4.15. Protecting against buffer overflows
Buffer overflow is the name of a common attack on software which makes use of insufficient boundary checking (a programming error, most commonly in the C language) in order to execute machine code through program inputs. These attacks, against server software which listens to connections remotely and against local software which grants higher privileges to users (setuid or setgid), can result in the compromise of any given system.
There are mainly four methods to protect against buffer overflows:
patch the kernel to prevent stack execution. You can use either: Exec-shield, OpenWall or PaX (included in the Grsecurity and Adamantix patches).
fix the source code by using tools to find fragments of it that might introduce this vulnerability.
Debian GNU/Linux, as of the 3.0 release, provides software to introduce all of these methods except for the protection on source code compilation (but this has been requested in http://bugs.debian.org/213994).
Notice that even if Debian provided a compiler which featured stack/buffer overflow protection, all packages would need to be recompiled in order to introduce this feature. This is, in fact, what the Adamantix distribution does (among other features). The effect of this new feature on the stability of software is yet to be determined (some programs or some processor architectures might break due to it).
If you want to test your buffer overflow protection once you have implemented it (regardless of the method), you might want to install the paxtest package and run the tests it provides.
4.15.1. Kernel patch protection for buffer overflows
Kernel patches related to buffer overflows include the Openwall patch, which provides protection against buffer overflows in 2.2 Linux kernels. For 2.4 or newer kernels, you need to use the Exec-shield implementation or the PaX implementation (provided in the grsecurity patch, kernel-patch-2.4-grsecurity, and in the Adamantix patch, kernel-patch-adamantix). For more information on using these patches read Section 4.14, "Adding kernel patches".
4.15.2. Testing programs for overflows
The use of tools to detect buffer overflows requires, in any case, programming experience in order to fix (and recompile) the code. Debian provides, for example, bfbtester (a buffer overflow tester that brute-forces binaries through command line and environment overflows). Other packages of interest are rats, pscan, flawfinder and splint.
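The "fix the source code" method above and the source-scanning tools just listed both come down to the same thing: finding a copy into a fixed-size buffer that never checks the size of the destination, and replacing it with one that does. The following is an added example, not code from the Debian manual or from any of the tools it names; the buffer size, function names and sample inputs are constructed for illustration. The first function is the kind of unbounded strcpy() that flawfinder or rats report; the second is its bounded replacement, which rejects input that would not fit instead of writing past the end of the buffer.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_LEN 16   /* constructed buffer size for the example */

/* The programming error the manual describes: strcpy() never looks at
 * how large dst is, so any input longer than NAME_LEN - 1 bytes
 * overwrites whatever follows the buffer on the stack. Source scanners
 * such as flawfinder and rats flag exactly this call. Kept here only
 * to show what the scanners report; it must not be called with
 * untrusted input. */
void copy_name_unchecked(char dst[NAME_LEN], const char *src)
{
    strcpy(dst, src);   /* no boundary check */
}

/* Bounded replacement: the caller passes the real size of dst, the
 * copy is refused when the input (plus its terminating NUL) would not
 * fit, and dst is always NUL-terminated on success.
 * Returns 0 on success, -1 when the input was rejected. */
int copy_name_checked(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (dst_len == 0 || n >= dst_len)
        return -1;                 /* would overflow: reject, leave dst as is */
    memcpy(dst, src, n + 1);       /* n bytes plus the terminating NUL */
    return 0;
}

/* Self-check used below: 1 if the bounded copy accepts an input that
 * fits, rejects one that does not, and leaves the buffer untouched on
 * rejection; 0 otherwise. */
int checked_copy_behaves(void)
{
    char buf[NAME_LEN];
    if (copy_name_checked(buf, sizeof buf, "alice") != 0)            return 0;
    if (strcmp(buf, "alice") != 0)                                    return 0;
    /* 32 characters: far more than the 15 that fit in buf */
    if (copy_name_checked(buf, sizeof buf,
                          "name-that-is-far-too-long-to-fit") != -1)  return 0;
    if (strcmp(buf, "alice") != 0)                                    return 0;
    return 1;
}

int main(void)
{
    char buf[NAME_LEN];
    /* Safe use of the unchecked version only with a constant that fits. */
    copy_name_unchecked(buf, "bob");
    printf("unchecked copy of short constant: %s\n", buf);
    printf("bounded copy behaves as intended: %s\n",
           checked_copy_behaves() ? "yes" : "no");
    return 0;
}
```

Running flawfinder or rats over this file reports the strcpy() call and not the memcpy() whose length is derived from the destination size, which is the distinction these scanners are built around. Note that the bounded version fixes the error in the source; it is independent of the kernel patches and compiler-level protections discussed earlier in this section, which only limit what an overflow that does reach the stack can achieve.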