Descriptions
- The
STACK_PROTECTOR defines the default behavior of the
stack protection of the compiler. If set, it always
produces the stack protecton code. If not set, it produces the instrument
only at the use of -fstack-protector compiler option.
- We assume every variables on stack is pointed by the combination of
the start address of each variable and the offset from the start
address. It is necessary to distinguish a reference to a character array
and a reference to the other type of variable. So we modified a few portion of
source codes.
Since EXPAND_SUM directive in the expand_expr function
doesn't preserve the characteristics, we changed the use of such directives
as follows:
if (flag_propolice_protection && modifier ==EXPAND_SUM) modifier =EXPAND_NORMAL;
- There are
__guard_setup and
__stack_smach_handler defined in libgcc2.c.
The security strength
of the protection and the portability of the protection method is
influenced by the way how they are implemented. The device
/dev/urandom is used to determine the guard value, but it is not
portable. For only the case where the device can not be used, we decided
to change the protection strategy which uses the termination canary. The
canary is invented by Crispin Cowan. it is hard to overwrite the value
using string functions.
Though it isn't difficult to overwrite it in the case of using binary
copy functions (memcpy, bcopy, etc), such overflow
problems usually occur on the program that carelessly calculates the size
of copying buffer. I think such problem can be found and fixed at the
debug time.
fd = open ("/dev/urandom", 0);
if (fd != -1) {
ssize_t size = read (fd, &__guard, sizeof(__guard));
close (fd) ;
if (size == sizeof(__guard)) return;
}
/* If a random generator can't be used, the protector switches the guard
to the "terminator canary" */
__guard[0] = 0; __guard[1] = 0; __guard[2] = '\n'; __guard[3] = 255;
- The
assign_stack_temp function re-use the stack region
that has been used in the independent block. Because propolice protection
moves the location of character array to the opposite direction for the
other type of variable, it requests the use of stack region of character
array should be separate to the region of the other type of
variables. The function is modified to satisfy the requirement.
- We use the used flag of RTL in PLUS if this expression have already
moved the location in the processing of propolice protection. After
that, all flags in PLUS are cleared. The process will be invoked after
the first rtl generation, at the processing of purge_addressof, and at
the global_alloc processing that assigns the pseudo register to stack.
Change Logs
- gcc-3.0 (June 28, 2001)
- sparc-sun-solaris2.6 (June 12, 2001)
- syslog support (May 5, 2001)
|
