RenewSSP (Renew Stack Smashing Protector)
Prevent SSP Brute Force Attacks
Do not be left behind in the race of security, particularly in network applications that are exposed to the wild.
RenewSSP relies on the already existing SSP infrastructure, so only minor modifications to the system are needed. It can be implemented in several ways:
The last solution provides a way of using RenewSSP that is transparent to users and applications. In just a few seconds, you can give it a try.
This PoC shows how the renewSSP works. The following example prints the canary values of a process and its child, both with the standard SSP and with the renewSSP.
$ wget http://hmarco.org/renewssp/download/renewSSP.tgz
$ tar xvf renewSSP.tgz
renewSSP/
renewSSP/librenewssp.c
renewSSP/Makefile
renewSSP/test_renewssp.c
$ cd renewSSP
$ make
gcc -O2 test_renewssp.c -o test_renewssp
gcc -O2 -fno-stack-protector -shared -fPIC -o librenewssp.so librenewssp.c -ldl
There will be two ELF files: test_renewssp and librenewssp.so.
$ ldd ./test_renewssp
linux-vdso.so.1 => (0x00007fff241fe000)
libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f52fbd2a000)
/lib64/ld-linux-x86-64.so.2 (0x00007f52fc10e000)
$ ./test_renewssp
Canary before fork(): 0xc5dff361e98fe700
Reference-canary of the parent: 0xc5dff361e98fe700
Reference-canary of the child: 0xc5dff361e98fe700
As expected, the parent and its child have (share) the same canary value.
$ LD_PRELOAD=./librenewssp.so ./test_renewssp
Canary before fork(): 0x20f9625237f42200
Reference-canary of the parent: 0x20f9625237f42200
Reference-canary of the child: 0xe954ae35970ba300
As can be seen, the child process has a different reference canary and it exits normally.
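As an added example, not code from the renewSSP library or its author: a minimal x86_64/glibc sketch of what a preloaded fork() wrapper such as librenewssp.so has to do, namely install a fresh reference canary in the child and rewrite the canary slots of frames that were already on the stack, since otherwise any function entered before fork() would fail its SSP check on return. The TCB offset %fs:0x28, the use of __libc_stack_end as the scan bound and all function names are this example's own assumptions, not taken from the page.

```c
/* x86_64/glibc sketch of the RenewSSP idea: the child of fork() gets a fresh canary and its live frames are patched to match. */
#define _GNU_SOURCE
#include <stdint.h>
#include <unistd.h>
#include <sys/random.h>
#include <sys/wait.h>
extern void *__libc_stack_end;  /* glibc: top of the initial process stack */
/* glibc on x86_64 keeps the reference canary in the TCB at %fs:0x28 (assumed layout). */
static uintptr_t get_canary(void) {
    uintptr_t c;
    __asm__ volatile("movq %%fs:0x28, %0" : "=r"(c));
    return c;
}
static void set_canary(uintptr_t c) {
    __asm__ volatile("movq %0, %%fs:0x28" : : "r"(c) : "memory");
}
static uintptr_t new_canary(void) {
    uintptr_t c = 0;
    if (getrandom(&c, sizeof c, 0) != (ssize_t)sizeof c) _exit(1);
    return c & ~(uintptr_t)0xff; /* lowest byte zeroed, as glibc does */
}
/* Rewrite every copy of `old` between this frame and the stack top. Not inlined: its own slot (below the frame address) already holds `fresh`. */
__attribute__((noinline)) static void patch_frames(uintptr_t old, uintptr_t fresh) {
    for (uintptr_t *p = __builtin_frame_address(0); (void *)p < __libc_stack_end; p++)
        if (*p == old) *p = fresh;
}
/* fork() that renews the child's canary; same return contract as fork(). */
pid_t renew_fork(void) {
    pid_t pid = fork();
    if (pid == 0) {
        uintptr_t old = get_canary(), fresh = new_canary();
        set_canary(fresh);        /* frames entered from now on use it  */
        patch_frames(old, fresh); /* frames already on the stack get it */
    }
    return pid; /* in the child this epilogue check now sees the patched slot */
}
/* Returns 1 if the child reports a canary different from the parent's and exits cleanly (no __stack_chk_fail on the way back from renew_fork). */
int demo_child_gets_fresh_canary(void) {
    uintptr_t parent = get_canary(), child = 0;
    int fd[2], status = 0;
    if (pipe(fd) != 0) return 0;
    pid_t pid = renew_fork();
    if (pid == 0) {
        uintptr_t mine = get_canary();
        _exit(write(fd[1], &mine, sizeof mine) == (ssize_t)sizeof mine ? 0 : 1);
    }
    if (pid < 0 || read(fd[0], &child, sizeof child) != (ssize_t)sizeof child) return 0;
    if (waitpid(pid, &status, 0) != pid) return 0;
    return child != parent && WIFEXITED(status) && WEXITSTATUS(status) == 0;
}
```

Build with -fstack-protector-all to see the point of patch_frames: without it the child would abort inside renew_fork's epilogue instead of exiting normally.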
$ sudo apt-get install apache2-mpm-prefork
$ cd ~
$ wget http://hmarco.org/renewssp/download/canaryDump64.tgz
$ tar xvf canaryDump64.tgz
canaryDump64/
canaryDump64/Makefile
canaryDump64/canarydump_x86_64.c
$ cd canaryDump64/
$ make
gcc canarydump_x86_64.c -o canarydump_x86_64 -m64
This tool prints the value of the reference canary of the process whose PID is passed as parameter.
$ for pid in `pidof apache2`; do sudo ./canarydump_x86_64 ${pid}; done
Canary: [0x6fa5c4a7d4a1ba00] Pid [21946] /usr/sbin/apache2
Canary: [0x6fa5c4a7d4a1ba00] Pid [21945] /usr/sbin/apache2
Canary: [0x6fa5c4a7d4a1ba00] Pid [21942] /usr/sbin/apache2
All the Apache processes have the same reference canary value (0x6fa5c4a7d4a1ba00).
$ cd ~
$ wget http://hmarco.org/renewssp/download/renewSSP.tgz
$ tar xvf renewSSP.tgz
renewSSP/
renewSSP/librenewssp.c
renewSSP/Makefile
renewSSP/test_renewssp.c
$ cd renewSSP
$ make
gcc -O2 test_renewssp.c -o test_renewssp
gcc -O2 -fno-stack-protector -shared -fPIC -o librenewssp.so librenewssp.c -ldl
$ sudo cp librenewssp.so /lib/
$ sudo sed -i 's/APACHE2CTL="$ENV/RENEWSSP="LD_PRELOAD=\/lib\/librenewssp.so"\
APACHE2CTL="$ENV $RENEWSSP/g' /etc/init.d/apache2
$ sudo service apache2 restart
$ cd ~/canaryDump64/
$ for pid in `pidof apache2`; do sudo ./canarydump_x86_64 ${pid}; done
Canary: [0xee735adece8cfc00] Pid [23402] /usr/sbin/apache2
Canary: [0x04e6609d9707ec00] Pid [23401] /usr/sbin/apache2
Canary: [0x4e84ad51a92f9100] Pid [23398] /usr/sbin/apache2
Note that the default configuration of the pre-forked Apache2 is to launch two worker servers. As shown in the previous output, every child process has a different reference canary and the Apache web server keeps working normally.
Now you can test Apache2 using the ab (Apache Benchmark) utility. Our results show that the time per request (across all concurrent requests) is the same in both cases. In order to avoid network interference, we ran the benchmark on the same computer as the Apache2 server.
There is no significant performance difference between the standard SSP and the RenewSSP.