Debian SbD
Stack Smash Protection

Stack Smash Protection, or ProPolice, is a patch to gcc which allows the -fstack-protector switch to be used to protect stack-based buffers. The method used is explained in general in an article on Wikipedia. SSP can be acquired from the SSP Homepage.

Implementation

To stack smash protect a program or library, the source file must be compiled with the -fstack-protector switch. Implementing this protection will require recompiling each binary to be protected. This is proposed to be done by the Debian maintainers.

When building a patched gcc, the ./configure --enable-stack-protector option can be used to build a gcc which uses -fstack-protector by default. In this scenario, the -fno-stack-protector switch must be used to build a source file without SSP. note: I'm still trying to determine if this is -all or not; I've e-mailed the SSP author.

A modified specs file could also accomplish these goals, as detailed with Position Independent Executables.

It is currently planned to rebuild several packages with SSP. The packages used will be for demonstrating SSP, so we are not focusing specifically on replacing packages that may become security holes. Instead, the demonstrative package tree will consist of programs that get everyday use, such as a WM and a media player.

Features

SSP prevents stack-based buffer overflows from leading to undefined behavior in programs, and in the worst case to elevated privileges or task hijacking. Buffer overflows are a common entry point for many classes of exploits; by effectively rendering them useless, we can by proxy turn a large set of vulnerabilities into program crashes rather than illegitimate access.

It is important to note that by "exploits" we mean both known and unknown exploits. SSP is designed to curb the damage of currently unnoticed programmer error which leads to an exploitable utility. SSP should only be disabled for code which cannot function normally with it.

Overhead

SSP incurs a minor overhead, which may be similar to that measured by Immunix based on a similar technology called StackGuard. The two technologies are highly similar in implementation, and thus the runtime overhead should be similar if not identical. OpenBSD claims that SSP incurs an overhead of 1.3% in a presentation on their home page if using -fstack-protector-all.

Compatibility

Some programs will break with Stack Smash Protection enabled. The most considerable examples include X (Xorg as of 6.7.0) and anything Gecko-based, such as Mozilla, Firefox, or Thunderbird. The solution to this is simple: don't use -fstack-protector when compiling these.

When stack smash protection is enabled, __SSP__ is #defined as 1. When -fstack-protector-all is used, __SSP_ALL__ is #defined as 2, and __SSP__ is #defined as 1.
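As an added illustration (not code from this page, from ProPolice or from gcc) of what the compiler inserts for the protection described under Features, and of the __SSP__ macro named above: a hand-written model of a guarded frame. The guard value is constructed here rather than drawn at random, and the function returns a status instead of aborting the process as the real runtime does.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed guard value for this model; real SSP draws a random
   guard at process start so it cannot be predicted. */
static const uint64_t guard_value = 0x5a5a00ff13579bdfULL;

enum { BUF_LEN = 16 };

/* 1 if this translation unit was compiled with -fstack-protector
   (gcc defines __SSP__ as described above), else 0. */
int ssp_enabled(void)
{
#ifdef __SSP__
    return 1;
#else
    return 0;
#endif
}

/* Model of a ProPolice-protected frame: the character array sits just
   below the guard, and the guard sits just below the saved registers
   and return address, so any copy that runs off the end of the array
   must cross the guard before it can reach them. Returns 0 when the
   guard is intact and -1 when it was overwritten (the real runtime
   aborts the process at that point instead of returning). */
int guarded_copy(const char *src, size_t len)
{
    unsigned char frame[BUF_LEN + sizeof guard_value];
    uint64_t seen;

    if (len > sizeof frame)
        return -2;                 /* keep the model itself in bounds */

    /* prologue: plant the guard directly above the buffer */
    memcpy(frame + BUF_LEN, &guard_value, sizeof guard_value);
    /* the copy into the local array that SSP instruments */
    memcpy(frame, src, len);
    /* epilogue: re-read the guard and compare before "returning" */
    memcpy(&seen, frame + BUF_LEN, sizeof seen);
    if (seen != guard_value) {
        fprintf(stderr, "*** stack smashing detected ***\n");
        return -1;
    }
    return 0;
}
```

Building this file once with and once without -fstack-protector shows ssp_enabled() flipping, which is the same check a package can use to confirm the switch actually reached its translation units.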

Stack Smash Protection should not be able to affect third-party vendor software. The vendor must compile their code with -fstack-protector for stack smash protection to be used. However, libraries compiled with -fstack-protector will be protected, and faults (attacks or otherwise) in these libraries will bring down any third-party software utilizing the libraries if triggered.

It is recommended that SSP be disabled for software which triggers its own faults. For all other packages, SSP should be enabled. Any faults not triggered by the software in normal running can still be triggered by external methods (bad data from files or the network), which leaves SSP as an effective barrier against attacks. If there are no exploits, SSP becomes a harmless cycle eater with no significant footprint.

External Resources

Protecting from Stack Smashing Attacks is an article written by the creator(s) of ProPolice about Stack Smash Protection.

Debian is a registered trademark of Software in the Public Interest, Inc. Linux is a Registered Trademark of Linus Torvalds. All trademarks are property of their respective owners. For any questions, comments, or complaints, e-mail nigelenki@comcast.net.