Week 3

Question 1

What is a non-executable stack?

Answer 1

This is a stack does not allow for the execution of any code. If an attacker injected their own shell code into the buffer, for example, they could not execute it simply by jumping back to it.

Question 2

What is Address Space Layout Randomization?

Answer 2

It makes it so that every time a program is run, a different set of memory locations is used so the hacker can’t just learn the layout and then run the program again to attack it.

Question 3

What do you do (as an attacker) if you can’t inject your own code?

Answer 3

You use existing code. Programs typically rely on libraries, so you can use the program’s code or code from its libraries.

Each piece of existing code you leverage is called a gadget. What you can do is chain gadgets together so that you can create your own new execution process/function.

Question 4

What are Stack Canaries?

Answer 4

They are provided by the compiler. They make sure that buffer overflow attacks are harder to perform.

The compiler puts data in between the control data and local variables. If an adversary passes the canary, it will overwrite it. The compiler can detect if the canary was overwtitten before it returns. If it’s been tampered with, it segfaults.

The attacker can still overflow and crash the program, but he can’t take over control.

We can’t add a canary to every pointer/buffer because it’s to expensive to verify it constantly.

Question 5

What happens if an attacker knows the canary’s value?

Answer 5

He can replicate it so it looks untouched. BUT, we have 3 defense mechanisms for this.

1) We can use null terinator characters for the canary so that when the attacker tries to replace the canary value of say 4 null terminating characters, it writes the firsty and strcpy stops since it’s instructed to stop at the first null character. So, the attacker can’t replicate the canary exactly. Memcpy can get around this though since it doesn’t stop at the null character and copies all values up to a certain number, so it’s not fool proof.
2) You can randomly generate the canary on every route. Since it’s random, the attacker will find it hard to figure out (reliably) what the canary is. Every time he is wrong, the program will crash and he needs to start again. But, starting again just gives a new random canary, so he has the same low probability of succeeding. However, if the attacker uses string format specifiers, he can print the values of the stack, learn the canary, and then take over by replicating the canary.
3) You can return an XOR of the RA and EBP which makes it harder for the attacker to replace the canary. The attacker would have to change the RA and EBP to replicate the canary. This is still doable though. It’s just more annoying for the attacker.

Question 6

What is Bounds Checking?

Answer 6

It makes sure that we don’t have more data than we can fit in our buffer. But, if it’s done inefficiently, it will take too much time to do and can’t be used.

Question 7

What is an Electric Fence?

Answer 7

It’s a memory page where if you try to access it, the program just crashes.

They are onlty useful for the heap and are not useful for the stack. It only works on dynamically allocated memory.

Question 8

How does an Electric Fence work?

Answer 8

You allocate your memory pages for your data, and then what we do is we allocate a memory page that serves as an electric fence.

The property of the electric fence is we use the mprotect system call that makes sure that the page has no access privileges whatsoever. So, if the CPU is copying data, doing Loads or Stores, the second it tries to access an address in this memory page, it will trigger a segfault.

SO, if we call malloc and allocate another buffer, (the upper one), we give it another electric fence.

Question 9

What are the pros and cons of the Electric Fence?

Answer 9

PROS:

It works well in terms of performance since it’s done by hardware.

Great for debugging software.

CONS:

It causes the program to crash in the event of a buffer overflow.

It doesn’t really work with the stack.

They are not efficient in terms of space. Pages have a minimum size (usually 4kb) which is too big if you’re going to have a lot of fences.

Question 10

What is a Fat Pointer?

Answer 10

This is another option for bounds checking. Typically, our current pointers consist of one memory word (32-bits in a 32-bit architecture).

Fat Pointers are pointers that have metadata. They have 3 memory words and include the start address, end address, and the current address being pointed to.

Question 11

What is an example of a Fat Pointer?

Answer 11

For simplicity, assume the return memory address starts at 0 and goes to 3. The current address we are pointing to points to 0, the start of the memory region we were allocated. We then have a pointer we create called x + 1 = y.

It inherits the space of x, and the current position will be 1. If we try to access X[3], this will be okay because it’s within the limits.

But if we try to access Y[3] that isn’t okay because it’s technically going to be the current of Y which is 1 + 3 = 4 which is greater than the end offset which is 3, so our check fails.

Question 12

What is the drawback of using Fat Pointers?

Answer 12

Pointers in general are everywhere, so adding this to all pointers ias way too much space eaten up by fat pointers.

Fat pointers also don’t play nicely with legacy libraries and other languages. They aren’t in older code or other languages so they cause problems.

With Fat Pointers, updates are no longer atomic, meaning that id two threads are accessing a pointer, one thread can modify the start of it, while the other is modifying the index we are looking at. This means you could access out of bounds which shouldn’t be possible.

Question 13

What are Low Fat Pointers?

Answer 13

They have the flavor of encoding metadata in the pointer, but they fit in 64 bits.

Question 14

What is another term for Data Execution Prevention?

Answer 14

It’s also called setting the non-executable bit.

Question 15

What is Data Execution Prevention or Setting the Non-executable Bit?

Answer 15

This is where we make the stack completely non-executable. This prevents the attacker from executing the code they injected into the stack.

Memory pages come with three permission bits: Read, Write, Execute. We are setting the execute bit to 0.

The Idea: memory pages should be writeable XOR executable.

Question 16

Who sets the NX bit?

Answer 16

Compiler Annotates, Loader Sets.

It’s a collaboration between software and hardware. The loader takes your binary and creates the address space.

The compiler produces a binary. This has the headers that describe or change the sections of memory.

