DoubleLi

qq: 517712484 wx: ldbgliet

  博客园 :: 首页 :: 博问 :: 闪存 :: 新随笔 :: 联系 :: 订阅 订阅 :: 管理 ::

关键词:stack-protector、stack-protector-strong、stack-protector-all等等。

1. gcc栈保护机制stack-protector简介

gcc提供了栈保护机制stack-protector。关于stack-protector包含三个选项,分别是stack-protector、stack-protector-all、stack-protector-strong、stack-protector-explicit四种。

关于stack-protector原理、实现、效果、局限参考《GCC 中的编译器堆栈保护技术》。

gcc中对这几种选项的介绍如下:

复制代码
-Wstack-protector
     This option is only active when -fstack-protector is active.  It warns about functions that are not protected against stack smashing.

-fstack-protector
    Emit extra code to check for buffer overflows, such as stack smashing attacks.  This is done by adding a guard variable to functions with vulnerable objects.
This includes functions that call "alloca", and functions with buffers larger than 8 bytes.
The guards are initialized when a function is entered and then checked when the function exits.
If a guard check fails, an error message is printed and the program exits. -fstack-protector-all Like -fstack-protector except that all functions are protected.
-fstack-protector-strong Like -fstack-protector but includes additional functions to be protected --- those that have local array definitions, or have references to local frame addresses. -fstack-protector-explicit Like -fstack-protector but only protects those functions which have the "stack_protect" attribute.
复制代码

stack-protector:保护函数中通过alloca()分配缓存以及存在大于8字节的缓存。缺点是保护能力有限。

stack-protector-all:保护所有函数的栈。缺点是增加很多额外栈空间,增加程序体积。

stack-protector-strong:在stack-protector基础上,增加本地数组、指向本地帧栈地址空间保护。

stack-protector-explicit:在stack-protector基础上,增加程序中显式属性"stack_protect"空间。

如果要停止使用stack-protector功能,需要加上-fno-stack-protector。

stack-protector性能:stack-protector > stack-protector-strong > stack-protector-all。

stack-protector覆盖范围:stack-protector < stack-protector-strong < stack-protector-all。

2. stack-protector测试

针对stack-protector的测试,主要对比stack-protector、stack-protector-strong、stack-protector-all三个选项的区别。

复制代码
#include <string.h>
#include <stdio.h>

int main(void)
{
    char array[2] = {0};

    strcpy(array, "stackwilloverflow");

    return 0;
}
复制代码

分别使用如下编译选项:(1) gcc stack.c -o stack -ggdb -fstack-protector、(2)gcc stack.c -o stack -ggdb -fstack-protector-strong、(3)gcc stack.c -o stack -ggdb -fstack-protector-all。

(1)未能检查出栈溢出,(2)、(3)都检查出了stack smashing detected。结论:可以看出stack-protector-strong和stack-protector-all相对于stack-protector更多的检测了栈溢出。

*** stack smashing detected ***: ./stack terminated
Aborted (core dumped)

查看core文件的bt full,可以勘测处发生栈溢出的点在array。

复制代码
...
#3  0x000014653e07915c in __GI___fortify_fail (msg=<optimized out>, msg@entry=0x14653e0ef481 "stack smashing detected") at fortify_fail.c:37
        do_abort = 1
#4  0x000014653e079100 in __stack_chk_fail () at stack_chk_fail.c:28
No locals.
#5  0x00000000004005a1 in main () at stack.c:11
        array = "st"
复制代码

修改array大小超过8字节之后,重新使用stack-protector进行测试。结论:当数组大小超过8字节过后,stack-protector才能检测出栈溢出。

复制代码
#include <string.h>
#include <stdio.h>

int main(void)
{
    char array[10] = {0};

    strcpy(array, "stackwilloverflowoooooooooo");

    return 0;
}
复制代码

发现了stack smashing:

*** stack smashing detected ***: ./stack terminated
Aborted (core dumped)

gdb查看backtrace如下:

复制代码
...
#3  0x000015062304c15c in __GI___fortify_fail (msg=<optimized out>, msg@entry=0x1506230c2481 "stack smashing detected") at fortify_fail.c:37
        do_abort = 1
#4  0x000015062304c100 in __stack_chk_fail () at stack_chk_fail.c:28
No locals.
#5  0x00000000004005b8 in main () at stack.c:11
        array = "stackwillo"
复制代码

3. 内核中使用stack-protector

首先需要定义HAVE_CC_STACKPROTECTOR,然后通过make menuconfig进行配置。

路径为General setup->Stack Protector buffer overflow detection。

参考文档:《stack-protector-strong》、《-fstack-protector-strong》、《"Strong" stack protection for GCC》。

posted on 2023-04-21 09:50  DoubleLi  阅读(861)  评论(0编辑  收藏  举报