Next: Evaluation
Up: Implementation details
Previous: setjmp / longjmp
The C calling convention places all arguments to a function on the call stack.
Thus, calling a function with a sensitive value will place sensitive
information on the unprotected call stack. Our solution to this problem does
not require any effort on the part of the programmer; instead, a Scrash
transformation converts a sensitive argument into a pointer reference to the
sensitive data. Thus, the sensitive value is never placed on the call stack.
Naturally, all such function bodies, declarations, and call sites need to be
modified. To transform the call site, we first allocate space on the sensitive
stack for any sensitive arguments. Then, we make a copy to preserve the
call-by-value semantics of C and call the function with a pointer to the data.

Rewriting a function is not possible if the program exports a fixed API,
passes a function pointer to a library callback function, or has a variable
number of arguments. If Scrash detects that the address of a particular
function is ever passed as an argument, it will refuse to modify that
function, since changing its signature could yield unpredictable behavior.
Instead, Scrash prints a warning advising the user of the security
vulnerability. It is then up to the developer to modify the API to avoid
passing sensitive variables by value.
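The transformation described above, written out by hand for one function as an added example (this is not code from the Scrash paper or its implementation). The sensitive stack is a constructed stand-in, a separate static buffer with a bump pointer; `pin_matches` is the original by-value function, `pin_matches_t` and `check_pin_t` are the hand-transformed body and call site, and the names and sample PIN value are assumptions made here for illustration.

```c
/* Added example, not the Scrash paper's own code: a sensitive argument
 * converted from pass-by-value into a pointer to a copy on a separate
 * sensitive stack. The sensitive stack is a constructed stand-in (static
 * buffer plus bump pointer); Scrash's real runtime layout is not shown. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define SENSITIVE_STACK_BYTES 4096
static unsigned char sensitive_stack[SENSITIVE_STACK_BYTES];
static size_t sensitive_sp = 0;

/* Reserve n bytes on the sensitive stack; NULL when exhausted. */
static void *sensitive_alloc(size_t n) {
    if (n > SENSITIVE_STACK_BYTES - sensitive_sp) return NULL;
    void *p = sensitive_stack + sensitive_sp;
    sensitive_sp += n;
    return p;
}

/* Release the most recent n bytes and scrub them on the way out. */
static void sensitive_free(size_t n) {
    sensitive_sp -= n;
    memset(sensitive_stack + sensitive_sp, 0, n);
}

size_t sensitive_stack_depth(void) { return sensitive_sp; }

/* BEFORE: the PIN travels by value, so it lands on the ordinary call stack. */
int pin_matches(uint32_t pin, uint32_t expected) {
    return pin == expected;
}

/* AFTER: the transformed body receives a pointer to the sensitive data.
 * Only the pointer is on the call stack; the value itself never is. */
int pin_matches_t(uint32_t *pin, uint32_t expected) {
    int ok = (*pin == expected);
    *pin = 0;   /* writes hit the callee's private copy, not the caller's data */
    return ok;
}

/* Transformed call site: allocate a slot on the sensitive stack, copy the
 * value in (preserving C's call-by-value semantics), pass the pointer to
 * the callee, and release the slot afterwards. */
int check_pin_t(const uint32_t *secret, uint32_t expected) {
    uint32_t *slot = sensitive_alloc(sizeof *slot);
    if (slot == NULL) return -1;   /* sensitive stack exhausted */
    *slot = *secret;
    int ok = pin_matches_t(slot, expected);
    sensitive_free(sizeof *slot);
    return ok;
}

/* Round trip: the callee scrubs its copy, the caller's value is untouched,
 * and the sensitive stack is back at depth zero. Returns 1 on success. */
int demo(void) {
    uint32_t secret = 4711;   /* constructed sample value; in a transformed
                                 program this would already live in sensitive
                                 storage rather than in an ordinary local */
    int first = check_pin_t(&secret, 4711);
    int second = check_pin_t(&secret, 1234);
    return first == 1 && second == 0 && secret == 4711
           && sensitive_stack_depth() == 0;
}
```

The copy into the slot is what keeps the callee's writes from reaching the caller's variable, which is exactly the call-by-value behaviour the original `pin_matches` had; without it the transformed program would silently change semantics whenever a callee modified its parameter.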
Naveen Sastry
2003-05-12