Weird memory problems in C – or – “how to smash the stack”.

The Unix operating system defines a number of different incidents relating to memory access.

A fandango on core is a generic term for any bug involving a wild pointer that has run out of bounds, causing core dumps or corruption of the dynamic memory allocation space. One variety of fandango on core, the overrun screw, is a generic term for C programming bugs that scribble past the end of an array; the lack of bounds checking makes this a fairly common occurrence in the C programming language. One variety of overrun screw, smashing (also trashing or scribbling) the stack, is reserved for the C case in which the execution stack is corrupted by writing past the end of a data structure such as a local array. Smashing, trashing or scribbling the stack is said to happen when a C function or routine overruns a fixed-size buffer with excessively large input data and, as a result, jumps to a random address.

Fun eh?

So how does one “smash the stack”? The easiest way is to write a piece of code like this:

#include <stdio.h>

/* Deliberately vulnerable: gets() has no idea how big str is and will
   keep writing past its end for any input longer than the buffer. */
void smashStack()
{
    char str[20];
    gets(str);
}

int main(void)
{
    smashStack();
    return 0;
}

Catching the smashed stack relies on a protection mechanism that gcc uses to detect buffer overflow errors. The function smashStack works quite well if the number of characters input is less than 20. However, if more than 20 characters are entered, a buffer overflow will occur. The code can then be compiled in the following manner:

gcc -fstack-protector smash_stack.c

The flag -fstack-protector creates extra code to check for buffer overflows, such as stack smashing attacks. When the program is run, with input “Doordonotthereisnotry.”, the stack smashes.

$ ./a.out
Doordonotthereisnotry.
*** stack smashing detected ***: ./a.out terminated
Aborted (core dumped)

The Stack Smashing Protector (SSP) was first developed by IBM. If there is no explicit mention of whether SSP should be engaged or not, then it is determined by the system configuration (Linux, for instance, turns it off). The use of “buffer protectors” helps thwart attacks which focus on the use of buffer overflows, such as a “buffer overflow attack”. I’ll refer those interested in the details to a posting on Dr. Dobb’s: Anatomy of a Stack Smashing Attack and How GCC Prevents It.
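To make the overrun concrete, here is an added example (not part of the original post) that, for the same 20-byte str buffer, computes how many bytes gets() would scribble past its end for a given line, and shows the bounded copy that a fixed smashStack should do instead. The input line and the helper names are my own choices.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 20   /* same size as str[20] in smashStack() */

/* Bytes gets() stores for a line: every character plus the terminating NUL. */
static size_t gets_bytes_written(const char *line)
{
    return strlen(line) + 1;
}

/* How far past the end of a BUF_SIZE buffer gets() would write (0 = it fits). */
size_t overrun_bytes(const char *line)
{
    size_t need = gets_bytes_written(line);
    return need > BUF_SIZE ? need - BUF_SIZE : 0;
}

/* Bounded replacement for the gets() call: copies at most dst_size-1
   characters, always NUL-terminates, and returns 1 when the line had to be
   truncated (exactly the case in which gets() would have smashed the stack),
   0 when it fit. fgets(str, sizeof str, stdin) gives the same guarantee
   when reading from stdin. */
int copy_line_bounded(const char *line, char *dst, size_t dst_size)
{
    size_t len = strlen(line);
    if (len < dst_size) {
        memcpy(dst, line, len + 1);   /* fits, including the NUL */
        return 0;
    }
    memcpy(dst, line, dst_size - 1);  /* keep what fits, drop the rest */
    dst[dst_size - 1] = '\0';
    return 1;
}

int main(void)
{
    /* Constructed sample input: the same line the post typed into a.out. */
    const char *input = "Doordonotthereisnotry.";
    char str[BUF_SIZE];

    int truncated = copy_line_bounded(input, str, sizeof str);
    printf("gets() would overrun str[%d] by %zu byte(s)\n",
           BUF_SIZE, overrun_bytes(input));
    printf("bounded copy: \"%s\" (truncated=%d)\n", str, truncated);
    return 0;
}
```

For the 22-character line above, gets() needs 23 bytes and so writes 3 bytes beyond the buffer, which is what trips the canary check that -fstack-protector inserted.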
