Overflow defenses

Various defenses

• note, attackers may find ways around some of these — see advanced reading

(1) make stack and heap non-executable

• default with gcc — must turn off with -z execstack
• Windows allows you to turn on Data Execution Prevention
• details on how DEP works

(2) stack canary

• insert a randomly-chosen integer on the stack when a function is called
• check that the canary is intact before examining the return pointer
• can also use a heap canary
• default with gcc — must turn off with -fno stack-protector

(3) address space layout randomization (ASLR)

• kernel level

• randomly positions the stack, heap, libraries

• makes it more difficult for an attacker to predict where code is loaded when a buffer is overflowed

• prevents the attacker from knowing where code is located

• position-independent execution (PIE) randomizes the code block

• depends on the implementation being properly randomized — see The Illusion of Randomness: An Empirical Analysis of Address Space Layout Randomization Implementations

(5) position-independent execution (PIE)

• the binary is compiled so that each memory region has an offset from a fixed address, and the fixed address can change each time the binary is run
• PIE enables the text and data positions to be randomly positioned by ALSR

(6) type-safe languages

• see NIST safer languages
• type safety in Rust

(7) other

• compiler bounds checking
• safe C libraries
• static analysis tools — tools that analyze your code and warn you

Adoption Barriers

• no governing body
• backwards compatibility
• incomplete solutions

Advanced Reading

• Return-Oriented Programming: Systems, Languages, and Applications
• tutorial on return-oriented programming
• Practical Timing Side Channel Attacks against Kernel Space ASLR
• Position-Independent Code Reuse: On the Effectiveness of ASLR in the Absence of Information Disclosure