Mitigations Flashcards
Data Execution Prevention
- Goal: Prohibit the attacker from injecting code
- Defense assumption: If an attacker cannot inject code (as data), then the attacker cannot achieve code execution
- Solution: Page table extension, introduce NX-bit
- Good measure against code injection, but does not prevent from CFH/Code Reuse attacks
Address Space Randomization
- Attacker must know alternate tage to overwrite it
- ASR randomizes the process memory layout
- Helps against Code Reuse Attacks
-> Address Space Layout Randomization is a practical form of ASR
-> Focuses on blocks of memory (Heap, stack, code, executable, Nmap regions)
-> page-based
-> entropy is key to security
Stack Canary
- Protects against buffer overflows (RIP based CFH attacks)
- Protect integrity of RIP
-> Check before function returns - Limitation: Attacker does not know canary
Safe Exception Handling
- Exceptions are a way of indirect control flow transfer in C++
- Inline Exception Handling: compiler generates code that registers exceptions whenever a function is entered
-> individual exception frames are linked across stack frames
-> when an exception is thrown, the runtime system traces the chain of exception to find the corresponding handler - Exception Tables: Compiler emits per-function or per-object tables that link code addresses to program state with respect to exception handling
-> Throwing an exception becomes a range query in the corresponding table and locating the correct handler
Protection against Format String attacks
- Use FORTIFY_SOURCE
- Deprecate %n
- Check if all arguments are used
- Check if first argument is in a read-only area
What are the limitations of ASLR?
Information Leaks: If an attacker can exploit a vulnerability to leak memory addresses, they can bypass ASLR by obtaining the randomized addresses.
Partial Randomization: In some systems, ASLR may only provide limited entropy, meaning that not all addresses are fully randomized. This can reduce the effectiveness of ASLR, making it easier for an attacker to guess the correct addresses.
Non-randomized Regions: Certain parts of the memory, such as non-randomized regions or fixed offsets, can still be exploited if the attacker can find a way to use them.
Repetitive Execution: In scenarios where the same code is executed multiple times, an attacker might have multiple opportunities to probe the memory layout and eventually guess the randomized addresses correctly.
What is the role of the OS kernel in ASLR?
Memory Management: The OS kernel is responsible for managing the virtual address space of processes. This includes allocating memory for various segments such as the stack, heap, libraries, and executable code. To randomize these addresses, the kernel must implement ASLR at the time of memory allocation.
Loading Executables and Libraries: When a program is executed, the kernel loads the executable and its dependent libraries into memory. With ASLR, the kernel ensures that each time the program is loaded, the base addresses of these segments are randomized. This randomization is typically applied to:
- The stack and heap.
- Shared libraries
- Executable code.
- Memory-mapped files.
Address Space Layout Decisions: The kernel controls the layout of the address space for each process. By incorporating ASLR, the kernel changes the default base addresses of the memory regions, introducing randomness that makes it difficult for attackers to predict where specific code or data resides.
