GCC Stack Protector options

The following options come from GCC4.9.3 Manual

-fno-stack-protector

Disable Stack Protector Check

-fstack-protector

Emit extra code to check for buffer overflows, such as stack smashing attacks. This is done by adding a guard variable to functions with vulnerable objects. This includes functions that call alloca, and functions with buffers larger than 8 bytes. The guards are initialized when a function is entered and then checked when the function exits. If a guard check fails, an error message is printed and the program exits.

-fstack-protector-all

Like -fstack-protector except that all functions are protected.

-fstack-protector-strong

Like -fstack-protector but includes additional functions to be protected — those that have local array definitions, or have references to local frame addresses.

Comment 1: The 8 bytes can be configured by “–param=ssp-buffer-size=N” N=8 by default in GCC upstream. Various distributions ended up lowering their default –param=ssp-buffer-size option down to 4, since there were still cases of functions that should have been protected but the conservative gcc upstream default of 8 wasn’t covering them.

Comment 2: Overflow doesn’t always happen in buffer, for example, member in struct can be a target of overflow. This kind of overflow can’t be protected by -fstack-protector.

Comment 3:

  • performance: -fstack-protector > -fstack-protector-strong > -fstack-protector-all
  • coverage: -fstack-protector < -fstack-protector-strong < -fstack-protector-all

Comment 4: From References 2, we learn from the condition in which we add stack protector check:

  • local variable’s address used as part of the right hand side of an assignment or function argument
  • local variable is an array (or union containing an array), regardless of array type or length
  • uses register local variables

(Why contains the third condition? From Kees’s Comment: It was to catch unusual ways to get a reference to the frame address, with things like “register unsigned rsp __asm__(“rsp”);”, etc”)

There is also an example in Reference 2 to prove the functionability of -fstack-protector-strong. I also have an analysis about stack protector options in my blog

References:

[1] “Strong” stack protection for GCC

[2] -fstack-protector-strong from Kees Cook