Visual C++: Protecting Against Buffer Overruns with the /GS Switch

Buffer overruns represent one of the most common security vulnerabilities that exist in software today. By allowing a hacker to modify the execution flow of a process by providing malicious input, buffer overruns can allow an entire process, machine, or domain to be compromised. If the identity that the process is running under is a highly trusted account, such as an administrator or the Local System account, the damage that the hackers can cause is severe and potentially widespread. Some of the more famous virus outbreaks in recent times, such as the Code Red and Blaster worms, were the result of buffer overruns in C/C++ code.

Buffer overruns are a simple programming mistake—they involve copying the contents of a region of memory into another region of memory that is too small to accommodate the source block. The code below demonstrates a simple example:

#include <cstring>   // strcpy

char* source = "A reasonably long string"; // 24 characters plus the null terminator: 25 bytes
char dest[10];                             // room for 9 characters plus the terminator
::strcpy(dest, source);                    // copies all 25 bytes into a 10-byte stack buffer

In this case, the source string is 25 bytes long (24 characters plus the null terminator) and will not fit in the 10-byte destination, which is declared on the stack. When this code executes, the 15 extra bytes are written over whatever follows dest in the stack frame, and the program typically crashes with an access violation when the corrupted frame is used. A security vulnerability exists if the source block of memory is supplied by an external party, because the attacker can then choose exactly which bytes land beyond the end of the buffer, and therefore which stack locations are modified and what they are changed to.

When a function is called in C/C++, the address in the caller to which execution should return is pushed on the stack so that the callee can return to that point once it has completed. If the callee contains a buffer overrun, the bytes written past the end of the buffer can reach that saved return address, and when the function returns, execution jumps to whatever location the data in the buffer nominated. By choosing that value, an attacker can get code at an arbitrary location in the process to execute. This is commonly exploited in two main ways:

  1. If the application with the vulnerability is known and widely available, the attacker can look for the address of a function that will be located at a fixed address in all process instances and modify the stack so this function is called.
  2. The instructions to execute can be passed into the process address space as part of the buffer, and an attacker can exploit this to carry out an attack.

Defending Against Buffer Overruns

The simplest defense against a buffer overrun is limiting the size of the data copied so that it is not greater than the size of the destination buffer. While applying this defense seems trivial—and, in fact, it is in contrived situations like the earlier example—experience has shown that totally eliminating the potential for buffer overruns in large C/C++ code bases is an extremely difficult undertaking. Using managed technologies such as .NET and Java can significantly reduce the potential for buffer overruns, but moving large code bases to these technologies is often impossible or inappropriate.
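As an added illustration that is not from the original article, the routine below is one bounded-copy function of the kind the paragraph describes: it never writes past the destination, always null-terminates it (which strncpy alone does not guarantee), and tells the caller when input had to be dropped. The function names are this example's own.

```c
/* Added example (not from the article): the bounded copy that replaces the
 * article's strcpy, plus a helper that reports how many bytes strcpy would
 * have written. Names are this example's own. */
#include <stddef.h>
#include <string.h>

/* Copies src into dst (capacity dst_size), always NUL-terminating dst.
 * Returns 0 when src fit, -1 when it did not (dst then holds a truncated
 * copy) or when dst_size is 0. Unlike strncpy, the destination is always
 * terminated and the caller learns that data was dropped, so it can treat
 * oversized input as an error instead of silently continuing. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t n;
    if (dst_size == 0)
        return -1;
    n = strlen(src);
    if (n >= dst_size) {
        /* Keep what fits, terminate, and report the truncation. */
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);   /* n characters plus the terminator */
    return 0;
}

/* Number of bytes strcpy(dst, src) writes: the characters plus the NUL.
 * For the article's 24-character string this is 25, fifteen more than
 * its 10-byte destination can hold. */
size_t bytes_written_by_strcpy(const char *src)
{
    return strlen(src) + 1;
}
```

The -1 return is the important part: a copy that truncates without saying so merely turns a crash into a silently mangled value, which is often its own security problem.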

The reason that stack-based buffer overruns are so easily exploitable is that the code the compiler generates places the function's return address on the stack, just above the local variables. Recognizing that the compiler's frame layout is part of the problem, the Visual C++ team took the approach with the release of Visual C++ .NET (7.0) that the compiler could also be part of the solution. The compiler inserts a cookie, a value loaded from a process-wide global when the function is entered, between the local buffers and the saved return address. An overrun that runs far enough through a buffer to change the return address must therefore also overwrite the cookie, and the function epilogue compares the cookie on the stack with the global value before returning. When a modified cookie is detected, a security error is raised; if no handler has been installed, the process that is running the code exits. Note that the handler hook shown here belongs to the 7.0 and 7.1 runtimes: later versions of Visual C++ made _set_security_error_handler obsolete and terminate the process directly on a cookie mismatch. The code below shows a skeleton program with a security error handler present:

#include <stdio.h>
#include <stdlib.h>   // _set_security_error_handler, _SECERR_BUFFER_OVERRUN

// Called by the /GS runtime check when a corrupted cookie is detected
// (Visual C++ .NET 7.0/7.1 runtime only).
void __cdecl sec_handler( int code, void * )
{
   if ( code == _SECERR_BUFFER_OVERRUN )
   {
      printf("You had a buffer overrun\n");
      exit(1);
   }
}

int main()
{
   _set_security_error_handler( sec_handler );
   //main application code here
   return 0;
}
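The cookie mechanism described above, modelled as an added example in portable C (this is not the compiler's own code and not code from the article): the stack frame is a struct so that the overrun stays inside memory the program owns, the cookie is a fixed constant for determinism (a real cookie must be unpredictable), and an unbounded copy is run through the frame with both benign and attacker-constructed input. All names and the cookie value are this example's own assumptions.

```c
/* Added example, not from the article: a portable model of the /GS cookie.
 * Real /GS code puts the cookie between the locals and the saved return
 * address of the actual stack frame; here the "frame" is a struct so the
 * overrun never leaves memory this program owns. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

struct frame {
    char      buf[16];   /* the overrunnable local buffer                */
    uintptr_t cookie;    /* /GS cookie, just above the locals            */
    uintptr_t saved_ret; /* return address an attacker wants to control  */
};

/* Process-wide cookie, standing in for __security_cookie. A fixed value
 * keeps the example deterministic; a real cookie must be unpredictable,
 * or the attacker simply writes the right value back over it. */
static const uintptr_t security_cookie = (uintptr_t)0x5A3C;

/* Prologue: store the cookie and the (pretend) return address. */
void frame_enter(struct frame *f, uintptr_t ret)
{
    memset(f->buf, 0, sizeof f->buf);
    f->cookie = security_cookie;
    f->saved_ret = ret;
}

/* The article's unbounded strcpy into buf. The copy is capped at the size
 * of the struct so it cannot escape it, but within the struct it runs over
 * cookie and saved_ret exactly as a stack overrun would. */
void frame_strcpy_unbounded(struct frame *f, const char *src)
{
    size_t n = strlen(src) + 1;          /* strcpy copies the terminator too */
    if (n > sizeof *f)
        n = sizeof *f;
    memcpy((unsigned char *)f, src, n);
}

/* Epilogue check (the role of __security_check_cookie): 1 if intact. */
int frame_check_cookie(const struct frame *f)
{
    return f->cookie == security_cookie;
}

/* Where execution goes on return: the saved address if the check passes,
 * or 0 standing in for "security error raised, process exits". */
uintptr_t frame_return(const struct frame *f)
{
    return frame_check_cookie(f) ? f->saved_ret : 0;
}

/* Constructed attacker input: filler for buf, a guess for the cookie, then
 * the new return address. Returns the payload length, or 0 if out is too
 * small. new_ret must contain no zero byte, or strlen() stops early. */
size_t build_attack_input(char *out, size_t out_size, uintptr_t new_ret)
{
    size_t cookie_off = offsetof(struct frame, cookie);
    size_t ret_off    = offsetof(struct frame, saved_ret);
    size_t len        = ret_off + sizeof new_ret;
    if (out_size < len + 1)
        return 0;
    memset(out, 'A', cookie_off);                         /* fills buf          */
    memset(out + cookie_off, 'B', ret_off - cookie_off);  /* wrong cookie guess */
    memcpy(out + ret_off, &new_ret, sizeof new_ret);      /* hijacked return    */
    out[len] = '\0';
    return len;
}
```

With benign input the cookie survives and frame_return hands back the original address; with the constructed payload saved_ret really is replaced by the attacker's value, but the 'B' bytes that landed on the cookie make the epilogue check fail before that address is ever used. Overwriting the return address without touching the cookie is geometrically impossible here, which is exactly the property /GS relies on; the remaining weakness is a predictable cookie value, which is why the real one is randomized at process start.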

Visual C++ .NET 2003 (7.1) strengthens the protection by reordering the frame: local buffers are placed at the highest addresses among the locals, and vulnerable data structures, such as the address of exception handlers, are placed below the buffers. In the 7.0 release, the cookie could be bypassed by corrupting sensitive data that lay between the buffers and the cookie; a pointer that the function later writes through, for example, can be redirected without the cookie ever being touched. With that data moved below the buffers in the new compiler version, an overrun that writes upwards from a local buffer can no longer reach it.

Figure 1 shows the conceptual layout of a stack frame in versions 6, 7.0, and 7.1 of the C++ compiler. The stacks are shown growing down from higher to lower addresses, which is the direction in which execution stacks grow. This downward growth is the reason buffer overruns work so well: an overrun writes to addresses higher than those owned by the buffer, which is where the return address and the other vulnerable data structures sit.

Figure 1: Logical Stack Layout

In addition to moving the exception handler information below the data buffers, the linker in Visual C++ .NET 2003 also emits a table of the addresses of all valid structured exception handlers into the executable image (the Load Configuration data referenced from the PE header). When an exception occurs, the operating system checks that the handler address recorded in the exception registration record on the stack appears in that table; if it does not, the handler is not executed. Windows Server 2003 shipped with this check, and it was subsequently back-ported to Windows XP in Service Pack 2.

Using Buffer Protection

Activating buffer protection is a simple matter of turning on the /GS compiler switch. Using Visual Studio, the switch can be activated from the Code Generation option page on the C/C++ tab (as shown in Figure 2). By default, the setting will be disabled for the Debug configuration and enabled for the Release configuration.

Figure 2: Setting the /GS Switch

Safe structured exception handling is enabled by default when every input to the linker was compiled with a version of the compiler that produces the safe exception handler information and the target subsystem can use it. The Windows CE operating system does not use the safe structured exception handling information, so the table is not emitted when that operating system is targeted. The /SAFESEH:NO command line switch disables it explicitly. There is no Visual Studio project-setting item for safe structured exception handling, but it can be controlled for a Visual Studio project by adding the switch to the linker's command line options. To confirm that a built image actually carries the table, run dumpbin /loadconfig on it and look for the Safe Exception Handler Table entries in the output.

/GS and the Wider Security Picture

Flipping a single compiler switch will not make an application secure. It can help make an application more secure, but security vulnerabilities come in many different forms. Overruns of stack-based buffers are an important class of security vulnerability, but they are far from the end of the story when it comes to the techniques that hackers will use to attack an application. Despite initially appearing relatively harmless, heap-based buffer overruns are now known to be an exploitable vulnerability, and other attacks like SQL injection, cross-site scripting, and Denial of Service can all happily succeed against an application that relies on /GS for security.

In the terminology Microsoft adopted with Windows XP SP2, the operating system's validation of exception handler addresses (the check that SAFESEH supports) is called software-enforced data execution prevention (DEP); /GS is a separate compile-time mitigation that complements it. Software-enforced DEP is in turn complemented by hardware-enforced DEP, in which the processor refuses to execute instructions located in a memory page that has been marked as non-executable. Windows XP SP2 and Windows Server 2003 support these technologies, but at the time of writing (2004) few shipping processors have No Execute (NX) support: AMD and Intel offer it in their 64-bit processors, and future 32-bit processors may also ship with it.

Any good security system has multiple layers of defense to defeat the bad guys. Compiler assistance, which can defeat or reduce the severity of common coding mistakes, is yet another layer that can be deployed in this ongoing battle, and given the ease and low cost of this defense, it is one worth deploying in your applications.



Comments

  • Quite Informative !!

    Posted by santoshthankach on 10/07/2004 04:17am

    A good article. Can someone let me know how to track and avoid the compiler heap limit error in VC++? Santosh Thankachan
