Engineering school and research center in digital sciences

Smashing the stack protector for fun and profit

Bierbaumer, Bruno; Kirsch, Julian; Kittel, Thomas; Francillon, Aurélien; Zarras, Apostolis

IFIP SEC 2018, 33rd IFIP International Information Security and Privacy Conference, 18-20 September, 2018, Poznan, Poland

Software exploitation has proven to be a lucrative business for cybercriminals. Unfortunately, protecting software against attacks is a long-lasting endeavor that is still under active research. However, certain software-hardening schemes are already incorporated into current compilers and are actively used to make software exploitation a complicated procedure for adversaries. Stack canaries are one such protection mechanism. When employed, they try to detect control-flow hijacking by examining the integrity of distinct values on the program's stack during program execution. The careful design and implementation of this conceptually straightforward mechanism is crucial in defeating stack-based control-flow detours. In this paper, we examine 17 different stack canary implementations across multiple versions of the most popular operating systems running on various architectures. We systematically compare critical implementation details and introduce one new generic attack vector which allows bypassing stack canaries altogether on current Linux systems running up-to-date multi-threaded software. We release an open-source framework (CookieCrumbler) that identifies the characteristics of stack canaries on any platform it is compiled on, and we propose mitigation techniques against stack-based attacks. Although stack canaries may appear obsolete these days, we show that when they are used correctly, they can prevent intrusions which even more sophisticated solutions may potentially fail to block.


Title: Smashing the stack protector for fun and profit
Type: Conference
Language: English
City: Poznan
Country: POLAND
Date:
Department: Digital Security
Eurecom ref: 5588
Copyright: © IFIP. Personal use of this material is permitted. The definitive version of this paper was published in IFIP SEC 2018, 33rd IFIP International Information Security and Privacy Conference, 18-20 September, 2018, Poznan, Poland and is available at:
Bibtex: @inproceedings{EURECOM+5588, year = {2018}, title = {{S}mashing the stack protector for fun and profit}, author = {{B}ierbaumer, {B}runo and {K}irsch, {J}ulian and {K}ittel, {T}homas and {F}rancillon, {A}ur{\'e}lien and {Z}arras, {A}postolis}, booktitle = {{IFIP} {SEC} 2018, 33rd {IFIP} {I}nternational {I}nformation {S}ecurity and {P}rivacy {C}onference, 18-20 {S}eptember, 2018, {P}oznan, {P}oland}, address = {{P}oznan, {POLOGNE}}, month = {09}, url = {http://www.eurecom.fr/publication/5588} }