How to take advantage of stack protection features in modern embedded development tools

When developing embedded systems with MCUs at their core, a stack buffer overflow occurs when a software program writes data to the memory address range of the program call stack outside of a preset data structure (usually a fixed-length buffer). This will almost certainly corrupt nearby data or even change the return function. If this is intentional, it is known as stack smashing. One way to protect against stack buffer overflows is to use a stack canary, so named because it is similar to using canaries in coal mines to detect poison gas. Stack protection is now supported in all recent versions of leading development tools, represented by IAR Embedded Workbench.

Stack protection has become a must-have feature in the latest embedded development tools, but to implement stack protection in industry benchmark tools such as IAR Embedded Workbench for Arm, a heuristic algorithm is used to determine whether a function needs stack protection. If any local variable defined in a function is an array type or a structure type containing an array type member, then the function needs stack protection. In addition, if the address of any local variable is propagated outside the function, then the function also needs stack protection.

If a function needs stack protection, then the local variables of the function are arranged in order, placing the variables of array type at the highest possible address in the function stack. After these variables, a canary element is placed. At the function entry, the canary is initialized. The initialization value is taken from the global variable __stack_chk_guard. At function exit, the code verifies whether the canary element still contains the initialization value. If the value is changed, the function __stack_chk_fail is called.

Taking the widely used IAR Embedded Workbench for Arm embedded development tool as an example, use the Project>Options>C/C++ Compiler>Code>Stack protection option to enable stack protection for functions identified as requiring protection.

Alternatively, you can use the Project>Options>C/C++ Compiler>Extra Options page to enable stack protection by specifying the --stack_protection command line option.

Implementing stack protection in practical applications

To use stack protection, developers must define the following objects in their application:

• extern uint32_t __stack_chk_guard

The global variable __stack_chk_guard must be initialized before the first use. If the initialization value is random, it will be safer.

• __interwork __nounwind __noreturn void __stack_chk_fail(void)

The purpose of the __stack_chk_fail function is to notify that an error has occurred and then terminate the application. Please note that the return address of this function will point to the failure function.

The file stack_protection.c in the armsrclibruntime directory provides reference templates for the __stack_chk_guard and __stack_chk_fail functions.

Summarize

As the tight global semiconductor supply chain has not been alleviated, many embedded applications such as MCUs need to use development tools to maintain flexibility in the supply of core technologies and devices and maximize the reuse of completed software on different hardware platforms. In this case, both MCU chip developers and embedded system engineers need to use the most widely used development tools in the industry, such as IAR Embedded Workbench for Arm. Since these tools are also the result of years of cooperation between their developers and industry-leading MCU suppliers, they can provide corresponding assistance for different hardware resource systems and application environments, such as the stack protection function in IAR Embedded Workbench, so that embedded developers can achieve their R&D goals with a shorter R&D cycle.