The Microsoft Visual C++ 7 and Visual C++ .NET compilers shipped by Microsoft include a feature intended to protect against stack-based buffer overflow conditions. The technology is similar to StackGuard, which was developed by Crispin Cowan. The protection is implemented using special values (called 'security cookies') placed next to function stack frames when procedures are called. When a procedure exits, the cookie is checked for its integrity. If the check fails, the value is assumed to have been overwritten by an overflow condition, and either the process terminates or a developer-specified handler executes. The function pointer for this handler is stored in a global variable. Some overflow conditions allow arbitrary addresses to be overwritten; where such a condition exists, an attacker can overwrite the handler variable with a pointer to shellcode. If this is accomplished, the protection mechanism is circumvented and the shellcode executes when the handler function is called. This is not a vulnerability in itself. It is a weakness in the design of the protection mechanism that may lead to a false sense of security: the perception of security at the compiler level may lead some programmers to rely on insecure programming techniques. It should be noted that the weaknesses of similar systems are well documented.
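An added simulation (not code from the advisory or from Microsoft's runtime) of the check described above: it performs the cookie comparison on procedure exit and contrasts the weak design, where the failure handler pointer is an ordinary writable global, with a variant that keeps the pointer in read-only memory. The function names and the cookie value are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Simulation of a /GS-style security cookie check. Not Microsoft's runtime
 * code; all names and the cookie value are constructed for illustration. */

typedef void (*gs_handler_t)(void);

/* Per-process cookie; a real runtime randomises this at start-up. */
static uint32_t security_cookie = 0xBB40E64Eu;  /* constructed sample value */

static int handler_calls = 0;
static void report_failure(void) { handler_calls++; }

/* Weak design from the advisory: the handler pointer is an ordinary writable
 * global, so an arbitrary-write primitive can redirect it before the check
 * runs, turning the protection's own failure path into a control transfer. */
static gs_handler_t gs_handler_writable = report_failure;

/* Hardened variant: the pointer is const, so the toolchain places it in
 * read-only memory and a stray write faults instead of redirecting control. */
static gs_handler_t const gs_handler_readonly = report_failure;

/* Called on procedure exit: returns 1 if the saved cookie is intact, 0 if the
 * failure path (the handler) was taken. */
static int check_cookie_weak(uint32_t saved_cookie) {
    if (saved_cookie == security_cookie) return 1;
    gs_handler_writable();
    return 0;
}

static int check_cookie_hardened(uint32_t saved_cookie) {
    if (saved_cookie == security_cookie) return 1;
    gs_handler_readonly();
    return 0;
}

int main(void) {
    /* A clean frame passes; a frame whose cookie was clobbered takes the handler. */
    printf("intact:  %d\n", check_cookie_hardened(security_cookie));
    printf("smashed: %d (handler ran %d time)\n",
           check_cookie_hardened(security_cookie ^ 0x1u), handler_calls);
    return 0;
}
```

The read-only pointer removes only the arbitrary-write path the advisory describes; it does not help if the cookie value itself is leaked or the handler's code is otherwise reachable.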