/GS - Enable Security Checks (Windows Embedded CE 6.0)

1/5/2010

When you build with the /GS option, the compiler inserts code that detects direct buffer overruns that reach a function's return address. An overrun that overwrites the return address lets an attacker redirect execution, which is how code that does not enforce buffer size restrictions is typically exploited.

The following sample overruns a buffer. When built with /GS, the sample displays a message box and then terminates the process instead of returning through the overwritten address.

#include <cstring>

// Vulnerable function: copies its argument into a 10-byte local buffer
// with no length check. With /GS, a security cookie sits between buffer
// and the return address, so this overrun is detected when the function returns.
void vulnerable(const char *str)
{
   char buffer[10];
   strcpy(buffer, str); // overrun buffer !!!
}

int main()
{
   // declare a buffer that is bigger than expected: 43 characters plus
   // the terminating NUL, written into a 10-byte buffer
   char large_buffer[] = "This string is longer than 10 characters!!!";
   vulnerable(large_buffer);
}

Remarks

Buffer overruns are easier to exploit on processors, such as x86, whose calling conventions keep the return address of a function call on the stack, because a local buffer that overruns toward higher addresses can reach and overwrite that address.

When code is compiled with /GS, the compiler identifies functions that might be subject to buffer overruns (for example, functions with local character arrays) and, in each such function, stores a copy of a security cookie on the stack between the local buffers and the saved return address. A linear overrun writes toward the return address, so it must corrupt the cookie before it can reach that address. On function exit, a check inserted by the compiler compares the cookie on the stack with the global value; if it has changed, the CRT reports the failure and terminates the process rather than returning through the corrupted address.

For /GS to reliably protect against malicious attacks, the C Runtime (CRT) Library must be initialized during program startup, because the startup code is what replaces the well-known default cookie with a per-process value. To initialize the library correctly, set the image entry point to one of the CRT startup routines. For more information, see CRT Entry Points.

If you decide not to use one of the CRT entry points, you must call the function __security_init_cookie as early as possible in code execution, before any function that contains a buffer or exception handling is on the call stack. A function that is already on the stack saved the old cookie in its prologue; changing the global value underneath it makes that function's exit check fail, and the process is terminated as if an overrun had occurred. If the cookie is never initialized at all, every process runs with the same default value, which an attacker can simply include in the overrun data.
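The following C program is an added model of the cookie mechanism described above and of the initialization-order requirement; it is not the CE compiler's or CRT's code. It lays out one stack frame as a byte array in the assumed order buffer, cookie, saved return address, argument (32-bit slots, as on the 32-bit targets of CE 6.0), and stands in for __security_cookie, __security_init_cookie and the exit check with gs_cookie, gs_init_cookie and the comparison inside run_vulnerable. The frame layout, the default-cookie constant and the entropy handling are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout of one stack frame, 32-bit slots (the real compiler
 * chooses the layout; this is a model for illustration):
 *
 *   [ buffer[10] ][ cookie ][ saved return address ][ argument ]
 *   low addresses  --- an unchecked strcpy writes this way --->  high
 */
#define BUF_SIZE    10
#define COOKIE_OFF  (BUF_SIZE)
#define RETADDR_OFF (COOKIE_OFF + 4)
#define ARG_OFF     (RETADDR_OFF + 4)
#define FRAME_SIZE  (ARG_OFF + 4)

#define ORIGINAL_RETADDR 0x00401000u   /* pretend caller address */
#define ORIGINAL_ARG     0x00000042u   /* pretend argument value */
#define DEFAULT_COOKIE   0xBB40E64Eu   /* stand-in for the static default (assumption) */

/* Stand-in for the CRT's global __security_cookie, statically initialized
 * to the default until gs_init_cookie runs. */
static uint32_t gs_cookie = DEFAULT_COOKIE;

static uint32_t load32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void store32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Stand-in for __security_init_cookie: derive a per-process value from
 * run-time entropy (tick count, process id, ...; supplied by the caller
 * here) and make sure it is neither zero nor the well-known default. */
void gs_init_cookie(uint32_t entropy)
{
    uint32_t c = entropy ^ 0x9E3779B9u;
    if (c == 0 || c == DEFAULT_COOKIE)
        c ^= 0x00010000u;
    gs_cookie = c;
}

struct gs_result {
    int      check_passed;    /* 1 = exit check passed, or no check compiled in */
    uint32_t return_address;  /* value left in the saved-return-address slot */
    uint32_t argument;        /* value left in the argument slot */
};

/* Models the page's vulnerable() with an unchecked strcpy into buffer[10].
 * gs_enabled selects whether the prologue/epilogue cookie code is present. */
struct gs_result run_vulnerable(const char *input, int gs_enabled)
{
    uint8_t frame[FRAME_SIZE];
    struct gs_result r;
    size_t n = strlen(input) + 1;                   /* strcpy copies the NUL too */

    /* Prologue: caller placed return address and argument; with /GS the
     * compiler also stores the current cookie below the return address. */
    store32(frame + RETADDR_OFF, ORIGINAL_RETADDR);
    store32(frame + ARG_OFF, ORIGINAL_ARG);
    store32(frame + COOKIE_OFF, gs_enabled ? gs_cookie : 0);

    /* The overrun. Clamped to the modeled frame so this model stays within
     * defined behavior; a real strcpy would keep writing. */
    if (n > FRAME_SIZE) n = FRAME_SIZE;
    memcpy(frame, input, n);

    r.return_address = load32(frame + RETADDR_OFF);
    r.argument       = load32(frame + ARG_OFF);

    /* Epilogue: stand-in for __security_check_cookie. On a mismatch the real
     * CRT reports the failure and terminates the process instead of returning. */
    r.check_passed = gs_enabled ? (load32(frame + COOKIE_OFF) == gs_cookie) : 1;
    return r;
}

/* Models the ordering mistake the page warns about: initializing the cookie
 * from inside a function whose prologue already saved the old value. */
int late_init_trips_check(void)
{
    uint8_t frame[FRAME_SIZE];
    store32(frame + COOKIE_OFF, gs_cookie);         /* prologue saves the current value */
    gs_init_cookie(0x1234ABCDu);                    /* global changes underneath it */
    return load32(frame + COOKIE_OFF) != gs_cookie; /* 1: the exit check would fail */
}

int main(void)
{
    const char *big = "This string is longer than 10 characters!!!";  /* the page's input */
    gs_init_cookie(0x5EED1234u);
    struct gs_result safe = run_vulnerable("short", 1);
    struct gs_result bad  = run_vulnerable(big, 1);
    struct gs_result nogs = run_vulnerable(big, 0);
    printf("short input, /GS:   check %s, retaddr 0x%08x\n", safe.check_passed ? "ok" : "FAILED", safe.return_address);
    printf("long input, /GS:    check %s, retaddr 0x%08x\n", bad.check_passed ? "ok" : "FAILED", bad.return_address);
    printf("long input, no /GS: check %s, retaddr 0x%08x (silently hijacked)\n", nogs.check_passed ? "ok" : "FAILED", nogs.return_address);
    printf("late init trips the check: %d\n", late_init_trips_check());
    return 0;
}
```

Three things stand out when it runs: the 43-character input trips the check even though the return address has already been overwritten (the cookie detects the damage, it does not prevent it); without the cookie the same input silently leaves attacker-controlled bytes in the return-address slot; and late_init_trips_check shows why __security_init_cookie must run before any protected frame exists.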

/GS does not protect against all buffer overrun security attacks. For example, the cookie is checked only when the function returns, so an overrun that continues past the return address into the parameters area can corrupt an argument, such as a pointer, that the function still uses before the check runs. Overruns of heap buffers, and writes through an out-of-range index that skip over the cookie, are also outside what the cookie can detect.

Even if you use /GS, you should still write secure code: make sure that your code cannot overrun any buffer under any circumstances. /GS is a last line of defense that terminates the process after the overrun has already happened; bounds checking before the copy prevents it.
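The hardened counterpart of the page's vulnerable function, as an added example in C (not code from the original page): the length is checked before any byte is written, so the overrun never happens and /GS has nothing to catch. copy_checked, copy_truncating and hardened are names chosen here; BUF_SIZE stands for the page's 10-byte buffer.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 10

/* The page's vulnerable pattern, kept for contrast only: nothing stops
 * strcpy from writing past buffer[BUF_SIZE]; /GS can only notice the
 * damage afterwards, at function exit. Not called with oversized input
 * here, since that would be undefined behavior. */
void vulnerable(const char *str)
{
    char buffer[BUF_SIZE];
    strcpy(buffer, str);
    (void)buffer;
}

/* Hardened form 1: check before writing and refuse input that does not
 * fit, terminator included. Returns 0 on success, -1 when rejected. */
int copy_checked(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0 || len >= dst_size)   /* >= : leave room for the NUL */
        return -1;
    memcpy(dst, src, len + 1);              /* len + 1 copies the terminator */
    return 0;
}

/* Hardened form 2: when truncation is acceptable, copy at most dst_size-1
 * bytes and always terminate. strncpy alone does NOT terminate when src is
 * too long, so the explicit dst[dst_size - 1] = '\0' is essential.
 * Returns 1 if the input was truncated, 0 otherwise. */
int copy_truncating(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return 1;
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
    return strlen(src) >= dst_size;
}

/* The page's function with the check in place: the caller learns that the
 * input was refused instead of the process being killed by the /GS check. */
int hardened(const char *str)
{
    char buffer[BUF_SIZE];
    if (copy_checked(buffer, sizeof buffer, str) != 0)
        return -1;
    /* ... work with buffer ... */
    return 0;
}

int main(void)
{
    /* Constructed inputs: fits, exactly one byte too long, and the page's string. */
    const char *inputs[] = { "short", "0123456789", "This string is longer than 10 characters!!!" };
    char out[BUF_SIZE];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = hardened(inputs[i]);
        int truncated = copy_truncating(out, sizeof out, inputs[i]);
        printf("%-45s checked: %-8s truncating: \"%s\"%s\n", inputs[i],
               rc == 0 ? "accepted" : "REJECTED", out, truncated ? " (truncated)" : "");
    }
    return 0;
}
```

The boundary case matters: a 10-character string does not fit a 10-byte buffer, because the terminator needs the eleventh byte. That single NUL byte is exactly what overwrites the low byte of the cookie in the original sample when the input is just one character too long.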

See Also

Concepts

Unique Build Options

Other Resources

Differences Between Desktop and Device Compilers