19 Nov 2008 (updated 12 Dec 2008 at 09:53 UTC)
kernel stack-smashing protection in freebsd-8.0-current-200811
Stack-smashing detection and protection for the kernel has been enabled by default in the latest snapshot of FreeBSD 8.0-CURRENT (200811). This is possible because gcc 4.1 and later incorporate SSP (also known as ProPolice); the 200811 snapshot uses gcc 4.2.1. Specifically, src/sys/kern/stack_protector.c, which is compiled with gcc's -fstack-protector option, registers an event handler that generates a random canary value (the "guard" variable in SSP terminology). During a function's prologue this canary is placed between the local variables and the saved frame pointer on the kernel process's stack. When the function exits, the canary is compared against its original value. If it has been altered, the kernel calls panic(9), which brings down the whole system but also stops any redirection of execution flow caused by manipulation of the function's saved frame pointer or saved return address.
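As an added illustration (not code from FreeBSD's stack_protector.c), the following user-space model reproduces the mechanism just described: a guard chosen from a random source at start-up, a frame with the canary sitting between the local buffer and the saved frame pointer and return address, and an epilogue check that reports the corruption before the function can return through the clobbered frame. The function and struct names are invented for the example, and the `panic(9)` call is replaced by a return code so the model can be run and tested.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Frame layout SSP produces: locals, then the guard copy, then the saved
 * frame pointer and return address that an overflow would have to cross. */
struct frame {
    char buf[16];                       /* local buffer the body writes into */
    unsigned long canary;               /* guard copy placed by the prologue */
    unsigned long saved_fp, saved_ret;
};

static unsigned long stack_chk_guard;   /* stands in for __stack_chk_guard */

/* Stands in for the boot-time handler that draws the random guard (here from
 * /dev/urandom).  Returns 0 on success, -1 if no entropy could be read. */
int ssp_init_guard_random(void)
{
    FILE *fp = fopen("/dev/urandom", "rb");
    size_t n = fp ? fread(&stack_chk_guard, sizeof stack_chk_guard, 1, fp) : 0;
    if (fp) fclose(fp);
    return n == 1 ? 0 : -1;
}

void ssp_set_guard(unsigned long g) { stack_chk_guard = g; } /* fixed guard */

/* One instrumented function.  Prologue: copy the guard.  Body: copy `len` input
 * bytes into the 16-byte local with no bounds check (the bug).  Epilogue: compare
 * the canary before returning.  Returns 0 if the check passed, 1 if the canary
 * changed (here the kernel calls panic(9) instead of returning), -1 if `len` > frame. */
int run_frame(const unsigned char *in, size_t len)
{
    struct frame f;
    unsigned char *raw = (unsigned char *)&f;
    if (len > sizeof f - offsetof(struct frame, buf))
        return -1;
    f.saved_fp = 0x1000; f.saved_ret = 0x2000;  /* constructed placeholders */
    f.canary = stack_chk_guard;                 /* prologue */
    for (size_t i = 0; i < len; i++)            /* body: unchecked copy */
        raw[offsetof(struct frame, buf) + i] = in[i];
    return f.canary != stack_chk_guard;         /* epilogue */
}

/* Constructed input of `len` 'A' bytes (capped at 64) run under a fixed guard. */
int demo_overflow(size_t len)
{
    unsigned char in[64];
    memset(in, 'A', sizeof in);
    ssp_set_guard(0x5a5aa5a5UL);
    return run_frame(in, len > sizeof in ? sizeof in : len);
}
```

A copy that stays within the 16-byte buffer passes the check; one byte more already changes the canary, so the corrupted saved frame pointer and return address beyond it are never used.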
In contrast to StackGuard and StackShield (or even Microsoft's /GS), SSP has been effective against attacks aiming to directly bypass it. This relates to research I have done in the near past on the subject of kernel stack-smashing attacks. However, SSP can be indirectly bypassed by several methods, for example heap overflows, integer and/or signedness vulnerabilities, and stack overflows on buffers smaller than 8 bytes, among others.