Bug 80002 - Please add stack smashing protection (e.g., IBM ProPolice)
Please add stack smashing protection (e.g., IBM ProPolice)
Status: CLOSED WONTFIX
Product: Red Hat Linux
Classification: Retired
Component: gcc3 (Show other bugs)
8.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Jakub Jelinek
http://www.trl.ibm.com/projects/secur...
: FutureFeature
: 133031 (view as bug list)
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2002-12-18 12:45 EST by David A. Wheeler
Modified: 2007-04-18 12:49 EDT (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-10-07 09:37:03 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description David A. Wheeler 2002-12-18 12:45:40 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:0.9.4.1) Gecko/20020518
Netscape6/6.2.3

Description of problem:
The most common type of security vulnerability is a
buffer overflow of the stack; exploiting this vulnerability is called
"stack smashing". Stack smashing usually
allows attackers to completely take over the vulnerable application,
and often the entire machine, so they're extremely dangerous.
Although finding individual vulnerabilities is worthwhile, I
believe Red Hat should include mechanisms to reduce the
effectiveness of unknown stack overflow vulnerabilities.

Thus, please add mechanisms to protect against stack smashing,
and please at least use them on the major network-exposed servers
(Apache, openssh, sendmail, Postfix, etc.) & possibly all
setuid root programs.  The text below adds more detail.

A few years ago, Crispen Cowan developed a technique to do this
called "StackGuard" - it prevents attackers from taking over a
program via stack overflows (attackers can halt the program,
but that's it). This was implemented as a gcc patch; see:
 http://immunix.org/documentation.html
Basically, to protect a program, you recompile the program
with a modified gcc & use a modified library; this can all
be controlled by compile-time switches.
Immunix is essentially a Red Hat, with Stackguard used to
recompile everything among other changes, so this is clearly
a possibility.

More recently, IBM has developed patches for gcc called
"ProPolice" that use the same approach, but with some refinements.
See: http://www.trl.ibm.com/projects/security/ssp
Like StackGuard, ProPolice
is a GCC (Gnu Compiler Collection) extension for
protecting applications from stack-smashing attacks. However,
Propolice does some reordering to improve protection, and it
protects functions more selectively to improve performance.
Also, the original implementation of StackGuard changed the
framesize, which meant that there were problems using the
symbolic debugger; ProPolice doesn't have that problem.

OpenBSD has already added ProPolice to their distribution, see:
 http://www.deadly.org/article.php3?sid=20021202175508
The IBM website on ProPolice includes information on how to
build Red Hat Linux and FreeBSD with ProPolice.

Microsoft has already built a similar capability into their
compiler, and I understand that they're using it to prevent
future stack smashing attacks from having as strong an effect.

I don't care much about "StackGuard vs. ProPolice"
(vs. some other solution).  My real concern is that I'd like
to see Linux distributions have a stronger, multi-layer defense
against attackers.

Just think of the positive spin/publicity.  "Buy our next version,
it now includes enhanced security to protect against
stack overflow attacks."  I think it could be enabled by default,
but at least protect the most critical components to start with.




Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
N/A.

Additional info:
Comment 1 Richard Henderson 2004-10-05 17:24:44 EDT
*** Bug 133031 has been marked as a duplicate of this bug. ***
Comment 2 Jakub Jelinek 2004-10-07 09:37:03 EDT
We are going to add object size checking instead, see
http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html

Note You need to log in before you can comment on or make changes to this bug.