• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: -fstack-protector
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: -fstack-protector

  • Subject: Re: -fstack-protector
  • From: "Michael Crawford" <email@hidden>
  • Date: Thu, 11 Sep 2008 14:57:10 -0700
On Thu, Sep 11, 2008 at 12:03 PM, Rich Collyer <email@hidden> wrote:
> I am using 10.4 (SDK & Deployment) because my product requirement is that I
> run on 10.4 machines.
>
> If this is true, I guess I will not be able to use this feature yet.

What I recommend you do is set up a Debug Build target with
-fstack-protector that's set to use the 10.5 SDK.  Then create test
cases that attempt to overflow your product's buffers in as many ways
as you can think of.

To do this, you might have to create purposefully-corrupt documents,
either by creating them with one-off programmatic tools, or by hacking
on otherwise compliant documents with a hex editor.

Or you might need to create hacked network clients that feed your
product bad data over your LAN.

If any of your corrupt documents really are able to overflow your
product's buffers, then builds made with -fstack-protector will abort.
 I've never used it, but I imagine running your tests within the Xcode
debugger will enable you to pinpoint the faulty code.

Once you have fixed all your buffer overflows, there will no longer be
any need to build production software with stack protection; your
stack will be perfectly protected by your now flawless
buffer-management code!  The icing on the cake is that there will no
longer be the (admittedly small) runtime overhead of the protection.

For those unfamiliar with -fstack-protector, it's a particular
implementation of what's generally known as a Stack Canary.  Stack
Canaries protect your software in the way real canaries protect miners
from poison gas.  Wikipedia has a really good piece about them:

http://en.wikipedia.org/wiki/Buffer_overflow_protection

I think Stack Canaries are the best thing since sliced bread.  I
haven't used them yet, but I'm developing a Free Software product of
my own, and you can be sure it will be rigorously tested with
-fstack-protector and lots of non-compliant input before I ever offer
it for download from my website.

If you found this advice helpful, you could pay me back by linking my
website below from your blog:
---------------------------------------------------------------V

(Yeah, I know link-whoring is rude.  But I'm gonna be famous someday,
and not because of my 1337 coding chops! :-D )

-- Mike
--
Michael David Crawford
mdcrawford at gmail dot com

 Enjoy my art, photography, music and writing at
http://www.geometricvisions.com/
 --- Free Compact Disc ---
 _______________________________________________
Do not post admin requests to the list. They will be ignored.
Xcode-users mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:

This email sent to email@hidden
References: 
 >-fstack-protector (From: Rich Collyer <email@hidden>)
 >Re: -fstack-protector (From: "Sean McBride" <email@hidden>)
 >Re: -fstack-protector (From: Rich Collyer <email@hidden>)

  • Prev by Date: iPhone SDK
  • Next by Date: Re: iPhone SDK
  • Previous by thread: Re: -fstack-protector
  • Next by thread: Re: -fstack-protector
  • Index(es):
    • Date
    • Thread