4.15. Protecting against buffer overflows
Buffer overflow is the name of a common attack on software which makes use of insufficient boundary checking (a programming error, most commonly in the C language) in order to execute machine code through program inputs. These attacks, against server software which listens to connections remotely and against local software which grants higher privileges to users (setuid or setgid), can result in the compromise of any given system.
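The following C program, added here as an illustration and not part of the Securing Debian Manual, shows the programming error the paragraph above refers to beside its corrected form: copy_unchecked() copies an input with strcpy() without ever comparing its length to the destination size, while copy_checked() performs the missing boundary check and truncates (keeping a terminating NUL) instead of writing past the end of the array. The function names, BUF_SIZE and the two sample inputs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Fixed-size destination used by both copies below. */
#define BUF_SIZE 16

/* The programming error the section describes: strcpy() stops only at the
 * terminating NUL of the input, so it never compares the input length with
 * the size of buf. Any input of BUF_SIZE bytes or more writes past the end
 * of the array. Kept here only for contrast; it is never called with
 * oversized input in this example. */
static void copy_unchecked(char buf[BUF_SIZE], const char *input)
{
    strcpy(buf, input);
}

/* The same copy with an explicit boundary check. Returns 0 when the whole
 * input (plus its NUL) fits in bufsize bytes, or -1 when it does not; in
 * the latter case the destination receives a truncated, NUL-terminated
 * copy instead of an out-of-bounds write. */
static int copy_checked(char *buf, size_t bufsize, const char *input)
{
    size_t len = strlen(input);

    if (bufsize == 0)
        return -1;                  /* nowhere to put even the NUL */

    if (len >= bufsize) {           /* would overflow: truncate instead */
        memcpy(buf, input, bufsize - 1);
        buf[bufsize - 1] = '\0';
        return -1;
    }

    memcpy(buf, input, len + 1);    /* copy including the terminating NUL */
    return 0;
}

/* Constructed sample inputs (not taken from the manual): one that fits in
 * BUF_SIZE and one that is longer than the destination. */
static const char SHORT_INPUT[] = "hello";
static const char LONG_INPUT[]  = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 40 bytes */

int main(void)
{
    char buf[BUF_SIZE];

    /* Safe only because this input is known to be short. */
    copy_unchecked(buf, SHORT_INPUT);
    printf("unchecked copy of short input: \"%s\"\n", buf);

    /* The checked version accepts the short input... */
    if (copy_checked(buf, sizeof buf, SHORT_INPUT) == 0)
        printf("checked copy accepted:  \"%s\"\n", buf);

    /* ...and refuses the long one, leaving a truncated but valid string. */
    if (copy_checked(buf, sizeof buf, LONG_INPUT) != 0)
        printf("checked copy truncated: \"%s\" (%zu bytes kept)\n", buf, strlen(buf));

    return 0;
}
```

The point of the contrast is that the checked version carries the destination size as an argument and compares it against the input length before touching memory; source auditing tools such as the ones listed in Section 4.15.2 flag calls like the strcpy() in copy_unchecked() precisely because that comparison is absent.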
There are basically four methods to protect against buffer overflows:
patch the kernel to prevent stack execution. You can use either Exec-shield, OpenWall or PaX (included in the Grsecurity and Adamantix patches).
fix the source code by using tools to find fragments of it that might introduce this vulnerability.
Debian GNU/Linux, as of the 3.0 release, provides software to introduce all of these methods except for the protection on source code compilation (but this has been requested in http://bugs.debian.org/213994).
Notice that even if Debian provided a compiler which featured stack/buffer overflow protection, all packages would need to be recompiled in order to introduce this feature. This is, in fact, what the Adamantix distribution does (among other features). The effect of this new feature on the stability of software is yet to be determined (some programs or some processor architectures might break because of it).
If you want to test your buffer overflow protection once you have implemented it (regardless of the method), you might want to install the paxtest package and run the tests it provides.
4.15.1. Kernel patches for buffer overflow protection
Kernel patches related to buffer overflows include the Openwall patch, which provides protection against buffer overflows in 2.2 Linux kernels. For 2.4 or newer kernels, you need to use the Exec-shield implementation or the PaX implementation (provided in the grsecurity patch, kernel-patch-2.4-grsecurity, and in the Adamantix patch, kernel-patch-adamantix). For more information on using these patches, read Section 4.14, "Adding kernel patches".
4.15.2. Testing programs for overflow problems
The use of tools to detect buffer overflows requires, in any case, programming experience in order to fix (and recompile) the code. Debian provides, for example, bfbtester (a buffer overflow tester that brute-forces binaries through command line and environment overflows). Other packages of interest are rats, pscan, flawfinder and splint.