FORTIFY_SOURCE

In recent years Linux distributions started treating security more seriously. Out of many security features two are directly affecting C programmers: -fstack-protector and -D_FORTIFY_SOURCE=2. These GCC options are now enabled by default on Ubuntu and Fedora.

What do these options do?

-fstack-protector

Consider the following C function:

void
fun()
{

char
*buf
=
alloca(0x100);

/* Don't allow gcc to optimise away the buf */

asm
volatile(""
::
"m"
(buf));

}

Compiled without the stack protector, with -fno-stack-protector option, GCC produces the following assembly:

<fun>:

push %ebp ; prologue

mov %esp,%ebp

 

sub $0x128,%esp ; reserve 0x128B on the stack

lea 0xf(%esp),%eax ; eax = esp +
0xf

and $0xfffffff0,%eax ; align eax

mov %eax,-0xc(%ebp)
; save eax in the stack frame

 

leave ; epilogue

ret

On the other hand with -fstack-protector option GCC adds protection code to your functions that use alloca or have buffers larger than 8 bytes. Additional code ensures the stack did not overflow. Here's the generated assembly:

<fun>:

push %ebp ; prologue

mov %esp,%ebp

 

sub $0x128,%esp ; reserve 0x128B on the stack

 

mov %gs:0x14,%eax ; load stack canary using gs

mov %eax,-0xc(%ebp)
; save it in the stack frame

xor %eax,%eax ; clear the register

 

lea 0xf(%esp),%eax ; eax = esp +
0xf

and $0xfffffff0,%eax ; align eax

mov %eax,-0x10(%ebp) ; save eax in the stack frame

 

mov -0xc(%ebp),%eax ; load canary

xor %gs:0x14,%eax ; compare against one in gs

<fun+0x2f>

<__stack_chk_fail@plt>

 

leave ; epilogue

ret

After a function prologue a canary is loaded and saved into the stack. Later, just before the epilogue the canary is verified against the original. If the values don't match the program exits with an appropriate message. This can protect against some buffer overflow attacks. It incurs some performance penalty but it seems to be worth the benefit.

When the stack is overwritten and __stack_chk_fail branch is taken the program crashes with a message like this:

***
stack
smashing
detected
***:
./protected
terminated

=======
Backtrace:
=========

/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x45)[0xf76da0e5]

/lib/i386-linux-gnu/libc.so.6(+0x10409a)[0xf76da09a]

./protected[0x80484de]

./protected[0x80483d7]

/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xf75ef4d3]

./protected[0x8048411]

=======
Memory
map:
========

08048000-08049000
r-xp

00:13

./protected

08049000-0804a000
r--p

00:13

./protected

0804a000-0804b000
rw-p

00:13

./protected

092e5000-09306000
rw-p

00:00

[heap]

f759e000-f75ba000
r-xp

08:01

/lib/i386-linux-gnu/libgcc_s.so.1

f75ba000-f75bb000
r--p
0001b000
08:01

/lib/i386-linux-gnu/libgcc_s.so.1

f75bb000-f75bc000
rw-p
0001c000
08:01

/lib/i386-linux-gnu/libgcc_s.so.1

f75d5000-f75d6000
rw-p

00:00

f75d6000-f7779000
r-xp

08:01

/lib/i386-linux-gnu/libc-2.15.so

f7779000-f777b000
r--p
001a3000
08:01

/lib/i386-linux-gnu/libc-2.15.so

f777b000-f777c000
rw-p
001a5000
08:01

/lib/i386-linux-gnu/libc-2.15.so

f777c000-f777f000
rw-p

00:00

f7796000-f779a000
rw-p

00:00

f779a000-f779b000
r-xp

00:00

[vdso]

f779b000-f77bb000
r-xp

08:01

/lib/i386-linux-gnu/ld-2.15.so

f77bb000-f77bc000
r--p
0001f000
08:01

/lib/i386-linux-gnu/ld-2.15.so

f77bc000-f77bd000
rw-p

08:01

/lib/i386-linux-gnu/ld-2.15.so

ffeb2000-ffed3000
rw-p

00:00

[stack]

Aborted

-D_FORTIFY_SOURCE=2

Sample C code:

void
fun(char
*s)
{

char
buf[0x100];

strcpy(buf,
s);

