From: antirez [antirez@linuxcare.com] Sent: Monday, September 04, 2000 4:08 AM To: VULN-DEV@SECURITYFOCUS.COM Subject: stackguard-like embedded protection Hi, This is trivial, maybe also world-wide known, anyway: a stackguard-like protection can be implemented in a quite portable way: /* This code is Copyright (C) 2000 by Salvatore Sanfilippo * and is shipped under the GPL license. * comments to: */ #include #include int __save_rand; #define RANDNUM 0x33992288 #define safe_enter int aux = get_rand() #define safe_leave \ do { \ if (aux != __save_rand) { \ printf("bof\n"); \ _exit(1); \ } \ } while(0) int get_rand() { __save_rand = RANDNUM; /* WARNING: not reentrant */ return RANDNUM; /* /dev/urandom can be ok */ } int main(int argc, char **argv) { safe_enter; char buffer[10]; if (argc == 1) exit(1); strcpy(buffer, argv[1]); safe_leave; return 0; } example: $ ./a.out aaaaaaaa $ ./a.out aaaaaaaaaaaaaaaaaaaaa bof This works at least under i386 and under sparc (probably _a lot_ of others), as you can see the major portability problem is the order of variables in the stack. The reentrancy problem may be solved using dynamic allocation for the saved pseudo-random number. This can be extended I think, anyway there are some advantages: - Doesn't require patched compiler - It's less intrusive and more portable. - Protects the sensible functions, not all functions. this prevents performance degradation of trivial-to-audit functions. Obviously the version presented is NOT secure as stackguard. This want not be a stackguard replacement -- it's just an idea. As suggested by Alessandro Rubini there is also a problem with this approach: it seems directed to the programmer. The programmer should not think in terms of stack protection tricks, but in terms of good programming. Agreed at all, even if from the state of view of the redundancy this helps. So, sorry for this bad coding example. regards, antirez -- Salvatore Sanfilippo, Open Source Developer, Linuxcare Italia spa +39.049.80 43 411 tel, +39.049.80 43 412 fax antirez@linuxcare.com, http://www.linuxcare.com/ Linuxcare. Support for the revolution.