Stack smashing protection not enforced

Stack smashing protection not enforced

Risk: hardening

Description

Stack Smashing Protection is an exploit mitigation that helps detect buffer overflows being exploited and abort execution before malicious code is executed. This feature is implemented by selecting appropriate functions, storing a canary at the function prologue, and checking the value at the epilogue

Recommendation

Enable Stack Smashing Protection (SSP) by specifying the -fstack-protector-all compiler flag.

gcc -o output_file source_file.c -fstack-protector-all

Links

• Stack Smashing Protection (OSdev)
• Xcode 3 supports Stack Canaries

Standards

• OWASP_MASVS_L1:
  • MSTG_CODE_9
• OWASP_MASVS_L2:
  • MSTG_CODE_9
• PCI_STANDARDS:
  • REQ_2_2
  • REQ_6_2
  • REQ_6_3
  • REQ_11_3
• OWASP_MASVS_v2_1:
  • MASVS_RESILIENCE_4