In this simple vulnerable C program, a char array is declared inside a function called ‘silly’. The first command-line argument is passed on to ‘silly’, stored in the array ‘buf’, and then the array is printed on the screen. The first trial is irrelevant: it segfaults because no argument was supplied. The second and the third trials show that without a breach the program works, whereas with a breach the buffer is overrun and a segfault is provoked.
The first two trials are done without any protection, i.e. with the compiler defaults. As I have found out, this is equivalent to compiling with ‘-fno-stack-protector’: when the assembly outputs of a build with no protection flags and a build with ‘-fno-stack-protector’ are compared, they are actually the same. The existence of the ‘-fno-stack-protector’ flag is probably related to gcc's default settings differing between distributions or platforms. As a segfault does not necessarily terminate the program, the breach is real and the overflow has actually taken place.
Since we want the overflow to be prevented, the third trial sets the well-known flag ‘-fstack-protector-all’ while compiling, causing the program to be terminated when it is given an argument that exceeds the buffer size.
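As an added example (not the post's own code), the ‘silly’ program is reconstructed below from the description above and placed beside a bounded version that refuses oversize arguments instead of overflowing; the function names, the 8-byte buffer size and the return codes are assumptions:

```c
/* Added example, reconstructed from the post's description; not the original code.
 * silly_unchecked is the vulnerable form, silly_checked the bounded form. */
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 8   /* assumed: the post's buf[8] */

/* As described in the post: no length check, so an argument of BUF_SIZE or
 * more characters overruns buf. With -fstack-protector-all the canary check
 * aborts the program; without it the behaviour is undefined (e.g. a segfault). */
void silly_unchecked(const char *arg)
{
    char buf[BUF_SIZE];
    strcpy(buf, arg);          /* overflow when strlen(arg) >= BUF_SIZE */
    printf("%s\n", buf);
}

/* Bounded version: measure the argument first and reject anything that would
 * not fit, including the terminating NUL, so the canary is never reached.
 * Returns 0 if the argument was copied, -1 if it was too long. */
int silly_checked(const char *arg)
{
    char buf[BUF_SIZE];
    size_t len = strlen(arg);
    if (len >= sizeof buf) {
        fprintf(stderr, "argument too long (%zu bytes, max %zu)\n",
                len, sizeof buf - 1);
        return -1;
    }
    memcpy(buf, arg, len + 1); /* len + 1 <= BUF_SIZE, so no overrun */
    printf("%s\n", buf);
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 2) {            /* the post's first trial: no argument given */
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 2;
    }
    return silly_checked(argv[1]) == 0 ? 0 : 1;
}
```

Built with the flags discussed above, silly_unchecked is the function whose canary fires on a long argument; silly_checked never reaches the canary because it refuses the input first.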
—
Furthermore, about the use of the word ‘all’ in the protection flag: as I have found out, the ‘-fstack-protector’ flag does not provide any protection if the buffer is smaller than 8 bytes, leaving the buffer vulnerable to overflows; however, the ‘protector-all’ flag costs more performance, hence it may not always be the preferred choice. There are several other ways to customize the protection options, but ‘all’ protects everything anyway. I have changed the size of ‘buf[8]’ in the simple program I introduced to ‘buf[4]’ (any size being ‘x’; 4<x /proc/sys/kernel/randomize_va_space’
line can be executed to enable this feature in Linux. To disable it, the integer value can be replaced with ‘0’.
İlhami Selamet
10/5/2016