Memory Attacks Flashcards
(24 cards)
In 64-bit, where are the arguments for a function passed?
The first 6 integer or pointer arguments go into registers; any further arguments are pushed onto the stack by the caller. (This is the System V AMD64 convention used on Linux; the Windows x64 convention passes only the first 4 in registers.)
In 32-bit, where are the arguments for a function passed?
On the stack, pushed right to left by the caller (cdecl), so the first argument sits just above the return address.
Name the 6 registers, in order, that integer and pointer function arguments are passed in on x64
RDI
RSI
RDX
RCX
R8
R9
Which registers are function results returned in?
RAX; a 128-bit integer result uses RDX for the upper half (RDX:RAX). Floating-point results come back in XMM0.
What is the RAX register?
The accumulator
What is the RIP register?
The instruction pointer: it holds the address of the next instruction to execute.
What does the RSP register point to?
The top of the stack, i.e. the lowest address currently in use (the stack grows towards lower addresses).
What does the RBP register point to?
The base of the current stack frame (not the bottom of the whole stack). Locals sit at negative offsets from RBP; the saved RBP is at [RBP] and the return address at [RBP+8].
Which registers are floating-point function arguments passed in?
XMM0 to XMM7
Describe what happens in memory when a function is called
The caller puts the arguments into the argument registers (extra ones are pushed onto the stack)
The call instruction pushes the return address (the old RIP) onto the stack
The callee's prologue pushes the old RBP onto the stack and sets RBP to the current RSP
The callee subtracts from RSP to reserve stack space for its local variables
What is a buffer overflow attack?
When data larger than a buffer is written into it, so the write runs past the end of the buffer and overwrites what lies above it on the stack, including the saved return address. Controlling the return address lets the attacker choose where the program resumes after the function returns.
How does the NX-bit defend against buffer overflow attacks?
The NX (No-eXecute) bit marks each memory page as executable or not, giving a hardware distinction between the text segment and the stack. Code should only be in the text segment, never on the stack, so the stack is mapped non-executable. If the instruction pointer is ever directed at the stack (for example at injected shellcode) the CPU faults and the program crashes instead of running the payload.
How does address space layout randomisation (ASLR) protect against buffer overflow attacks?
ASLR adds a random offset to the base addresses of the stack, heap and shared libraries (and of the executable itself if it is position-independent) each time a program runs. This makes it much harder for an attacker to know the address of a particular piece of code or data in advance; an address leak, for example from a format string bug, gives it back for the leaked region.
How do stack canaries protect against buffer overflow attacks?
A stack canary is a random value chosen when the process starts and kept outside the stack (in glibc it lives in thread-local storage). The function prologue copies it onto the stack between the local buffers and the saved RBP and return address. Before the function returns, the copy on the stack is compared with the original; if they differ the buffer has been overflowed and the program aborts (__stack_chk_fail) instead of returning to an attacker-controlled address.
What is use after free?
When a program frees a piece of memory and then accesses it again through a stale (dangling) pointer. The allocator may hand the same memory to a later allocation in the same program, possibly one holding attacker-controlled data, so the stale pointer now reads or writes the new object's contents.
What is double free?
When the same allocation is freed twice. The allocator's free list then holds that chunk twice, so it can be handed out twice, and two unrelated variables later in the program may point to the same address.
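Added example, not part of the original flashcards: a toy fixed-size allocator with a LIFO free list (an assumption made so the behaviour is deterministic; real allocators such as glibc's are far more complex, but they also hand the most recently freed chunk back first). It shows both the use-after-free card and the double-free card above: a dangling pointer observing the contents written through a later allocation, and a double free causing two later allocations to alias. The names toy_malloc, toy_free and TOY_FREE_AND_NULL are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* A toy fixed-size allocator with a LIFO free list (an assumption for
 * this example; real allocators such as glibc's are far more complex,
 * but their per-size free lists also return the most recently freed
 * chunk first, which is what makes these bugs exploitable). */
#define SLOT_SIZE  32
#define SLOT_COUNT 8

static unsigned char heap_pool[SLOT_COUNT][SLOT_SIZE];
/* Oversized on purpose so the double-free demo cannot overrun it. */
static int free_stack[SLOT_COUNT * 2];
static int free_top;

/* Reset the toy heap so each demo starts from the same state. */
void toy_heap_init(void) {
    free_top = 0;
    for (int i = SLOT_COUNT - 1; i >= 0; i--)
        free_stack[free_top++] = i;   /* slot 0 is handed out first */
}

void *toy_malloc(void) {
    if (free_top == 0) return NULL;
    return heap_pool[free_stack[--free_top]];
}

/* Like an unhardened allocator, this has no "already free?" check, so
 * freeing the same pointer twice pushes the same slot twice. */
void toy_free(void *p) {
    ptrdiff_t idx = ((unsigned char *)p - &heap_pool[0][0]) / SLOT_SIZE;
    free_stack[free_top++] = (int)idx;
}

/* Use-after-free: 'a' is still used after being freed, a later
 * allocation 'b' receives the same slot, and whatever is written through
 * 'b' is what the stale pointer 'a' now reads. */
bool demo_use_after_free(void) {
    toy_heap_init();
    char *a = toy_malloc();
    strcpy(a, "admin=0");
    toy_free(a);                  /* 'a' is now dangling */
    char *b = toy_malloc();       /* reuses the slot just freed */
    strcpy(b, "admin=1");         /* attacker-controlled contents */
    return a == b && strcmp(a, "admin=1") == 0;
}

/* Double free: the slot sits on the free list twice, so two distinct
 * later allocations are given the same address. */
bool demo_double_free(void) {
    toy_heap_init();
    char *a = toy_malloc();
    toy_free(a);
    toy_free(a);                  /* second free goes unnoticed */
    char *x = toy_malloc();
    char *y = toy_malloc();
    return x == y;
}

/* Caller-side mitigation: null the pointer after freeing, so a stale
 * use faults on NULL instead of reading reused memory, and a second
 * free becomes a no-op. */
#define TOY_FREE_AND_NULL(p) \
    do { if ((p) != NULL) { toy_free(p); (p) = NULL; } } while (0)

bool demo_free_and_null(void) {
    toy_heap_init();
    char *a = toy_malloc();
    TOY_FREE_AND_NULL(a);
    TOY_FREE_AND_NULL(a);         /* harmless now */
    char *x = toy_malloc();
    char *y = toy_malloc();
    return a == NULL && x != y;
}
```

Nulling the pointer only protects the one variable that was cleared; copies of the pointer elsewhere remain dangling, which is why the allocator-side checks (tcache double-free detection, safe-unlinking) matter as well.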
Where do canaries go on the stack?
Between the local variables (buffers) and the saved RBP and return address, at a lower address than both, so an overflow running upwards from a buffer has to overwrite the canary before it can reach the return address.
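Added example, not part of the original flashcards: a simulation of one x86-64 stack frame as a flat byte array, laid out in the order the cards describe (locals, then canary, then saved RBP, then the return address pushed by CALL). It serves the function-call, buffer-overflow and canary-placement cards above: an overlong copy into the 16-byte buffer reaches the return address, and because the canary sits below it the epilogue check notices. The frame offsets, the canary and address constants and the function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model of one x86-64 stack frame, lowest address first, as a flat byte
 * array so the arithmetic stays well defined (an assumption for this
 * example: a real frame is laid out by the compiler, but the ordering is
 * the same: locals, canary, saved RBP, then the return address). */
#define BUF_SIZE   16
#define OFF_BUF    0
#define OFF_CANARY (OFF_BUF + BUF_SIZE)
#define OFF_RBP    (OFF_CANARY + 8)
#define OFF_RET    (OFF_RBP + 8)
#define FRAME_SIZE (OFF_RET + 8)

typedef struct {
    uint64_t return_address;   /* what RIP becomes after RET */
    bool     canary_intact;    /* would __stack_chk_fail have fired? */
} frame_result;

/* Builds the frame, runs the "vulnerable function body" (an unbounded
 * copy of input into the 16-byte buffer), then performs the epilogue:
 * canary check and pop of the return address. The master canary would
 * live in thread-local storage in a real process; here it is a constant
 * whose lowest byte (first in memory, little-endian) is zero like
 * glibc's, so a strcpy-style overflow cannot write through it intact. */
frame_result run_frame(const unsigned char *input, size_t input_len) {
    const uint64_t master_canary = 0x4c6f7d1e2b9a3f00ULL;  /* constructed */
    const uint64_t saved_rbp     = 0x7ffc0000aa00ULL;      /* constructed */
    const uint64_t saved_ret     = 0x401136ULL;            /* constructed */
    unsigned char frame[FRAME_SIZE];
    memset(frame, 0, sizeof frame);
    memcpy(frame + OFF_CANARY, &master_canary, 8);
    memcpy(frame + OFF_RBP, &saved_rbp, 8);
    memcpy(frame + OFF_RET, &saved_ret, 8);

    /* Vulnerable body: copies input_len bytes regardless of BUF_SIZE. In
     * a real program this is strcpy/gets; the clamp to FRAME_SIZE only
     * keeps the simulation itself inside its own array. */
    size_t n = input_len < FRAME_SIZE ? input_len : FRAME_SIZE;
    memcpy(frame + OFF_BUF, input, n);

    /* Epilogue: compare the on-stack canary with the master copy, then
     * read back the return address RET would pop. */
    frame_result r;
    uint64_t canary_now, ret_now;
    memcpy(&canary_now, frame + OFF_CANARY, 8);
    memcpy(&ret_now, frame + OFF_RET, 8);
    r.canary_intact  = (canary_now == master_canary);
    r.return_address = ret_now;
    return r;
}

/* Benign input: fits in the buffer, nothing above it is touched. */
frame_result demo_benign(void) {
    const unsigned char input[] = "hello";
    return run_frame(input, sizeof input);
}

/* Attacker input: 16 bytes of filler, 8 bytes that land on the canary,
 * 8 on the saved RBP, then the address the attacker wants RIP to take
 * after RET (0x4011d6 is a constructed value). The return address is
 * indeed replaced, but the canary was trampled on the way there. */
frame_result demo_overflow(void) {
    unsigned char payload[FRAME_SIZE];
    uint64_t target = 0x4011d6ULL;
    memset(payload, 'A', sizeof payload);
    memcpy(payload + OFF_RET, &target, 8);
    return run_frame(payload, sizeof payload);
}
```

Without the canary check (or with the canary value leaked, for example through a format string bug, and written back in place), demo_overflow's frame would return straight to the attacker's address; that is the case NX and ASLR are layered on top of.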
What is a format string vulnerability?
When user input is used directly as the format string (printf(input) instead of printf("%s", input)), so nothing checks the number of % conversions in the string. Input containing many %p directives makes printf read arguments that were never passed: on x64 first the remaining argument registers, then successive values from the stack. This leaks addresses and canary values (defeating ASLR and canaries), and a %n directive turns the read into a write.
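Added example, not part of the original flashcards: the vulnerable printf(input) pattern next to its fixed form, plus a small checker for the rare case where a format string cannot be a literal. The checker counts the arguments a format would consume (treating %% as a literal and a * width as an extra argument) and flags %n; the set of modifier characters it skips is an assumption covering common C99 syntax. Function names are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable: the untrusted string is the format. With input such as
 * "%p %p %p %p %p %p %p" printf consumes arguments that were never
 * passed: on x86-64 SysV the remaining argument registers (RSI, RDX,
 * RCX, R8, R9) first, then successive 8-byte values up the caller's
 * stack, leaking addresses and canary values; "%n" would write to those
 * locations instead. Kept for reference; it is never called here. */
void echo_vulnerable(const char *untrusted) {
    printf(untrusted);            /* never do this */
}

/* Fixed: the format is a constant and the untrusted text is just data. */
int echo_safe(char *out, size_t out_size, const char *untrusted) {
    return snprintf(out, out_size, "%s", untrusted);
}

/* Defensive check for formats that cannot be literals (e.g. translated
 * messages): count the arguments the format would consume, treating
 * "%%" as a literal percent sign and a '*' width or precision as one
 * extra argument, and flag the "%n" write directive. The modifier set
 * below is an assumption covering common C99 syntax. */
int scan_format(const char *s, bool *writes_memory) {
    int args = 0;
    *writes_memory = false;
    for (const char *p = s; *p; p++) {
        if (*p != '%') continue;
        p++;
        if (*p == '%') continue;                     /* "%%" */
        /* flags, width, precision, positional and length modifiers */
        while (*p && strchr("-+ #0123456789.*$hlLqjzt", *p)) {
            if (*p == '*') args++;                   /* '*' eats an arg */
            p++;
        }
        if (*p == '\0') break;                       /* dangling '%' */
        if (*p == 'n') *writes_memory = true;
        args++;                                      /* the conversion */
    }
    return args;
}

/* True only if the format consumes no more than args_supplied arguments
 * and never writes memory. */
bool is_safe_format(const char *s, int args_supplied) {
    bool writes;
    int needed = scan_format(s, &writes);
    return !writes && needed <= args_supplied;
}
```

Compilers warn about echo_vulnerable under -Wformat-security; treating that warning as an error is the cheapest way to keep the pattern out of a code base.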
In x64 calls to libc what must you remember?
RSP must be 16-byte aligned at the point of the call, so its hex value must end in 0. Functions such as system() and printf() use SSE instructions (movaps) on stack memory that fault on a misaligned RSP; in a ROP chain, inserting a single ret gadget shifts RSP by 8 to fix the alignment.
What is a signed integer comparison vulnerability?
When a length or size is read as a signed integer and only checked against an upper bound (len < MAX). A negative value passes the check, but when it is then converted to an unsigned type (for example the size_t argument of memcpy) it becomes a huge positive value that would never have passed the size check, so the copy runs far past the buffer.
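Added example, not part of the original flashcards: the one-sided signed length check beside the fixed version, returning the size memcpy would be handed so the result can be inspected rather than crashing on a huge copy. MAX_LEN, the struct and the function names are assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_LEN 64   /* assumed buffer size for the example */

typedef struct {
    bool   accepted;   /* did the length check let the copy proceed? */
    size_t copy_len;   /* the value memcpy would actually receive */
} length_check;

/* Vulnerable: 'len' is a signed int taken from untrusted input (e.g. a
 * length field in a packet). Only the upper bound is checked, so -1
 * passes, and the implicit int -> size_t conversion at the memcpy call
 * turns it into SIZE_MAX. */
length_check check_length_vulnerable(int len) {
    length_check r = { false, 0 };
    if (len > MAX_LEN) return r;       /* rejects large, not negative */
    r.accepted = true;
    r.copy_len = (size_t)len;          /* what memcpy(dst, src, len) sees */
    return r;
}

/* Fixed: reject negative values explicitly. (Reading the length as an
 * unsigned type in the first place is the other common fix.) */
length_check check_length_fixed(int len) {
    length_check r = { false, 0 };
    if (len < 0 || len > MAX_LEN) return r;
    r.accepted = true;
    r.copy_len = (size_t)len;
    return r;
}

/* The actual copy, guarded by the fixed check plus a bound on the
 * destination, as defensive programming prescribes. Returns the number
 * of bytes copied or -1 if the length was rejected. */
int safe_copy(unsigned char *dst, size_t dst_size,
              const unsigned char *src, int len) {
    length_check c = check_length_fixed(len);
    if (!c.accepted || c.copy_len > dst_size) return -1;
    memcpy(dst, src, c.copy_len);
    return (int)c.copy_len;
}
```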
What is defensive programming?
Writing code that checks its own inputs and assumptions, such as bounds checks on lengths and indices, so that unexpected input is rejected instead of letting an attacker trigger unexpected behaviour
What is control flow integrity?
Ensures that code execution follows a pre-determined call graph: indirect calls and jumps may only go to valid targets, and returns may only go back to their call sites, so a hijacked function pointer or return address is detected rather than followed.
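Added example, not part of the original flashcards: a software forward-edge CFI check in which every indirect call goes through a wrapper that only allows targets from a pre-computed set of valid handlers. Production CFI (compiler instrumentation or hardware features) does this without a table lookup, and aborts rather than returning false; the handler functions, the dispatch table and the cfi_* names are assumptions for the example.

```c
#include <stdbool.h>
#include <stddef.h>

/* Software forward-edge CFI, as an illustration: the set of legitimate
 * indirect-call targets is fixed at build time, and cfi_call() refuses
 * any other address. Real CFI (e.g. Clang -fsanitize=cfi, Intel CET)
 * does this in the compiler or hardware and aborts on failure. */
typedef int (*handler_fn)(int);

int handler_add_one(int x) { return x + 1; }
int handler_double(int x)  { return x * 2; }

/* Exists in the binary but must never be reachable through the dispatch
 * table; a corrupted function pointer might be aimed at it. */
int admin_only_reset(int x) { return -x; }

static const handler_fn valid_targets[] = { handler_add_one, handler_double };

bool cfi_target_allowed(handler_fn fp) {
    for (size_t i = 0; i < sizeof valid_targets / sizeof valid_targets[0]; i++)
        if (valid_targets[i] == fp) return true;
    return false;
}

/* Performs the indirect call only if the target is in the allowed set.
 * Returns false (leaving *result untouched) instead of calling through
 * an unknown pointer; a real CFI failure aborts the process. */
bool cfi_call(handler_fn fp, int arg, int *result) {
    if (!cfi_target_allowed(fp)) return false;
    *result = fp(arg);
    return true;
}

/* Scenario: a dispatch table whose entry is overwritten by a memory bug
 * (simulated by assigning to it). The legitimate call goes through; the
 * corrupted one is blocked and the previous result is left unchanged. */
bool demo_cfi_blocks_corrupted_pointer(void) {
    handler_fn table[2] = { handler_add_one, handler_double };
    int r = 0;
    if (!cfi_call(table[1], 21, &r) || r != 42) return false;
    table[1] = admin_only_reset;          /* simulated corruption */
    return !cfi_call(table[1], 21, &r) && r == 42;
}
```

This covers only the forward edge; returns (the backward edge) are protected by canaries or a shadow stack, which is why CFI is listed alongside them rather than instead of them.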
State 5 defences against memory based attacks
Defensive programming
NX-bit
Stack Canaries
Control flow integrity
ASLR
What is the difference between a heap overflow and a stack overflow?
The layout of a stack frame is fixed by the compiler, so a stack overflow reliably reaches the saved return address. The heap is managed at run time, and it is not guaranteed that a program's allocations sit in one contiguous area in a known order, so a heap overflow overwrites whatever neighbouring chunk (another object's data or the allocator's metadata) happens to follow the buffer.