Comment Feed for Channel 9 - Louis Lafreniere: Next Generation Buffer Overrun Protection with /GS++ http://ecn.channel9.msdn.com/o9/previewImages/100/469150_100x75.jpg Channel 9 - Louis Lafreniere: Next Generation Buffer Overrun Protection with /GS++ From the C++ Team Blog: A lot of code written in C and C++ has vulnerabilities that leave their users open to buffer overrun attacks. There are two major reasons for this. One reason is that the languages provide unfettered access to the vulnerable memory; the other reason is that developers make mistakes. The simple fact is that even following the best practices and performing quality checks, by the end of the day, no developers can get 100 percent of their code right all the time. Thus, additional built-in layers of defense to help track down vulnerable areas of code are in order. The Visual C++ compiler’s GS switch, which is on by default, is one of the built-in defenses designed to mitigate the buffer overrun attacks. With VC 10, the next iteration of VC that ships with Visual Studio 2010, Louis Lafreniere and team have delivered the next iteration of /GS, /GS++. /GS proved to be invaluable for C++ developers wanting compile time checking for buffer overrun vulnerabilities in their code. specifically targetting string buffers. Well, turns out that certain structs proved to be a suitable exploit and /GS did not check data structures like structs. Louis et al, with /GS++, now check for certain typed of struct vulnerability (stack allocated). Here, Principal Developer Louis Lafreniere takes us through the history and future of /GS, in a deep way, of course. Most of the time is spent at the whiteboard mapping out exactly how /GS works and what to expect from /GS++. Enjoy! en Tue, 21 May 2013 13:45:02 GMT Tue, 21 May 2013 13:45:02 GMT Rev9 Re: Louis Lafreniere: Next Generation Buffer Overrun Protection with /GS++ Good video. It's been quite a while I had to write anything in C/C++, so excuse my ignorance.

But, is there a utility to quickly check if an executable or a DLL contains modules that were compiled with /gs or /gs++ flag? In another words to do some sort of a static analysis of program binaries to have at least some level of confidence that it was hardened against buffer overflows?

Cheers,

Seva.

posted by sokhaty

]]> http://channel9.msdn.com/Shows/Going+Deep/Louis-Lafreniere-Next-Generation-Buffer-Overrun-Protection-gs#c633796374570000000 Wed, 03 Jun 2009 14:50:57 GMT http://channel9.msdn.com/Shows/Going+Deep/Louis-Lafreniere-Next-Generation-Buffer-Overrun-Protection-gs#c633796374570000000 sokhaty Re: Louis Lafreniere: Next Generation Buffer Overrun Protection with /GS++ Microsoft does have an internal tool which groups are required to run before shipping binaries.  This tool ensures several things, and one of these is that /GS was enabled on each modules.  It also requires the binaries to be compiled by a certain minimum compiler version.  So once Dev10 ships and the tool sets the minimum bar to Dev10, it will guarantee all Microsoft products are compiled with /GS++.

This tool isn't available externally AFAIK, but someone could easily write their own.  The tool looks at the .pdb file.  Using DIA, you could look to make sure each module has /GS using IDiaSymbol::get_hasSecurityChecks().

        -- Louis Lafreniere

posted by louisl

]]> http://channel9.msdn.com/Shows/Going+Deep/Louis-Lafreniere-Next-Generation-Buffer-Overrun-Protection-gs#c633796415930000000 Wed, 03 Jun 2009 15:59:53 GMT http://channel9.msdn.com/Shows/Going+Deep/Louis-Lafreniere-Next-Generation-Buffer-Overrun-Protection-gs#c633796415930000000 louisl Re: Louis Lafreniere: Next Generation Buffer Overrun Protection with /GS++ Thank you for the pointers, Louis.

Is there anything that can be used in cases when binaries are coming not from the internal dev.team or a major vendor, like Microsoft, and there is no .pdbs immediately available? Is it possible to blindly search for a sequence of machine code instructions (naive signature matching)? Or in this case /gs injected code "optimized out beyond recognition"?

Best,

Seva.

posted by sokhaty

]]> http://channel9.msdn.com/Shows/Going+Deep/Louis-Lafreniere-Next-Generation-Buffer-Overrun-Protection-gs#c633796762710000000 Thu, 04 Jun 2009 01:37:51 GMT http://channel9.msdn.com/Shows/Going+Deep/Louis-Lafreniere-Next-Generation-Buffer-Overrun-Protection-gs#c633796762710000000 sokhaty Re: Louis Lafreniere: Next Generation Buffer Overrun Protection with /GS++ Plain GS frames are pretty easy to find in disassembly.  Plain GS frames look like:

sub     esp, 16
mov     eax, DWORD PTR ___security_cookie
xor       eax, ebp|esp
mov     DWORD PTR __$ArrayPad$[ebp|esp], eax

The scheduler can sometimes interleave some instructions in there.  EH frames are quite a bit trickier to find if compiled for size however, because we use helper calls (like __EH_prolog3_GS) to setup/unlink the frames.  But you could look for the helper code in the image (there are multiple versions to look for), and search for calls to it.  Depending on coding styles though, GS frames can be pretty rare...  Some code doesn't need stack buffers or local structs.  So not finding one doesn't mean the code isn't compiled with /GS.

