
Kernel stack-smashing protection in FreeBSD-8.0-current-200811

Stack-smashing detection and protection for the kernel has been enabled by default in the latest snapshot of FreeBSD 8.0-CURRENT (200811). This relies on the SSP (also known as ProPolice) support that has been part of GCC since version 4.1; the 200811 snapshot builds with GCC 4.2.1.

Specifically, src/sys/kern/stack_protector.c registers a handler that runs at boot and fills the "guard" variable (SSP's term for the canary) with random data. The kernel itself is compiled with GCC's -fstack-protector option, so the prologue of each instrumented function copies the guard onto the kernel thread's stack, between the function's local variables and the saved frame pointer, and the epilogue compares that copy against the guard's original value before the function returns. If the copy has been altered the kernel calls panic(9), bringing down the whole system, but also stopping any execution-flow redirection that a manipulated saved frame pointer or saved return address would otherwise cause.

In contrast to StackGuard and StackShield (or even Microsoft's /GS), SSP has so far withstood attacks that aim to bypass it directly. This relates to research I have done recently on the subject of kernel stack-smashing attacks. However, SSP can be bypassed indirectly by several methods. One example is a stack overflow of a buffer smaller than 8 bytes: with plain -fstack-protector, GCC only instruments functions that declare a char array of at least 8 bytes (the default of its ssp-buffer-size parameter), so a function whose only local buffer is smaller than that gets no canary at all, and an overflow there reaches the saved frame pointer unchecked.
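To make the prologue/epilogue check and the small-buffer gap concrete, here is a userland C model of both. It is an added example, not code from this post or from FreeBSD: the model_ names stand in for the kernel's guard and failure routine, the stack frames are structs rather than real stack slots, every slot is 32-bit as on i386, the guard is a fixed constant instead of boot-time random data, and the attacker input is a constructed run of 'A' bytes. All of those are assumptions made so the layout is explicit and the example runs anywhere.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Global guard. In the kernel, stack_protector.c fills it with random bytes at
 * boot; a fixed value is used here (assumption) so runs are reproducible. */
static uint32_t model_stack_chk_guard;

void model_guard_init(void)
{
    model_stack_chk_guard = 0x5a3c9e71u;
}

/* Frame of a function GCC instruments: with -fstack-protector, one declaring a
 * char array of at least ssp-buffer-size (8) bytes. A write running past buf
 * must cross the canary before it can reach saved_fp or saved_ret. */
struct instrumented_frame {
    char     buf[16];      /* local char array, the overflow target */
    uint32_t canary;       /* copy of the guard, written by the prologue */
    uint32_t saved_fp;     /* caller's frame pointer */
    uint32_t saved_ret;    /* return address */
};

/* Frame of a function whose only array is shorter than 8 bytes: plain
 * -fstack-protector leaves it uninstrumented, so nothing separates the
 * array from the saved frame pointer. */
struct uninstrumented_frame {
    char     buf[4];
    uint32_t saved_fp;
    uint32_t saved_ret;
};

#define ORIG_FP  0x1000u
#define ORIG_RET 0x2000u

/* Result bits returned by the simulations. */
#define FP_CORRUPTED 1   /* saved frame pointer was overwritten */
#define PANICKED     2   /* epilogue check fired: would be panic(9) in the kernel */

/* One call to an instrumented function that copies len attacker bytes into
 * its 16-byte buffer without a bounds check. */
int instrumented_call(const unsigned char *input, size_t len)
{
    struct instrumented_frame f;
    int result = 0;

    /* prologue */
    f.saved_ret = ORIG_RET;
    f.saved_fp = ORIG_FP;
    f.canary = model_stack_chk_guard;

    /* the bug: the copy may run past buf and up through the frame */
    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, input, len);          /* buf sits at offset 0 of the frame */

    if (f.saved_fp != ORIG_FP)
        result |= FP_CORRUPTED;

    /* epilogue: compare the frame's copy against the global guard */
    if (f.canary != model_stack_chk_guard)
        result |= PANICKED;          /* control never returns through saved_fp */
    return result;
}

/* The same bug in a function with a 4-byte buffer: no canary, no check. */
int uninstrumented_call(const unsigned char *input, size_t len)
{
    struct uninstrumented_frame f;
    int result = 0;

    f.saved_ret = ORIG_RET;
    f.saved_fp = ORIG_FP;

    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, input, len);

    if (f.saved_fp != ORIG_FP)
        result |= FP_CORRUPTED;      /* silently returns via a corrupted frame */
    return result;
}

/* Drivers: constructed payload of len 'A' bytes, capped at 64. */
int run_instrumented(size_t len)
{
    unsigned char payload[64];
    memset(payload, 'A', sizeof payload);
    model_guard_init();
    return instrumented_call(payload, len > sizeof payload ? sizeof payload : len);
}

int run_uninstrumented(size_t len)
{
    unsigned char payload[64];
    memset(payload, 'A', sizeof payload);
    model_guard_init();
    return uninstrumented_call(payload, len > sizeof payload ? sizeof payload : len);
}

int main(void)
{
    printf("instrumented 16/20/24 bytes: %d %d %d\n",
           run_instrumented(16), run_instrumented(20), run_instrumented(24)); /* 0 2 3 */
    printf("uninstrumented 8 bytes: %d\n", run_uninstrumented(8));            /* 1 */
    return 0;
}
```

The 20-byte case is the one that matters for the "direct bypass" point: the canary is smashed but the saved frame pointer is still intact, and the check fires anyway because any contiguous write that reaches the saved frame pointer has to pass through the canary first. The 8-byte write into the 4-byte buffer shows the indirect route the post mentions: the function was never instrumented, so the corrupted frame pointer is used without any check.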