Friday 14 November 2014

Stack smashing protection by default on FreeBSD and other things ...

Hi folks,

Recently, the Stack Smashing Protection is enabled by default in ports, hence -fstack-protector flag is added which protects against stack buffer overflow (This feature is by default on OpenBSD since ... 12 years). So, concretally, what is the purpose ? Let's try by an example ... with our C wrapper for change ;-)

#include <mtld/devatlas-c.h>
#include <stdio.h>
int
main(int argc, char *argv[])
{
       mobi_devatlas *atlas;
       mobi_devatlas_ctx *ctx;
       mobi_http_header headers[1] = { 0 };
       char buf[10];
       printf("Please enter an user agent:\n");
       /* Bad idea !! but this is just for the sake of the example */
       gets(buf);
       atlas = mobi_mtld_da_init(NULL);
       if (atlas != NULL)
       {
               headers[0].name = "user-agent";
               headers[0].value = buf;
               ctx = mobi_mtld_da_ctx_init(atlas, NULL, headers, 1, NULL);
               ... etc ...
       }
}


In first glance, that looks good. Sure. But what if the user type more than 10 characters ? Buffer overflow. gets does not perform any boundaries checking ...
In that case, with this stack protection flag, you can get this kind of message "stack overflow detected" then the program aborts ... One detail ... that does NOT protect for attacks in the heap.

About HardenedBSD, I added recently my second syscall, getdtablecount which gives you the number of file descriptors open by the current process, that comes from OpenBSD (Linux has a similar function I think with a different name...) so hopefully the maintainer of the FreeBSD relayd port (load balancer from OpenBSD), for example, can find usefulness ... indeed OpenBSD version uses this to protect against Dos attacks. Unluckily, another syscall, ppoll (I think the Linux emulation layer needs this ...) arrived the same time, so we got some conflicts with syscalls ids on git at some point :-)

Working on both OpenBSD and FreeBSD is a great advantage for me as if I need to port something, it is quite fast in general !

Ah another small detail, my port of arc4random is merged in master branch :-)

Outside of pure technical topics, Shawn Webb began to get our development servers and began to play with Jenkins (which, honestly, I find it much better than I thought...). Now that he wants to take care of HardenedBSD communication, I prefer to let him speaks about what he and Oliver do specifically and the "biggest picture" as well ... But you can be sure they have numerous great ideas to add ;-)

Labels: , , , , , , ,

View David Carlier's profile on LinkedIn

0 Comments:

Post a Comment

Subscribe to Post Comments [Atom]

<< Home