Everhart, Glenn
From: Crispin Cowan [crispin@CSE.OGI.EDU]
Sent: Friday, August 28, 1998 1:27 AM
To: BUGTRAQ@NETSPACE.ORG
Subject: StackGuard-protected Linux and a New StackGuard Compiler

StackGuard is a compiler to protect programs against stack smashing attacks. When stack smashing exploits are deployed against StackGuard-protected programs, the protected program halts and logs the attack attempt in syslog, rather than yield control to the attacker's code.

This post is to announce a new release of StackGuard, providing better performance, and support for shared libraries. We have re-compiled the entire set of programs and libraries provided in the Red Hat 5.1 distribution. In addition to providing the compiler, we are also providing these protected programs and libraries in the form of binary RPMs on our server:

http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/

These 526 RPMs are drop-in replacements for the RPMs provided by Red Hat, except that stack smashing is no longer an alternative means of getting into the box when you forget the root password :-) There are a few other errata covered in the README.SG file.

Note that StackGuard-protected programs are inter-operable with un-protected shared libraries, and StackGuard-protected libraries are inter-operable with un-protected programs. This is a mixed blessing: on one hand, it means that if you are concerned with glibc vulnerabilities, you need only install the StackGuard-protected glibc RPM. On the other hand, if you are concerned with all shared library vulnerabilities, the unprotected libraries will still function with your new StackGuard-protected programs, and so you must be careful to install all libraries used by all programs that you wish to protect.

The source code used for the re-build is the source code provided by ftp.redhat.com as of July 13, 1998. There were a small number of changes that we had to make to the source to successfully re-build it, documented in README.SG.

The StackGuard compiler itself is an enhancement to gcc 2.7.2.3, and for the most part is a drop-in replacement for gcc. The one major caveat is that StackGuard protection must be turned OFF to build the Linux kernel. This is because the kernel knows what a function activation record looks like to do context switching, and StackGuard changes the format of an activation record to do the integrity check.

The support for shared libraries and the enhanced performance are enabled by an enhancement originally proposed by der Mouse, to the effect that a null next to a value is not possible to overflow undetected, because string ops terminate on null. However, some string operations actually do copy through nulls, such as gets(). We have enhanced der Mouse's technique so that the integrity word is a combination of Null, CR, LF, and -1, which should cover the range of termination symbols for C string operations.

A paper describing StackGuard appeared at the 1998 USENIX Security Conference. The paper is also on our web page.

Naturally, we would appreciate feedback on either security or functionality problems with any of the RPMs that we have provided.

Crispin
-----
Crispin Cowan, Research Assistant Professor of Computer Science, OGI
StackGuard: protect your software against Stack Smashing Attack
http://www.cse.ogi.edu/DISC/projects/immunix/StackGuard/
Support Justice: Boycott Windows 98
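The following C program is an added worked example, not code from the post or from StackGuard itself. It models the terminator-canary idea described above (a canary word made of NUL, CR, LF and 0xFF sitting between a local buffer and the saved return address) and runs three kinds of overflowing copy against it: a strcpy-style copy that stops at NUL, a gets-style copy that copies through NUL but stops at LF, and a raw read()/memcpy-style copy with no terminator at all. The activation record is a plain struct rather than the real stack frame, the return address is 32-bit as on the x86 Linux systems of the day, the byte order of the canary within the word is this example's choice, and the payloads are constructed here; all of these are assumptions of the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Terminator canary, in memory order from the lowest address: NUL, CR, LF,
 * 0xFF. These are the four terminators named in the post; placing them in
 * this order within the word is an assumption of this example. */
static const unsigned char CANARY[4] = { 0x00, 0x0d, 0x0a, 0xff };

/* Model of an activation record: locals, the canary word, then the saved
 * return address (32-bit, as on the x86 Linux boxes of the time). StackGuard
 * lays this out in the real stack frame; using a struct here keeps the demo
 * portable and guarantees the overflow never leaves the struct's storage. */
struct frame {
    char buf[16];
    unsigned char canary[4];
    uint32_t saved_ret;
};

enum copy_kind { COPY_STRCPY, COPY_GETS, COPY_RAW };

struct outcome { int detected; int hijacked; };

static void frame_init(struct frame *f, uint32_t ret)
{
    memset(f->buf, 0, sizeof f->buf);
    memcpy(f->canary, CANARY, sizeof CANARY);
    f->saved_ret = ret;
}

/* The check the compiler emits in the function epilogue: 1 if intact. */
static int canary_intact(const struct frame *f)
{
    return memcmp(f->canary, CANARY, sizeof CANARY) == 0;
}

/* Unbounded copy into f->buf, modelling three kinds of C input routine.
 * Only the stopping rule differs, and that rule is what the canary exploits.
 * The copy is capped at the end of the struct so the demo never corrupts
 * memory it does not own. */
static void overflow(struct frame *f, enum copy_kind kind,
                     const unsigned char *src, size_t len)
{
    unsigned char *dst = (unsigned char *)f + offsetof(struct frame, buf);
    size_t cap = sizeof *f - offsetof(struct frame, buf);
    if (len > cap)
        len = cap;

    for (size_t i = 0; i < len; i++) {
        switch (kind) {
        case COPY_STRCPY:        /* strcpy: copies the NUL, then stops */
            dst[i] = src[i];
            if (src[i] == 0)
                return;
            break;
        case COPY_GETS:          /* gets: copies NULs, replaces LF with NUL */
            if (src[i] == '\n') {
                dst[i] = 0;
                return;
            }
            dst[i] = src[i];
            break;
        case COPY_RAW:           /* read()/memcpy: no terminator at all */
            dst[i] = src[i];
            break;
        }
    }
}

/* Run one overflow against a fresh frame and report what the epilogue check
 * would see (detected) and whether the return address actually changed. */
static struct outcome attack(enum copy_kind kind,
                             const unsigned char *payload, size_t len)
{
    const uint32_t real_ret = 0x08048000u;   /* placeholder return address */
    struct frame f;
    struct outcome o;

    frame_init(&f, real_ret);
    overflow(&f, kind, payload, len);
    o.detected = !canary_intact(&f);
    o.hijacked = (f.saved_ret != real_ret);
    return o;
}

/* Constructed payloads. NAIVE is a classic run of 'A's. FORGED fills buf,
 * reproduces the canary byte for byte, then supplies a new return address:
 * the best an attacker who already knows the canary value can do. */
static const unsigned char NAIVE[25] = "AAAAAAAAAAAAAAAAAAAAAAAA";
static const unsigned char FORGED[24] = {
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A',
    0x00, 0x0d, 0x0a, 0xff,
    'B','B','B','B'
};

int main(void)
{
    struct { const char *name; enum copy_kind kind;
             const unsigned char *p; size_t n; } cases[] = {
        { "strcpy/naive",  COPY_STRCPY, NAIVE,  sizeof NAIVE  },
        { "strcpy/forged", COPY_STRCPY, FORGED, sizeof FORGED },
        { "gets/forged",   COPY_GETS,   FORGED, sizeof FORGED },
        { "raw/forged",    COPY_RAW,    FORGED, sizeof FORGED },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct outcome o = attack(cases[i].kind, cases[i].p, cases[i].n);
        printf("%-14s detected=%d hijacked=%d\n",
               cases[i].name, o.detected, o.hijacked);
    }
    return 0;
}
```

The four cases show why the word is built from terminators: the naive strcpy overflow is caught; the forged strcpy payload cannot get past the canary's leading NUL, so the return address is never reached; the forged gets() payload stops at the LF and, because gets() writes a NUL where the newline was, the canary is damaged and the smash is still reported. The raw case is the caveat a practitioner should keep in mind: a copy with no terminator, such as read() into a stack buffer, can reproduce the canary exactly if its value is known, so a terminator canary only defends against overflows that go through C string routines.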