Smashing the Stack Protector for Fun and Profit


Ontology type: schema:Chapter    Open Access: True


Chapter Info

DATE

2018-08-26

AUTHORS

Bruno Bierbaumer, Julian Kirsch, Thomas Kittel, Aurélien Francillon, Apostolis Zarras

ABSTRACT

Software exploitation has been proven to be a lucrative business for cybercriminals. Unfortunately, protecting software against attacks is a long-lasting endeavor that is still under active research. However, certain software-hardening schemes are already incorporated into current compilers and are actively used to make software exploitation a complicated procedure for the adversaries. Stack canaries are such a protection mechanism. Stack canaries aim to prevent control flow hijack by detecting corruption of a specific value on the program’s stack. Careful design and implementation of this conceptually straightforward mechanism is crucial to defeat stack-based control flow detours. In this paper, we examine 17 different stack canary implementations across multiple versions of the most popular Operating Systems running on various architectures. We systematically compare critical implementation details and introduce one new generic attack vector which allows bypassing stack canaries on current Linux systems running up-to-date multi-threaded software altogether. We release an open-source framework (CookieCrumbler) that identifies the characteristics of stack canaries on any platform it is compiled on and we propose mitigation techniques against stack-based attacks. Although stack canaries may appear obsolete, we show that when they are used correctly, they can prevent intrusions which even the more sophisticated solutions may potentially fail to block.

