Uninformed: Informative Information for the Uninformed

Vol 7 » 2007.May


Frame Pointer

While the frame pointer does not influence an image file's global cookie, it does influence a stack frame's version of the cookie. For that reason, the frame pointer must be considered as an overall contributor to the effective entropy of the cookie. With the exception of Windows Vista, the frame pointer should be a deterministic value that could be deduced at the time that a vulnerability is triggered. As such, the frame pointer should be considered a known value for the majority of stack-based buffer overflows. Granted, in multi-threaded applications, it may be more challenging to accurately guess the value of the frame pointer.

In the Windows Vista environment, the compile-time GS implementation gets a boost in security due to the introduction of ASLR. This helps to ensure that the frame pointer is actually an unknown quantity. However, it doesn't introduce equal entropy in all bits. In particular, octet 4, and potentially octet 3, may have predictable values due to the way that the randomization is applied to dynamic memory allocations. In order to prevent fragmentation of the address space, Vista's ASLR implementation attempts to ensure that stack regions are still allocated low in the address space. This has the side effect of ensuring that a non-trivial number of bits in the frame pointer will be predictable. Additionally, while Vista's ASLR implementation makes an effort to shift the lower bits of the stack pointer, there may still be some bits that are always predictable in octet 2.
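As an added illustration (not code from the original article), the following Python models the per-frame cookie as the image's global cookie XORed with the frame pointer and counts how many cookie bits remain unpredictable when some of the frame pointer's octets are fixed. The bit masks and base address are constructed assumptions for the demonstration, not Vista's actual layout.

```python
import math
import random

WIDTH = 32
MASK32 = (1 << WIDTH) - 1


def frame_cookie(global_cookie: int, frame_pointer: int) -> int:
    """Per-frame /GS cookie: the image's global cookie XORed with the frame pointer."""
    return (global_cookie ^ frame_pointer) & MASK32


def unpredictable_bits(global_mask: int, fp_mask: int) -> int:
    """Bits of the per-frame cookie an attacker cannot predict.

    A bit of (cookie ^ ebp) is uniformly random whenever that bit is random in
    either input, so the effective entropy is the size of the union of masks."""
    return bin((global_mask | fp_mask) & MASK32).count("1")


def per_bit_entropy(values):
    """Shannon entropy (0.0..1.0) of each of the 32 bit positions over the samples."""
    n = len(values)
    entropy = []
    for bit in range(WIDTH):
        p = sum((v >> bit) & 1 for v in values) / n
        h = -sum(q * math.log2(q) for q in (p, 1.0 - p) if q > 0.0)
        entropy.append(h)
    return entropy


def simulate(global_mask: int, fp_base: int, fp_mask: int, trials: int = 4000, seed: int = 1) -> int:
    """Draw a fresh process (global cookie) and frame pointer per trial and count
    the cookie bits that measure as random. Masks and base are constructed assumptions."""
    rng = random.Random(seed)
    cookies = []
    for _ in range(trials):
        global_cookie = rng.getrandbits(WIDTH) & global_mask
        ebp = (fp_base & ~fp_mask) | (rng.getrandbits(WIDTH) & fp_mask)
        cookies.append(frame_cookie(global_cookie, ebp))
    return sum(1 for h in per_bit_entropy(cookies) if h > 0.9)


if __name__ == "__main__":
    # Constructed scenario: only the low 16 bits of the global cookie are unpredictable.
    GLOBAL_MASK = 0x0000FFFF
    BASE_EBP = 0x0012FF80   # constructed, fully known frame pointer (pre-Vista style)
    print("known EBP        :", simulate(GLOBAL_MASK, BASE_EBP, 0x00000000), "bits")
    # Constructed ASLR-like model: only bits 12..19 of EBP vary; octets 3 and 4 stay fixed.
    print("partly random EBP:", simulate(GLOBAL_MASK, BASE_EBP, 0x000FF000), "bits")
```

The empirical count from `simulate` matches the mask arithmetic in `unpredictable_bits`, which is the point: a frame pointer only adds effective entropy in the bit positions where it is actually unpredictable.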