RenewSSP
(Renew Stack Smashing Protector)
Prevent SSP Brute Force Attacks

Do not be left behind in the race of security, particularly in network applications that are exposed to the wild.
Don't let others use your system

Current network server architectures (forking and pre-forking), used by most servers like Apache, Samba, Lighttpd, etc., are prone to brute force attacks against the Stack Smashing Protector.

The forking server architecture is not limited to network servers; it is also widely used in desktop applications (Firefox, Chrome, etc.) and application launchers such as Android's Zygote.

If the vulnerability can be exploited using the byte-for-byte attack, then a system without RenewSSP can be defeated in just a few seconds. Using RenewSSP, it is close to impossible.

Among others, RenewSSP thwarts:

  • The offset2lib attack, which bypasses ASLR on 64-bit Linux in less than one second. The video on the right shows how RenewSSP thwarts a brute force attack.
  • The PoC presented in the Blind ROP attack is also blocked.
  • Note that RenewSSP predates these kinds of attacks.

The Renew Stack Smashing Protector (renewSSP) is a modification of the stack-smashing protector (SSP) technique with the following properties:
  1. It eliminates brute force attacks against the canary.
  2. The technique is not intrusive, and can be implemented as:
    • A small library which is pre-loaded with the protected application.
      No need to recompile the application.
    • A modification of 2 lines of code of the protected application.
    • In a GNU/Linux system, an extension to the clone() library call.
  3. The overhead is negligible: a cost is incurred only when a new process is created, and during the execution of the application the cost is zero.
  4. When used with the ASLR technique, the combined protection has a multiplicative effect.
What is RenewSSP?
The Renew Stack Smashing Protector (renewSSP) is a modification of the stack-smashing protector.

Why should I use RenewSSP?
Using RenewSSP helps prevent your computer from being infected and from disseminating spyware, adware, and other unwanted junk.
RenewSSP eliminates brute force attacks, especially the dangerous byte-for-byte attack. Using it on your servers and applications improves your protection against these threats with negligible overhead.

What can I protect with RenewSSP?
Any application that creates child processes. Network servers and applications which use the forking server architecture benefit the most from RenewSSP.

Do I need to change the binary or the source code?
No. All applications can use the RenewSSP protection technique without requiring binary or source modifications.

Do I need to change the compiler?
No. RenewSSP uses (but does not change) the stack-protector code generated by the compiler.

What operating systems are supported?
This technique can be employed on any operating system which supports the SSP protection technique. Modern operating systems such as Windows, GNU/Linux, OS X or Android currently support RenewSSP.

Isn't the canary already a random value?
Yes, but every child process has the same reference canary value. So from the attacker's point of view, in forking servers the value is unknown but the same for every trial (in the case of brute force). RenewSSP sets a new reference canary value, which is also random, so every child process has a different reference canary.
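
The inheritance described in the last answer can be observed directly. The following C program is an added example, not code from the RenewSSP distribution; it assumes x86_64 Linux with glibc, where the reference canary is kept at %fs:0x28, and `child_canary` and `children_share_canary` are hypothetical names.

```c
/* Added example. Assumes x86_64 Linux + glibc: reference canary at %fs:0x28. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <sys/random.h>
#include <sys/wait.h>
#include <unistd.h>

static uint64_t read_canary(void) {
    uint64_t v;
    __asm__ volatile("movq %%fs:0x28, %0" : "=r"(v));
    return v;
}

/* Fork one child and return the reference canary it runs with (0 on error).
   With renew != 0 the child first replaces the value inherited from the parent. */
static uint64_t child_canary(int renew) {
    int fd[2];
    uint64_t seen = 0, c = 0;
    if (pipe(fd) != 0) return 0;
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return 0; }
    if (pid == 0) {
        if (renew && getrandom(&c, sizeof c, 0) == (ssize_t)sizeof c) {
            c &= ~(uint64_t)0xff; /* keep the low byte zero, as glibc does */
            __asm__ volatile("movq %0, %%fs:0x28" : : "r"(c) : "memory");
        }
        c = read_canary();
        if (write(fd[1], &c, sizeof c) != (ssize_t)sizeof c) _exit(1);
        _exit(0); /* never return through frames that hold the old canary */
    }
    close(fd[1]);
    if (read(fd[0], &seen, sizeof seen) != (ssize_t)sizeof seen) seen = 0;
    close(fd[0]);
    waitpid(pid, NULL, 0);
    return seen;
}

/* 1 if two successive children run with the same canary, 0 if they differ. */
int children_share_canary(int renew) {
    return child_canary(renew) == child_canary(renew);
}

int main(void) {
    printf("plain fork: children share canary = %d\n", children_share_canary(0));
    printf("renewed:    children share canary = %d\n", children_share_canary(1));
}
```

The child leaves with _exit() because stack frames created before the renewal still hold the old canary value and would fail their check on return.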

Download RenewSSP as a shared library

[renewSSP.tgz]
A simple implementation of RenewSSP using a preload shared library.
[canaryDump64.tgz]
Utility to print the value of the canaries on x86_64.

Documents

[Tutorial]
Step by step tutorial which shows how to use renewSSP with Apache2.
[Technical brief]
Summary of the RenewSSP technique.
[Paper] [Slides] [DOI]
H. Marco-Gisbert and I. Ripoll, Preventing brute force attacks against stack canary protection on networking servers, in Network Computing and Applications (NCA), 2013 12th IEEE International Symposium on, 2013, pp. 243-250.

Related papers

[Paper] [Slides] [DOI]
H. Marco-Gisbert and I. Ripoll, On the Effectiveness of NX, SSP, RenewSSP, and ASLR against Stack Buffer Overflows, in Network Computing and Applications (NCA), 2014 13th IEEE International Symposium on, 2014, pp. 145-152.
[Paper] [Slides] [Site]
H. Marco-Gisbert and I. Ripoll, On the effectiveness of Full-ASLR on 64-bit Linux, DeepSec 2014 Vienna.

This and other developments have been done by the Cybersecurity Research group at Universitat Politecnica de Valencia.


To get in touch with us, please, the Cyber Intel.

Learn more about it!
Why do I need it?
  • Buffer overflows are (according to MITRE) the third most dangerous software error.
  • Immediate benefit.
  • No need to change your software development process.