1

As a consequence of an programming error we get segmentation faults . But as a necessary tool we try the same thing but the kernel detects it as smashing the stack . How exactly does the kernel see the difference ?

AstroCB
  • 12,337
  • 20
  • 57
  • 73
wanttomasterpython
  • 149
  • 2
  • 10

2 Answers2

3

Briefly, no. Segmentation faults are when the kernel is able to detect an invalid memory access and then kills the process. Some invalid memory accesses cannot be detected by the kernel, and stack overflows are built on these. However, stack overflows can be detected by the compiler and are in recent versions of gcc (4.1+), which have built-in protection against stack smashing attacks. Basically, a "canary" value is placed on the stack between stack frames. There are checks to make sure the canary still has the correct value; if it doesn't (because it was overwritten and the overwriter couldn't guess the correct value) then the stack smashing protection routines execute. For more information, see: http://en.wikipedia.org/wiki/Buffer_overflow_protection#GCC_Stack-Smashing_Protector_.28ProPolice.29 and http://wiki.osdev.org/GCC_Stack_Smashing_Protector

You can disable the gcc protection with "-fno-stack-protector", for more on this see: Stack smashing code not working on Linux kernel 2.6.38.7... Please help

Conversely, a segmentation fault is just an invalid memory access that happens anywhere in the program, meaning the kernel detects access to memory that is not in the program's allowed memory region. AFAIK this is checked using a combination of x86 segments and virtual memory. There's no real way for the kernel/OS to know whether an access was in the original program code or the code was exploited somehow; either way, the program is attempting to access memory it cannot and so it is forcibly terminated.

Community
  • 1
  • 1
Paul
  • 1,800
  • 2
  • 17
  • 17
  • Without bringing down the stack boundary cant I successfully smash the stack ? – wanttomasterpython Dec 15 '12 at 16:26
  • No, how could you? The whole idea of "stack smashing" is that you smash past (i.e., overwrite) the edge of the memory that was supposed to be used for this variable. As a first approximation, we can assume that can only be done contiguously. Moreover, you have to overwrite the current frame so that you can change the prior frame so that when the program tries to return to the prior frame it instead executes your shellcode. – Paul Dec 15 '12 at 16:30
  • http://en.wikipedia.org/wiki/Stack_buffer_overflow is a pretty good overview of this topic; you should study it. – Paul Dec 15 '12 at 16:37
  • wanttomasterpython, if you find my answer or melpomene's answers your question, you should mark it as an answer. If you don't mark answers to your questions, people will eventually stop answering them. – Paul Dec 15 '12 at 17:15
  • The Linux kernel does have protection against stack overflows that occur inside the kernel itself. I imagine those are the gcc protections, since the Linux kernel is compiled with gcc. – Paul Dec 15 '12 at 17:20
0

Isnt Segmentation fault the same as the smashing the stack?

No, a segmentation fault is when the operating system detects an invalid memory access and terminates your process. Smashing the stack refers to the act of overwriting (return) addresses on the stack, typically by overflowing a locally declared array.

When you're smashing the stack (as an attacker), your goal is to get the process to execute code of your choice. You want to avoid segmentation faults because they would kill the process you're trying to take over.

As a consequence of an programming error we get segmentation faults .

Well, some errors cause segmentation faults, yes. Other errors do nothing or just cause wrong results (such as when an attacker successfully exploits a buffer overflow and makes the program run completely different code).

But as a necessary tool we try the same thing but the kernel detects it as smashing the stack .

I have no idea what you just said but the kernel does not detect "smashing the stack".

How exactly does the kernel see the difference ?

Difference between what?

melpomene
  • 84,125
  • 8
  • 85
  • 148
  • Difference between Segmentation Faults and stack smashing . Wont the canary value that is preserved to protect the stack alter either way ? – wanttomasterpython Dec 15 '12 at 16:32
  • Canary values are those that are used in the memory near the return address so that the very disturbance caused to the return address changes the canary value too , and a change in the canary value is detected and the program is aborted. – wanttomasterpython Dec 15 '12 at 16:35
  • Why do you think there will be a canary value? – melpomene Dec 15 '12 at 16:39
  • wanttomasterpython, the stack smashing protection for user applications is not provided by the Linux kernel, it's provided by the gcc compiler. See my answer. – Paul Dec 15 '12 at 17:19
  • Ya , knew that, wrote down by mistake . All along the canary values confused me . There was a different offset( offset from the first variable in the stack and the return address ) everytime I changed the variable sizes . Never thought it was the canary value hiding there :) – wanttomasterpython Dec 15 '12 at 17:23