PAGES

293-306

Book

TITLE

ICT Systems Security and Privacy Protection

ISBN

978-3-319-99827-5
978-3-319-99828-2

Identifiers

URI

http://scigraph.springernature.com/pub.10.1007/978-3-319-99828-2_21

DOI

http://dx.doi.org/10.1007/978-3-319-99828-2_21

DIMENSIONS

https://app.dimensions.ai/details/publication/pub.1106357584

JSON-LD is the canonical representation for SciGraph data.
[
  {
    "@context": "https://springernature.github.io/scigraph/jsonld/sgcontext.json", 
    "about": [
      {
        "id": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/08", 
        "inDefinedTermSet": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/", 
        "name": "Information and Computing Sciences", 
        "type": "DefinedTerm"
      }, 
      {
        "id": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/0803", 
        "inDefinedTermSet": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/", 
        "name": "Computer Software", 
        "type": "DefinedTerm"
      }
    ], 
    "author": [
      {
        "affiliation": {
          "alternateName": "Technical University of Munich, Munich, Germany", 
          "id": "http://www.grid.ac/institutes/grid.6936.a", 
          "name": [
            "Technical University of Munich, Munich, Germany"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Bierbaumer", 
        "givenName": "Bruno", 
        "id": "sg:person.011644142410.90", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.011644142410.90"
        ], 
        "type": "Person"
      }, 
      {
        "affiliation": {
          "alternateName": "Technical University of Munich, Munich, Germany", 
          "id": "http://www.grid.ac/institutes/grid.6936.a", 
          "name": [
            "Technical University of Munich, Munich, Germany"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Kirsch", 
        "givenName": "Julian", 
        "id": "sg:person.013105072001.38", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.013105072001.38"
        ], 
        "type": "Person"
      }, 
      {
        "affiliation": {
          "alternateName": "Technical University of Munich, Munich, Germany", 
          "id": "http://www.grid.ac/institutes/grid.6936.a", 
          "name": [
            "Technical University of Munich, Munich, Germany"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Kittel", 
        "givenName": "Thomas", 
        "id": "sg:person.013234237215.34", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.013234237215.34"
        ], 
        "type": "Person"
      }, 
      {
        "affiliation": {
          "alternateName": "EURECOM, Sophia Antipolis, France", 
          "id": "http://www.grid.ac/institutes/grid.28848.3e", 
          "name": [
            "EURECOM, Sophia Antipolis, France"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Francillon", 
        "givenName": "Aur\u00e9lien", 
        "id": "sg:person.015103646733.70", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.015103646733.70"
        ], 
        "type": "Person"
      }, 
      {
        "affiliation": {
          "alternateName": "Maastricht University, Maastricht, Netherlands", 
          "id": "http://www.grid.ac/institutes/grid.5012.6", 
          "name": [
            "Maastricht University, Maastricht, Netherlands"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Zarras", 
        "givenName": "Apostolis", 
        "id": "sg:person.014323520725.79", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.014323520725.79"
        ], 
        "type": "Person"
      }
    ], 
    "datePublished": "2018-08-26", 
    "datePublishedReg": "2018-08-26", 
    "description": "Software exploitation has been proven to be a lucrative business for cybercriminals. Unfortunately, protecting software against attacks is a long-lasting endeavor that is still under active research. However, certain software-hardening schemes are already incorporated into current compilers and are actively used to make software exploitation a complicated procedure for the adversaries. Stack canaries are such a protection mechanism. Stack canaries aim to prevent control flow hijack by detecting corruption of a specific value on the program\u2019s stack. Careful design and implementation of this conceptually straightforward mechanism is crucial to defeat stack-based control flow detours. In this paper, we examine 17 different stack canary implementations across multiple versions of the most popular Operating Systems running on various architectures. We systematically compare critical implementation details and introduce one new generic attack vector which allows bypassing stack canaries on current Linux systems running up-to-date multi-threaded software altogether. We release an open-source framework (CookieCrumbler) that identifies the characteristics of stack canaries on any platform it is compiled on and we propose mitigation techniques against stack-based attacks. Although stack canaries may appear obsolete, we show that when they are used correctly, they can prevent intrusions which even the more sophisticated solutions may potentially fail to block.", 
    "editor": [
      {
        "familyName": "Janczewski", 
        "givenName": "Lech Jan", 
        "type": "Person"
      }, 
      {
        "familyName": "Kuty\u0142owski", 
        "givenName": "Miros\u0142aw", 
        "type": "Person"
      }
    ], 
    "genre": "chapter", 
    "id": "sg:pub.10.1007/978-3-319-99828-2_21", 
    "inLanguage": "en", 
    "isAccessibleForFree": true, 
    "isPartOf": {
      "isbn": [
        "978-3-319-99827-5", 
        "978-3-319-99828-2"
      ], 
      "name": "ICT Systems Security and Privacy Protection", 
      "type": "Book"
    }, 
    "keywords": [
      "stack canaries", 
      "software exploitation", 
      "multi-threaded software", 
      "open-source framework", 
      "current Linux systems", 
      "popular operating systems", 
      "critical implementation details", 
      "program stack", 
      "operating system", 
      "attack vectors", 
      "Linux system", 
      "current compilers", 
      "implementation details", 
      "multiple versions", 
      "sophisticated solutions", 
      "protection mechanisms", 
      "software", 
      "mitigation techniques", 
      "straightforward mechanism", 
      "implementation", 
      "active research", 
      "attacks", 
      "careful design", 
      "compiler", 
      "cybercriminals", 
      "adversary", 
      "lucrative business", 
      "architecture", 
      "platform", 
      "stack", 
      "system", 
      "scheme", 
      "framework", 
      "exploitation", 
      "complicated procedures", 
      "hijack", 
      "business", 
      "version", 
      "detour", 
      "fun", 
      "design", 
      "technique", 
      "vector", 
      "solution", 
      "specific values", 
      "detail", 
      "corruption", 
      "intrusion", 
      "profit", 
      "research", 
      "endeavor", 
      "mechanism", 
      "characteristics", 
      "procedure", 
      "values", 
      "canaries", 
      "protectors", 
      "paper", 
      "certain software-hardening schemes", 
      "software-hardening schemes", 
      "control flow hijack", 
      "flow hijack", 
      "stack-based control flow detours", 
      "control flow detours", 
      "flow detours", 
      "different stack canary implementations", 
      "stack canary implementations", 
      "canary implementations", 
      "new generic attack vector", 
      "generic attack vector", 
      "date multi-threaded software", 
      "stack-based attacks", 
      "Stack Protector"
    ], 
    "name": "Smashing the Stack Protector for Fun and Profit", 
    "pagination": "293-306", 
    "productId": [
      {
        "name": "dimensions_id", 
        "type": "PropertyValue", 
        "value": [
          "pub.1106357584"
        ]
      }, 
      {
        "name": "doi", 
        "type": "PropertyValue", 
        "value": [
          "10.1007/978-3-319-99828-2_21"
        ]
      }
    ], 
    "publisher": {
      "name": "Springer Nature", 
      "type": "Organisation"
    }, 
    "sameAs": [
      "https://doi.org/10.1007/978-3-319-99828-2_21", 
      "https://app.dimensions.ai/details/publication/pub.1106357584"
    ], 
    "sdDataset": "chapters", 
    "sdDatePublished": "2022-01-01T19:08", 
    "sdLicense": "https://scigraph.springernature.com/explorer/license/", 
    "sdPublisher": {
      "name": "Springer Nature - SN SciGraph project", 
      "type": "Organization"
    }, 
    "sdSource": "s3://com-springernature-scigraph/baseset/20220101/entities/gbq_results/chapter/chapter_135.jsonl", 
    "type": "Chapter", 
    "url": "https://doi.org/10.1007/978-3-319-99828-2_21"
  }
]
HOW TO GET THIS DATA PROGRAMMATICALLY:

JSON-LD is a popular format for linked data which is fully compatible with JSON.

