When we compile a C program with gcc, we have to include the "-z execstack" option to enable a stack overflow attack. The question I want to ask is how gcc implements this. Without this option, how does gcc guard the stack? Please explain to me in detail if possible.
https://security.stackexchange.com/questions/158609/how-is-the-stack-protection-enforced-in-a-binary/158616#158616 – julian May 27 '18 at 18:48
2 Answers
In a classical stack overflow attack the attacker manages to place their own code (processor instructions) on the stack by overflowing some stack-based data structure with attacker-controlled content. Now, the attacker needs this content on the stack to be taken as instructions by the processor and executed. But the processor will only execute code from memory pages marked as executable. Only, modern OSes and compilers mark the pages of the stack as non-executable in order to prevent such stack overflows. The -z execstack option disables this protection.
- 184,332
- 29
- 363
- 424
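The non-executable stack described in this answer is not a runtime decision by gcc: the linker records the request in a PT_GNU_STACK program header of the ELF file, and the kernel reads its flags when it maps the stack at exec time (what "readelf -l ./a.out | grep GNU_STACK" shows as RW versus RWE). The following is an added example, not code from the answer above: a small parser that inspects that header in an ELF64 little-endian image, plus a builder that constructs a minimal fake image so the parser can be exercised without a real binary. The struct layouts mirror <elf.h> but are redefined here to keep the example self-contained; a little-endian host is assumed, and only ELF64 is handled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal ELF64 layouts, mirroring <elf.h> (no padding on common ABIs). */
typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} ehdr64_t;

typedef struct {
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} phdr64_t;

#define PT_LOAD_TYPE      1u
#define PT_GNU_STACK_TYPE 0x6474e551u   /* program header the linker emits for -z execstack / noexecstack */
#define PF_X_BIT          1u

/* STACK_ABSENT: no PT_GNU_STACK at all; the traditional Linux x86 behaviour
 * is then an executable stack, which is why the linker warns about it. */
enum { STACK_NX = 0, STACK_EXEC = 1, STACK_ABSENT = 2, STACK_ERR = -1 };

/* Walks the program headers of an in-memory ELF64 LE image and reports the
 * PT_GNU_STACK flags.  Every offset is bounds-checked against len. */
int gnu_stack_status(const unsigned char *buf, size_t len) {
    ehdr64_t eh;
    if (len < sizeof eh) return STACK_ERR;
    memcpy(&eh, buf, sizeof eh);
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0) return STACK_ERR;
    if (eh.e_ident[4] != 2 || eh.e_ident[5] != 1) return STACK_ERR; /* ELF64, little-endian only */
    if (eh.e_phentsize != sizeof(phdr64_t)) return STACK_ERR;
    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        uint64_t off = eh.e_phoff + (uint64_t)i * sizeof(phdr64_t);
        if (off > len || sizeof(phdr64_t) > len - off) return STACK_ERR;
        phdr64_t ph;
        memcpy(&ph, buf + off, sizeof ph);
        if (ph.p_type == PT_GNU_STACK_TYPE)
            return (ph.p_flags & PF_X_BIT) ? STACK_EXEC : STACK_NX;
    }
    return STACK_ABSENT;
}

/* Same check on a file on disk; the program headers sit near the start. */
int gnu_stack_status_file(const char *path) {
    static unsigned char buf[1 << 16];
    FILE *f = fopen(path, "rb");
    if (!f) return STACK_ERR;
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return gnu_stack_status(buf, n);
}

/* Constructs a minimal ELF64 image (header, one PT_LOAD, optionally one
 * PT_GNU_STACK) so the parser can be tested without a compiled binary. */
size_t build_test_image(unsigned char *out, size_t cap, int with_gnu_stack, int executable) {
    ehdr64_t eh; memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = 2; eh.e_ident[5] = 1; eh.e_ident[6] = 1;   /* ELF64, LE, version 1 */
    eh.e_type = 2; eh.e_machine = 62; eh.e_version = 1;        /* ET_EXEC, x86-64 */
    eh.e_phoff = sizeof eh; eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof(phdr64_t);
    eh.e_phnum = with_gnu_stack ? 2 : 1;
    size_t need = sizeof eh + (size_t)eh.e_phnum * sizeof(phdr64_t);
    if (cap < need) return 0;
    memcpy(out, &eh, sizeof eh);
    phdr64_t load; memset(&load, 0, sizeof load);
    load.p_type = PT_LOAD_TYPE; load.p_flags = 5;              /* R+X text segment */
    memcpy(out + sizeof eh, &load, sizeof load);
    if (with_gnu_stack) {
        phdr64_t st; memset(&st, 0, sizeof st);
        st.p_type = PT_GNU_STACK_TYPE;
        st.p_flags = executable ? 7 : 6;                        /* RWE vs RW */
        memcpy(out + sizeof eh + sizeof load, &st, sizeof st);
    }
    return need;
}

int main(int argc, char **argv) {
    static const char *names[] = { "non-executable (RW)", "executable (RWE)", "absent" };
    const char *path = argc > 1 ? argv[1] : "/proc/self/exe";
    int s = gnu_stack_status_file(path);
    if (s == STACK_ERR) { fprintf(stderr, "%s: not a readable ELF64 LE file\n", path); return 1; }
    printf("%s: GNU_STACK %s\n", path, names[s]);
    return 0;
}
```

Run it against a binary built with and without -z execstack to see the flag flip; an auditing script would treat STACK_EXEC and STACK_ABSENT as findings, since both leave the stack mapped executable on the classic x86 configuration.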
The OS and the compiler do two things to prevent a BOF.
The OS denies executing code stored in the stack (it only allows the CPU to execute instructions stored in the .text section), but you are injecting your malicious code into the stack, so you can disable this option by specifying -z execstack.
The compiler adds a secret int variable (guard) before vulnerable variables like buffers, so as to check if the secret value is changed when we copy elements into the buffer. So you must disable this option in order to perform a BOF. To do that you have to specify -fno-stack-protector when you compile your program.
- 427
- 4
- 10
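To make the guard mechanism from this answer concrete, here is an added educational model of it in plain C (not code from the answer, and not how gcc's -fstack-protector is implemented internally: the compiler emits the load and compare in the function prologue and epilogue, and glibc keeps the real canary in thread-local storage, initialised from the kernel-supplied AT_RANDOM bytes). The "frame" is an ordinary 24-byte array so every access stays defined C: bytes 0..15 play the buffer, bytes 16..23 the canary slot that sits between the buffer and the saved return address in a real frame. The guard value is a constructed constant chosen for determinism; its low byte is zero for the same reason glibc's is, so a NUL-terminated string copy cannot pass over it unchanged.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simulated frame layout: [BUF_SIZE bytes of buffer][GUARD_SIZE bytes of canary] */
#define BUF_SIZE   16
#define GUARD_SIZE 8
#define FRAME_SIZE (BUF_SIZE + GUARD_SIZE)

/* Process-wide canary.  Constructed constant standing in for the random value
 * glibc derives from AT_RANDOM; low byte deliberately zero. */
static uint64_t g_guard = 0x5a3c9e17b4d2f600ULL;

/* Mirrors what __stack_chk_fail does on a mismatch: report and abort. */
static void stack_chk_fail(void) {
    fputs("*** stack smashing detected ***: terminated\n", stderr);
    abort();
}

/* Copies n bytes of src into the simulated buffer without checking against
 * BUF_SIZE (that missing check is the bug being caught), then verifies the
 * canary the way a compiler-generated epilogue does.  n is clamped to the
 * whole frame only so the model itself never writes outside its own array.
 * Returns 1 if the canary is intact, 0 if it was overwritten; with fail_hard
 * set, a mismatch aborts instead of returning. */
int guarded_copy(const unsigned char *src, size_t n, int fail_hard) {
    unsigned char frame[FRAME_SIZE];
    memcpy(frame + BUF_SIZE, &g_guard, GUARD_SIZE);      /* prologue: place canary */
    if (n > FRAME_SIZE) n = FRAME_SIZE;
    memcpy(frame, src, n);                                /* unchecked copy */
    int intact = memcmp(frame + BUF_SIZE, &g_guard, GUARD_SIZE) == 0;  /* epilogue check */
    if (!intact && fail_hard) stack_chk_fail();
    return intact;
}

/* Feeds a constructed input of n 'A' bytes through guarded_copy and reports
 * whether the canary check fired (1) or not (0).  Up to BUF_SIZE bytes never
 * reach the canary; one byte more already flips its zero low byte. */
int copy_is_detected(size_t n) {
    unsigned char src[FRAME_SIZE];
    memset(src, 'A', sizeof src);
    return !guarded_copy(src, n, 0);
}

int main(void) {
    size_t sizes[] = { 8, 16, 17, 24 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++)
        printf("%2zu-byte input: canary %s\n", sizes[i],
               copy_is_detected(sizes[i]) ? "smashed (would abort)" : "intact");
    return 0;
}
```

The two properties the check relies on are visible here: the canary must be unpredictable per process (a fixed value, as in this model, would be trivially preserved by an over-long input), and the comparison must happen before the function uses anything stored above the buffer. -fno-stack-protector removes exactly the prologue store and epilogue compare that guarded_copy models.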