buffer overflow Flashcards
(20 cards)
what is the text / code segment in the stack
stores the code / the executable instructions / the programme
what is the data segment
stores the initialised and uninitialised global and static variables
also stores the strings in s&n
what is the stack segment
data in use, command line arguments, local variables
what do we look at specifically in s&n
the stack segment
what is the difference in memory management in java/python compared to C#
python/java
- the interpreter/virtual machine takes care of what memory is accessed and when memory is released
C#
- you have to do it yourself
- if this is done wrong, an attacker can exploit the bug and make the application run arbitrary code
what is wrong with this code
#include <stdio.h>

/* deliberately vulnerable: gets() has no length limit, so input longer
   than 32 bytes overflows buffer[] into the surrounding stack */
void getname(void) {
    char buffer[32];
    gets(buffer);
    printf("Your name is %s.\n", buffer);
}

int main(void) {
    printf("Enter your name: ");
    getname();
    return 0;
}
if we manage to write more than the size of the buffer (32) it overflows into the surroundings
but the return address (saved instruction pointer) is also stored on the stack
the IP controls what is executed
and we can write on the stack
basically through this we can overwrite the return address
what is a buffer overflow
a program that writes data to a buffer beyond the intended boundaries
what can a buffer overflow be used for
overwrite local variables
overwrite return address
jump to existing code
jump to own code
describe shell code in buffer overflows
shell code (under Linux) is assembly code for execve("/bin/sh", NULL, 0)
some defences in modern linux
what do we use execve("/bin/sh", NULL, 0) for
some defences in modern linux; used to indirectly call a binary
that first calls setuid(0) and then spawns a shell
name all the defenses against buffer overflow
stack canary
NX bit
ASLR
use a memory safe programming language
use hardware-enhanced defenses like CHERI
how to defend against buffer overflows using C# code
use safe methods that have explicit length arguments
e.g. strncpy instead of strcpy
most unsafe functions have a safe equivalent
describe the stack canary defense in buffer overflows
- Intuition: it is hard for buffer overflows to keep variables untouched that are in-between.
- So, if we add a check with a random value and make it hard to guess, we can catch overflows.
/* canary sits between the local buffers and the saved return address;
   the value is chosen at random each run (1526378 is just the card's example) */
if (canary != 1526378) {
    crash();
}
return;
describe the NX Bit defense in buffer overflows
intuition:
data/stack should never contain executable code
the NX bit provides a hardware distinction between Text and Stack
used to mark non-executable areas
the program crashes if the instruction pointer points to an NX-marked area
describe the NX Bit counterattack
reuse code from the EXECUTABLE part of memory
jump to another function in the program
jump to a function from the standard C library
string together little pieces of existing code
describe the return to libc counterattack to NX Bit
libc -> standard C library
describe the ASLR defence
Intuition: to be able to run a successful exploit, you need to know the addresses of functions.
* Address space layout randomization (ASLR) adds a random offset to the stack and code base each time the program runs.
* Jumps in the program are altered to point to the right line.
* The idea is that it is now hard for an attacker to guess the address where they inject code or the address of particular functions.
* On by default in all OS.
what does ASLR mean
address space layout randomisation
what is the counterattack to ASLR
there is a nop slide
a big area of nop instructions in front of the code we want to call
increases the chance of guessing correctly
* If the stack is 2MB, I could inject 999000 bytes of nop followed by my shell code.
* I then guess a return address and hope it is somewhere in the 2MB of NOPs.
* If it is, the program slides down the NOPs to my shell code.
* Often used with other methods of guessing the randomness.
what is a nop-slide
a big area of nop instructions in front of the code we want to call
increases the chance of guessing correctly