
Research And Implementation On The Defense Method Against Stack-overflow Attack Based On GCC Plug-in

Posted on: 2021-05-15
Degree: Master
Type: Thesis
Country: China
Candidate: Z B Wang
Full Text: PDF
GTID: 2428330614971971
Subject: Computer technology
Abstract/Summary:
With the development of information technology, the public pays more and more attention to the security of systems and software. Stack overflow, the most harmful kind of buffer overflow vulnerability, has been difficult to eradicate. Many scholars have proposed effective solutions, among which simple and efficient methods such as the non-executable stack, memory address randomization, and the compiler-extension-based Stack Smashing Protector (SSP) mechanism have been widely recognized. However, as time goes by, these methods gradually show limitations in the face of attackers' elaborate attack methods. Taking the SSP defense mechanism as an example: in a program that uses the fork system call, it is possible to bypass SSP by creating child processes and cracking the stack overflow detection flag, namely the canary bytes, one byte at a time. This weakness is currently used to gain remote access to web servers such as Nginx. Research on protection against stack overflow attacks is therefore of great practical significance and value.

This paper starts from an analysis of the stack overflow vulnerability, and studies the working principle of SSP and its shortcomings through experimental verification. Second, we design a solution to the byte-by-byte canary cracking attack. Its core idea is that, after the fork system call and before the child process starts executing, a lightweight buffer is created to store the addresses of the canaries on the stack, and the canary values in the child's stack are updated, so that the canary differs between parent and child processes. Finally, instrumented code changes how the canary is accessed and how it is checked when a function returns, which completes the defense against the byte-by-byte cracking attack.

Based on these ideas, this paper implements a set of plug-ins for the GCC compiler that operate on the source code of the program. The plug-in is compatible with the SSP mechanism while defending against byte-by-byte attacks. It contains an instrumentation module and a dynamic shared library module. The instrumentation module registers a new optimization pass in the GCC compiler's optimization back end, which inserts the verification code that handles the canary when it is pushed onto and popped from the stack. The dynamic shared library provides runtime support for programs compiled with the plug-in, including environment settings, rewritten library functions, and plug-in self-check functions.

To verify the effectiveness of the stack overflow protection method, the function and performance of the prototype system are tested. Experimental results show that the performance loss introduced by the plug-in is less than 0.5% on the web server and less than 2.5% in ordinary applications, which is within the acceptable range. The method both strengthens stack protection and meets the deployment needs of practical application scenarios.
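The fork-time canary refresh described in the abstract, as a small user-space model added here (not the thesis's plug-in or its code): `guarded_fork` stands in for the rewritten library function, and explicit `frame_enter`/`frame_leave` calls stand in for the instrumented prologue and epilogue. All names, the 64-slot buffer and the use of `/dev/urandom` are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>
static uint64_t  g_canary;      /* value the epilogue check compares against */
static uint64_t *g_slots[64];   /* lightweight buffer: addresses of live canary slots */
static int       g_nslots;
static uint64_t fresh_canary(void) {
    uint64_t v;
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f || fread(&v, sizeof v, 1, f) != 1) abort();
    fclose(f);
    return v;
}
/* Modelled prologue: store the canary and record where it lives. */
static void frame_enter(uint64_t *slot) {
    if (g_nslots == (int)(sizeof g_slots / sizeof *g_slots)) abort();
    *slot = g_canary;
    g_slots[g_nslots++] = slot;
}
/* Modelled epilogue: 1 if the slot still holds the current canary, else 0. */
static int frame_leave(uint64_t *slot) {
    g_nslots--;
    return *slot == g_canary;
}
/* fork() replacement: the child draws a new canary and patches every inherited slot. */
pid_t guarded_fork(void) {
    pid_t pid = fork();
    if (pid == 0) {
        g_canary = fresh_canary();
        for (int i = 0; i < g_nslots; i++) *g_slots[i] = g_canary;
    }
    return pid;
}
/* 1 if the child's canary differs from the parent's and both processes' frames verify. */
int child_rekeyed_and_consistent(void) {
    uint64_t outer, inner;   /* stand-ins for the canary slots of two nested frames */
    int status = 0;
    g_canary = fresh_canary();
    frame_enter(&outer);
    frame_enter(&inner);
    uint64_t inherited = g_canary;
    pid_t pid = guarded_fork();
    int ok = frame_leave(&inner) && frame_leave(&outer);   /* runs in both processes */
    if (pid == 0) _exit(ok && g_canary != inherited ? 0 : 1);
    if (pid < 0 || waitpid(pid, &status, 0) != pid) return 0;
    return ok && g_canary == inherited && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
int main(void) { return child_rekeyed_and_consistent() ? 0 : 1; }
```

Patching the inherited slots is what lets the child return through frames created before the fork; changing only the reference value would make every such return fail its check.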
Keywords/Search Tags:stack overflow vulnerability, GCC plug-in, lightweight buffer, code instrumentation, dynamic shared library