StackGuard: Automatic Protection From Stack-smashing Attacks

Crispin Cowan (crispin@CSE.OGI.EDU)
Thu, 18 Dec 1997 21:34:39 -0800

StackGuard: Automatic Detection and Prevention of Buffer-Overflow Attacks

StackGuard provides a systematic solution to the persistent problem of
buffer overflow attacks. Buffer overflow attacks gained notoriety in
1988 as part of the Morris Worm incident on the Internet. While it is
fairly simple to fix individual buffer overflow vulnerabilities, buffer
overflow attacks continue to this day. Hundreds of attacks have been
discovered, and while most of the obvious vulnerabilities have now been
patched, more sophisticated buffer overflow attacks continue to emerge.

StackGuard is a simple compiler technique that virtually eliminates
buffer overflow vulnerabilities with only modest performance penalties.
Privileged programs that are recompiled with the StackGuard compiler
extension no longer yield control to the attacker, but rather enter
fail-safe state. These programs require no source code changes at all,
and are binary-compatible with existing operating systems and libraries.
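A simplified model of the guard-word check that StackGuard compiles into function prologues and epilogues, as an added C example (not StackGuard's gcc source and not from the original post); the frame layout, the CANARY constant and the placeholder return address are constructed assumptions:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of a StackGuard-protected frame (added illustration, not
 * StackGuard's gcc source): a guard word ("canary") sits between the local
 * buffer and the saved return address, so a sequential overflow that reaches
 * the return address must clobber the canary first. The constant is
 * constructed; a real guard must be a value the attacker cannot predict. */
#define BUF_SIZE 16
#define CANARY   0x4A7F3C21u
struct frame {
    unsigned char buf[BUF_SIZE];  /* the vulnerable local buffer          */
    uint32_t      canary;         /* guard word planted by the prologue   */
    uint32_t      ret_addr;       /* saved return address (a number here) */
};

/* Models an unchecked strcpy/gets: bytes land in buf and, when len > BUF_SIZE,
 * spill into the canary and return address that follow it. Writing through a
 * char pointer over the whole struct keeps the overflow well defined here. */
static void unchecked_copy(struct frame *f, const unsigned char *src, size_t len)
{
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy((unsigned char *)f, src, len);
}

/* Epilogue check: 1 if the guard is intact, 0 if it was overwritten. */
int canary_intact(const struct frame *f) { return f->canary == CANARY; }

/* Returns 1 when the modelled function may return normally, 0 when the guard
 * check fires (where StackGuard's epilogue halts with an error message). */
int protected_return(const unsigned char *input, size_t len)
{
    struct frame f;
    memset(f.buf, 0, sizeof f.buf);
    f.canary   = CANARY;       /* prologue: plant the guard word */
    f.ret_addr = 0x08048abcu;  /* constructed placeholder address */
    unchecked_copy(&f, input, len);
    if (!canary_intact(&f)) {
        fprintf(stderr, "stack smashing detected: halting\n");
        return 0;
    }
    return 1;
}
int main(void)
{
    unsigned char big[24]; memset(big, 'A', sizeof big);  /* constructed input */
    return protected_return(big, sizeof big);  /* exits 0 here: the guard fired */
}
```

An input of up to 16 bytes leaves the guard intact; anything longer overwrites it before it can touch the saved return address, which is exactly the condition the instrumented epilogue reports.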

StackGuard is intended to protect buggy software against stack smashing
attacks, even those attacks that have not yet been discovered. For
instance, even though StackGuard was developed prior to the public
announcement of the Samba stack smashing vulnerability, the same vulnerable
Samba code, when compiled with StackGuard protection, was not vulnerable
to the attack.

A paper describing StackGuard will appear in the 1998 USENIX Security
Conference. A pre-print of the paper is available (postscript and
HTML) here:

Source for the StackGuard-enhanced gcc is also here. This software is
available under the usual GPL (GNU Public License) rules. Security people
are invited to download and evaluate StackGuard.

StackGuard may be of particular interest to system administrators
seeking to protect their hosts from attack. The compiler is very stable;
for instance, a StackGuard-enhanced gcc can compile itself correctly.
Programs compiled with StackGuard should both compile and link without
complaint. However, since this is a first release of StackGuard, I
still recommend that privileged software be kept up to date with respect
to security announcements.

I am very interested in feedback on StackGuard. Naturally, all the usual
feedback is requested (bugs, security vulnerabilities, comments on the
design, etc.). Of *particular* interest are any alarms that StackGuard
sets off: if someone attempts to apply a stack-smashing attack to
a StackGuard-protected program, the program will halt with an error
message instead of yielding a root shell. This message *may* indicate
the discovery of a new stack-smashing vulnerability: please report it
to me. If your version of the program is current, then you may
also wish to report the problem to the author of the program in question.

I wish to thank the many contributors to the BUGTRAQ mailing list. The
background information provided by BUGTRAQ was invaluable to this
research. I am aware that there are other stack smashing solutions,
and they are described and cited in the paper.

Crispin Cowan, Research Assistant Professor of Computer Science
Oregon Graduate Institute | Electronically:
Department of Computer Science | analog: 503-690-1265
PO Box 91000 | digital:
Portland, OR 97291-1000 | URL:
Knowledge is to Wisdom as Data is to Code