AD2037: PeEnableStackClashProtection

Summary

| Property   | Value                            |
| ---------- | -------------------------------- |
| ID         | AD2037                           |
| Name       | PeEnableStackClashProtection     |
| Category   | Security                         |
| Severity   | Warning                          |
| Applies to | PE (Windows, GCC/Clang compiled) |

Description

PE binaries compiled with GCC or Clang should be built with stack clash protection, which defends against stack clash attacks that bypass the stack guard page.

How It Works

The rule checks for stack clash protection indicators:

  1. Stack probing patterns in code
  2. Compiler flags in debug information
  3. Stack clash-related symbols

Why This Matters

Stack clash attacks bypass the stack guard page by making large allocations that "jump over" the guard page, potentially corrupting adjacent memory regions.

The Stack Clash Attack

Normal stack growth:
  [Guard Page]  ← Protects against overflow
  [Stack]

Stack clash attack:
  [Guard Page]  ← Jumped over!
  [  Large   ]  ← Single allocation
  [Allocation]
  [Heap/Other] ← Corrupted!

CVE-2017-1000364

The "Stack Clash" vulnerability affected most Unix-like systems:

| Impact               | Description                    |
| -------------------- | ------------------------------ |
| Privilege escalation | Local root on Linux            |
| Memory corruption    | Controlled heap corruption     |
| Guard page bypass    | Fundamental mitigation failure |

Protection Mechanism

With -fstack-clash-protection:
  Large stack allocation → Multiple small probes
  Each probe touches guard → Guaranteed detection

Probe sequence:
  alloc 4KB → touch → alloc 4KB → touch → ...
  Cannot skip guard page
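To make the probe sequence concrete, here is a small added simulation in C (not part of this rule's documentation or the analyser's own code). It models a downward-growing stack with a single guard page below it and some unrelated mapping below that, then performs one large allocation two ways: unprobed, as unprotected code does, and page by page, as -fstack-clash-protection instructs the compiler to emit. PAGE_SIZE, STACK_PAGES and the page-index layout are constructed assumptions for the model, not a real process layout.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model parameters (assumptions for this example, not a real layout). */
#define PAGE_SIZE   4096u
#define STACK_PAGES 16u            /* usable stack pages below the current frame */
#define GUARD_PAGE  STACK_PAGES    /* the single guard page at the bottom of the stack */

enum region { REGION_STACK, REGION_GUARD, REGION_OTHER };

/* Page index is measured downward from the current stack pointer:
   0 = page holding sp, larger = lower addresses. Anything past the
   guard page belongs to some other mapping (heap, another thread's stack). */
static enum region classify_page(size_t page)
{
    if (page < GUARD_PAGE)  return REGION_STACK;
    if (page == GUARD_PAGE) return REGION_GUARD;
    return REGION_OTHER;
}

struct outcome {
    bool guard_hit;      /* an access landed on the guard page: the OS faults, the bug is caught */
    bool other_touched;  /* an access landed past the guard page: silent corruption */
    unsigned touches;    /* number of page accesses the allocation performed */
};

/* Touch one page and record what happened. Returns true when the access
   faults on the guard page, which ends the simulated execution. */
static bool touch(struct outcome *o, size_t page)
{
    o->touches++;
    switch (classify_page(page)) {
    case REGION_GUARD: o->guard_hit = true;     return true;
    case REGION_OTHER: o->other_touched = true; return false;
    default:                                    return false;
    }
}

/* Unprotected code: sp is moved by `bytes` in one step and the first write
   goes into the new frame, i.e. the page where the new sp landed. */
struct outcome alloc_unprobed(size_t bytes)
{
    struct outcome o = {false, false, 0};
    touch(&o, bytes / PAGE_SIZE);
    return o;
}

/* -fstack-clash-protection style: sp advances at most one page at a time and
   each page is touched before moving on, so the guard page cannot be skipped.
   Allocations smaller than a page need no probe at all. */
struct outcome alloc_probed(size_t bytes)
{
    struct outcome o = {false, false, 0};
    size_t pages = bytes / PAGE_SIZE;
    for (size_t p = 1; p <= pages; p++) {
        if (touch(&o, p))
            break;   /* the fault on the guard page stops execution here */
    }
    return o;
}

int main(void)
{
    /* 8 pages fits; 16 pages lands exactly on the guard; 20 pages jumps past it. */
    const size_t sizes[] = {8u * PAGE_SIZE, 16u * PAGE_SIZE, 20u * PAGE_SIZE};
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        struct outcome u = alloc_unprobed(sizes[i]);
        struct outcome p = alloc_probed(sizes[i]);
        printf("%6zu bytes | unprobed: guard_hit=%d corrupted=%d | probed: guard_hit=%d corrupted=%d probes=%u\n",
               sizes[i], u.guard_hit, u.other_touched, p.guard_hit, p.other_touched, p.touches);
    }
    return 0;
}
```

The 20-page case is the one the diagram above describes: the unprobed allocation performs a single access that lands in the other mapping with the guard page never touched, while the probed allocation touches pages 1 through 16 in order and faults on the guard page before anything beyond it is reached. The 8-page case shows the cost side of the same trade-off: the probed version performs one access per page where the unprobed version performs one.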

Performance Considerations

Stack clash protection has minimal runtime overhead for typical applications:

| Scenario                 | Overhead         |
| ------------------------ | ---------------- |
| Normal function calls    | Negligible       |
| Small stack allocations  | None             |
| Large allocations (>4KB) | Small probe cost |
| VLA-heavy code           | Moderate         |

Typical overhead:

| Workload Type               | Impact |
| --------------------------- | ------ |
| Compute-bound               | <0.5%  |
| Call-heavy                  | <1%    |
| Recursive with large frames | 1-3%   |
| Heavy VLA usage             | 2-5%   |

Why overhead is low:

  - Probing only occurs for large allocations (typically >4KB)
  - Probe cost is a single memory access per page
  - Most functions have small stack frames

When to consider trade-offs:

  - Performance-critical recursive algorithms with large stack frames
  - Heavy use of Variable Length Arrays (VLAs)
  - Real-time systems with strict latency requirements

Resolution

Enable stack clash protection:

# GCC
gcc -fstack-clash-protection program.c

# Clang
clang -fstack-clash-protection program.c

CMake Configuration

if(CMAKE_C_COMPILER_ID MATCHES "GNU|Clang")
    add_compile_options(-fstack-clash-protection)
endif()