
    mov     eax, DWORD PTR _localValue$[ebp]
    mov     ecx, DWORD PTR __$ArrayPad$[ebp]
    xor     ecx, ebp
    call    @__security_check_cookie@4
    mov     esp, ebp
    pop     ebp
    ret     0

By default, the Visual Studio compiler uses a heuristic algorithm to decide which routines need stack frame protection. To make the compiler more aggressive with respect to checking for buffer overflows, the following directives can be used:

    #pragma strict_gs_check(on)
    #pragma strict_gs_check(off)

If the strict_gs_check pragma is activated, the compiler injects a GS cookie into all routines that manipulate the address of a local variable.
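The following C program is an added illustration, not code from the book or from Microsoft's CRT. It models in portable C what the epilogue listing above does: the cookie is stored XORed with the frame address (the "xor ecx, ebp" step), and verified before the function returns. The strict_gs_check pragma from the text is included under an _MSC_VER guard, since other compilers do not understand it. The names gs_cookie, security_check_cookie_model and copy_with_cookie, the 16-byte buffer, and the fixed cookie value are all assumptions made for this example; a real build seeds its cookie at process start.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#ifdef _MSC_VER
/* Directive from the text: force a cookie into every routine that takes the
   address of a local, not only those the heuristic selects. Other compilers
   ignore it, so it is guarded here. */
#pragma strict_gs_check(on)
#endif

/* Constructed stand-in for the process-wide security cookie. In a real MSVC
   build the CRT seeds __security_cookie when the process starts; the value
   here is fixed only so the example is deterministic. */
static const uintptr_t gs_cookie = (uintptr_t)0x5A3C9E71;

/* Hypothetical helper modelling __security_check_cookie in C: it undoes the
   xor with the frame address and compares the result with the global cookie.
   Returns 1 if the frame is intact, 0 if the cookie slot was clobbered. */
static int security_check_cookie_model(uintptr_t stored, uintptr_t frame_addr)
{
    return (stored ^ frame_addr) == gs_cookie;
}

/* Copies n bytes of src into a 16-byte stack buffer laid out the way a
   /GS-protected frame is: the cookie slot (_$ArrayPad$ in the listing) sits
   directly above the buffer, so an overflow reaches it before the saved
   frame pointer and return address. Returns 1 if the copy left the cookie
   intact, 0 if it was overwritten (where the real check would terminate the
   process instead of returning). */
static int copy_with_cookie(const char *src, size_t n)
{
    struct {
        char      buf[16];
        uintptr_t cookie;       /* the _$ArrayPad$ slot */
    } frame;
    uintptr_t frame_addr = (uintptr_t)&frame;

    /* Prologue: store cookie ^ frame address. */
    frame.cookie = gs_cookie ^ frame_addr;

    /* Deliberately unchecked copy, clamped to the frame so the model itself
       stays well-defined; bytes beyond buf[16] land in the cookie slot. */
    if (n > sizeof frame)
        n = sizeof frame;
    memcpy((unsigned char *)&frame, src, n);

    /* Epilogue: verify before returning. */
    return security_check_cookie_model(frame.cookie, frame_addr);
}

int main(void)
{
    /* Constructed inputs: one that fits, one that spills into the cookie. */
    const char ok[]  = "hello";
    const char bad[] = "AAAAAAAAAAAAAAAAAAAAAAAA";   /* 24 bytes of 'A' */

    printf("in-bounds copy:   cookie %s\n",
           copy_with_cookie(ok, sizeof ok) ? "intact" : "CORRUPT");
    printf("overflowing copy: cookie %s\n",
           copy_with_cookie(bad, sizeof bad) ? "intact" : "CORRUPT");
    return 0;
}
```

The in-bounds copy verifies, the overflowing one does not. In a real MSVC build the equivalent check is visible exactly as in the listing above: a routine that received a cookie calls @__security_check_cookie@4 just before its epilogue, so inspecting the compiler's assembly output for that call is the quickest way to confirm which routines the heuristic (or the pragma) actually protected.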

/SAFESEH Linker Option

This linker option is intended to protect exception handler records on the stack from being overwritten. Attackers will sometimes use this tactic in an effort to redirect the path of execution. If the /SAFESEH option is specified on IA-32 systems, the linker will insert a special table into the binary's header that contains a listing of the module's valid exception handlers. At runtime, when an exception occurs, the code in ntdll.dll responsible for dispatching exceptions will confirm that the corresponding exception handler record currently on the stack is one of the handlers listed in the header's table. If it's not, the code in ntdll.dll will bring things to a grinding halt.
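As an added example (not code from the book, and not ntdll's actual implementation), the program below models the check just described: a module carries a sorted table of handler RVAs, a registration record on the stack names a handler, and the dispatcher refuses to call any handler whose address is not in the table. The module_image and exception_registration structures, the simplified handler signature, the hypothetical base address 0x1000 bytes below the registered handler, and the helper names are all assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Handler signature in this model (the real SEH prototype takes exception
   and context records; simplified here). */
typedef void (*seh_handler_t)(int code);

/* Constructed stand-in for a loaded module: its base address and the sorted
   table of handler RVAs that /SAFESEH emits into the image (the real table
   lives in the load configuration directory; this model uses a plain array). */
struct module_image {
    uintptr_t       base;
    const uint32_t *handler_rvas;   /* ascending order */
    size_t          count;
};

/* Registration record as it sits on the stack: next link and handler pointer. */
struct exception_registration {
    struct exception_registration *next;
    seh_handler_t                  handler;
};

/* The check the text attributes to ntdll.dll: is this handler address one of
   the module's registered handlers? Binary search over the sorted RVA table. */
static int handler_is_registered(const struct module_image *m, uintptr_t handler_addr)
{
    uintptr_t rva;
    size_t lo = 0, hi = m->count;

    if (handler_addr < m->base)
        return 0;
    rva = handler_addr - m->base;
    if (rva > UINT32_MAX)
        return 0;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (m->handler_rvas[mid] < (uint32_t)rva)
            lo = mid + 1;
        else
            hi = mid;
    }
    return lo < m->count && m->handler_rvas[lo] == (uint32_t)rva;
}

/* Model dispatcher: validates the record it was handed before calling through
   it. Returns 0 when a registered handler ran, -1 when dispatch was refused
   (the point at which the real dispatcher halts the process). */
static int dispatch_exception(const struct module_image *m,
                              const struct exception_registration *rec, int code)
{
    if (!handler_is_registered(m, (uintptr_t)rec->handler))
        return -1;
    rec->handler(code);
    return 0;
}

/* Two constructed handlers: one "compiled into" the module and listed in its
   table, one that a corrupted record might point at. */
static int last_code_seen = -1;
static void registered_handler(int code)   { last_code_seen = code; }
static void unregistered_handler(int code) { (void)code; }

/* Builds the module image around registered_handler with a hypothetical base
   0x1000 bytes below it, so the handler's RVA is exactly 0x1000. */
static struct module_image build_module(void)
{
    static const uint32_t rvas[1] = { 0x1000 };
    struct module_image m;
    m.base = (uintptr_t)registered_handler - 0x1000;
    m.handler_rvas = rvas;
    m.count = 1;
    return m;
}

/* Dispatches through a stack record pointing at h and returns the verdict. */
static int try_dispatch(seh_handler_t h, int code)
{
    struct module_image m = build_module();
    struct exception_registration rec = { NULL, h };
    return dispatch_exception(&m, &rec, code);
}

int main(void)
{
    printf("registered handler:   %s\n",
           try_dispatch(registered_handler, 7) == 0 ? "dispatched" : "refused");
    printf("unregistered handler: %s\n",
           try_dispatch(unregistered_handler, 7) == 0 ? "dispatched" : "refused");
    return 0;
}
```

The registered handler runs; the unregistered one is refused without ever being called. For a real module, dumpbin /loadconfig on the built image shows whether a safe exception handler table was emitted at all, which is the practical check that the linker option took effect.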

4.6 The Native API

The core services that an operating system offers to user-mode applications are defined by a set of routines called the system call interface. These are the building blocks used to create user-mode APIs like the ANSI C standard library. Traditionally, operating systems like UNIX have always had a well-documented, clearly defined set of system calls. The Minix operating system, for example, has a system call interface consisting of only 53 routines. Everything that the Minix operating system is capable of doing ultimately can be resolved into one or more of these system calls.

Part I | 155