curl -H 'Accept: application/ld+json' 'https://scigraph.springernature.com/pub.10.1007/978-3-319-99828-2_21'

N-Triples is a line-based linked data format ideal for batch operations.

curl -H 'Accept: application/n-triples' 'https://scigraph.springernature.com/pub.10.1007/978-3-319-99828-2_21'

Turtle is a human-readable linked data format.

curl -H 'Accept: text/turtle' 'https://scigraph.springernature.com/pub.10.1007/978-3-319-99828-2_21'

RDF/XML is a standard XML format for linked data.

curl -H 'Accept: application/rdf+xml' 'https://scigraph.springernature.com/pub.10.1007/978-3-319-99828-2_21'
This table displays all metadata directly associated to this object as RDF triples.

172 TRIPLES      23 PREDICATES      98 URIs      91 LITERALS      7 BLANK NODES

Subject Predicate Object
1 sg:pub.10.1007/978-3-319-99828-2_21 schema:about anzsrc-for:08
2 anzsrc-for:0803
3 schema:author Nf9dd78d5bcf3403d94aa430aac89eb62
4 schema:datePublished 2018-08-26
5 schema:datePublishedReg 2018-08-26
6 schema:description Software exploitation has been proven to be a lucrative business for cybercriminals. Unfortunately, protecting software against attacks is a long-lasting endeavor that is still under active research. However, certain software-hardening schemes are already incorporated into current compilers and are actively used to make software exploitation a complicated procedure for the adversaries. Stack canaries are such a protection mechanism. Stack canaries aim to prevent control flow hijack by detecting corruption of a specific value on the program’s stack. Careful design and implementation of this conceptually straightforward mechanism is crucial to defeat stack-based control flow detours. In this paper, we examine 17 different stack canary implementations across multiple versions of the most popular Operating Systems running on various architectures. We systematically compare critical implementation details and introduce one new generic attack vector which allows bypassing stack canaries on current Linux systems running up-to-date multi-threaded software altogether. We release an open-source framework (CookieCrumbler) that identifies the characteristics of stack canaries on any platform it is compiled on and we propose mitigation techniques against stack-based attacks. Although stack canaries may appear obsolete, we show that when they are used correctly, they can prevent intrusions which even the more sophisticated solutions may potentially fail to block.
7 schema:editor Nb4acd7af123c452b8d11aae5f9267221
8 schema:genre chapter
9 schema:inLanguage en
10 schema:isAccessibleForFree true
11 schema:isPartOf N598b8b362ba8485ab42f91e4a0a4daa1
12 schema:keywords Linux system
13 Stack Protector
14 active research
15 adversary
16 architecture
17 attack vectors
18 attacks
19 business
20 canaries
21 canary implementations
22 careful design
23 certain software-hardening schemes
24 characteristics
25 compiler
26 complicated procedures
27 control flow detours
28 control flow hijack
29 corruption
30 critical implementation details
31 current Linux systems
32 current compilers
33 cybercriminals
34 date multi-threaded software
35 design
36 detail
37 detour
38 different stack canary implementations
39 endeavor
40 exploitation
41 flow detours
42 flow hijack
43 framework
44 fun
45 generic attack vector
46 hijack
47 implementation
48 implementation details
49 intrusion
50 lucrative business
51 mechanism
52 mitigation techniques
53 multi-threaded software
54 multiple versions
55 new generic attack vector
56 open-source framework
57 operating system
58 paper
59 platform
60 popular operating systems
61 procedure
62 profit
63 program stack
64 protection mechanisms
65 protectors
66 research
67 scheme
68 software
69 software exploitation
70 software-hardening schemes
71 solution
72 sophisticated solutions
73 specific values
74 stack
75 stack canaries
76 stack canary implementations
77 stack-based attacks
78 stack-based control flow detours
79 straightforward mechanism
80 system
81 technique
82 values
83 vector
84 version
85 schema:name Smashing the Stack Protector for Fun and Profit
86 schema:pagination 293-306
87 schema:productId N25e3a3693dfc454abad2f21ddb2ffa7f
88 N92fb65d8445c453f83719bed8426be50
89 schema:publisher N3a99268e2ce6431ba4dd36c7d200c916
