SQ18104
Detected Linux executable files compiled without any kind of buffer overrun protection.
| priority | CI/CD status | severity | effort | RL level | RL assessment |
|---|---|---|---|---|---|
 | pass | medium | low | None | hardening: warning Reason: baseline mitigations missing |
About the issueโ
Buffer overrun protection on Linux is achieved in two ways. The most common solution is to use the stack canary (also called cookie). The stack canary is a special value written onto the stack that allows the operating system to detect and terminate the program if a stack overrun occurs. In most cases, compilers will apply the stack canary conservatively in order to avoid a negative performance impact. Therefore, stack canaries are often used together with another stack overrun mitigation - fortified functions. Fortified functions are usually wrappers around standard glibc functions (such as memcpy) which perform boundary checks either at compile time or run time to determine if a memory violation has occurred. The compiler needs additional context to generate such calls (for example, array size that needs to be known at compile time). Because of this, the compiler will virtually never substitute all viable functions with their fortified counterparts in complex programs. However, when combined with the stack canary, fortified functions provide a good measure of buffer overrun protection.
How to resolve the issueโ
- In GCC, enable fortified functions with -fstack-protector and -D_FORTIFY_SOURCE=2 flag, while using at least -O1 optimization level.
Incidence statisticsโ
ReversingLabs periodically collects and analyzes the contents of popular software package repositories for threat research purposes.
For every repository, the chart shows the percentage of projects that triggered the software assurance policy. In other words, it shows how many projects were found to have the specific issue described on this page.
The percentages are calculated from the total amount of packages analyzed:
- RubyGems: 174K
- Nuget: 189K
- PyPi: 403K
- NPM: 2.1M
Recommended readingโ
- Buffer Overflow Attack (External resource - Imperva)
- Stack Canaries (External resource - CTF101)