/* Don't allow gcc to optimise away the buf */

asm
volatile(""
::
"m"
(buf));

}

Compiled without the code fortified, with -U_FORTIFY_SOURCE option:

<fun>:

push %ebp ; prologue

mov %esp,%ebp

 

sub $0x118,%esp ; reserve 0x118B on the stack

mov 0x8(%ebp),%eax ; load parameter `s` to eax

mov %eax,0x4(%esp)
; save parameter for strcpy

lea -0x108(%ebp),%eax ; count `buf`
in eax

mov %eax,(%esp)
; save parameter for strcpy

<strcpy@plt>

 

leave ; epilogue

ret

With -D_FORTIFY_SOURCE=2:

<fun>:

push %ebp ; prologue

mov %esp,%ebp

 

sub $0x118,%esp ; reserve 0x118B on the stack

movl $0x100,0x8(%esp) ; save value 0x100 as parameter

mov 0x8(%ebp),%eax ; load parameter `s` to eax

mov %eax,0x4(%esp) ; save parameter for strcpy

lea -0x108(%ebp),%eax ; count `buf` in eax

mov %eax,(%esp)
; save parameter for strcpy

<__strcpy_chk@plt>

 

leave ; epilogue

ret

You can see GCC generated some additional code. This time instead of calling strcpy(dst, src) GCC automatically calls __strcpy_chk(dst, src, dstlen). With FORTIFY_SOURCE whenever possible GCC tries to uses buffer-length aware replacements for functions like strcpy, memcpy, memset, etc.

Again, this prevents some buffer overflow attacks. Of course you should avoidstrcpy and always use strncpy, but it's worth noting that FORTIFY_SOURCE can also help with strncpy when GCC knows the destination buffer size. For example:

void
fun(char
*s,
int
l)
{

char
buf[0x100];

strncpy(buf,
s,
l);

asm
volatile(""
::
"m"
(buf[0]));

}

Here GCC instead of calling strncpy(dst, src, l) will call__strncpy_chk(dst, src, l, 0x100) as GCC is aware of the size of the destination buffer.

When the buffer is overrun the program fails with a message very similar to the one seen previously. Instead of "stack smashing detected" you'll see "buffer overflow detected" headline:

***
buffer
overflow
detected
***:
./fortified
terminated

=======
Backtrace:
=========

/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x45)[0xf76d30e5]

/lib/i386-linux-gnu/libc.so.6(+0x102eba)[0xf76d1eba]

/lib/i386-linux-gnu/libc.so.6(+0x1021ed)[0xf76d11ed]

./fortified[0x8048488]

./fortified[0x80483a7]

/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xf75e84d3]

./fortified[0x80483e1]

=======
Memory
map:
========

08048000-08049000
r-xp

00:13

./fortified

08049000-0804a000
r--p

00:13

./fortified

0804a000-0804b000
rw-p

00:13

./fortified

08d6b000-08d8c000
rw-p

00:00

[heap]

f7597000-f75b3000
r-xp

08:01

/lib/i386-linux-gnu/libgcc_s.so.1

f75b3000-f75b4000
r--p
0001b000
08:01

/lib/i386-linux-gnu/libgcc_s.so.1

f75b4000-f75b5000
rw-p
0001c000
08:01

/lib/i386-linux-gnu/libgcc_s.so.1

f75ce000-f75cf000
rw-p

00:00

f75cf000-f7772000
r-xp

08:01

/lib/i386-linux-gnu/libc-2.15.so

f7772000-f7774000
r--p
001a3000
08:01

/lib/i386-linux-gnu/libc-2.15.so

f7774000-f7775000
rw-p
001a5000
08:01

/lib/i386-linux-gnu/libc-2.15.so

f7775000-f7778000
rw-p

00:00

f778f000-f7793000
rw-p

00:00

f7793000-f7794000
r-xp

00:00

[vdso]

f7794000-f77b4000
r-xp

08:01

/lib/i386-linux-gnu/ld-2.15.so

f77b4000-f77b5000
r--p
0001f000
08:01

/lib/i386-linux-gnu/ld-2.15.so

f77b5000-f77b6000
rw-p

08:01

/lib/i386-linux-gnu/ld-2.15.so

fff8d000-fffae000
rw-p

00:00

[stack]

Aborted

 

SRC=https://idea.popcount.org/2013-08-15-fortify_source/