For implementing StackFences I've used TCC, first version 0.9.16 and afterwards version 0.9.20. The SF.tgz file contains the modified files (tcc.c and i386-gen.c) of version 0.9.20. All the extra code is properly #ifdef'ed, though not as extensively commented.
StackFences uses auxiliary external variables and functions for controlling an application's execution. Their names start with ___stack and they are provided in separate modules that must be linked with the application. The 3 extra modules that I've used are also attached (in the extra.tgz file). Please read the previously referred documents for a better understanding of their purpose.
There is a small hack that is necessary to prepare an application to support StackFences: it must start with an alternative main() function that initializes the StackFences variables and watchdogs. You can find such a main() function in the extra modules previously referred (sf_prod.c and sf_debug.c). The main() function of these modules is then responsible for calling the application's own main function, which must be renamed ___sf_main(). Such renaming can easily be done with a #define in the application's source (before the definition of main()). This could instead be done by TCC itself, but I haven't figured out how to do it.
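The entry-point layout described above, as an added illustration written for this page: it is not the sf_prod.c or sf_debug.c shipped in extra.tgz, and the initialization those modules actually perform is not reproduced. The only name taken from the page is ___sf_main; the variable ___stack_ready, the function ___sf_init and the return codes 111/112 are assumptions made for the illustration. Both sides are shown in one file so it compiles stand-alone; in the real build the application's source keeps its main() and the #define shown in the comment renames it, while the wrapper main() comes from the linked StackFences module.

```c
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical StackFences run-time state.  The page only says that the
 * auxiliary variables start with ___stack and live in a separate module;
 * this particular variable is an assumption for the illustration. */
static int ___stack_ready = 0;   /* set once the wrapper's setup has run */

/* Hypothetical initialization done by the wrapper main() before the
 * application starts (the real modules also arm the watchdogs).
 * Returns 0 on success; a second call is harmless. */
static int ___sf_init(void)
{
    if (___stack_ready)
        return 0;
    ___stack_ready = 1;
    return 0;
}

/* ---- application side ------------------------------------------------
 * In the application's own source this function is still written as
 * main(); a #define placed before its definition renames it:
 *
 *     #define main ___sf_main
 *
 * so the object file exports ___sf_main instead of main and the linker
 * resolves main() to the wrapper in sf_prod.o / sf_debug.o.  Here the
 * renamed form is written out directly so the whole file is one unit. */
static unsigned long factorial(unsigned n)
{
    unsigned long r = 1;
    while (n > 1)
        r *= n--;
    return r;
}

int ___sf_main(int argc, char **argv)
{
    /* Assumed guard: if the wrapper did not run, the StackFences state
     * was never set up, so refuse to run unprotected. */
    if (!___stack_ready)
        return 111;
    unsigned n = argc > 1 ? (unsigned)strtoul(argv[1], NULL, 10) : 5;
    printf("%u! = %lu\n", n, factorial(n));
    return 0;
}

/* ---- wrapper side (the role sf_prod.c / sf_debug.c play) --------------- */
int sf_run(int argc, char **argv)
{
    if (___sf_init() != 0)
        return 112;                     /* assumed: setup failure code */
    return ___sf_main(argc, argv);      /* hand over to the application */
}

int main(int argc, char **argv)
{
    return sf_run(argc, argv);
}
```

The guard inside ___sf_main is a defensive addition for the illustration: it makes a link against the wrong entry point (an application built without the wrapper module) fail loudly instead of running without the StackFences variables initialized.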
Besides the basic StackFences protection mechanism, I've added to TCC two other complementary mechanisms, both based on the StackGhost technique of masking return addresses and frame pointers. The difference between the two is that the first (-SF_sghost) detects modifications of return addresses and frame pointers at the cost of slower code, while the second (-SF_fast_sghost) prevents such modifications and is faster.
The new options that I've added to TCC are the following:
| -SF_sghost | generate StackGhost-like return address checks |
| -SF_fast_sghost | generate StackGhost-like return address hiding |
| -SF_stack | generate StackFences code |
| -SF_all_vars | consider all local variables as vulnerable |
| -SF_dump <file> | dump StackFences' info into file |
| -SF_load <file> | load StackFences' info from file |
| -SF_external_check | check stack overflows externally (e.g. in syscalls) |
| -SF | same as -SF_sghost plus -SF_stack |
SF_sghost activates the slow StackGhost-like detection of modifications in return addresses and frame pointers.
SF_fast_sghost activates the fast StackGhost-like prevention of modifications in return addresses and frame pointers.
SF_stack activates StackFences' protection of potentially vulnerable stack variables.
SF_all_vars activates StackFences' protection of all stack variables.
SF_external_check generates StackFences' validation calls for the production policy. If it is not specified, the development policy is assumed (see the referred papers for details about the two policies).
SF_dump and SF_load are a hack for getting better code generation. The same source file is compiled twice, first with -SF_dump <filename> and then with -SF_load <filename>; in the second pass StackFences uses the information saved by the first to avoid allocating unneeded stack space and emitting useless NOPs in the functions' prologues.
For testing StackFences I also included a very simple test project with one source file and one sample Makefile (test.c and Makefile.sample). test.c contains a factorial function that performs a deliberately wrong memory access, which is detected by StackFences.
Please feel free to ask anything about StackFences and its implementation with TCC.