InnovationQ will be updated on Sunday, Oct. 22, from 10am ET - noon. You may experience brief service interruptions during that time.
Browse Prior Art Database

Defending method of stack smashing attack

IP.com Disclosure Number: IPCOM000245305D
Publication Date: 2016-Feb-29
Document File: 6 page(s) / 149K

Publishing Venue

The IP.com Prior Art Database


A common point in all possible stack smashing attacks is overwriting the return address of a function and thereafter enforcing the function's return to some malicious code. This invention devises a method to separate the return address from the local data on stack. In such a way, adversary has no way to overwrite the return address and therefore stack smashing attachs are defended.

This text was extracted from a PDF file.
This is the abbreviated version, containing approximately 37% of the total text.

Page 01 of 6

Defending method of stack smashing attack

Generally, the stack smashing types of attacks arise when an adversary manipulates the call stack by taking advantage of a bug in the program, often a stack overrun. In a buffer overrun, a function will accept more input data than it can store properly. The excess data may overwrite the return address to change the program control flow. The attackers can make the program to branch into the malicious code by overwriting the return address by stack overflow attack. The malicious code can be loaded into stack by stack overflow or the existed code chunks of library functions or entire library functions. There are 4 kinds of attack evolved from stack smashing attack. The common point of the attacks is branching into the malicious code by overwriting the return address.

The evolved stack smashing attacks are described below:

The standard buffer overrun attack is to write attack code (the "payload") onto the stack and overwrite the return address with the location of the "payload".

The return-into-library attack is to hijack program control flow by exploiting a buffer overrun vulnerability. Instead of attempting to write an attack payload onto the stack,the attacker chooses an available library function and overwrites the return address with its entry location. Further stack locations are then overwritten to pass the proper parameters to perform the functionality useful to the attacker.

The borrowed code chunks attack is to use chunks of library functions instead of entire functions themselves.This technique looks for functions that contain instruction sequences that pop values from the stack to into registers.The attacker can take advantage of these instruction sequences to put suitable argument into the register to perform a function call.

The return-oriented programming attack builds on the borrowed code chunks approach and extends it to provide Turing Complete functionality to the attacker. It is to search for an opcode that alters control flow, most notably the return instruction and then look backwards in the binary for preceding bytes that form possibly useful instructions. These sets of instruction "gadgets" can then be chained by overwriting the return address. By chaining the small instruction sequences, an attacker is able to produce arbitrary program behavior from pre-existing library code. Given any sufficiently large quantity of code (including, but not limited to, the C standard library), sufficient gadgets will exist for Turing-complete functionality.

In this invention a method is devised to defense the stack smashing attacks:

1) Separate the stack into 2 independent stacks, one is to contain data information, such as automatic variables and the parameters to the called functions, the other is to contain the context information, such as return address and register values.


Page 02 of 6

2) The 2 stacks are non-continuous. To protect the context stack from overlaying from the data...