Smashing the Stack Protector for Fun and Profit


Ontology type: schema:Chapter      Open Access: True


Chapter Info

DATE

2018-08-26

AUTHORS

Bruno Bierbaumer , Julian Kirsch , Thomas Kittel , Aurélien Francillon , Apostolis Zarras

ABSTRACT

Software exploitation has been proven to be a lucrative business for cybercriminals. Unfortunately, protecting software against attacks is a long-lasting endeavor that is still under active research. However, certain software-hardening schemes are already incorporated into current compilers and are actively used to make software exploitation a complicated procedure for the adversaries. Stack canaries are such a protection mechanism. Stack canaries aim to prevent control flow hijack by detecting corruption of a specific value on the program’s stack. Careful design and implementation of this conceptually straightforward mechanism is crucial to defeat stack-based control flow detours. In this paper, we examine 17 different stack canary implementations across multiple versions of the most popular Operating Systems running on various architectures. We systematically compare critical implementation details and introduce one new generic attack vector which allows bypassing stack canaries on current Linux systems running up-to-date multi-threaded software altogether. We release an open-source framework (CookieCrumbler) that identifies the characteristics of stack canaries on any platform it is compiled on and we propose mitigation techniques against stack-based attacks. Although stack canaries may appear obsolete, we show that when they are used correctly, they can prevent intrusions which even the more sophisticated solutions may potentially fail to block.
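The abstract describes the mechanism only in outline. The following is an added example written for this page, not code from the paper or from CookieCrumbler: a C model of a stack-protector frame in which the canary, its master copy, the vulnerable copy routines and the attacker payloads are all constructed values, so that the outcome of the epilogue check can be returned as a status instead of aborting the process. The compiler-side facts it relies on (gcc and clang placing the canary between the local buffers and the saved return address under -fstack-protector, the call to __stack_chk_fail on mismatch, and glibc keeping the master copy in thread-local storage with its lowest-addressed byte zeroed on little-endian targets) are standard implementation details and go slightly beyond what this page states; the particular bypass the paper introduces for multi-threaded programs is not reproduced here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the paper or from CookieCrumbler. It models the
 * frame layout gcc and clang emit under -fstack-protector: a copy of a
 * per-process master value sits between the local buffers and the saved
 * return address, and the epilogue compares it with the master copy, calling
 * __stack_chk_fail on mismatch. The frame is an explicit struct so the check
 * can return a status instead of aborting the process. */

enum frame_status {
    FRAME_OK = 0,       /* canary and return address intact */
    FRAME_SMASHED = 1,  /* canary changed: __stack_chk_fail would abort */
    FRAME_HIJACKED = 2  /* canary intact, return address replaced */
};

/* Constructed master canary (the real one lives in TLS, %fs:0x28 on x86_64
 * glibc). Its lowest-addressed byte is zero, as glibc sets it, so a
 * NUL-terminated string copy cannot reproduce the whole value. The constant
 * assumes a little-endian host. */
static const uint64_t master_canary = 0x5a3c9e71d4b2f600ULL;
static const uint64_t original_retaddr = 0x401000ULL; /* constructed placeholder */

struct frame {
    char     buf[16];        /* local buffer that gets overflowed */
    uint64_t canary;         /* copy of master_canary */
    uint64_t saved_retaddr;  /* hijack target */
};

/* What the instrumented epilogue observes. */
static enum frame_status frame_check(const struct frame *f)
{
    if (f->canary != master_canary)
        return FRAME_SMASHED;
    return f->saved_retaddr == original_retaddr ? FRAME_OK : FRAME_HIJACKED;
}

/* Vulnerable pattern 1: memcpy with attacker-controlled length. Clamped to the
 * frame only so the model stays inside one object; the real bug has no clamp.
 * Input bytes 16..31 land on the canary and the return address. */
enum frame_status call_with_memcpy(const unsigned char *input, size_t len)
{
    struct frame f = { {0}, master_canary, original_retaddr };
    memcpy((unsigned char *)&f, input, len > sizeof f ? sizeof f : len);
    return frame_check(&f);
}

/* Vulnerable pattern 2: strcpy-style copy, which stops at the first NUL and
 * writes the terminator into the frame. */
enum frame_status call_with_strcpy(const char *input)
{
    struct frame f = { {0}, master_canary, original_retaddr };
    unsigned char *dst = (unsigned char *)&f;
    size_t i;
    for (i = 0; i < sizeof f && input[i] != '\0'; i++)
        dst[i] = (unsigned char)input[i];
    if (i < sizeof f)
        dst[i] = '\0';
    return frame_check(&f);
}

/* 32-byte payload: 16 filler bytes, the canary the attacker believes is in
 * place, then the replacement return address (host byte order). */
void build_payload(unsigned char out[32], uint64_t canary, uint64_t retaddr)
{
    memset(out, 'A', 16);
    memcpy(out + 16, &canary, sizeof canary);
    memcpy(out + 24, &retaddr, sizeof retaddr);
}

/* Blind overflow: the canary is clobbered and the epilogue catches it. */
enum frame_status demo_blind_overflow(void)
{
    unsigned char payload[32];
    memset(payload, 'A', sizeof payload);
    return call_with_memcpy(payload, sizeof payload);
}

/* Known canary (leaked, or its master copy overwritten beforehand): the check
 * passes and control flow is lost. */
enum frame_status demo_known_canary(void)
{
    unsigned char payload[32];
    build_payload(payload, master_canary, 0xdeadbeefULL);
    return call_with_memcpy(payload, sizeof payload);
}

/* Same payload through a string copy: the copy stops at the canary's zero
 * byte, so the return address is never reached. */
enum frame_status demo_known_canary_strcpy(void)
{
    unsigned char payload[32];
    build_payload(payload, master_canary, 0xdeadbeefULL);
    return call_with_strcpy((const char *)payload);
}

int main(void)
{
    printf("%d %d %d\n", demo_blind_overflow(), demo_known_canary(),
           demo_known_canary_strcpy());   /* prints "1 2 0" */
    return 0;
}
```

Build with any C99 compiler and run; the three printed statuses are 1 (blind overflow detected), 2 (known canary, check passed but return address replaced) and 0 (string copy stopped at the zero byte). The third case is why the zero byte is an implementation detail worth comparing across platforms: it keeps strcpy-style overflows from carrying a complete canary, does nothing for memcpy-style copies, and does nothing at all once the attacker learns or controls the value the epilogue compares against, which is the condition any canary bypass has to reach. To confirm that a real binary is instrumented at all, look for references to __stack_chk_fail in its dynamic symbols (nm -D) or disassembly (objdump -d); a build without -fstack-protector-strong has none.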

PAGES

293-306

Book

TITLE

ICT Systems Security and Privacy Protection

ISBN

978-3-319-99827-5
978-3-319-99828-2

Identifiers

URI

http://scigraph.springernature.com/pub.10.1007/978-3-319-99828-2_21

DOI

http://dx.doi.org/10.1007/978-3-319-99828-2_21

DIMENSIONS

https://app.dimensions.ai/details/publication/pub.1106357584



JSON-LD is the canonical representation for SciGraph data.


[
  {
    "@context": "https://springernature.github.io/scigraph/jsonld/sgcontext.json", 
    "about": [
      {
        "id": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/08", 
        "inDefinedTermSet": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/", 
        "name": "Information and Computing Sciences", 
        "type": "DefinedTerm"
      }, 
      {
        "id": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/0803", 
        "inDefinedTermSet": "http://purl.org/au-research/vocabulary/anzsrc-for/2008/", 
        "name": "Computer Software", 
        "type": "DefinedTerm"
      }
    ], 
    "author": [
      {
        "affiliation": {
          "alternateName": "Technical University of Munich, Munich, Germany", 
          "id": "http://www.grid.ac/institutes/grid.6936.a", 
          "name": [
            "Technical University of Munich, Munich, Germany"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Bierbaumer", 
        "givenName": "Bruno", 
        "id": "sg:person.011644142410.90", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.011644142410.90"
        ], 
        "type": "Person"
      }, 
      {
        "affiliation": {
          "alternateName": "Technical University of Munich, Munich, Germany", 
          "id": "http://www.grid.ac/institutes/grid.6936.a", 
          "name": [
            "Technical University of Munich, Munich, Germany"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Kirsch", 
        "givenName": "Julian", 
        "id": "sg:person.013105072001.38", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.013105072001.38"
        ], 
        "type": "Person"
      }, 
      {
        "affiliation": {
          "alternateName": "Technical University of Munich, Munich, Germany", 
          "id": "http://www.grid.ac/institutes/grid.6936.a", 
          "name": [
            "Technical University of Munich, Munich, Germany"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Kittel", 
        "givenName": "Thomas", 
        "id": "sg:person.013234237215.34", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.013234237215.34"
        ], 
        "type": "Person"
      }, 
      {
        "affiliation": {
          "alternateName": "EURECOM, Sophia Antipolis, France", 
          "id": "http://www.grid.ac/institutes/grid.28848.3e", 
          "name": [
            "EURECOM, Sophia Antipolis, France"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Francillon", 
        "givenName": "Aur\u00e9lien", 
        "id": "sg:person.015103646733.70", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.015103646733.70"
        ], 
        "type": "Person"
      }, 
      {
        "affiliation": {
          "alternateName": "Maastricht University, Maastricht, Netherlands", 
          "id": "http://www.grid.ac/institutes/grid.5012.6", 
          "name": [
            "Maastricht University, Maastricht, Netherlands"
          ], 
          "type": "Organization"
        }, 
        "familyName": "Zarras", 
        "givenName": "Apostolis", 
        "id": "sg:person.014323520725.79", 
        "sameAs": [
          "https://app.dimensions.ai/discover/publication?and_facet_researcher=ur.014323520725.79"
        ], 
        "type": "Person"
      }
    ], 
    "datePublished": "2018-08-26", 
    "datePublishedReg": "2018-08-26", 
    "description": "Software exploitation has been proven to be a lucrative business for cybercriminals. Unfortunately, protecting software against attacks is a long-lasting endeavor that is still under active research. However, certain software-hardening schemes are already incorporated into current compilers and are actively used to make software exploitation a complicated procedure for the adversaries. Stack canaries are such a protection mechanism. Stack canaries aim to prevent control flow hijack by detecting corruption of a specific value on the program\u2019s stack. Careful design and implementation of this conceptually straightforward mechanism is crucial to defeat stack-based control flow detours. In this paper, we examine 17 different stack canary implementations across multiple versions of the most popular Operating Systems running on various architectures. We systematically compare critical implementation details and introduce one new generic attack vector which allows bypassing stack canaries on current Linux systems running up-to-date multi-threaded software altogether. We release an open-source framework (CookieCrumbler) that identifies the characteristics of stack canaries on any platform it is compiled on and we propose mitigation techniques against stack-based attacks. Although stack canaries may appear obsolete, we show that when they are used correctly, they can prevent intrusions which even the more sophisticated solutions may potentially fail to block.", 
    "editor": [
      {
        "familyName": "Janczewski", 
        "givenName": "Lech Jan", 
        "type": "Person"
      }, 
      {
        "familyName": "Kuty\u0142owski", 
        "givenName": "Miros\u0142aw", 
        "type": "Person"
      }
    ], 
    "genre": "chapter", 
    "id": "sg:pub.10.1007/978-3-319-99828-2_21", 
    "inLanguage": "en", 
    "isAccessibleForFree": true, 
    "isPartOf": {
      "isbn": [
        "978-3-319-99827-5", 
        "978-3-319-99828-2"
      ], 
      "name": "ICT Systems Security and Privacy Protection", 
      "type": "Book"
    }, 
    "keywords": [
      "stack canaries", 
      "software exploitation", 
      "multi-threaded software", 
      "open-source framework", 
      "current Linux systems", 
      "popular operating systems", 
      "critical implementation details", 
      "program stack", 
      "operating system", 
      "attack vectors", 
      "Linux system", 
      "current compilers", 
      "implementation details", 
      "multiple versions", 
      "sophisticated solutions", 
      "protection mechanisms", 
      "software", 
      "mitigation techniques", 
      "straightforward mechanism", 
      "implementation", 
      "active research", 
      "attacks", 
      "careful design", 
      "compiler", 
      "cybercriminals", 
      "adversary", 
      "lucrative business", 
      "architecture", 
      "platform", 
      "stack", 
      "system", 
      "scheme", 
      "framework", 
      "exploitation", 
      "complicated procedures", 
      "hijack", 
      "business", 
      "version", 
      "detour", 
      "fun", 
      "design", 
      "technique", 
      "vector", 
      "solution", 
      "specific values", 
      "detail", 
      "corruption", 
      "intrusion", 
      "profit", 
      "research", 
      "endeavor", 
      "mechanism", 
      "characteristics", 
      "procedure", 
      "values", 
      "canaries", 
      "protectors", 
      "paper", 
      "certain software-hardening schemes", 
      "software-hardening schemes", 
      "control flow hijack", 
      "flow hijack", 
      "stack-based control flow detours", 
      "control flow detours", 
      "flow detours", 
      "different stack canary implementations", 
      "stack canary implementations", 
      "canary implementations", 
      "new generic attack vector", 
      "generic attack vector", 
      "date multi-threaded software", 
      "stack-based attacks", 
      "Stack Protector"
    ], 
    "name": "Smashing the Stack Protector for Fun and Profit", 
    "pagination": "293-306", 
    "productId": [
      {
        "name": "dimensions_id", 
        "type": "PropertyValue", 
        "value": [
          "pub.1106357584"
        ]
      }, 
      {
        "name": "doi", 
        "type": "PropertyValue", 
        "value": [
          "10.1007/978-3-319-99828-2_21"
        ]
      }
    ], 
    "publisher": {
      "name": "Springer Nature", 
      "type": "Organisation"
    }, 
    "sameAs": [
      "https://doi.org/10.1007/978-3-319-99828-2_21", 
      "https://app.dimensions.ai/details/publication/pub.1106357584"
    ], 
    "sdDataset": "chapters", 
    "sdDatePublished": "2021-12-01T20:05", 
    "sdLicense": "https://scigraph.springernature.com/explorer/license/", 
    "sdPublisher": {
      "name": "Springer Nature - SN SciGraph project", 
      "type": "Organization"
    }, 
    "sdSource": "s3://com-springernature-scigraph/baseset/20211201/entities/gbq_results/chapter/chapter_322.jsonl", 
    "type": "Chapter", 
    "url": "https://doi.org/10.1007/978-3-319-99828-2_21"
  }
]
 


HOW TO GET THIS DATA PROGRAMMATICALLY:

JSON-LD is a popular format for linked data which is fully compatible with JSON.

curl -H 'Accept: application/ld+json' 'https://scigraph.springernature.com/pub.10.1007/978-3-319-99828-2_21'

N-Triples is a line-based linked data format ideal for batch operations.

curl -H 'Accept: application/n-triples' 'https://scigraph.springernature.com/pub.10.1007/978-3-319-99828-2_21'

Turtle is a human-readable linked data format.

curl -H 'Accept: text/turtle' 'https://scigraph.springernature.com/pub.10.1007/978-3-319-99828-2_21'

RDF/XML is a standard XML format for linked data.

curl -H 'Accept: application/rdf+xml' 'https://scigraph.springernature.com/pub.10.1007/978-3-319-99828-2_21'


 




