http://blogs.msdn.com/michael_howard/archive/2007/04/03/hardening-stack-based-buffer-overrun-detection-in-vc-2005-sp1.aspxAs y’all know, the Visual C++ /GS compiler flag adds prolog and epilog code to certain functions to help detect some classes of stack based buffer overruns at runtime. In VC++ 2005, the code looks like this: Function prolog sub esp, 8 mov eax, DWORD PTRen-USCommunityServer 2.1 SP1 (Build: 61025.2)http://blogs.msdn.com/michael_howard/archive/2007/04/03/hardening-stack-based-buffer-overrun-detection-in-vc-2005-sp1.aspx#2026423Wed, 04 Apr 2007 20:33:24 GMT91d46819-8472-40ad-a661-2c78acb4018c:2026423Hardening Stack-based Buffer Overrun Detection in VC++ 2005 SP1 « Software and web application security<p>PingBack from <a rel="nofollow" target="_new" href="http://chrisweber.wordpress.com/2007/04/04/hardening-stack-based-buffer-overrun-detection-in-vc-2005-sp1/">http://chrisweber.wordpress.com/2007/04/04/hardening-stack-based-buffer-overrun-detection-in-vc-2005-sp1/</a></p> http://blogs.msdn.com/michael_howard/archive/2007/04/03/hardening-stack-based-buffer-overrun-detection-in-vc-2005-sp1.aspx#2030192Thu, 05 Apr 2007 09:24:06 GMT91d46819-8472-40ad-a661-2c78acb4018c:2030192Yoink<p>Do Microsoft care to explain what 'If a parameter is used only in ways that are less likely to be exploitable in the event of a buffer overrun.' means?</p>http://blogs.msdn.com/michael_howard/archive/2007/04/03/hardening-stack-based-buffer-overrun-detection-in-vc-2005-sp1.aspx#2032831Thu, 05 Apr 2007 16:50:42 GMT91d46819-8472-40ad-a661-2c78acb4018c:2032831michael_HOWARD<p>The sample code above shows the main one - using non-chars as the buffer element type</p> http://blogs.msdn.com/michael_howard/archive/2007/04/03/hardening-stack-based-buffer-overrun-detection-in-vc-2005-sp1.aspx#2077798Wed, 11 Apr 2007 00:36:59 GMT91d46819-8472-40ad-a661-2c78acb4018c:2077798ddebug<p>Is this correct that /GS can make copies of vulnerable parameters on stack, and thus increase stack usage much more and less predictably than we could guess? (8 bytes per call frame)</p> <p>Is there any easy way to know when the compiler makes big allocations on stack? This may be important for kernel mode, where stack is limited.</p>http://blogs.msdn.com/michael_howard/archive/2007/04/03/hardening-stack-based-buffer-overrun-detection-in-vc-2005-sp1.aspx#2079814Wed, 11 Apr 2007 04:20:57 GMT91d46819-8472-40ad-a661-2c78acb4018c:2079814michael_HOWARD<p>ddebug,</p> <p>yes it's true, but in our experience, it's really not a big issue. We saw now perf problems or stack exhaustion.</p> http://blogs.msdn.com/michael_howard/archive/2007/04/03/hardening-stack-based-buffer-overrun-detection-in-vc-2005-sp1.aspx#2177436Wed, 18 Apr 2007 19:47:18 GMT91d46819-8472-40ad-a661-2c78acb4018c:2177436Alexander Sotirov<p>Does using this flag enable /GS cookies for the LoadAniIcon function which was responsible for the recent ANI vulnerability? It was a perfect example of a function which should have been protected by /GS, but the compiler failed to insert the cookie because the function was overwriting a structure on the stack, instead of an array.</p> <p>By the way, what exact version of VC2005 was used to compile Vista? Is it the same one that's included in the Vista release of the Windows SDK, or a private build of the compiler?</p>http://blogs.msdn.com/michael_howard/archive/2007/04/03/hardening-stack-based-buffer-overrun-detection-in-vc-2005-sp1.aspx#2178429Wed, 18 Apr 2007 21:19:07 GMT91d46819-8472-40ad-a661-2c78acb4018c:2178429michael_HOWARD<p>Hello Alexander</p> <p>re: /GS - yes, the #pragma would add the cookie to this func.</p> http://blogs.msdn.com/michael_howard/archive/2007/04/03/hardening-stack-based-buffer-overrun-detection-in-vc-2005-sp1.aspx#2291547Fri, 27 Apr 2007 01:56:58 GMT91d46819-8472-40ad-a661-2c78acb4018c:2291547The Security Development Lifecycle<p>Michael Howard here. A core tenet of the SDL is to take and incorporate lessons learned when we issue</p> http://blogs.msdn.com/michael_howard/archive/2007/04/03/hardening-stack-based-buffer-overrun-detection-in-vc-2005-sp1.aspx#2314966Sat, 28 Apr 2007 22:55:26 GMT91d46819-8472-40ad-a661-2c78acb4018c:2314966anonymous<p>I have VS2005 SP1 running, but the compiler complains that this pragma simply doesn't exist. What now?</p>