{"id":3347,"date":"2021-07-30T15:07:59","date_gmt":"2021-07-30T13:07:59","guid":{"rendered":"https:\/\/andreas-klingler.de\/infosec\/?p=3347"},"modified":"2021-07-30T20:20:37","modified_gmt":"2021-07-30T18:20:37","slug":"stack-protection","status":"publish","type":"post","link":"https:\/\/infosec.andreas-klingler.de\/?p=3347","title":{"rendered":"Stack protection"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">The stack can be pro\u00adtect\u00aded against buffer overflows.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Stack protection with canaries<\/h2>\n\n\n\n<div class=\"wp-block-image\"><figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"570\" height=\"330\" src=\"https:\/\/andreas-klingler.de\/infosec\/wp-content\/uploads\/2021\/07\/canaries.png\" alt class=\"wp-image-3348\" srcset=\"https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2021\/07\/canaries.png 570w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2021\/07\/canaries-300x174.png 300w\" sizes=\"auto, (max-width: 570px) 100vw, 570px\"><\/figure><\/div>\n\n\n\n<p class=\"wp-block-paragraph\">Like in a coal mine, a canary can pro\u00advide an indi\u00adca\u00adtion if some\u00adthing goes wrong. Here, a canary is a defined val\u00adues which is added between the buffer (where an attack\u00ader will start writ\u00ading the pay\u00adload) and the <span class=\"caps\">SFP<\/span> Stack Frame Point\u00ader and <span class=\"caps\">RP<\/span> Return point\u00ader. To over\u00adwrite the <span class=\"caps\">RP<\/span> Return Point\u00ader, an attack\u00ader has to over\u00adwrite the canary as well. In the func\u00adtion epi\u00adlog, the canary is always val\u00adi\u00addat\u00aded. If it con\u00adtains not the expect\u00aded val\u00adue, the pro\u00adgram terminates.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Microsoft calls canaries <em>secu\u00adri\u00adty cook\u00adies<\/em> (?!).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">If <span class=\"caps\">SSP<\/span> Stack Smash\u00ading Pro\u00adtec\u00adtion is active and a process ter\u00admi\u00adnates because of <span class=\"caps\">SSP<\/span>, the error mes\u00adsage will be the following:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">*** stack smashing detected ***: &lt;unknown&gt; terminated<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\">Types of canaries<\/h3>\n\n\n\n<ul class=\"wp-block-list\"><li>A <strong>null canary<\/strong> con\u00adtains only null bytes. (<code>0x00000000<\/code>)<\/li><li>A <strong>ter\u00admi\u00adna\u00adtor canary<\/strong> con\u00adtains \u201cbad char\u00adac\u00adters\u201d for many func\u00adtions like line\u00adbreak, bina\u00adry zero, car\u00adriage return, etc. (e.g. <code>0x000a0dff<\/code>)<\/li><li>A <strong>ran\u00addom canary<\/strong> con\u00adsists out of ran\u00addom bytes which are defined when the process starts.<ul><li>To deter\u00admine a ran\u00addom canaries val\u00adue, an attack\u00ader could try to guess the first byte 0x03 by over\u00adwrit\u00ading only one byte after the buffer. If the pro\u00adgram exe\u00adcu\u00adtion stops, then this byte was wrong. If not, the val\u00adue was guess\u00ades and he can repeat it until the whole canary is&nbsp;known.<br><img loading=\"lazy\" decoding=\"async\" width=\"500\" height=\"351\" class=\"wp-image-3356\" style=\"width: 500px;\" src=\"https:\/\/andreas-klingler.de\/infosec\/wp-content\/uploads\/2021\/07\/random-canary.png\" alt srcset=\"https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2021\/07\/random-canary.png 470w, https:\/\/infosec.andreas-klingler.de\/wp-content\/uploads\/2021\/07\/random-canary-300x211.png 300w\" sizes=\"auto, (max-width: 500px) 100vw, 500px\"><\/li><\/ul><\/li><\/ul>\n\n\n\n<h3 class=\"wp-block-heading\">Canaries in action<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s see how a canary works by dis\u00adas\u00adsem\u00adbling a func\u00adtion with&nbsp;gdb.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">   ...\n   0x08048541 &lt;+18&gt;:\tmov    eax,DWORD PTR [ebp+0x8]\n   0x08048544 &lt;+21&gt;:\tmov    DWORD PTR [ebp-0x2c],eax\n   0x08048547 &lt;+24&gt;:\tmov    eax,DWORD PTR [ebp+0xc]\n   0x0804854a &lt;+27&gt;:\tmov    DWORD PTR [ebp-0x30],eax\n   0x0804854d &lt;+30&gt;:\tmov    eax,DWORD PTR [ebp+0x10]\n   0x08048550 &lt;+33&gt;:\tmov    DWORD PTR [ebp-0x34],eax\n   0x08048553 &lt;+36&gt;:\tmov    eax,gs:0x14\n   <strong>0x08048559<\/strong> &lt;+42&gt;:\tmov    DWORD PTR [ebp-0xc],eax\n   ...