilege. This could be
|
||||||
accomplished by creating device nodes to read kernel memory,
|
accomplished by creating device nodes to read kernel memory,
|
||||||
attaching a debugger to a process outside of the jail, or in
|
attaching a debugger to a process outside of the &man.chroot.8;
|
||||||
|
environment, or in
|
||||||
many other creative ways.</para>
|
many other creative ways.</para>
|
||||||
|
|
||||||
<para>The behavior of the <function>chroot()</function> system
|
<para>The behavior of the <function>chroot()</function> system
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue