CookieCrumbler

This is the support material for the paper "Smashing the Stack Protector for Fun and Profit".

CookieCrumbler is a program that allows to measure various characteristics of current Stack Protector implementations.
The program measures address distances of all possible user-controllable types of memory.
Additionally, it determines the amount of bytes behind the memory location that are writable in a contiguously manner.
This information allows us to determine if an attacker can bypass the Stack Protector.

Slides

Download

Paper

Download

Source Code

Download
Compatible with various UNIX variants and Windows.

Results

LOC: a variable residing on the stack the function
TLS: a variable residing in Thread Local Storage (TLS)
GLO: a global variable residing in statically allocated memory
DYN: a variable residing in dynamically memory

main: main thread
sub: sub thread

✘ - Vulnerable implementation: a long buffer overflow on the stack allows for a complete stack canary bypass
✘ - Weak implementation: the reference value is located next to this memory class, which potentially allows an attacker to bypass the protection
✔ - Secure implementation: the reference value can't be overwritten from this memory class

Measurement Data

Operating System	Architecture	C Standard Library	Data
All Data	-	-	Download
Android 7.0	ARM	Bionic	Download
Android 7.0	x86_64	Bionic	Download
macOS 10.12.1	x86_64	libSystem.dylib	Download
FreeBSD 11.00	x86_64	libc.so.7	Download
OpenBSD 6.0	x86_64	libc.so.88.0	Download
Windows 10	x86	msvcr1400.dll	Download
Windows 10	x86_64	msvcr1400.dll	Download
Windows 7	x86	msvcr1400.dll	Download
Windows 7	x86_64	msvcr1400.dll	Download
Arch Linux	x86_64	libc-2.26.so	Download
Debian Jessie	x86	libc-2.19.so	Download
Debian Jessie	ARM	libc-2.19.so	Download
Debian Jessie	PowerPC	libc-2.19.so	Download
Debian Jessie	s390x	libc-2.19.so	Download
Debian Stretch	x86_64	dietlibc 0.33	Download
Debian Stretch	x86_64	musl-libc 1.1.16	Download
Ubuntu 14.04 LTS	x86_64	EGLIBC 2.15	Download