How to Avoid Stack Smashing Attacks with GCC


by Himanshu Arora on February 7, 2013
Stack smashing is a fancy term for a stack buffer overflow: an attack that exploits a bug in the code which allows a buffer to be overrun. Earlier it was solely the responsibility of programmers and developers to make sure there was no possibility of a buffer overflow in their code, but over time compilers like gcc have gained flags that make sure buffer overflow bugs cannot be exploited by crackers to damage a system or a program. I came to know about these flags when I was trying to reproduce a buffer overflow on my Ubuntu 12.04 with gcc 4.6.3. Here is what I was trying to do:

#include <stdio.h>
#include <string.h>

int main(void)
{
    int len = 0;
    char str[10] = {0};   /* 10-byte buffer; gets() has no way to know its size */

    printf("\n Enter the name \n");
    gets(str);            /* Used gets() to cause buffer overflow */
    printf("\n len = [%d] \n", len);
    len = strlen(str);
    printf("\n len of string entered is : [%d]\n", len);
    return 0;
}


In the code above, I have used gets() to accept a string from the user, then calculated the length of this string and printed it back on stdout. The idea here is to input a string whose length is more than 10 bytes. Since gets() does not check array bounds, it will copy the whole input into the str buffer, and this way a buffer overflow will take place. This is what happened when I executed the program:

$ ./stacksmash

 Enter the name
TheGeekStuff

 len = [0]

 len of string entered is : [12]
*** stack smashing detected ***: ./stacksmash terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x45)[0xb76e4045]
/lib/i386-linux-gnu/libc.so.6(+0x103ffa)[0xb76e3ffa]
./stacksmash[0x8048548]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xb75f94d3]
./stacksmash[0x8048401]
======= Memory map: =========
Aborted (core dumped)

Well, this came as a pleasant surprise: the execution environment was somehow able to detect that a buffer overflow had happened. In the output you can see that stack smashing was detected. This prompted me to explore how the buffer overflow was detected. While searching for the reason, I came across the gcc flag -fstack-protector. Here is the description of this flag (from the man page):

-fstack-protector
Emit extra code to check for buffer overflows, such as stack smashing attacks. This is done by adding a guard variable to functions with vulnerable objects. This includes functions that call alloca, and functions with buffers larger than 8 bytes. The guards are initialized when a function is entered and then checked when the function exits. If a guard check fails, an error message is printed and the program exits.

NOTE: In Ubuntu 6.10 and later versions this option is enabled by default for C, C++, ObjC, ObjC++, if none of -fno-stack-protector, -nostdlib, nor -ffreestanding are found.


So you see that gcc has a flag that emits extra code to check for buffer overflows. The next question that came into my mind was: I never passed this flag during compilation, so how did this functionality get enabled? Then I read the last two lines, which say that from Ubuntu 6.10 onwards this functionality is enabled by default. As a next step, I decided to deactivate it by passing the flag -fno-stack-protector during compilation and then run the same use-case as before. Here is how I did it:


$ gcc -Wall -fno-stack-protector stacksmash.c -o stacksmash
$ ./stacksmash

 Enter the name
TheGeekStuff

 len = [26214]

 len of string entered is : [12]

So we see that once the code was compiled with this flag, the same input produced no detection: the buffer overflow that actually happened went unnoticed and silently corrupted the value of the variable len. The corrupted value 26214 is 0x6666, which is the two trailing 'f' bytes of "TheGeekStuff" (ASCII 0x66) landing on top of len. Also, if you are new to gcc, you should understand the most frequently used gcc compiler options that we discussed earlier.
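As an added example (not part of the article or its program): the same program with the gets() call replaced by a bounds-checked reader, so the 10-byte buffer cannot be overrun whether or not -fstack-protector is in force; read_name and demo_on are names chosen here, and demo_on is a hypothetical test hook that feeds a constructed line from memory instead of stdin.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

/* Bounds-checked replacement for gets(): reads one line from `in` into buf
 * (capacity n), stores at most n-1 characters, strips the newline, and drains
 * any excess so it cannot spill into the next read.
 * Returns the number of characters stored, or -1 on EOF/error. */
int read_name(char *buf, size_t n, FILE *in)
{
    if (n == 0 || fgets(buf, (int)n, in) == NULL)
        return -1;
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[--len] = '\0';             /* whole line fit: drop the newline */
    } else {
        int c;                          /* line longer than n-1: discard the rest */
        while ((c = fgetc(in)) != EOF && c != '\n')
            ;
    }
    return (int)len;
}

/* Hypothetical test hook: runs read_name over a constructed input line held
 * in memory, with an output buffer of the caller's chosen size. */
int demo_on(const char *line, char *out, size_t outn)
{
    FILE *in = fmemopen((void *)line, strlen(line), "r");
    if (in == NULL)
        return -1;
    int stored = read_name(out, outn, in);
    fclose(in);
    return stored;
}

int main(void)
{
    int len = 0;                /* same locals as the article's program */
    char str[10] = {0};
    printf("\n Enter the name \n");
    if (read_name(str, sizeof str, stdin) < 0)
        return 1;
    printf("\n len = [%d] \n", len);          /* stays 0: nothing overwrote it */
    len = (int)strlen(str);
    printf("\n len of string entered is : [%d]\n", len);
    return 0;
}
```

With the article's 12-character input, only the first 9 characters are kept and the rest of the line is discarded, so len is never clobbered.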


Copyright 2008-2013 Ramesh Natarajan. All rights reserved.