Published on KernelTrap (http://kerneltrap.org)

OpenBSD: StackGhost On OpenBSD/sparc

By Jeremy
Created May 23 2004 - 09:12

Theo de Raadt [interview [1]] announced that StackGhost [2] has been enabled on the OpenBSD/sparc [3] architecture. Theo explains:

"The above paper by Mike Frantzen describes a ProPolice-like security technology for protecting the stack on sparc (v6 v7 v8) machines. While ProPolice is a compiler modification (ie. the compiler produces "stack checking" code) -- StackGhost is a very small modification to the register window spill/fill handlers.. used to gain a similar security benefit, this is all possible because of the particular (curious, strange, weird) method of same-stack register window saving used by the sparc calling convention."

Essentially, StackGhost protects against modification of the saved return address (a technique frequently used in buffer overflow attacks), at basically no cost. The original code was written several years ago for OpenBSD 2.8 by Mike Frantzen, but has only now been enabled thanks to the merging of gdb 6.1 and some code written by Mark Kettenis. The paper linked above describes some performance costs associated with this protection, but these costs have been nearly entirely optimized away by Mike and Theo since the paper was written.
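To make the mechanism described above concrete, here is an added model (not OpenBSD's machdep.c code, and not from the paper) of what a StackGhost-style spill/fill handler does with the saved return address: on spill, %i7 is XORed with a per-process cookie before it lands in the stack frame; on fill, it is XORed again. The cookie value, frame layout and addresses below are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* A SPARC register window frame has 16 save slots: %l0-%l7 and %i0-%i7.
 * %i7 (slot 15) holds the return address of the window being spilled. */
typedef struct {
    uint32_t saved_regs[16];
} frame_t;

/* Per-process secret chosen at exec time.  Constructed value for the model. */
static const uint32_t cookie = 0x5a3c9e71u;

/* Spill handler: the window overflowed, so %i7 is written to the frame on
 * the stack.  StackGhost's tweak is to encode it with the cookie first. */
static void spill_i7(frame_t *f, uint32_t i7) {
    f->saved_regs[15] = i7 ^ cookie;
}

/* Fill handler: the window is needed again, so %i7 is read back from the
 * frame and decoded with the same cookie. */
static uint32_t fill_i7(const frame_t *f) {
    return f->saved_regs[15] ^ cookie;
}

/* A legitimate spill followed by a fill must hand back the original %i7. */
int roundtrip_ok(uint32_t i7) {
    frame_t f;
    spill_i7(&f, i7);
    return fill_i7(&f) == i7;
}

/* Models the saved slot being clobbered while the window sits on the stack
 * (the buffer-overflow case the text refers to).  Returns the address the
 * fill handler would actually restore into %i7: the written value XORed
 * with a cookie the writer does not know, not the written value itself. */
uint32_t decoded_after_clobber(uint32_t i7, uint32_t written) {
    frame_t f;
    spill_i7(&f, i7);
    f.saved_regs[15] = written;
    return fill_i7(&f);
}

int main(void) {
    uint32_t ret = 0x10004000u, written = 0x20008000u;
    printf("round trip ok: %d\n", roundtrip_ok(ret));
    printf("slot written with 0x%08x restores %%i7 = 0x%08x\n",
           written, decoded_after_clobber(ret, written));
    return 0;
}
```

The restored value differs from what was written by exactly the cookie, which is why the paper treats the cookie as a per-process secret and why the kernel, not the compiler, owns this check.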


From: Theo de Raadt [4] [email blocked]
To:  tech
Subject: StackGhost enabled (sparc)
Date: Sat, 22 May 2004 21:15:14 -0600

http://stackghost.cerias.purdue.edu/stackghost.pdf [5]

The above paper by Mike Frantzen describes a ProPolice-like security
technology for protecting the stack on sparc (v6 v7 v8) machines.
While ProPolice is a compiler modification (ie. the compiler produces
"stack checking" code) -- StackGhost is a very small modification to
the register window spill/fill handlers.. used to gain a similar
security benefit, this is all possible because of the particular
(curious, strange, weird) method of same-stack register window saving
used by the sparc calling convention.

As some of you have noted, gdb was just upgraded to 6.1, which allows
me to ... do the following commit:


CVSROOT:        /cvs
Module name:    src
Changes by: [email blocked] 2004/05/22 20:59:06

Modified files:
        sys/arch/sparc/sparc: machdep.c 

Log message:
Three years ago, Mike Frantzen invented StackGhost -- a simple tweak
to the register window spill/fill routines which made buffer overflows
much more difficult to exploit.  This code was integrated (and optimized)
into OpenBSD/sparc, but could not be enabled because the interface changes
affected gdb deeply.  Mike and I (independently) failed to write gdb
support, so StackGhost was left disabled. Until today, two years later..
because Mark Kettenis has written the necessary code!  Here comes the 1
line diff that enables StackGhost!  Thanks Mark!


This means that lx/ss4/ss5/ss10/ss20 machines now have three
technologies together:

	W^X
	ProPolice
	StackGhost

Source URL:
http://kerneltrap.org/node/3179