AD2033: PeEnableStackProtectorDwarf
Summary
| Property | Value |
|---|---|
| ID | AD2033 |
| Name | PeEnableStackProtectorDwarf |
| Category | Security |
| Severity | Warning |
| Applies to | PE (Windows, MinGW/GCC compiled) |
Description
PE binaries compiled with GCC/MinGW should enable stack protector (stack canaries) to detect stack buffer overflow attacks. This rule checks DWARF debug information for stack protection indicators.
How It Works
The rule examines DWARF debug information in PE binaries compiled with GCC/MinGW:
- Checks for `__stack_chk_fail` symbol presence
- Examines DWARF compilation unit attributes
- Verifies stack protection is consistently applied
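The symbol-presence check from the first bullet can be approximated without DWARF by reading the COFF symbol table that GNU ld leaves in unstripped MinGW binaries. This is an added example, not the rule's own implementation; `read_coff_symbols`, `stack_protector_status` and `build_sample` are hypothetical names, and the sample image is constructed (headers and symbols only, not a loadable PE).

```python
import struct

def read_coff_symbols(pe: bytes):
    """Return symbol names from a PE's COFF symbol table, or None if it was stripped."""
    (pe_off,) = struct.unpack_from("<I", pe, 0x3C)           # e_lfanew
    if pe[:2] != b"MZ" or pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    # COFF header follows the signature: PointerToSymbolTable at +8, NumberOfSymbols at +12
    sym_off, count = struct.unpack_from("<II", pe, pe_off + 4 + 8)
    if sym_off == 0 or count == 0:
        return None
    str_off = sym_off + 18 * count                           # string table follows the symbols
    names, i = [], 0
    while i < count:
        entry = pe[sym_off + 18 * i:sym_off + 18 * (i + 1)]
        if len(entry) != 18:
            raise ValueError("truncated symbol table")
        if entry[:4] == b"\0\0\0\0":                         # long name: offset into string table
            start = str_off + struct.unpack_from("<I", entry, 4)[0]
            raw = pe[start:pe.index(b"\0", start)]
        else:                                                # short name (<= 8 bytes) stored inline
            raw = entry[:8].rstrip(b"\0")
        names.append(raw.decode("ascii", "replace"))
        i += 1 + entry[17]                                   # skip auxiliary records
    return names

def stack_protector_status(pe: bytes) -> str:
    names = read_coff_symbols(pe)
    if names is None:
        return "unknown"                                     # stripped: symbols give no verdict
    # endswith also matches the extra leading underscore used on 32-bit x86
    hit = any(n.endswith("__stack_chk_fail") for n in names)
    return "protected" if hit else "unprotected"

def build_sample(names):
    """Constructed test input: DOS/PE/COFF headers plus a symbol and string table."""
    strtab, syms = b"", b""
    for n in names:
        raw = n.encode()
        if len(raw) <= 8:
            field = raw.ljust(8, b"\0")
        else:
            field = struct.pack("<II", 0, 4 + len(strtab))   # offset counts the 4-byte size field
            strtab += raw + b"\0"
        syms += field + struct.pack("<IhHBB", 0, 1, 0x20, 2, 0)
    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, 0, 0x40 + 24, len(names), 0, 0)
    return dos + b"PE\0\0" + coff + syms + struct.pack("<I", 4 + len(strtab)) + strtab
```

A stripped binary yields `unknown` rather than `unprotected`, because a missing symbol table says nothing about whether canaries were compiled in.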
Why This Matters
PE binaries compiled with non-MSVC toolchains (MinGW, Clang with GNU-style output) may not use the Visual Studio security cookie mechanism. Instead, they should use GCC-style stack protectors.
Stack Protector Levels
| Flag | Protection Level |
|---|---|
| `-fno-stack-protector` | None |
| `-fstack-protector` | Functions with buffers |
| `-fstack-protector-strong` | Recommended |
| `-fstack-protector-all` | All functions |
How Stack Canaries Work
```text
Function entry:
    Push random canary value on stack

Stack layout:
    [Return Address]
    [Saved Frame Pointer]
    [CANARY]              ← Random value
    [Local Variables]
    [Buffer]              ← Overflow starts here

Function exit:
    Verify canary unchanged
    If corrupted → __stack_chk_fail → abort
```
Cross-Compiler Security
| Compiler | Windows Security |
|---|---|
| MSVC | /GS (security cookie) |
| MinGW-GCC | -fstack-protector-strong |
| Clang/Windows | Either mechanism |
Performance Considerations
Stack protector has minimal overhead:
| Protection Level | Typical Overhead |
|---|---|
| `-fstack-protector` | <1% |
| `-fstack-protector-strong` | 1-2% |
| `-fstack-protector-all` | 5-10% |
Recommended setting: -fstack-protector-strong provides the best balance between coverage and performance.
Overhead breakdown:
- Function prologue: Load canary from TLS (~2 instructions)
- Function epilogue: Compare canary (~3 instructions)
- Only applied to vulnerable functions with -fstack-protector-strong
MinGW-specific notes:
- Uses GCC-style stack protector, not MSVC /GS
- Performance characteristics match GCC on Linux
- Thread-local storage access may be slightly slower on Windows
Resolution
Enable stack protector in your MinGW/GCC build: