[Software debugging Study Notes] cookie-based security check mechanism to prevent Stack Buffer Overflow

Buffer Overrun Definition

Buffer isProgramThe continuous memory area used to store data. Once the allocation is completed, the starting address and urine are fixed. When the program is running, if the buffer area is exceeded, buffer overflow or buffer overrun occurs ). If the buffer is allocated to a stack, it is called Stack Buffer Overrun. If the buffer is allocated to a heap, it is called heap overflow.

Stack Buffer Overrun will crash the stack information of the thread itself and its parent thread. We know that in the current stack frame, EBP + 4 is the function return address, and EBP + 8 is the last parameter, EBP + C: the second to last parameter .... If the content in EBP + 4 is written into an Invalid Address, the function will jump to an invalid address when calling and then execute an invalid program. This is the basic principle of using Stack Buffer Overrun for malicious attacks.

In vc6.0, if the program is debug, by default will enable the detection of stack buffer overrun. In the release version, the detection is disabled. In vc8 or later versions, the cookie-based stack buffer security check mechanism is used.

Measure to prevent Buffer Overrun

This article describes how to use the COOKIE Mechanism in vs8 and later compilers to prevent stack overrun.

First, we will briefly introduce the detection mechanism of stack orverrun (vc8 and later) in the debug version:

1. vc8 allocates four bytes at the position next to the stack pointer to store secure cookies. A security cookie is like a security guardrail used to protect the stack pointer and function return address under it. It is located in local variables and important stack frame information (stack frame pointer and function return address ). In this way, if the local variable on the cookie overflows, the cookie will be overwritten before it is extended to the stack frame information. Therefore, you can check the integrity of the cookie to detect overflow that may compromise the stack information.

2. when allocating space for each local variable, in addition to completing the zero-header part required by the memory space, the compiler will allocate 8 more bytes to each variable, the variables are placed at the front and back of each of the four bytes and initialized to 0 xcccccccc. In this way, each variable has two barriers. Once these two barrier blocks are damaged, they will interrupt (CC code ).

 

Cookie-based stack buffer Security Detection

However, the above overhead is large and is usually used only for debugging versions. To detect Stack Buffer Overrun in release version and prevent the program from being attacked, vs2005 and above support the cookie-based security check mechanism.

The principles of the cookie-based security check mechanism are as follows:

1. the compiler defines a special local variable when compiling a function that may have stack buffer orverrun, this local variable is assigned to all other local variables in the stack frame and between the stack frame and function return. This variable is used to save the cookie and we call it a cookie variable. The cookie variable is a 32-bit integer whose value is obtained from the global variable _ security_cookie. (The global variable is defined in the C Runtime Library. We can seeSource code: C: \ Program... \ visu .. 8 \ Vc \ CRT \ SRC \ gs_cookie.c:

# Define default_security_cookie 0xbb40e64e

Declspec_selectrany uint_prt _ security_cookie = default_security_cookie;

......

(Visible _ security_cookie variable assigned the default value ). In the startup function (such as winmaincrtstartup) started by the vc8 compiler, the _ security_init_cookie function is also called to initialize the variable. In crt0.c, the source code of the startup function is as follows:

Int _ tmaincrtstartup (void)

{

_ Security_init_cookie (); // initialize the cookie

......

}

Because the global variable _ security_cookie is initialized in the startup function, the cookie value remains unchanged during the running process after the process.

When the compiler inserts a secure cookie for a function, it performs an XOR operation with the current EBP and saves it to the cookie variable, these commands usually appear after the prolog of the function. The typical process is as follows:

Push EBP

MoV EBP, ESP

Sub ESP, 0x18 // allocate stack space for local variables

MoV eax, [applica! _ Security_cookie]; // save _ security_cookie to eax

XOR eax, EBP; // and EBP XOR

MoV [ebp-0x4], eax; // save cookie variable

......

Two advantages of EBP and XOR:

1. Increase the randomness of Security cookies and try to make the _ security_cookie of each function different.

2. Check whether the EBP value is damaged. When checking the cookie variable, the system performs XOR again with the EBP. If the EBP does not change, the value of the cookie variable after two XOR operations should be the value of the global security Variable _ security_cookie.

Its typicalCodeAs follows:

MoV ECx, [ebp-0x4];

Pop EDI;

XOR ECx, EBP; // XOR again

Pop ESI;

Call applica! _ Security_check_cookie (0x ***); // start to check _ security_cookie

MoV ESP, EBP

Pop EBP

RET;

The _ security_check_cookie is a function that contains only four pieces of assembly code. The function is defined in CRT \ intel \ secchk. C as follows:

Void _ security_check_cookie (uint _ PTR cookie)

{

_ ASM

{

CMP ECx, _ security_cookie;

JNE failure;

Rep ret;

Failure:

JMP _ report_gsfailure;

}

}

2. handle security check failures

Because Stack Buffer Overrun may overwrite the original return address of the function, so that the function returns to an unknown place, causing unexpected consequences to the program. Therefore, this exception is considered as a fatal error. Once this error is encountered, the program will be terminated immediately. But for debug, before terminate process, the _ report_gsfailure function records important information when an error occurs and provides JIT debugging opportunities.

[this article is excerpted from software debugging Zhang yinkui]