AD3003: EnableStackProtector¶

Summary¶

Description¶

Stack protector adds a 'canary' value between local variables and the return address on the stack. If a buffer overflow overwrites the canary, the program will detect this and abort before the corrupted return address is used.

Enable this protection by compiling with -fstack-protector-strong or -fstack-protector-all.

How It Works¶

The rule checks for the presence of stack canary symbols:

• __stack_chk_fail
• __stack_chk_guard

These symbols indicate stack protector is enabled and linked.

Why This Matters¶

Stack protectors (canaries) are one of the most effective and widely-deployed exploit mitigations. They detect stack buffer overflows before the attacker can hijack control flow, converting potential code execution into a controlled crash.

How Stack Canaries Work¶

Stack Layout with Canary:

  ┌─────────────────┐  High address
  │  Return Address │  ← Attacker target
  ├─────────────────┤
  │  Saved RBP      │
  ├─────────────────┤
  │  CANARY VALUE   │  ← Random value, checked on return
  ├─────────────────┤
  │  Local buffer   │  ← Overflow source
  └─────────────────┘  Low address

Overflow must pass through canary to reach return address.
Canary mismatch = abort before return.

Protection Levels¶

-fstack-protector-strong protects functions with: - Arrays of any size - Variables whose address is taken - Local struct/unions with arrays

Real-World Effectiveness¶

Stack canaries have stopped countless attacks:

Canary Types¶

Linux uses "terminator canaries":

Canary value includes: 0x00, 0x0a, 0x0d, 0xff

These bytes terminate:
  - String copy (0x00)
  - Line reads (0x0a, 0x0d)

Makes overflow with intact canary very hard.

Performance Considerations¶

For most applications, -fstack-protector-strong is the best trade-off.

Bypass Techniques (and Defenses)¶

Canaries aren't perfect, but bypass is hard:

Distribution Defaults¶

• Buffer overflow detection: Catches stack smashing at runtime
• Controlled abort: Crashes safely instead of executing attacker code
• Low overhead: Minimal performance impact with -fstack-protector-strong
• Standard protection: Enabled by default on most distributions

Resolution¶

GCC/Clang¶

# Recommended - protects most vulnerable functions
gcc -fstack-protector-strong source.c -o binary

# Maximum protection - all functions
gcc -fstack-protector-all source.c -o binary

# Basic protection - only functions with arrays
gcc -fstack-protector source.c -o binary

CMake¶

add_compile_options(-fstack-protector-strong)

# For specific target
target_compile_options(myapp PRIVATE -fstack-protector-strong)

Makefile¶

CFLAGS += -fstack-protector-strong

Autotools¶

./configure CFLAGS="-fstack-protector-strong"

When to Suppress¶

This rule may be suppressed for:

• Performance-critical code: After profiling shows significant impact
• Freestanding code: No libc (kernel, boot code)
• Minimal runtime: Embedded systems without stack protector support

Caveats¶

• Requires libc support (__stack_chk_fail)
• -fstack-protector-all has higher overhead
• Some very old compilers may not support -fstack-protector-strong

Stack Protector Variants¶

How It Works (Detailed)¶

Stack Layout with Canary:
┌─────────────────┐
│ Return Address  │ ← Target of overflow
├─────────────────┤
│ Saved Frame Ptr │
├─────────────────┤
│ Stack Canary    │ ← Random value checked on return
├─────────────────┤
│ Local Variables │ ← Buffer overflow starts here
└─────────────────┘

On function return:
1. Compare canary to expected value
2. Mismatch → call __stack_chk_fail()
3. __stack_chk_fail() aborts process

Related Rules¶

• AD3005: EnableStackClashProtection
• AD3030: UseGccCheckedFunctions

References¶

• Stack Smashing Protector
• GCC Instrumentation Options
• Strong Stack Protector