90 schema:sameAs https://app.dimensions.ai/details/publication/pub.1106357584
91 https://doi.org/10.1007/978-3-319-99828-2_21
92 schema:sdDatePublished 2022-01-01T19:08
93 schema:sdLicense https://scigraph.springernature.com/explorer/license/
94 schema:sdPublisher Nc88af99de8d54437bb32834c1eab5abe
95 schema:url https://doi.org/10.1007/978-3-319-99828-2_21
96 sgo:license sg:explorer/license/
97 sgo:sdDataset chapters
98 rdf:type schema:Chapter
99 N0c72c4e83f0b4a138f592d1286db7b56 schema:familyName Janczewski
100 schema:givenName Lech Jan
101 rdf:type schema:Person
102 N1e9c74dc72d24dae822753dedd32b69b rdf:first sg:person.013105072001.38
103 rdf:rest Nc09e9f72e7cb4d1cba33a2fd33d563f8
104 N25e3a3693dfc454abad2f21ddb2ffa7f schema:name dimensions_id
105 schema:value pub.1106357584
106 rdf:type schema:PropertyValue
107 N3a99268e2ce6431ba4dd36c7d200c916 schema:name Springer Nature
108 rdf:type schema:Organisation
109 N52e447d347e3417ea3a7dfa1d8d2a662 schema:familyName Kutyłowski
110 schema:givenName Mirosław
111 rdf:type schema:Person
112 N598b8b362ba8485ab42f91e4a0a4daa1 schema:isbn 978-3-319-99827-5
113 978-3-319-99828-2
114 schema:name ICT Systems Security and Privacy Protection
115 rdf:type schema:Book
116 N809fd5f2c8b5420895c376a503252c00 rdf:first sg:person.014323520725.79
117 rdf:rest rdf:nil
118 N92fb65d8445c453f83719bed8426be50 schema:name doi
119 schema:value 10.1007/978-3-319-99828-2_21
120 rdf:type schema:PropertyValue
121 Nb123c6248f1a4c689bdadcbf7eb2c696 rdf:first sg:person.015103646733.70
122 rdf:rest N809fd5f2c8b5420895c376a503252c00
123 Nb4acd7af123c452b8d11aae5f9267221 rdf:first N0c72c4e83f0b4a138f592d1286db7b56
124 rdf:rest Ne2cc8c4c0e8e4721935ade84680dec4f
125 Nc09e9f72e7cb4d1cba33a2fd33d563f8 rdf:first sg:person.013234237215.34
126 rdf:rest Nb123c6248f1a4c689bdadcbf7eb2c696
127 Nc88af99de8d54437bb32834c1eab5abe schema:name Springer Nature - SN SciGraph project
128 rdf:type schema:Organization
129 Ne2cc8c4c0e8e4721935ade84680dec4f rdf:first N52e447d347e3417ea3a7dfa1d8d2a662
130 rdf:rest rdf:nil
131 Nf9dd78d5bcf3403d94aa430aac89eb62 rdf:first sg:person.011644142410.90
132 rdf:rest N1e9c74dc72d24dae822753dedd32b69b
133 anzsrc-for:08 schema:inDefinedTermSet anzsrc-for:
134 schema:name Information and Computing Sciences
135 rdf:type schema:DefinedTerm
136 anzsrc-for:0803 schema:inDefinedTermSet anzsrc-for:
137 schema:name Computer Software
138 rdf:type schema:DefinedTerm
139 sg:person.011644142410.90 schema:affiliation grid-institutes:grid.6936.a
140 schema:familyName Bierbaumer
141 schema:givenName Bruno
142 schema:sameAs https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.011644142410.90
143 rdf:type schema:Person
144 sg:person.013105072001.38 schema:affiliation grid-institutes:grid.6936.a
145 schema:familyName Kirsch
146 schema:givenName Julian
147 schema:sameAs https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.013105072001.38
148 rdf:type schema:Person
149 sg:person.013234237215.34 schema:affiliation grid-institutes:grid.6936.a
150 schema:familyName Kittel
151 schema:givenName Thomas
152 schema:sameAs https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.013234237215.34
153 rdf:type schema:Person
154 sg:person.014323520725.79 schema:affiliation grid-institutes:grid.5012.6
155 schema:familyName Zarras
156 schema:givenName Apostolis
157 schema:sameAs https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.014323520725.79
158 rdf:type schema:Person
159 sg:person.015103646733.70 schema:affiliation grid-institutes:grid.28848.3e
160 schema:familyName Francillon
161 schema:givenName Aurélien
162 schema:sameAs https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.015103646733.70
163 rdf:type schema:Person
164 grid-institutes:grid.28848.3e schema:alternateName EURECOM, Sophia Antipolis, France
165 schema:name EURECOM, Sophia Antipolis, France
166 rdf:type schema:Organization
167 grid-institutes:grid.5012.6 schema:alternateName Maastricht University, Maastricht, Netherlands
168 schema:name Maastricht University, Maastricht, Netherlands
169 rdf:type schema:Organization
170 grid-institutes:grid.6936.a schema:alternateName Technical University of Munich, Munich, Germany
171 schema:name Technical University of Munich, Munich, Germany
172 rdf:type schema:Organization