Stack Overflow Defense--windows security mechanism GS compilation option

In the face of this stack overflow, Windows defaults to a secure compilation option--gs (the feature that overrides the function return address for buffer overflow) in VS 7.0 (Visual Studio 2003) and later versions of Visual Studio. To increase the difficulty of stack overflow.

(GS break----Configuration Properties----C/C + +----code generation----Buffer Security check)

(Obviously, there is no protection for software that has not been recompiled and there is still this security vulnerability.) ）

The GS compilation option adds additional data and operations to each function call to check for overflow in the stack:

1. When all function calls occur, an additional random DWORD is pressed into the stack frame, which is called Canary (to enclose the stack frame data as a canary), and if Ida is disassembled, it will be seen that IDA will mark this random number as a security Cookie.

2. Before the security cookie is located in EBP, the system will also hold a copy of the security cookie in the memory area of. data for verification;

3, when overflow occurs in the stack, Security cookie will be drowned first, then the EBP and return address;

4, before the function returns, the system will perform an additional security verification operation, called Security Check;

5. During security check, the system compares the security cookie stored in the stack frame with the value of the copy in. data, and if the two do not match, the security cookie in the stack has been compromised, i.e. an overflow occurred in the stack;

6, when overflow detected in the stack, the system will enter the exception processing process, the function will not be returned normally, RET instructions will not be executed.

However, the direct result of additional data and operations is the degradation of the system performance, in order to minimize the impact on performance, the compiler does not apply to all functions when compiling the program GS, the situation will not apply GS:

1. The function does not contain buffers;

2, function is defined as refueling face parameter list;

3, the function uses the non-protected keyword mark;

4, the function in the first statement contains an inline assembly code;

5, the buffer is not a 8-byte type and the size is not greater than 4 bytes.

(with the exception, there is a GS breakout using the relative characteristics.) ）

In addition to adding security cookies to the return address money, in Visual Studio 2005 and later versions, variable rearrangement techniques were used to move the string variable to the high address of the stack frame at compile time, depending on the type of the local variable in the stack frame. This prevents other local variables from being broken when the string overflows. It also drops pointer parameters and string arguments to low addresses in memory, preventing function arguments from being corrupted.

The GS security cookie produces some details:

1. The system uses the first double word of the. Data section as the seed of the cookie, or the original cookie (the cookie for the function is generated with this DWORD)

2, in the program every time the cookie seed is not used, so the seed refueling very strong randomness;

3, after the stack frame initialization system with the EBP XOR seed, as the current function of the cookie, as the difference between the different functions, and increase the randomness of the cookie;

4. Use EBP to restore the seeds of (XOR) cookies before the function returns.

Breakthrough method:

1, the use of unprotected memory breakthrough GS. In order to minimize the impact of the GS on performance, not all functions will be protected, all can use some of these unprotected functions to bypass the GS protection;

2, based on the rewrite function pointer attacks, such as C + + virtual function attack;

3, for the exception handling mechanism of attack;

4, heap overflow is not protected.

Stack Overflow Defense--windows security mechanism GS compilation option