Guarded Memory Move (GMM) helps detect and analyze stack buffer overflows by capturing both the corrupted stack image and the corresponding 'good' image taken before the overflow, so an exploit can be studied as well as stopped.
The GMM library uses dynamic function call interception, through the LD_PRELOAD capability, to catch the glibc functions most commonly abused to overflow stack buffers. It offers two services to the user. First, it detects a stack overflow as soon as the intercepted call returns, before the corrupted return address can be used, so the attacker's shell-code never runs on your machine. Second, when an exploit is detected, the stack content is saved and a segmentation fault is triggered; the resulting core dump (provided core dumps are enabled, e.g. with ulimit -c unlimited) holds the information needed to debug the exploit and fix the software.
Internally, the library inserts itself between the application and glibc and intercepts the functions that can lead to a buffer overflow. Before calling the real glibc function, the GMM wrapper copies part of the stack above the caller's frame into temporary storage in its own frame, and records the previous three return addresses (obtained with GCC's __builtin_return_address) in its local storage. When the real function returns, the wrapper reads those return addresses again and compares them with the recorded values. If any of them differs, the overflow has reached a saved return address: the wrapper restores the saved stack image and raises a segmentation fault over a clean stack frame, so the core dump can be inspected with a debugger.
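The following is an added example, written for this page and not taken from GMM's own source, showing the interposer shape just described for one function, strcpy(3). The definition of strcpy here wins over glibc's (in an LD_PRELOAD library or in the executable itself) and the real one is fetched with dlsym(RTLD_NEXT). One substitution is made: the return addresses are snapshotted with glibc's backtrace() rather than __builtin_return_address(N), so the demo does not depend on frame pointers, and the unwinder's reported depth stands in for the NULL-at-last-frame check. The names gmm_changed_frames, gmm_demo_roundtrip and the constants GMM_DEPTH and GMM_SAVE_BYTES are assumptions for this demo only.

```c
/* Added example (not GMM's own code): a minimal GMM-style interposer for
 * strcpy(3). Build as a preload library:
 *   gcc -O1 -fPIC -shared -o libgmm_demo.so gmm_demo.c
 *   LD_PRELOAD=$PWD/libgmm_demo.so ./some_program
 * or as a plain program with the demo driver at the bottom.
 * GMM_DEPTH and GMM_SAVE_BYTES are assumed values chosen for the demo. */
#define _GNU_SOURCE
#include <dlfcn.h>
#include <execinfo.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>

#define GMM_DEPTH      4    /* slots: [0] into wrapper, [1] into caller, [2..] above it */
#define GMM_SAVE_BYTES 128  /* bytes of stack above the wrapper's frame to image */

static unsigned long gmm_violations;

unsigned long gmm_violation_count(void) { return gmm_violations; }

/* Number of return-address slots that changed across the guarded call.
 * Slot 0 is where backtrace() returns to inside the wrapper and legitimately
 * differs between the two snapshots, so it is skipped. A change in depth
 * (the unwinder stopping early because a frame was clobbered) also counts. */
int gmm_changed_frames(void **before, int nb, void **after, int na)
{
    int changed = nb > na ? nb - na : na - nb;
    for (int i = 1; i < nb && i < na; i++)
        if (before[i] != after[i])
            changed++;
    return changed;
}

/* Interposed strcpy: snapshot, call the real function, compare, and on a
 * mismatch restore the clean stack image and fault so a core can be taken. */
char *strcpy(char *dst, const char *src)
{
    static char *(*real_strcpy)(char *, const char *);
    void *before[GMM_DEPTH], *after[GMM_DEPTH];
    unsigned char saved[GMM_SAVE_BYTES];
    unsigned char *frame = __builtin_frame_address(0); /* level 0 is always valid */
    int nb, na, changed;
    char *ret;

    if (!real_strcpy)
        real_strcpy = (char *(*)(char *, const char *))dlsym(RTLD_NEXT, "strcpy");

    /* 'good' image: the return addresses of the frames above us, plus the
     * bytes of stack just above our frame (the caller's frame, where dst
     * usually lives). */
    nb = backtrace(before, GMM_DEPTH);
    memcpy(saved, frame, GMM_SAVE_BYTES);

    ret = real_strcpy(dst, src);

    na = backtrace(after, GMM_DEPTH);
    changed = gmm_changed_frames(before, nb, after, na);
    if (changed) {
        gmm_violations++;
        fprintf(stderr, "gmm: %d return address(es) changed across strcpy(); "
                        "restoring frame and faulting\n", changed);
        memcpy(frame, saved, GMM_SAVE_BYTES); /* clean image back for the debugger */
        raise(SIGSEGV);
    }
    return ret;
}

/* Demo driver: copies src into a local buffer through the interposed strcpy.
 * The call goes through a volatile function pointer so the compiler cannot
 * expand strcpy as a builtin and bypass the wrapper. Returns 1 when the copy
 * round-trips with no violation, -1 when src would not fit (this driver
 * refuses to overflow; a real overflow would end in the fault path above). */
int gmm_demo_roundtrip(const char *src)
{
    char buf[64];
    char *(*volatile copy)(char *, const char *) = strcpy;
    unsigned long before = gmm_violations;

    if (strlen(src) >= sizeof buf)
        return -1;
    copy(buf, src);
    return strcmp(buf, src) == 0 && gmm_violations == before;
}

int main(void)
{
    printf("roundtrip: %d, violations: %lu\n",
           gmm_demo_roundtrip("guarded memory move"), gmm_violation_count());
    return 0;
}
```

The comparison deliberately ignores slot 0 and treats a shorter second backtrace as a violation, because a smashed saved return address usually stops the unwinder early rather than producing a different but plausible address. On glibc older than 2.34 the program must also be linked with -ldl for dlsym.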
Other solutions exist to detect buffer overflow exploits, but GMM differs from them in several ways. GMM works wherever there are proper stack frames and the gcc/glibc pair, so it is not limited to i386; the one requirement is that the protected code keep its frame pointers, since walking return addresses with __builtin_return_address depends on them. Unlike other solutions, GMM does not require you to rebuild your application to use it. It also wraps only the functions likely to be abused for a buffer overflow, so there is no performance regression across the whole application. The flip side is that an overflow produced by code that never calls one of those functions, or one that corrupts only local variables without reaching a saved return address, is not caught; and being an LD_PRELOAD library, it covers neither statically linked programs nor set-user-ID ones (use /etc/ld.so.preload for the latter).
Another solution similar to GMM is LibSafe, but it does not save and restore the stack frame, which makes it unusable for debugging the exploit. The latest release of GMM fixes the case where GCC's __builtin_return_address and __builtin_frame_address return garbage instead of NULL at the last frame.
Overall, Guarded Memory Move is a powerful tool for detecting buffer overflow exploits and debugging software. Its innovative approach to solving the problem makes it stand out from other solutions.
Version 0.6: N/A