Bugtraq mailing list archives
Re: Stack Shield: defending from "stack smashing" attacks
From: Valdis.Kletnieks () VT EDU (Valdis.Kletnieks () VT EDU)
Date: Wed, 1 Sep 1999 23:35:39 -0400
On Tue, 31 Aug 1999 17:13:21 -0000, Crispin Cowan <crispin () CSE OGI EDU> said:
> Tobias Haustein wrote:
> > I was about to write a binary translator that reads an executable,
> > locates every function prolog and epilog, adds the necessary code to
> > detect buffer overflows, and writes a new version of the executable.
> How do you make room for the extra code in prolog & epilog without
> re-linking the entire program?
The old-time IBM mainframe people would consider it a "piece of cake".
Basically, you replace one instruction with a branch to your code
stored someplace else, which would do your added code, then execute
the replaced instruction, then branch back to the next original opcode.
For example:

old code:
        STM   R2,R12,12(R13)
        L     R5,24(,R1)
        ST    R6,20(,R1)

new code:
        STM   R2,R12,12(R13)
        B     2400(,R15)  ----->  SR    R2,R5
        ST    R6,20(,R1)  <---+   MVI   36(R3),C'+'
                              |   L     R5,24(,R1)
                              +-- B     8(,R15)
You get the idea. Of course, quite often you had to first perform
*one* 'zap' to free up space inside the 4K-per-base-register
restriction, and then a second 'zap' to put code into there. I've
personally hacked up HMASPZAP jobs that would end up replacing 5 or 6
different patches of code, 20 to 30 bytes at a stretch. You would
quite often find a string of 16 to 32 bytes of zeros at the end of a
module, specifically intended for patch space.
Valdis Kletnieks
Computer Systems Senior Engineer
Virginia Tech
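A toy model of the patch shape described in the post above, as an added example (not code from the mail or from Stack Shield): the one-slot tuple ISA, detour(), run() and the sample program are all constructed here, but the control flow is the one the post describes: replace one instruction with a branch to free space, run the added code, run the displaced instruction, branch back to the next original opcode.

```python
# Added example, not from the post or from Stack Shield: a toy model of
# the 'zap' patch shape. The tuple ISA, detour() and the sample program
# are constructed here. Instructions are one slot each: ("MOV", reg, imm),
# ("ADD", dst, src), ("ST", reg, addr), ("B", target_index), ("HALT",).

def detour(code, at, inserted):
    """Return a patched copy of code: code[at] becomes a branch to free
    space appended at the end, where `inserted` runs first, then the
    displaced instruction, then a branch back to at + 1."""
    patched = list(code)
    patch_area = len(patched)           # first free slot past the module
    patched[at] = ("B", patch_area)     # the single-instruction 'zap'
    patched.extend(inserted)            # added code
    patched.append(code[at])            # the displaced instruction
    patched.append(("B", at + 1))       # back to the next original opcode
    return patched

def run(code, max_steps=1000):
    """Interpret until HALT; return (registers, memory)."""
    regs, mem, pc = {}, {}, 0
    for _ in range(max_steps):
        ins = code[pc]
        if ins[0] == "MOV":
            regs[ins[1]] = ins[2]
        elif ins[0] == "ADD":
            regs[ins[1]] = regs.get(ins[1], 0) + regs.get(ins[2], 0)
        elif ins[0] == "ST":
            mem[ins[2]] = regs.get(ins[1], 0)
        elif ins[0] == "B":
            pc = ins[1]
            continue
        elif ins[0] == "HALT":
            return regs, mem
        pc += 1
    raise RuntimeError("no HALT reached (patch loop?)")

# Constructed sample: r1 = 5; r2 = 7; r1 += r2; store r1 at 100; halt.
PROGRAM = [("MOV", "r1", 5), ("MOV", "r2", 7), ("ADD", "r1", "r2"),
           ("ST", "r1", 100), ("HALT",)]
# Inserted code stands in for an instrumenter's check: save r1 to 200
# before the displaced ADD runs.
INSERTED = [("ST", "r1", 200)]
PATCHED = detour(PROGRAM, 2, INSERTED)

def check_equivalent():
    """Original behaviour survives the patch and the inserted store ran."""
    regs_a, mem_a = run(PROGRAM)
    regs_b, mem_b = run(PATCHED)
    return regs_a == regs_b and mem_a[100] == mem_b[100] == 12 and mem_b[200] == 5
```

The branch back targets at + 1, so the patch is only sound when no other code in the module branches into the displaced slot expecting the original instruction to be there.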