Stack growing and buffer overflows

Stack growing and buffer overflows

[Felipe Alfaro Solana]

Hi `who | cut -f1 d' '`, 
 
Lately, I have been reading some articles on buffer overflows. Many of them seem to be caused by using local 
variables that are allocated on the stack and then written to with no proper bounds checking. I don't know of 
other architectures, but on x86, the stack grows downwards (from higher memory addresses to lower memory 
addresses). This makes buffer overflows attacks easy to exploit: if a function uses strcpy() instead of strncpy() to 
copy data (or memset or anything else that normally works upwards), due to the downwards nature of the stack 
implementation, it's possible to overwrite the function's return address, or even another function local data 
waiting in the call stack -> the stack grows downwards, but strcpy() works upwards, thus being able to cross 
stack function boundaries (overwritting other functions local data or even its return address). 
 
However, what would happen if the stack was implemented to grow upwards (from lower memory addresses to 
higher memory addresses)? With this kind of implementation, if the last function in the call stack invokes 
strcpy() over a local variable (allocated onto the stack) without checking bounds, the extra data would not 
overwrite neither the own function's return address nor any other function waiting onto the call stack -> the 
stack grows upwards and so does strcpy() when writting memory. 
 
I know there are hardware implementation details involved in this issue, like the way PUSH and POP work, but 
this is just an idea :-) 
 
Comments on this? Could this be viable? Is the whole idea stupid in general? 
 
Thanks! 
 
   Felipe Alfaro 
 
-- 
______________________________________________
http://www.linuxmail.org/
Now with e-mail forwarding for only US$5.95/yr

Powered by Outblaze

Re: Stack growing and buffer overflows

[Patrick E Kane]

The OpenBSD guys have been working on closing  buffer overflow holes.
Slashdot has this pointer to a msg from Theo de Raadt: 
http://groups.google.com/groups?selm=b1aq2h%242q9g%241%40FreeBSD.csie.NCTU.edu.tw&output=gplain

    In the last while, a couple of people in OpenBSD have
    been putting some buffer overflow "solutions" into our 
    source tree; under my continual prodding.  I thought I 
    would summarize some of these and how they fit together, 
    since what I have seen written up so far has been
    wildly inaccurate.  (Bad reporter, no cookie).

    These are, in short form:

       1) PROT_* purity
       2) W^X
       3) .rodata
       4) propolice

    ...

I like the idea of turning off execute permission on the stack pages.

PEK
---




  

Re: Stack growing and buffer overflows

[Helge Hafting]

Patrick E Kane wrote:

> I like the idea of turning off execute permission on the stack pages.

It has been shown before that this has these disadvantages:
1. More work settting up those access bits   (bloat & perf. degradation)
2. Some programs actually need an exec stack (loss of features)
3. It don't buy you _any_ security at all!   (didn't help anyway)

About (3): Of course it stops some of the current exploits, but there is
a trivial way to "enhance" stack-smashing exploits to work around the
non-exec stack:

You can still overwrite the function's return address, on that non-exec 
stack.  The cracker can no longer upload code and make the function 
return to that, but crackers don't need to!  All they need is to return 
to a place containing exec("/bin/sh") *and such places exist*, 
paritcularly in every program using libc.  So writing the the exploit
becomes a little harder, using it is as trivial as ever.

Spend the time fixing broken apps, or get them right from the start.  It 
is not as if writing safe C is _hard_.

Helge Hafting

Re: Stack growing and buffer overflows

[=?unknown-8bit?Q?J=F6rn?= Engel]

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset=unknown-8bit, Size: 616 bytes --]

On Tue, 11 March 2003 00:00:12 +0100, Felipe Alfaro Solana wrote:
>  
> on x86, the stack grows downwards (from higher memory addresses to
> lower memory addresses). This makes buffer overflows attacks easy to
> exploit: if a function uses strcpy() instead of strncpy() to copy
> data [...]
>  
> However, what would happen if the stack was implemented to grow
> upwards [...]

Stack overflows by mistake would go unnoticed, bad.
Stakc overflows in order to gain root privileges take only little more
effort, no change.

Nothing gained, something lost.

Jörn

-- 
Geld macht nicht glücklich.
Glück macht nicht satt.