[hardening-discuss] Bug#771056: Bug#771056: ICC stack protection false negative
Cornea, Alexandru
alexandru.cornea at intel.com
Mon Dec 8 15:52:34 UTC 2014
X-Debbugs-CC: kevin.b.smith at intel.com
Hello Kees,
I am not part of the ICC team, I just observed the reported behavior.
However, I got in touch with Kevin (CC'ed) from the ICC team, and he informed me that it uses a GCC style stack protection, so there should not be concerns of a weak stack protector scheme.
Regarding the stack canary, it is obtained by xor'ing with the esp register value.
Here is the transcript of Kevin's reply:
"""
using the option --fstack-protector or --fstack-protector-all will use a gcc style stack protection mechanism, and calls to
__stack_chk_fail will be generated (and executed) if the check fails. Using the option --fstack-security-check will generate code that uses
__intel_security_cookie, and which will xor that value with the current %esp to produce the stack canary value. The routine
__intel_security_check_cookie will be called to check the security cookie on the stack.
__intel_security_cookie variable and __intel_security_check_cookie are defined in the libirc.a that is shipped with the Intel compiler.
"""
If you need additional information, I hope Kevin can helps us with it.
Regards,
Alex
-----Original Message-----
From: Kees Cook [mailto:kees at debian.org]
Sent: Wednesday, November 26, 2014 6:05 PM
To: Cornea, Alexandru; 771056 at bugs.debian.org
Cc: Maxim, Costel
Subject: Re: [hardening-discuss] Bug#771056: ICC stack protection false negative
Tags: moreinfo
Hi,
On Wed, Nov 26, 2014 at 11:30:42AM +0000, Cornea, Alexandru wrote:
> The script hardening-check can give a false negative result if the binary analyzed was compiled with ICC (with stack protection).
> Hardening-check looks for __stack_chk_fail, but in ICC compiled binaries the correct functions to be searched for should be __intel_security_cookie or __intel_security_check_cookie.
Thanks for the report! Can you point me to documentation on ICC's stack protection implementation? If the ICC-compiled binaries are using something other than __stack_chk_fail, then they may not be using glibc's canary, which I would view as a regression. (As in, I would like to be convinced that this is actually a false negative -- this may be reporting a weak stack protector scheme instead.)
> Below is a naive patch:
>
> diff --git a/usr/bin/hardening-check b/hardening-check-intel index
> 799943c..f40eda7 100755
> --- a/usr/bin/hardening-check
> +++ b/hardening-check-intel
> @@ -302,6 +302,7 @@ foreach my $file (@ARGV) {
> # Stack-protected
> $name = " Stack protected";
> if (defined($functions->{'__stack_chk_fail'}) ||
> + defined($functions->{'__intel_security_cookie'}) ||
You mentioned __intel_security_check_cookie as well. I assume this is the canary? How is it chosen, what is its value?
> (!$elf && defined($functions->{'__stack_chk_fail_local'}))) {
> good($name, "yes")
> }
>
> Regards,
> Alex
Thanks!
-Kees
--
Kees Cook @debian.org
More information about the hardening-discuss
mailing list