ADI-Based Stack Protection Using adistack
The SPARC M7, SPARC M8, SPARC S7, SPARC T7, and SPARC T8 processors support Application Data Integrity (ADI), a hardware feature that helps prevent software exploitation threats such as linear buffer overflows and stray pointer dereferences.
The adistack security extension manages and supports ADI-based detection of stack buffer overflows. These overflows can overwrite the register save area of a stack frame in a SPARC 64-bit user process. When active, adistack, together with ADI, leverages SPARC register window spill and fill handling to detect this type of buffer overflow and generate SEGV signals.
adistack is not enabled by default. Applications can enable adistack through binary tagging, supported by the following linker option:
-z sx=adistack[=enable|disable]
For more information about this option, see Example 2-3, Specifying Per-Object Security Extensions and the ld(1) man page.
Note: The model=all property is not supported for adistack because some applications or interpreted languages may directly read or modify their own stack. In particular, C++ and Java applications do not yet support adistack.
For more information, see Protecting Against Malware With Security Extensions and the sxadm(8) man page.
Example 2-3 Compiling an Application With adistack Enabled
Using a basic makefile with the linker option, this example specifies adistack as a per-object security extension with the extension mode set to enable.
Specify a makefile rule that describes a dependency and how to resolve it as follows:
CFLAGS=-m64 -O
LDFLAGS = -z sx=adistack=enable

prog: prog.o
	${CC} ${CFLAGS} ${LDFLAGS} -o prog prog.o
In this example:
- The CFLAGS variable specifies that the object created will be a 64-bit object.
- The LDFLAGS variable enables adistack as a security extension for the object created.
- The prog binary depends on the existence of the prog.o object file. prog.o depends on prog.c.
Using the preceding makefile rule, you can execute the following command to fulfill the dependencies and create the prog binary with adistack enabled:
$ make
Without writing the makefile rule, you would execute the following commands to enable adistack:
$ cc -m64 -O -c prog.c
$ cc -m64 -O -z sx=adistack=enable -o prog prog.o
For more information, see the make(1S) and the cc(1) man pages.