  • gcc stack overflow protection: stack-protector

    Keywords: stack-protector, stack-protector-strong, stack-protector-all, etc.

    1. Introduction to gcc's stack protection mechanism, stack-protector

    gcc provides a stack protection mechanism called stack-protector. It comes in four variants: stack-protector, stack-protector-all, stack-protector-strong and stack-protector-explicit.

    For the principle, implementation, effectiveness and limitations of stack-protector, see 《GCC 中的编译器堆栈保护技术》 (Compiler Stack Protection Technology in GCC).

    The gcc manual describes these options as follows:

    -Wstack-protector
        This option is only active when -fstack-protector is active. It warns about functions that are not protected against stack smashing.

    -fstack-protector
        Emit extra code to check for buffer overflows, such as stack smashing attacks. This is done by adding a guard variable to functions with vulnerable objects. This includes functions that call "alloca", and functions with buffers larger than 8 bytes. The guards are initialized when a function is entered and then checked when the function exits. If a guard check fails, an error message is printed and the program exits.

    -fstack-protector-all
        Like -fstack-protector except that all functions are protected.

    -fstack-protector-strong
        Like -fstack-protector but includes additional functions to be protected --- those that have local array definitions, or have references to local frame addresses.

    -fstack-protector-explicit
        Like -fstack-protector but only protects those functions which have the "stack_protect" attribute.

    stack-protector: protects functions that allocate with alloca() and functions holding a char array of at least 8 bytes (the default ssp-buffer-size; tunable with --param ssp-buffer-size=N). Drawback: limited coverage; smaller char arrays and arrays of other element types get no guard.

    stack-protector-all: protects every function. Drawback: every frame carries a guard plus the prologue/epilogue code that loads and checks it, which costs stack space, code size and cycles.

    stack-protector-strong: on top of stack-protector, also protects functions that define any local array (any element type, any size) and functions that take the address of a local (references to the local frame).

    stack-protector-explicit: protects only functions explicitly marked with the "stack_protect" attribute (__attribute__((stack_protect))); unlike the other variants it does not extend stack-protector's automatic selection.

    To turn stack-protector off, add -fno-stack-protector. This matters on toolchains that enable -fstack-protector-strong by default (Ubuntu's gcc, for example): the only way to get an unprotected baseline there is to pass -fno-stack-protector explicitly.

    Performance, from least to most overhead: stack-protector > stack-protector-strong > stack-protector-all.

    Coverage, from least to most: stack-protector < stack-protector-strong < stack-protector-all.
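    The manual text above describes the guard abstractly: loaded in the prologue, compared in the epilogue, __stack_chk_fail() on mismatch. The following model makes the mechanism concrete. It is an added example, not code from the original post; the compiler's real guard lives in thread-local storage (fs:0x28 with glibc on x86_64) and is random per process, whereas kGuard here is a constructed constant. One property is kept on purpose: like glibc, the lowest-addressed byte of the guard is 0, so a string copy that overruns by exactly its terminating NUL leaves the guard unchanged, which is why a one-byte NUL overflow is not caught by this mechanism.

```c
#include <stdio.h>
#include <string.h>

#define BUF_LEN   8   /* the local char array of the protected function */
#define GUARD_LEN 8   /* sizeof(uintptr_t) on a 64-bit target */

/* Constructed stand-in for the per-process guard (real one: random, in TLS).
 * As in glibc, the lowest-addressed byte is 0 so C string functions stop on it. */
static const unsigned char kGuard[GUARD_LEN] = {0x00, 0x5a, 0x3c, 0x91, 0xde, 0xad, 0xbe, 0xef};

/* Frame layout of a protected function: the char array is placed directly
 * below the guard, and the guard sits between the locals and the saved frame
 * pointer / return address. A struct fixes that order for the demonstration. */
struct guarded_frame {
    char buf[BUF_LEN];
    unsigned char guard[GUARD_LEN];
};

enum { COPY_TOO_LONG = -1, GUARD_SMASHED = 0, GUARD_INTACT = 1 };

/* Emulates strcpy(buf, src) inside a function built with -fstack-protector and
 * returns what the epilogue comparison would decide. The copy goes through a
 * pointer to the whole struct, so bytes that spill past buf land on guard
 * while the write stays inside one object (no undefined behaviour in the demo). */
int simulate_protected_strcpy(const char *src)
{
    struct guarded_frame frame;
    size_t len = strlen(src);

    if (len + 1 > sizeof frame)
        return COPY_TOO_LONG;                 /* would run past the guard; not modelled */

    memcpy(frame.guard, kGuard, GUARD_LEN);   /* prologue: copy the guard into the frame */
    memset(frame.buf, 0, BUF_LEN);
    memcpy((char *)&frame, src, len + 1);     /* body: unbounded copy, NUL included */

    /* epilogue: a changed guard is where __stack_chk_fail() would be called */
    return memcmp(frame.guard, kGuard, GUARD_LEN) == 0 ? GUARD_INTACT : GUARD_SMASHED;
}

int main(void)
{
    /* constructed inputs: fits, overruns by the NUL only, overruns by one char, overruns by seven */
    static const char *inputs[] = {"short", "exactly8", "ninechars", "stackwilloverfl"};
    for (size_t i = 0; i < sizeof inputs / sizeof *inputs; i++) {
        int r = simulate_protected_strcpy(inputs[i]);
        printf("%-16s (%zu chars + NUL): %s\n", inputs[i], strlen(inputs[i]),
               r == GUARD_INTACT ? "guard intact" :
               r == GUARD_SMASHED ? "guard smashed, __stack_chk_fail would fire" : "too long for the model");
    }
    return 0;
}
```

    "exactly8" is the instructive case: eight characters fill buf and the terminator overwrites guard[0], which was already 0, so the check passes even though the buffer was overrun. Any overflow of one real byte or more changes a non-zero guard byte and is caught at function exit, never at the strcpy itself.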

    2. Testing stack-protector

    The test compares the three options stack-protector, stack-protector-strong and stack-protector-all on the same deliberately overflowing program.

    #include <string.h>
    #include <stdio.h>
    
    int main(void)
    {
        char array[2] = {0};                  /* 2-byte char array: below the 8-byte ssp-buffer-size */
    
        strcpy(array, "stackwilloverflow");   /* 17 characters plus NUL into a 2-byte buffer */
    
        return 0;
    }

    Compile with each of the following:
    (1) gcc stack.c -o stack -ggdb -fstack-protector
    (2) gcc stack.c -o stack -ggdb -fstack-protector-strong
    (3) gcc stack.c -o stack -ggdb -fstack-protector-all

    (1) does not detect the overflow; (2) and (3) both report "stack smashing detected". Conclusion: stack-protector-strong and stack-protector-all catch overflows that stack-protector misses. Note that in case (1) the overflow still happens; the absence of the message only means no guard was emitted for main, not that the write was harmless.

    *** stack smashing detected ***: ./stack terminated
    Aborted (core dumped)

    Looking at bt full on the core file shows that the overflow originated at array in main. The main frame reports stack.c:11, the closing brace, because the guard is compared in the function epilogue, not at the strcpy:

    ...
    #3  0x000014653e07915c in __GI___fortify_fail (msg=<optimized out>, msg@entry=0x14653e0ef481 "stack smashing detected") at fortify_fail.c:37
            do_abort = 1
    #4  0x000014653e079100 in __stack_chk_fail () at stack_chk_fail.c:28
    No locals.
    #5  0x00000000004005a1 in main () at stack.c:11
            array = "st"

    After enlarging array beyond 8 bytes, rerun the test with plain stack-protector. Conclusion: stack-protector only detects the overflow once the char array reaches the 8-byte ssp-buffer-size threshold.

    #include <string.h>
    #include <stdio.h>
    
    int main(void)
    {
        char array[10] = {0};                           /* 10-byte char array: at or above ssp-buffer-size, so a guard is emitted */
    
        strcpy(array, "stackwilloverflowoooooooooo");   /* 27 characters plus NUL into a 10-byte buffer */
    
        return 0;
    }

    Stack smashing is now detected:

    *** stack smashing detected ***: ./stack terminated
    Aborted (core dumped)

    The gdb backtrace:

    ...
    #3  0x000015062304c15c in __GI___fortify_fail (msg=<optimized out>, msg@entry=0x1506230c2481 "stack smashing detected") at fortify_fail.c:37
            do_abort = 1
    #4  0x000015062304c100 in __stack_chk_fail () at stack_chk_fail.c:28
    No locals.
    #5  0x00000000004005b8 in main () at stack.c:11
            array = "stackwillo"
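    Running the binary only shows whether an overflow was caught; it does not show which functions received a guard, and that is the question when choosing between the three flags. The program below is an added example, not part of the original post: it writes a constructed probe (one function per class the flags distinguish), compiles it to assembly once per flag, and counts the functions whose epilogue references __stack_chk_fail. It assumes a gcc-compatible driver reachable as gcc (or via the CC environment variable) and a writable /tmp.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Constructed probe: each function falls into a different stack-protector class.
 *   f_small : char[2], below the default ssp-buffer-size of 8
 *   f_large : char[16], at or above ssp-buffer-size
 *   f_ints  : an array that is not a char array
 *   main    : no local array, no address-taken local */
static const char kProbeSource[] =
    "#include <string.h>\n"
    "int f_small(const char *s) { char small[2]; strcpy(small, s); return small[0]; }\n"
    "int f_large(const char *s) { char big[16];  strcpy(big, s);   return big[0]; }\n"
    "int f_ints(int x)          { int ints[4];   ints[0] = x;      return ints[x & 3]; }\n"
    "int main(void) { return f_small(\"a\") + f_large(\"b\") + f_ints(1); }\n";

/* Assumption: CC, if set, names a gcc-compatible driver; otherwise use gcc. */
static const char *compiler(void)
{
    const char *cc = getenv("CC");
    return (cc && *cc) ? cc : "gcc";
}

/* 1 if the compiler can be invoked, 0 otherwise. */
int compiler_available(void)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "%s --version >/dev/null 2>&1", compiler());
    return system(cmd) == 0;
}

/* Compiles the probe to assembly with `flag` (e.g. "-fstack-protector-strong")
 * and returns how many functions got a guard: one __stack_chk_fail call per
 * protected function. Assembler directives (.hidden, .type) are skipped so only
 * instructions are counted. Returns -1 if the compile cannot be run. */
int count_canary_checks(const char *flag)
{
    char src[] = "/tmp/ssp_probe_XXXXXX";
    int fd = mkstemp(src);
    if (fd < 0)
        return -1;
    FILE *f = fdopen(fd, "w");
    if (!f) { close(fd); unlink(src); return -1; }
    fputs(kProbeSource, f);
    fclose(f);

    char asm_path[sizeof src + 2];
    snprintf(asm_path, sizeof asm_path, "%s.s", src);
    char cmd[512];
    snprintf(cmd, sizeof cmd, "%s -x c -O0 -S %s -o %s %s", compiler(), flag, asm_path, src);
    int rc = system(cmd);
    unlink(src);
    if (rc != 0) { unlink(asm_path); return -1; }

    int count = 0;
    char line[512];
    FILE *out = fopen(asm_path, "r");
    if (!out) return -1;
    while (fgets(line, sizeof line, out)) {
        const char *p = line + strspn(line, " \t");
        if (*p != '.' && strstr(p, "stack_chk_fail"))
            count++;
    }
    fclose(out);
    unlink(asm_path);
    return count;
}

int main(void)
{
    static const char *flags[] = {"-fno-stack-protector", "-fstack-protector",
                                  "-fstack-protector-strong", "-fstack-protector-all"};
    for (size_t i = 0; i < sizeof flags / sizeof *flags; i++)
        printf("%-26s %d protected function(s)\n", flags[i], count_canary_checks(flags[i]));
    return 0;
}
```

    With gcc the four flags yield 0, 1, 3 and 4: plain -fstack-protector guards only f_large, -strong adds f_small and f_ints (any local array) but not main, and -all guards everything. -fno-stack-protector is included as the baseline because on distributions whose gcc defaults to -fstack-protector-strong, "no flag" is not an unprotected build.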

    3. Using stack-protector in the kernel

    The architecture's Kconfig must select HAVE_CC_STACKPROTECTOR, which makes the option visible; the protection level is then chosen with make menuconfig. (From Linux 4.18 on, the symbols were renamed to HAVE_STACKPROTECTOR and CONFIG_STACKPROTECTOR / CONFIG_STACKPROTECTOR_STRONG.)

    The menu path is General setup -> Stack Protector buffer overflow detection.

    References: 《stack-protector-strong》, 《-fstack-protector-strong》, 《"Strong" stack protection for GCC》.

  • Original URL: https://www.cnblogs.com/arnoldlu/p/11630979.html