Canary-Based Protection: StackGuard (slide 11)

Idea: the function prologue introduces a canary word between the return address and the locals; the epilogue checks the canary before the function returns.

Stack frame layout (higher addresses first):

    arg 2
    arg 1
    return addr
    caller's ebp    <- %ebp
    callee-save
    CANARY
    locals          <- %esp
Software Security, Dept. of Computer Science, Nanjing University (slide 11 of 57). Outline: Background; Control Flow Hijack; Defense; Canary (StackGuard, Weakness, DiffGuard, Polymorphic Canary); Data Execution Prevention (Definition, DEP Scorecard, Return-to-libc Attack); ASLR (Randomization, ASLR).
Canary-Based Protection: StackGuard (slide 12)

Same frame layout as above: a contiguous overflow of the locals reaches the canary before it reaches the saved ebp and the return address, so the epilogue check catches it. Wrong Canary = Overflow.
Canary-Based Protection: StackGuard, gcc Stack-Smashing Protector (slide 13)

Compiled with gcc v4.6.1: gcc -fstack-protector -O1 ...

Dump of assembler code for function main:

    0x08048440 <+0>:   push   %ebp
    0x08048441 <+1>:   mov    %esp,%ebp
    0x08048443 <+3>:   sub    $76,%esp
    0x08048446 <+6>:   mov    %gs:20,%eax               # load canary
    0x0804844c <+12>:  mov    %eax,-4(%ebp)             # store canary above buf
    0x0804844f <+15>:  xor    %eax,%eax                 # erase canary from register
    0x08048451 <+17>:  mov    12(%ebp),%eax
    0x08048454 <+20>:  mov    4(%eax),%eax
    0x08048457 <+23>:  mov    %eax,4(%esp)
    0x0804845b <+27>:  lea    -68(%ebp),%eax            # buf (64 bytes)
    0x0804845e <+30>:  mov    %eax,(%esp)
    0x08048461 <+33>:  call   0x8048350 <strcpy@plt>
    0x08048466 <+38>:  mov    -4(%ebp),%edx             # reload stored canary
    0x08048469 <+41>:  xor    %gs:20,%edx               # compare with %gs:20
    0x08048470 <+48>:  je     0x8048477 <main+55>       # equal: return normally
    0x08048472 <+50>:  call   0x8048340 <__stack_chk_fail@plt>
    0x08048477 <+55>:  leave
    0x08048478 <+56>:  ret
Canary-Based Protection: StackGuard, Setting up canary (slide 14)

Before call to gets:

    /* Echo Line */
    void echo()
    {
        char buf[4];  /* Way too small! */
        gets(buf);
        puts(buf);
    }

Stack frame for main, then (higher addresses first) the frame for echo:

    Return Address
    Saved %ebp      <- %ebp
    Saved %ebx
    Canary
    [3][2][1][0]    buf

Prologue of echo:

    echo:
        . . .
        movl    %gs:20, %eax        # Get canary
        movl    %eax, -8(%ebp)      # Put on stack
        xorl    %eax, %eax          # Erase canary
        . . .
Canary-Based Protection: StackGuard, Checking canary (slide 15)

Before call to gets:

    /* Echo Line */
    void echo()
    {
        char buf[4];  /* Way too small! */
        gets(buf);
        puts(buf);
    }

Stack frame for main, then (higher addresses first) the frame for echo:

    Return Address
    Saved %ebp      <- %ebp
    Saved %ebx
    Canary
    [3][2][1][0]    buf

Epilogue of echo:

    echo:
        . . .
        movl    -8(%ebp), %eax      # Retrieve from stack
        xorl    %gs:20, %eax        # Compare with canary
        je      .L24                # Same: skip ahead
        call    __stack_chk_fail    # ERROR
    .L24:
        . . .
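The prologue/epilogue sequence above, modelled in portable C as an added example (not code from the slides): a struct reproduces the echo() frame layout, the canary value standing in for %gs:20 and the return address are constructed placeholders, and the unchecked copy plays the role of gets(buf). It shows that a contiguous overrun must clobber the canary before it can reach the return address, which is exactly what the epilogue check detects.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the echo() frame: buf lies below the canary, which
 * lies below the saved registers and the return address (higher = later). */
struct frame {
    char     buf[4];       /* char buf[4]: way too small */
    uint32_t canary;       /* CANARY, written by the prologue */
    uint32_t saved_ebx;    /* callee-save */
    uint32_t saved_ebp;    /* caller's %ebp */
    uint32_t return_addr;  /* return address */
};

#define CANARY_VALUE 0x7f0a3c00u  /* stand-in for %gs:20 (constructed) */
#define RET_SITE     0x08048466u  /* constructed return address */

/* Prologue: movl %gs:20,%eax ; movl %eax,-8(%ebp) */
static void prologue(struct frame *f) {
    memset(f, 0, sizeof *f);
    f->canary = CANARY_VALUE;
    f->return_addr = RET_SITE;
}

/* gets(buf): copies the whole input into the frame with no bound; clipped at
 * the end of the modelled frame only so that the model stays well-defined. */
static void unchecked_copy(struct frame *f, const char *input) {
    unsigned char *p = (unsigned char *)f + offsetof(struct frame, buf);
    size_t room = sizeof *f - offsetof(struct frame, buf);
    size_t n = strlen(input) + 1;
    memcpy(p, input, n < room ? n : room);
}

/* Epilogue: xorl %gs:20,%eax ; je .L24 ; call __stack_chk_fail
 * Returns 0 if the check passes, 1 if the canary was overwritten but the
 * return address is intact, 2 if the return address was overwritten too. */
int echo_outcome(const char *input) {
    struct frame f;
    prologue(&f);
    unchecked_copy(&f, input);
    if (f.canary == CANARY_VALUE) return 0;
    return f.return_addr == RET_SITE ? 1 : 2;
}

int main(void) {
    printf("\"abc\"    -> %d\n", echo_outcome("abc"));                   /* 0 */
    printf("7 x 'A'  -> %d\n", echo_outcome("AAAAAAA"));               /* 1 */
    printf("20 x 'A' -> %d\n", echo_outcome("AAAAAAAAAAAAAAAAAAAA"));  /* 2 */
    return 0;
}
```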