On Dec 3, 2007, at 4:51 PM, Michael Crawford wrote: I thought I should point out a gcc feature that's new in XCode 3: Stack Canaries. I learned about them just now in a discussion of security on Slashdot. I don't recall them ever being mentioned in any of the Xcode release notes.
A Stack Canary is a bit of data with a known value that's added to a stack frame when it's entered, and checked just before function return. If the value has been changed, a message is printed and the program exits.
This can protect against buffer overflow attacks on stack variables.
The name comes from the use of real canaries in mines to warn miners of toxic gases; canaries are more sensitive to them than humans are, so a passed-out canary can save lives.
To use Stack Canaries, add the -fstack-protector flag to your GCC command line. In an Xcode project, add that to your "other C flags" or "Other C++ flags" in the build settings. See "man gcc" for more information.
They are explained in detail at http://en.wikipedia.org/wiki/Stack-smashing_protection
The article claims that they have a very minimal performance impact; they'll add a small amount to function call overhead, but on today's processors that would be quite minuscule.
One thing I'd like to see is a way to override the function that prints the message and exits, so that one can show an alert instead, and possibly try to save the user's document.
Stack canaries, as you can see from the above, are supported in the gcc compiler but there's no explicit UI for them in Xcode's project interface or debugger. We expect that in the future, but you can still use the feature in Xcode 3.0 on Leopard.
Session 109 at WWDC (available online to ADR members) described this technique, but otherwise, the only documentation is in that obscure, hidden place known as the man page for the compiler:
    -fstack-protector
        Emit extra code to check for buffer overflows, such as stack smashing attacks. This is done by adding a guard variable to functions with vulnerable objects. This includes functions that call alloca, and functions with buffers larger than 8 bytes. The guards are initialized when a function is entered and then checked when the function exits. If a guard check fails, an error message is printed and the program exits.

    -fstack-protector-all
        Like -fstack-protector except that all functions are protected.
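The man page text above describes the mechanism in two sentences; the following is an added example (not from this thread, and not gcc's own implementation) that models the same guard-on-entry, check-on-exit sequence in plain C so the effect of an overflow can be observed without relying on undefined behaviour. The frame layout ([buffer][guard][saved return address]), the fixed guard constant demo_guard, the pretend return address demo_retaddr and the clamping of the copy to the frame size are all assumptions made for the model; a real -fstack-protector build reads a per-process random guard rather than a constant.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN   8                      /* the "buffers larger than 8 bytes" threshold from the man page */
#define SLOT_LEN  sizeof(uint64_t)
#define FRAME_LEN (BUF_LEN + 2 * SLOT_LEN)

/* Guard value. gcc's real guard is a per-process random value; a fixed
 * constant with no zero bytes is an assumption made for this example only. */
static const uint64_t demo_guard   = 0xC0FFEE11DEADBEEFULL;
static const uint64_t demo_retaddr = 0x0000000000401000ULL; /* pretend saved return address */

/* Model of one stack frame laid out the way a protected function orders it:
 * [ char buf[8] ][ guard ][ saved return address ], lowest address first. */
typedef struct { unsigned char bytes[FRAME_LEN]; } frame_t;

/* Prologue: zero the buffer and plant the guard between it and the return slot. */
static void frame_enter(frame_t *f) {
    memset(f->bytes, 0, FRAME_LEN);
    memcpy(f->bytes + BUF_LEN, &demo_guard, SLOT_LEN);
    memcpy(f->bytes + BUF_LEN + SLOT_LEN, &demo_retaddr, SLOT_LEN);
}

/* The bug being protected against: an unbounded, strcpy-style copy into buf.
 * Clamped to the frame so the model itself never writes out of bounds. */
static void frame_strcpy_unbounded(frame_t *f, const char *src) {
    size_t n = strlen(src) + 1;              /* includes the terminating NUL */
    if (n > FRAME_LEN) n = FRAME_LEN;
    memcpy(f->bytes, src, n);
}

/* Epilogue: compare the guard with the value planted on entry. */
static int frame_guard_intact(const frame_t *f) {
    uint64_t g;
    memcpy(&g, f->bytes + BUF_LEN, SLOT_LEN);
    return g == demo_guard;
}

static int frame_retaddr_intact(const frame_t *f) {
    uint64_t r;
    memcpy(&r, f->bytes + BUF_LEN + SLOT_LEN, SLOT_LEN);
    return r == demo_retaddr;
}

/* Returns 1 if the function would return normally, 0 if the guard check
 * fails (the point at which gcc's emitted code calls __stack_chk_fail,
 * prints its message and aborts the process). */
int protected_copy(const char *input) {
    frame_t f;
    frame_enter(&f);
    frame_strcpy_unbounded(&f, input);
    return frame_guard_intact(&f);
}

/* Same frame, no check: reports only whether the saved return address
 * survived, which is all an unprotected function has left to go on. */
int unprotected_copy_retaddr_intact(const char *input) {
    frame_t f;
    frame_enter(&f);
    frame_strcpy_unbounded(&f, input);
    return frame_retaddr_intact(&f);
}

int main(void) {
    /* Constructed inputs for the demonstration. */
    const char *inputs[] = {
        "1234567",                   /* 7 chars + NUL: fits in the 8-byte buffer */
        "12345678",                  /* 8 chars: the NUL lands on the guard */
        "AAAAAAAAAAAAAAAAAAAAAAAA",  /* 24 chars: reaches the return slot */
    };
    for (size_t i = 0; i < 3; i++) {
        printf("%-26s guard ok: %d   return address ok: %d\n", inputs[i],
               protected_copy(inputs[i]),
               unprotected_copy_retaddr_intact(inputs[i]));
    }
    return 0;
}
```

The second input is the instructive one: a single byte past the buffer already flips the guard check while the saved return address is still intact, which is exactly why the guard sits between the buffer and the return slot. Two caveats a practitioner should keep in mind: the check runs only when the function returns, so an overflow that corrupts other locals below the guard, or that is acted on before the return, is not caught; and with the default -fstack-protector only functions that meet the man page's criteria (alloca, buffers larger than 8 bytes) get a guard at all, which is what -fstack-protector-all changes.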