Re: StackGuard: Automatic Protection From Stack-smashing Attacks

Steve Bellovin (smb@RESEARCH.ATT.COM)
Fri, 19 Dec 1997 14:22:15 -0500

> StackGuard: Automatic Detection and Prevention of Buffer-Overflow At
tacks

>From the online paper:
> StackGuard detects and defeats stack smashing attacks by protecting
the
> return address on the stack from being altered. StackGuard has two
> mechanisms to protect the return address: one provides greater assu
rance,
> and the other provides greater performance.

You are only protecting the return address. This means many programs
will still be vulnerable to overflow attacks. In particular you
don't protect the overflow of locals in a procedure, nor the overflow
of globals in the data segment or heap. While it does stop the
"cookbook" stack overflow attacks, it does not really put an end
to the problem. Consider for example the following (contrived but
not entirely fictional) examples:

int save_uid;
char buf[10];

save_uid = getuid();
setuid(0);
fp = fopen("input", "r");
fscanf(fp, "%s", buf);
setuid(save_uid);

overflowing the buffer will allow the user to increase his priveledge
for the duration of the program execution, which may be a very bad thi
ng.

Yup. In fact, the first buffer overflow security problem I know of
was in an early version of UNIX -- 6th Edition, I think; possibly 5th --
where the 'logged in' flag in login.c was adjacent to an input buffer...