RenewSSP
(Renew Stack Smashing Protector)
Prevent SSP Brute Force Attacks

Do not be left behind in the race of security, particularly in network applications that are exposed to the wild.

Technical Information

The Renew Stack Smashing Protector (renewSSP) is a modification of the stack-smashing protector (SSP) technique which eliminates brute force attacks against the canary. The technique is not intrusive and can be applied by simply pre-loading a shared library. The overhead is almost negligible.
The technique has been tested on several web servers and on a complete GNU/Linux distribution by patching the standard C library. This prevention technique solves a very significant problem that appeared around 2006.

Full paper: H. Marco-Gisbert, I. Ripoll, "Preventing brute force attacks against stack canary protection on networking servers", in Network Computing and Applications (NCA), 2013 12th IEEE International Symposium on, 2013, pp. 243-250 [DOI]


Problem solved

Since 2006, forked and pre-forked networking server architectures have been known to be especially prone to brute force attacks. The problem appears when the main process creates a new process by duplicating the calling process: the child processes inherit (and therefore share) the same memory layout and the same canary value. The attacker can try, in bounded time, all possible canary values (for SSP) and memory layouts (for ASLR) until the correct ones are found. The attacker can first attack the canary value and later, using the same strategy, attack the ASLR. During this process the attacker can discard previously guessed values, which is what makes it a brute force attack. Such an attack can be modeled as the statistical problem called "sampling without replacement" and follows a uniform distribution.

The renewSSP solution prevents brute force attacks against the stack canary by re-randomizing the canary value every time a child process is created.

Using the renewSSP technique we obtain the following benefits:

  • The canary brute force attack, especially the byte-for-byte variant, is no longer possible.
  • The attack cannot be split. The attacker cannot attack first the canary and later the ASLR. Attackers are forced to bypass all protection mechanisms at once, which increases the effectiveness of the protection mechanisms (multiplicative effect).
  • The renewSSP technique has a negligible overhead in real systems.
  • While the attack against the standard SSP follows a uniform distribution, the attack against renewSSP follows a geometric distribution.
  • The solution can be implemented by means of a pre-loaded shared library, therefore it requires neither modifying the source code of the server nor recompiling it, nor modifying the operating system or the system libraries.
  • The renewSSP has been validated with several network servers (apache2, lighttpd, proftpd and samba) without modifying their source code or recompiling them.


Impact

This prevention technique can be applied to any server independently of the operating system. Brute forcing the stack buffer overflow is a real problem which mainly affects servers but is not limited to them. Therefore an incalculable number of servers and user applications around the world could benefit from the renewSSP technique.

There is a very dangerous form of SSP attack, called the byte-for-byte brute force attack, which allows the attacker to try each byte of the canary independently and so find the value of the canary with just a few hundred trials (the system is defeated in seconds). The renewSSP prevents brute force attacks against the canary, which has a serious impact on current exploitation techniques by disallowing every attack based on brute force and every exploit that relies on it.


Applicability

The renewSSP technique can be applied to any server application, either by pre-loading a shared library or by modifying the system libraries. Since pre-loading a shared library is enough, there is no need to modify the source code of the networking servers, nor to recompile the server, nor to modify the system libraries or the compiler. The renewSSP technique is especially useful for networked servers, but it is not limited to them.

We have tested it on a complete Linux distribution by modifying the standard C library, with full functionality and no appreciable performance penalty. Concretely, we modified the eglibc (with the renewSSP enabled at fork) of an Ubuntu Linux distribution, and all the tested applications worked correctly: all graphical services, several browsers, several text editors (LibreOffice), the Java OpenJDK interpreter, etc. We checked that every child process had a different canary reference and that no error appeared.


Effectiveness

To give an idea of the effectiveness of the renewSSP protection mechanism, the following is a short comparison between the current SSP and the renewSSP. The following code snippet is a real stack buffer overflow vulnerability of the kind that could be found in a real vulnerable system.

  void vulnerable_function(char *srcbuff, int lsrcbuff, int sock_c) {
      char buff[48];
      ...
      /* lsrcbuff is caller/attacker controlled and is never checked against
         sizeof(buff), so a long input overwrites the canary and the return address */
      memcpy(buff, srcbuff, lsrcbuff);
      ...
  }


To exploit this function we will assume a real system protected with Non-Executable (NX) memory or Data Execution Prevention (DEP), the Stack Smashing Protector (SSP) and Address Space Layout Randomization (ASLR).

The most effective ways to bypass the three protection techniques on a real system are:

  • NX/DEP: instead of executing the injected code/data, reuse code that is already mapped in the process.
  • SSP: since the vulnerability lets the attacker control the number of bytes overflowed, a byte-for-byte brute force attack is feasible. This attack recovers the canary in far fewer attempts [SSP attack].
  • ASLR: we assume that the attacker bypasses the ASLR by brute force.

In this scenario the attacker could break into the system in a low number of attempts. The following table compares the time to break into a real system with the renewSSP protection mechanism versus the traditional SSP, at 1000 trials per second.

  Protections            32-bit systems           64-bit systems           Best possible attack
                         100%        Mean         100%        Mean
  NX + SSP + ASLR        < 1 sec.    < 1 sec.     74 hours    37 hours     Brute force
  NX + renewSSP + ASLR   Infinite    34 days      Infinite    431 Tyr      Trial and test

  (100%: time needed to exhaust the whole search space; Mean: expected time to break in.)

When the renewSSP protection mechanism is present, the attacker cannot brute force the SSP or the ASLR; the only strategy left is trial and test. This attack is modeled as a Bernoulli trial experiment: both protection mechanisms need to be bypassed at once and, because a brute force attack is not possible, each attempt has the same probability of success. As the table shows, we think that renewSSP is good enough to deter attackers.
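The two regimes described in the "Problem solved" section (sampling without replacement, uniform, for a canary shared across children; a geometric Bernoulli process for renewSSP) and the time figures in the table above can be reproduced with a small model. The code below is an added example, not code from the renewSSP project. It assumes the page's rate of 1000 trials per second, a 7-byte random canary on 64-bit systems (8 bytes minus the terminating zero byte) and 28 bits of ASLR entropy for a 64-bit process; with those assumptions the 64-bit SSP row (74 hours worst case, 37 hours mean) comes out as in the table, while the renewSSP mean is on the order of 10^14 years, the same regime as the table. The function names and the toy crash oracle in simulate_byte_for_byte are this example's own.

```python
"""Model of brute force (fixed canary across forked children) versus
trial and test (canary renewed in every child), as an added example.
Entropy figures are assumptions: 7 random canary bytes and 28 ASLR bits
on 64-bit systems. Rate of 1000 trials/s is taken from the page's table."""
import random

TRIALS_PER_SECOND = 1000  # rate used by the page's table (assumed here too)


def byte_for_byte_trials(canary_bytes, worst_case=True):
    """Requests needed to recover a canary one byte at a time when the
    value survives across children: each byte is uniform over 256 values
    and sampled without replacement (worst case 256 requests, mean 128.5)."""
    per_byte = 256 if worst_case else (256 + 1) / 2
    return canary_bytes * per_byte


def uniform_brute_force_trials(bits, worst_case=True):
    """Requests to guess a `bits`-bit value without replacement (ASLR)."""
    space = 2 ** bits
    return space if worst_case else (space + 1) / 2


def ssp_break_in_seconds(canary_bytes, aslr_bits, worst_case=True):
    """Standard SSP: the attack splits (canary first, ASLR second), so the
    two costs simply add up."""
    trials = (byte_for_byte_trials(canary_bytes, worst_case)
              + uniform_brute_force_trials(aslr_bits, worst_case))
    return trials / TRIALS_PER_SECOND


def renewssp_break_in_seconds(canary_bytes, aslr_bits, worst_case=True):
    """renewSSP: every request meets a fresh canary, so partial knowledge is
    worthless and canary and layout must be hit at once. Each attempt is a
    Bernoulli trial with p = 2^-(canary bits + ASLR bits); the number of
    attempts is geometric, mean 1/p and no upper bound (worst case infinite)."""
    if worst_case:
        return float("inf")
    p = 2.0 ** -(8 * canary_bytes + aslr_bits)
    return (1 / p) / TRIALS_PER_SECOND


def seconds_to_hours(s):
    return s / 3600


def seconds_to_years(s):
    return s / (365.25 * 86400)


def simulate_byte_for_byte(canary_bytes, renew, seed):
    """Toy crash oracle (constructed for this example): a child aborts if
    the supplied prefix differs from its canary. renew=False models a
    canary inherited unchanged by every child; renew=True models renewSSP,
    where each request is served by a child holding a freshly drawn canary.
    Returns (recovered canary or None, canary the last child held, requests)."""
    rng = random.Random(seed)
    draw = lambda: bytes(rng.randrange(256) for _ in range(canary_bytes))
    canary = draw()
    known = bytearray()
    requests = 0
    for pos in range(canary_bytes):
        for v in range(256):
            requests += 1
            if renew:
                canary = draw()          # renewSSP: new child, new canary
            if canary[:pos + 1] == bytes(known) + bytes([v]):
                known.append(v)          # byte accepted: move to the next one
                break
        else:
            return None, canary, requests  # no value survived at this position
    return bytes(known), canary, requests


if __name__ == "__main__":
    for worst in (True, False):
        label = "100%" if worst else "mean"
        print(f"64-bit NX+SSP+ASLR      {label}: "
              f"{seconds_to_hours(ssp_break_in_seconds(7, 28, worst)):.1f} hours")
        print(f"64-bit NX+renewSSP+ASLR {label}: "
              f"{seconds_to_years(renewssp_break_in_seconds(7, 28, worst)):.3g} years")
    print("static canary :", simulate_byte_for_byte(7, renew=False, seed=1))
    print("renewed canary:", simulate_byte_for_byte(3, renew=True, seed=1))
```

The simulation with renew=True uses a 3-byte canary only to keep the run short: even at that size the byte-for-byte procedure almost never completes, because a byte "confirmed" against one child says nothing about the canary of the next child, which is exactly the property the geometric model captures.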