\n   0x080485ab &lt;+124&gt;:\tmov    edx,DWORD PTR [ebp-0xc]\n   0x080485ae &lt;+127&gt;:\txor    edx,DWORD PTR gs:0x14\n   0x080485b5 &lt;+134&gt;:\tje     0x80485bc &lt;testfunc+141&gt;\n   0x080485b7 &lt;+136&gt;:\tcall   0x80486b0 &lt;__stack_chk_fail_local&gt;\n   0x080485bc &lt;+141&gt;:\tmov    ebx,DWORD PTR [ebp-0x4]<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">In the first block, the canary is writ\u00adten. The sec\u00adond block is at the end of a func\u00adtion and checks the canary. To see the canary, we can add a break\u00adpoint at the last instruc\u00adtion of the \u201ccanary pro\u00adlog\u201d at <code>0x08048559<\/code> and inspect the con\u00adtent of the eax reg\u00adis\u00adter, which then con\u00adtains the canary.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">gdb-peda$ break *0x08048559\nBreakpoint 1 at 0x8048559\ngdb-peda$ run AAAAAAAAAAAAAAAAAAA BBB CCC\n...\nBreakpoint 1, 0x08048559 in testfunc ()\ngdb-peda$ x\/i $eip\n=&gt; 0x8048559 &lt;testfunc+42&gt;:\tmov    DWORD PTR [ebp-0xc],eax\ngdb-peda$ i r $eax\neax            0xff0a0000\t<strong>0xff0a0000<\/strong>     &lt;= Canary<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Let\u2019s try it again with eight A\u2019s \u2014 which still should be possible.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">gdb-peda$ run AAAAAAAA BBBB CCCC\n...\nBreakpoint 2, 0x0804856d in testfunc ()\ngdb-peda$ x\/20x $esp\n0xffffd480:\t0xffffd4b4\t0xffffd709\t0x00000000\t0x0804853b\n0xffffd490:\t0xf7fb3c40\t0xffffd717\t0xffffd712\t0xffffd709\n0xffffd4a0:\t0x080499f0\t0xf7ffd940\t0xf7e0ff65\t0x0804851c\n0xffffd4b0:\t0x080486e0\t<strong>0x41414141\t0x41414141<\/strong>\t0xff0a0000\n0xffffd4c0:\t0xf7fb33fc\t0x080499f0\t0xffffd4e8\t0x08048621<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Here are our A\u2019s and the canary lies behind it. Good. Now lets try to fur\u00adther over\u00adwrite the stack and set the prop\u00ader canary.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">gdb-peda$ run \"AAAAAAAA `echo -e '\\x00\\x00\\x0a\\xffAAAAAAAASSSSRRRR'`\" BBBBBBBB CCCCCCCC\n...\nBreakpoint 2, 0x0804856d in testfunc ()\ngdb-peda$ x\/20x $esp\n0xffffd470:\t0xffffd4a4\t0xffffd6ee\t0x00000000\t0x0804853b\n0xffffd480:\t0xf7fb3c40\t0xffffd713\t0xffffd70a\t0xffffd6ee\n0xffffd490:\t0x080499f0\t0xf7ffd940\t0xf7e0ff65\t0x0804851c\n0xffffd4a0:\t0x080486e0\t0x41414141\t0x41414141\t<strong>0x41ff0a20<\/strong>\n0xffffd4b0:\t0x41414141\t0x53414141\t0x52535353\t0x00525252<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">That is not our canary. Bad. The prob\u00adlem is that our bina\u00adry zeros were not copies because <code>strcpy<\/code> sees them as terminators.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The stack can be pro\u00adtect\u00aded against buffer over\u00adflows. Stack pro\u00adtec\u00adtion with canaries Like in a coal mine, a canary can pro\u00advide an indi\u00adca\u00adtion if some\u00adthing goes wrong. Here, a canary is a defined val\u00adues which is added between the buffer (where an attack\u00ader will start writ\u00ading the pay\u00adload) and the <span class=\"caps\">SFP<\/span> Stack Frame Point\u00ader&nbsp;and&nbsp;[\u2026]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"wp_typography_post_enhancements_disabled":false,"footnotes":""},"categories":[355],"tags":[431,426,409,428,430,429],"class_list":["post-3347","post","type-post","status-publish","format-standard","hentry","category-reverse-engineering","tag-canary","tag-libc","tag-reverse-engineering","tag-rop","tag-security-cookie","tag-stack-protection"],"_links":{"self":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/3347","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3347"}],"version-history":[{"count":9,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/3347\/revisions"}],"predecessor-version":[{"id":3366,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=\/wp\/v2\/posts\/3347\/revisions\/3366"}],"wp:attachment":[{"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3347"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3347"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infosec.andreas-klingler.de\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3347"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}