Stack protector under armcc / GCC
2022-04-23 13:15:00 【MyeDy】
Stack overflow attacks are a very common class of code attack, and both armcc and gcc implement a stack protector to defend against them. Although armcc and gcc differ somewhat in the assembly they generate, the principle is the same. This article uses armcc as the example to look at how the compiler's stack protector works.
armcc provides three compilation options to enable or disable the stack protector:
- --no_protect_stack: disable the stack protector
- --protect_stack: enable the stack protector for functions that armcc considers at risk
- --protect_stack_all: enable the stack protector for all functions
How does armcc prevent stack overflow attacks?
armcc inserts a value between the saved context and the local variables in a function's stack frame to monitor for stack corruption. This value is commonly called the canary word; armcc names it __stack_chk_guard. Before the function returns, it checks whether the canary word has been modified. If it has, the function's stack frame has been corrupted, and armcc calls a function to handle it: __stack_chk_fail is the callback that armcc provides for handling stack corruption.
Therefore, before enabling --protect_stack in armcc, you need to define __stack_chk_guard and __stack_chk_fail in your code. The following descriptions are excerpted from ARM's official documentation.
void *__stack_chk_guard
You must provide this variable with a suitable value, such as a random value. The value can change during the life of the program. For example, a suitable implementation might be to have the value constantly changed by another thread.
void __stack_chk_fail(void)
It is called by the checking code on detection of corruption of the guard. In general, such a function would exit, possibly after reporting a fault.
What code does the armcc stack protector generate to prevent stack overflow?
First, look at the C snippet below. It is simple: __stack_chk_guard is set to a constant (only for this example; the best practice is a random value), and the __stack_chk_fail callback is overridden. The function test_stack_overflow is trivial: it allocates only the two local variables i and c_arr on its stack and assigns values to a few members.
/* Provided by the bare-metal environment used in this article. */
extern void print_uart0(const char *s);

void __stack_chk_fail(void)
{
    print_uart0("__stack_chk_fail()\n");
    while (1);  /* the stack frame is corrupted: halt, never return */
}

void *__stack_chk_guard = (void *)0;  /* constant for this example; use a random value in real code */

int test_stack_overflow(int a, int b, int c, int d, int e)
{
    int i;
    int c_arr[15];
    int *p = c_arr;

    i = 15;
    c_arr[0] = 2;
    c_arr[1] = 3;
    return 0;
}
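The snippet above uses the constant 0 as the guard, and the article notes that a random value is better. As an added example that is not part of the original post, the following code shows what a usable __stack_chk_guard value looks like: it takes raw entropy from a caller-supplied source (a hypothetical read_trng() in the usage comment; any hardware RNG read in startup code would do) and rejects values that are all zero or that lack a NUL terminator byte. The fallback constant 0xA5C3E100 is constructed for the example.

```c
#include <stdint.h>

/* Added example, not the article's code: building a usable value for
 * armcc's __stack_chk_guard instead of the constant 0 used above.
 * `entropy` is whatever 32-bit value the caller's entropy source gave. */

/* A guard is weak if it is the all-zero constant the article uses, or if its
 * lowest byte is non-zero. Keeping the lowest byte at 0 (on little-endian ARM
 * this is the byte at the lowest address, the one nearest c_arr) means that a
 * string-copy overflow which reaches the guard must write its terminating NUL
 * there, which ends the copy before anything above the guard is touched. */
int guard_is_weak(uint32_t guard)
{
    if (guard == 0)
        return 1;
    if ((guard & 0xFFu) != 0)
        return 1;
    return 0;
}

/* Turn raw entropy into an acceptable guard value. */
uint32_t make_stack_guard(uint32_t entropy)
{
    uint32_t guard = entropy & 0xFFFFFF00u;  /* force the NUL byte at the bottom */
    if (guard == 0)                           /* entropy was (almost) all zero */
        guard = 0xA5C3E100u;                  /* constructed fallback; still never the article's 0 */
    return guard;
}

/* Usage in startup code, before the first protected function runs
 * (read_trng is a hypothetical hardware RNG read, not part of the article):
 *
 *     __stack_chk_guard = (void *)(uintptr_t)make_stack_guard(read_trng());
 */
```

The NUL-terminator byte is a property of the guard value itself, not of armcc, so the same construction applies to gcc's -fstack-protector guard.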
OK, first look at the assembly armcc generates with --no_protect_stack. Only the local array c_arr is allocated on the stack; the variable i is kept in register r1.
60010044 <test_stack_overflow>:
60010044: e92d4070 push {r4, r5, r6, lr}
60010048: e24dd03c sub sp, sp, #60 ; 0x3c
6001004c: e1a04000 mov r4, r0
60010050: e1a05001 mov r5, r1
60010054: e1a06002 mov r6, r2
60010058: e59dc04c ldr ip, [sp, #76] ; 0x4c
6001005c: e1a0200d mov r2, sp
60010060: e3a0100f mov r1, #15
60010064: e3a00002 mov r0, #2
60010068: e58d0000 str r0, [sp]
6001006c: e3a00003 mov r0, #3
60010070: e58d0004 str r0, [sp, #4]
60010074: e3a00000 mov r0, #0
60010078: e28dd03c add sp, sp, #60 ; 0x3c
6001007c: e8bd8070 pop {r4, r5, r6, pc}
Its stack memory map is shown in the figure below.
Now look at the assembly compiled with the --protect_stack_all option:
600100a0 <test_stack_overflow>:
600100a0: e92d47f0 push {r4, r5, r6, r7, r8, r9, sl, lr}
600100a4: e24dd040 sub sp, sp, #64 ; 0x40
600100a8: e1a07000 mov r7, r0
600100ac: e1a08001 mov r8, r1
600100b0: e1a09002 mov r9, r2
600100b4: e1a0a003 mov sl, r3
600100b8: e59d6060 ldr r6, [sp, #96] ; 0x60
600100bc: e59f0094 ldr r0, [pc, #148] ; 60010158 <c_entry+0x58>
600100c0: e5904000 ldr r4, [r0]
600100c4: e58d403c str r4, [sp, #60] ; 0x3c
600100c8: e1a00000 nop ; (mov r0, r0)
600100cc: e1a00000 nop ; (mov r0, r0)
600100d0: e3a00002 mov r0, #2
600100d4: e58d0000 str r0, [sp]
600100d8: e3a00003 mov r0, #3
600100dc: e3a05000 mov r5, #0
600100e0: e58d0004 str r0, [sp, #4]
600100e4: e59d003c ldr r0, [sp, #60] ; 0x3c
600100e8: e1500004 cmp r0, r4
600100ec: 0a000000 beq 600100f4 <test_stack_overflow+0x54>
600100f0: ebffffc2 bl 60010000 <__stack_chk_fail>
600100f4: e1a00005 mov r0, r5
600100f8: e28dd040 add sp, sp, #64 ; 0x40
600100fc: e8bd87f0 pop {r4, r5, r6, r7, r8, r9, sl, pc}
The main differences between the two listings are as follows.
600100bc: e59f0094 ldr r0, [pc, #148] ; 60010158 <c_entry+0x58>
600100c0: e5904000 ldr r4, [r0]
600100c4: e58d403c str r4, [sp, #60] ; 0x3c
This code is simple: it loads the word at address 60010158 (this is how the function reaches __stack_chk_guard), uses that word as an address to load the guard value into r4, and stores it at sp+60. That slot lies below the saved context and above the c_arr array. The function's stack memory map at this point is shown in the figure below.

The other difference is the code below, which is equally simple. Just before the function returns, it reloads the guard copy from the stack and compares it with r4, which still holds the value loaded in the prologue (r4 is callee-saved, so the comparison does not depend on the global's current value). If the copy was modified, the stack frame has been corrupted; if not, the function can return normally.
600100e4: e59d003c ldr r0, [sp, #60] ; 0x3c
600100e8: e1500004 cmp r0, r4
600100ec: 0a000000 beq 600100f4 <test_stack_overflow+0x54>
600100f0: ebffffc2 bl 60010000 <__stack_chk_fail>
The role of the stack protector in armcc
The code in this section simulates a stack overflow attack. Most of it is unchanged from before. In test_stack_overflow, the statement *(p + 15) = 1234 modifies stack_chk_guard: as figure 2 shows, c_arr is an array of 15 integers, so p + 15 is the slot immediately above c_arr, i.e. the stack_chk_guard copy. From the same figure, p + 23 is the return address saved on the stack; the code changes it to the address of attack_attack to simulate a jump, after the stack has been smashed, to wherever the attacker wants to run. attack_attack just prints a line.
/* Provided by the bare-metal environment used in this article. */
extern void print_uart0(const char *s);
void attack_attack(void);  /* defined below; declared here so its address can be taken */

int test_stack_overflow(int a, int b, int c, int d, int e)
{
    int i;
    int c_arr[15];
    int *p = c_arr;

    i = 15;
    c_arr[0] = 2;
    c_arr[1] = 3;
    *(p + 15) = 1234;                  /* modify the guard word, see fig.2 */
    *(p + 23) = (int)attack_attack;    /* modify the return address to the attack function, see fig.2 */
    return 0;
}

int c_entry(void)
{
    print_uart0("before test_stack_overflow\n");
    test_stack_overflow(1, 2, 3, 4, 5);
    print_uart0("after test_stack_overflow\n");
    return 0;
}

void attack_attack(void)
{
    print_uart0("attack attack!\n");
}
Compile the code and run it on qemu-system-arm; the output is shown below. As expected, because stack_chk_guard was modified, the stack frame is detected as corrupted, so execution never reaches attack_attack and jumps to __stack_chk_fail instead.

One thing to note: if an attacker could bypass stack_chk_guard and modify the pc value directly, the stack protector would not help, and that is true of any compiler. In practice, though, because of how a stack overflow works, it is hard for an attacker to skip over stack_chk_guard and change pc directly. If they could bypass stack_chk_guard, they could already modify data on the stack at will and would not need a stack overflow at all. To run this experiment with the code above, comment out *(p + 15) = 1234 in test_stack_overflow; execution then does reach attack_attack. The code is as follows:
/* Provided by the bare-metal environment used in this article. */
extern void print_uart0(const char *s);
void attack_attack(void);  /* same function as in the previous listing */

int test_stack_overflow(int a, int b, int c, int d, int e)
{
    int i;
    int c_arr[15];
    int *p = c_arr;

    i = 15;
    c_arr[0] = 2;
    c_arr[1] = 3;
    //*(p + 15) = 1234;                /* guard word left unmodified, see fig.2 */
    *(p + 23) = (int)attack_attack;    /* modify the return address, see fig.2 */
    return 0;
}

int c_entry(void)
{
    print_uart0("before test_stack_overflow\n");
    test_stack_overflow(1, 2, 3, 4, 5);
    print_uart0("after test_stack_overflow\n");
    return 0;
}
Experimental result:

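The frame layout behind the offsets 15 and 23, and the outcome of the two experiments above, can be reproduced without a board. The following is an added example, not the article's code: a plain C model of the --protect_stack_all frame of test_stack_overflow, derived from the prologue in the listing earlier (push {r4-r9, sl, lr} then sub sp, sp, #64). The guard value, the "normal" return address and the filler pattern are constructed for the example; the model only checks the guard slot the way the epilogue's ldr/cmp does and never executes anything.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Added example, not the article's code. Frame of test_stack_overflow under
 * --protect_stack_all, counted in int-sized words upward from c_arr[0] (p):
 *   p + 0  .. p + 14   c_arr[15]                         (sp .. sp+56)
 *   p + 15             guard copy, str r4, [sp, #60]
 *   p + 16 .. p + 22   saved r4, r5, r6, r7, r8, r9, sl  (pushed by the prologue)
 *   p + 23             saved lr = return address
 * which is where the article's *(p + 15) and *(p + 23) come from. */
#define C_ARR_WORDS  15
#define SAVED_REGS    8                                  /* r4-r9, sl, lr */
#define GUARD_INDEX  C_ARR_WORDS                         /* 15 */
#define LR_INDEX     (C_ARR_WORDS + 1 + SAVED_REGS - 1)  /* 23 */
#define FRAME_WORDS  (C_ARR_WORDS + 1 + SAVED_REGS)      /* 24 */

struct frame {
    uint32_t w[FRAME_WORDS];   /* w[0] is c_arr[0]; w[23] is the saved lr */
};

/* Prologue: save the return address and copy the guard into w[15]. */
static void prologue(struct frame *f, uint32_t guard, uint32_t return_addr)
{
    memset(f, 0, sizeof *f);
    f->w[GUARD_INDEX] = guard;
    f->w[LR_INDEX] = return_addr;
}

/* Epilogue check, the `ldr r0, [sp, #60]; cmp r0, r4` of the listing:
 * returns 1 if the guard copy no longer matches the value kept in r4. */
static int epilogue_detects(const struct frame *f, uint32_t guard_in_r4)
{
    return f->w[GUARD_INDEX] != guard_in_r4;
}

/* Word index of the saved return address in this frame (23). */
int return_address_index(void)
{
    return LR_INDEX;
}

/* First experiment: *(p + 15) = 1234 and *(p + 23) overwritten. Returns 1 when
 * the epilogue catches it, so __stack_chk_fail runs instead of the new address. */
int experiment_guard_and_lr(uint32_t guard)
{
    struct frame f;
    prologue(&f, guard, 0x60010100u);   /* constructed "normal" return address */
    f.w[15] = 1234;
    f.w[23] = 0x60010200u;              /* constructed stand-in for attack_attack */
    return epilogue_detects(&f, guard);
}

/* Second experiment: only *(p + 23) is written. The guard survives, the check
 * passes, and the function returns to the overwritten address. */
int experiment_lr_only(uint32_t guard)
{
    struct frame f;
    prologue(&f, guard, 0x60010100u);
    f.w[23] = 0x60010200u;
    return epilogue_detects(&f, guard);
}

/* A sequential overflow of n_words starting at c_arr[0], the kind a runaway
 * copy loop produces. It cannot reach the saved lr (word 23) without first
 * passing through the guard (word 15), which is the article's closing point. */
int sequential_overflow_detected(uint32_t guard, int n_words)
{
    struct frame f;
    int i;
    if (n_words > FRAME_WORDS)
        n_words = FRAME_WORDS;
    prologue(&f, guard, 0x60010100u);
    for (i = 0; i < n_words; i++)
        f.w[i] = 0x41414141u;           /* constructed filler, never equal to the guard */
    return epilogue_detects(&f, guard);
}

int sequential_overflow_reaches_lr(int n_words)
{
    return n_words > LR_INDEX;
}

int main(void)
{
    uint32_t guard = 0xA5C3E100u;       /* constructed guard value */
    printf("return address at p+%d\n", return_address_index());
    printf("guard and lr overwritten: detected=%d\n", experiment_guard_and_lr(guard));
    printf("lr only overwritten:      detected=%d\n", experiment_lr_only(guard));
    printf("24-word sequential overflow: detected=%d, reaches lr=%d\n",
           sequential_overflow_detected(guard, 24), sequential_overflow_reaches_lr(24));
    return 0;
}
```

The two experiment functions give the same verdicts the UART output did: the first is caught, the second is not. The sequential case makes the article's argument concrete: any overflow long enough to reach word 23 has already changed word 15, so the only writes that slip past the check are non-sequential ones, which a stack overflow does not produce.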
Summary
The stack protector in armcc can be enabled with a few simple settings, and other compilers implement it on similar principles; at least for gcc, which I have looked at, the stack protector implementation is the same as armcc's.
Copyright notice
This article was written by [MyeDy]; please include a link to the original when reposting. Thank you.
https://yzsam.com/2022/04/202204230612364702.html