2003-03-10 22:50:16

by Felipe Alfaro Solana

[permalink] [raw]
Subject: Stack growing and buffer overflows

Hi `who | cut -f1 d' '`,

Lately, I have been reading some articles on buffer overflows. Many of them seem to be caused by using local
variables that are allocated on the stack and then written to with no proper bounds checking. I don't know of
other architectures, but on x86, the stack grows downwards (from higher memory addresses to lower memory
addresses). This makes buffer overflows attacks easy to exploit: if a function uses strcpy() instead of strncpy() to
copy data (or memset or anything else that normally works upwards), due to the downwards nature of the stack
implementation, it's possible to overwrite the function's return address, or even another function local data
waiting in the call stack -> the stack grows downwards, but strcpy() works upwards, thus being able to cross
stack function boundaries (overwritting other functions local data or even its return address).

However, what would happen if the stack was implemented to grow upwards (from lower memory addresses to
higher memory addresses)? With this kind of implementation, if the last function in the call stack invokes
strcpy() over a local variable (allocated onto the stack) without checking bounds, the extra data would not
overwrite neither the own function's return address nor any other function waiting onto the call stack -> the
stack grows upwards and so does strcpy() when writting memory.

I know there are hardware implementation details involved in this issue, like the way PUSH and POP work, but
this is just an idea :-)

Comments on this? Could this be viable? Is the whole idea stupid in general?

Thanks!

Felipe Alfaro

--
______________________________________________
http://www.linuxmail.org/
Now with e-mail forwarding for only US$5.95/yr

Powered by Outblaze


2003-03-10 23:18:57

by Patrick E Kane

[permalink] [raw]
Subject: Re: Stack growing and buffer overflows

The OpenBSD guys have been working on closing buffer overflow holes.
Slashdot has this pointer to a msg from Theo de Raadt:
http://groups.google.com/groups?selm=b1aq2h%242q9g%241%40FreeBSD.csie.NCTU.edu.tw&output=gplain

In the last while, a couple of people in OpenBSD have
been putting some buffer overflow "solutions" into our
source tree; under my continual prodding. I thought I
would summarize some of these and how they fit together,
since what I have seen written up so far has been
wildly inaccurate. (Bad reporter, no cookie).

These are, in short form:

1) PROT_* purity
2) W^X
3) .rodata
4) propolice

...

I like the idea of turning off execute permission on the stack pages.

PEK
---





2003-03-11 09:54:32

by Helge Hafting

[permalink] [raw]
Subject: Re: Stack growing and buffer overflows

Patrick E Kane wrote:

> I like the idea of turning off execute permission on the stack pages.

It has been shown before that this has these disadvantages:
1. More work settting up those access bits (bloat & perf. degradation)
2. Some programs actually need an exec stack (loss of features)
3. It don't buy you _any_ security at all! (didn't help anyway)

About (3): Of course it stops some of the current exploits, but there is
a trivial way to "enhance" stack-smashing exploits to work around the
non-exec stack:

You can still overwrite the function's return address, on that non-exec
stack. The cracker can no longer upload code and make the function
return to that, but crackers don't need to! All they need is to return
to a place containing exec("/bin/sh") *and such places exist*,
paritcularly in every program using libc. So writing the the exploit
becomes a little harder, using it is as trivial as ever.

Spend the time fixing broken apps, or get them right from the start. It
is not as if writing safe C is _hard_.

Helge Hafting


2003-03-11 12:13:14

by Jörn Engel

[permalink] [raw]
Subject: Re: Stack growing and buffer overflows

On Tue, 11 March 2003 00:00:12 +0100, Felipe Alfaro Solana wrote:
>
> on x86, the stack grows downwards (from higher memory addresses to
> lower memory addresses). This makes buffer overflows attacks easy to
> exploit: if a function uses strcpy() instead of strncpy() to copy
> data [...]
>
> However, what would happen if the stack was implemented to grow
> upwards [...]

Stack overflows by mistake would go unnoticed, bad.
Stakc overflows in order to gain root privileges take only little more
effort, no change.

Nothing gained, something lost.

J?rn

--
Geld macht nicht gl?cklich.
Gl?ck macht nicht satt.