      -- Louis Lafreniere

posted by louisl

]]> http://channel9.msdn.com/Shows/Going+Deep/Louis-Lafreniere-Next-Generation-Buffer-Overrun-Protection-gs#c633797496880000000 Thu, 04 Jun 2009 22:01:28 GMT http://channel9.msdn.com/Shows/Going+Deep/Louis-Lafreniere-Next-Generation-Buffer-Overrun-Protection-gs#c633797496880000000 louisl Re: Louis Lafreniere: Next Generation Buffer Overrun Protection with /GS++ Outstanding, it doesn't even look all that scary Smiley A lot of thanks, Louis!

posted by sokhaty

]]> http://channel9.msdn.com/Shows/Going+Deep/Louis-Lafreniere-Next-Generation-Buffer-Overrun-Protection-gs#c633797660260000000 Fri, 05 Jun 2009 02:33:46 GMT http://channel9.msdn.com/Shows/Going+Deep/Louis-Lafreniere-Next-Generation-Buffer-Overrun-Protection-gs#c633797660260000000 sokhaty Re: Louis Lafreniere: Next Generation Buffer Overrun Protection with /GS++ Great video!  At the end you mention that Windows 7 was built using /GS++ to some extent.  For the record, so to speak, can you say more about what percentage and/or types of binaries in Windows 7 and Server 2008-R2 were compiled with /GS++ please?  And how much would you attribute the improved performance of Win7 over Vista to the new compiler optimizations? 

 

It would be good for Windows 7 if you could provide some definitive detail here, since security enhancements are one of the main reasons a company would choose to migrate from XP to 7 sooner rather than later, and things like /GS++ might be important to a CISO at a large organization who needs to justify his/her recommendation to upper management. 

 

Thank You!

 

posted by Jason Fossen

]]> http://channel9.msdn.com/Shows/Going+Deep/Louis-Lafreniere-Next-Generation-Buffer-Overrun-Protection-gs#c633840434470000000 Fri, 24 Jul 2009 14:44:07 GMT http://channel9.msdn.com/Shows/Going+Deep/Louis-Lafreniere-Next-Generation-Buffer-Overrun-Protection-gs#c633840434470000000 Jason Fossen Re: Louis Lafreniere: Next Generation Buffer Overrun Protection with /GS++ Well, not really. Windows was used for /gs++ testing. That's what Louis was referring to. The actual shipping version of Windows 7 was not compiled with /gs++ (because /gs++ doesn't ship until VS 2010 ships - would we use a beta compiler technology to build a shipping product?) 

 

So, to be clear: /gs++ was not used for compiling any part of shipping versions of Windows 7.

C

posted by Charles

]]> http://channel9.msdn.com/Shows/Going+Deep/Louis-Lafreniere-Next-Generation-Buffer-Overrun-Protection-gs#c633844773480000000 Wed, 29 Jul 2009 15:15:48 GMT http://channel9.msdn.com/Shows/Going+Deep/Louis-Lafreniere-Next-Generation-Buffer-Overrun-Protection-gs#c633844773480000000 Charles Re: Louis Lafreniere: Next Generation Buffer Overrun Protection with /GS++ >is there a utility to quickly check if an executable or a DLL contains modules that were compiled with /gs or /gs++ flag?

in fact, there is! we just released BinScope that does exactly this check, along with a number of other security checks.

 

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=90e6181c-5905-4799-826a-772eafd4440a 

posted by mattthom

]]> http://channel9.msdn.com/Shows/Going+Deep/Louis-Lafreniere-Next-Generation-Buffer-Overrun-Protection-gs#c633935675410000000 Wed, 11 Nov 2009 20:19:01 GMT http://channel9.msdn.com/Shows/Going+Deep/Louis-Lafreniere-Next-Generation-Buffer-Overrun-Protection-gs#c633935675410000000 mattthom Re: Louis Lafreniere: Next Generation Buffer Overrun Protection with /GS++ thanks a lot

 

comlandcomputerslanditcomputer
computerslookup
batchsevenwebhosting.org

posted by petersan

]]> http://channel9.msdn.com/Shows/Going+Deep/Louis-Lafreniere-Next-Generation-Buffer-Overrun-Protection-gs#c634156150500000000 Sun, 25 Jul 2010 00:37:30 GMT http://channel9.msdn.com/Shows/Going+Deep/Louis-Lafreniere-Next-Generation-Buffer-Overrun-Protection-gs#c634156150500000000 petersan