Some of these headers have flags that annotate the sections as write, for example. If you set a section as write, you then DON’T set the execution flag (SHF_EXECINSTR). This way, the stack is non-executable.

The compiler doesn’t set the bits, but it gives the direction. The loader, when actually loading your program, will parse the binary, look at the headers, and if it finds a section that does not have the execution flag, then it will set the NXBit for that page to 0.

Question 17

Who enforces DEP?

Answer 17

The Memory Management Unit (MMU). It checks page permissions when a request is made to do something.

Question 18

What are the drawbacks of DEP?

Answer 18

It also prevents some benign code writin. In java and other languages, there is just-in-time compiling which dynamically changes teh code as the program runs. The MMU may thwart this.

An attacker can still change the RA and use gadgets to hijack control flow. For example, the System function in libc can still be given an argument and you can open a shell.

Question 19

What is the default for DEP?

Answer 19

By default, the stack is non-executable. This was disabled in our project 1.

Question 20

What is Return-oriented Programming?

Answer 20

This is a more advanced buffer overflow attack. It bypasses data execution prevention (NX Bit) so that code injection from an attacker isn’t possible.

If the attacker can’t inject their own code, they can use existing code like we talked about before.

Question 21

What is Return-to-Libc?

Answer 21

The idea is that the application links libc functions like System to the shell. So whatever arg you give it, it will just call it as if it were a shell.

So you can tell it to open another shell. The system is very powerful. You just find the address of the function in memory and return to it.

You do need to set up the stack before returning, but that is straightforward.

Question 22

How do we spot gadgets we can use?

Answer 22

Look for ret instruction and then work backwards. We look for ret instructions because they can return control or change the instruction pointer to somewhere we want.

Useful gadgets are things like pop, push, or something that modifies a register.

Question 23

How does chaining gadgets work?

Answer 23

The key idea is to set up the stack just right.

Now we fill in the buffer, and replace the return address with A, the first gadget. It performs a pop and then it returns. This pops the current value on the stack and puts it in whichever register we are pointing to, which in this case is %eax. So not only do we need to modify A, but in the args, we should replace them with 0x4. Then we want to put the RA of B in the slot above that. Then above B, we want to put the value that we want to pop out of, and then above that, we want to place c.

Question 24

What is ASLR

Answer 24

It’s a defense provided by the OS. The attacks we’ve discussed are possible because an attacker can learn precise memory locations for certain things. The attacker needs that information to be successful.

ASLR randomizes the start address of the stack, heap, program code, libraries and data on each run of the program.

If the attaxker has a copy of the binary, the address space on their machine is different than that on the target’s machine.

Question 25

What does the Dynamic Linker Command (lld) do Linux?

Answer 25

It determines where things are in memory with respect to shared libraries.

Question 26

What does memory look like when ASLR is being used?

Answer 26

It’s not entirely random each time, but things change slightly. We just shift the start address of the stack by some offset.

Question 27

What does ASLR NOT do?

Answer 27

It does not randomize the executables (static libraries and program code) by default. They must be compiled to be position iondependent, which means the code is compiled so it can execute properly regardless of where in memory it is.

Compiling as position independent is NOT default. You need the fPIE flag for this.

If this is not done, an attacker can still call libc functions and launch ROP attacks. Gadgets can still be constructed. This is all because they know where things will be.

Question 28

What does ASLR randomize in Linux?

Answer 28

The Stack

The executable (if PIE is set)

The Heap

Shared libraries

Question 29

How much wiggle room is there when ASLR picks random places or things to start?

Answer 29

There isn’t a lot of wiggle room between sections. In 32-bit architecture, there is only 8 bits of offset opportunity. In a 62-bit architecture though, this is totally different and there is a lot more wiggle room.

When we have much more wiggle room, the vast majority of address spave is unused.

Question 30

Who performs ASLR?

Answer 30

The compiler ensures the program does not rely on absolute addresses.

The loader (kernel) randomizes the address space when the process starts. It reads from the binary file, checks if things are position independent, and then it randomizes starting addresses.

The dynamic linker resolves needed absolute addresses at runtime.

Question 31

How can we bypass ASLR?

Answer 31

If the app is not compiled with data execution prevention with the NX bit, there are ways to deal with the program.

This allows the stack and heap to be executable. So what some hackers do is inject their code all over memory so that if you return to some random address, or an educated guess on where you think your injected code might be, you will more likely hit your instructions and your attack will continue.

Question 32

What is a NOP slide?

Answer 32

0x90 in x86 does nothing. It’s called NOP for “no operation” instruction.

This is very useful for padding shellcode. You can prepend many 0x90 instructions before your shellcode and even add some to the end if needed, so that if ASLR is enabled and you set your return address to the general area that starts the buffer, the CPU will land somewhere on the NOPs you inputted in the buffer, and it will run up the buffer, doing nothing at each of them until it hits the shellcode.

This only works if DEP is disabled.

Question 33

When NOP is run, what is it doing exactly?

Answer 33

It is performing an exchange between eax and eax register, so it essentially does nothing. It changes NO behavior which is why it’s useful for the NOP slide.

When ASLR is enabled, our stack could be higher up or lower down. So, the random offset could manifest itsel bt saying our buffer could start higher iup or lower down. By prepending the NOPs to our shellcode, we ensure we land in it and can run up to our shellcode instead of landing mid-shellcode.

In short, this allows us to land at a random place at the beginning of the buffer rather than having to land at a specific memory address which may or may not work (most likely not) if ASLR is enabled.