Buffer Overflow
List and briefly describe some of the defenses against buffer overflows that can be implemented when running existing, vulnerable programs.
+ Executable Address Space Protection: this is setting a no-execute bit in the Memory Management Unit (MMU) to tag pages of virtual memory as being nonexecutable. + Address Space Randomization: this is changing that address at which the stack or a library is located in a random manner for each process. + Guard Pages: These pages lie between critical regions of memory. Any attempt to access them results in the process being aborted.
List and briefly describe some of the defenses against buffer overflows that can be used when compiling new programs.
+ Using a modern high-level programming language + Safe Coding Techniques, such as range checks and using safe functions + Use of safe libraries + Stack Protection Mechanisms, eg. check the stack frame for corruption, using a canary value
Define buffer overflow.
A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system.
Describe how a return-to-system-call attack is implemented and why it is used.
A return-to-system-call attack is usually starting with a buffer overflow in which the return address on the stack is replaced by the address of another instruction and an additional portion of the stack is overwritten to provide arguments to this function. This allows attackers to call preexisting functions without the need to inject malicious code into a program. It has been developed to circumvent the nonexecutable stack limitation.
Describe how a stack buffer overflow is implemented.
A stack buffer overflow occurs when the targeted buffer is located on the stack, usually as a local variable in a function's stack frame. The exploits include an unchecked buffer overflow resulting from the use of the C gets() function. The program tries to put more data into a byte array than it is allowed to hold, thus overwriting parts of the adjacent memory.
What types of programming languages are vulnerable to buffer overflows?
Assembly languages and C and its derivatives.
What are the two broad categories of defenses against buffer overflows?
Compile-time defenses, which aim to harden programs to resist attacks in new programs Run-time defenses, which aim to detect and abort attacks in existing programs
What are the two key elements the must be identified in order to implement a buffer overflow?
Identification of a buffer overflow vulnerability that can be triggered using externally sourced data under the attackers control Understanding of how that buffer will be stored in the process memory and hence the potential for corrupting adjacent memory locations and potentially altering the flow of execution of the program.
Describe how a heap buffer overflow attack is implemented.
Memory on the heap is dynamically allocated by the application at run-time and typically contains program data. Exploitation is performed by corrupting this data in specific ways to cause the application to overwrite internal structures such as linked list pointers.
List some of the different operations an attacker may design shellcode to perform.
Set up a listening service to launch a remote shell when connected to, create a reverse shell that connects back to the hacker, use local exploits that establish a shell, flush firewall rules that currently prevent other attacks.
What restrictions are often found in a shellcode, and how can they be avoided?
Shellcode has to be position independent, cannot contain any NULL values. The first can be avoided using a tricky combination of CALL instructions to obtain the actual position. The second is avoided by using the XOR function of a register value with itself to generate zero values as the code runs.
Define shellcode.
The act of transferring the execution to code supplied by the attacker that is often saved in the buffer being overflowed is known as shellcode. (Traditionally its function was to transfer the control to a command-line interpreter.)
Describe what a NOP sled is and how it is used in a buffer overflow attack.
This a mechanism to determine the starting address of the code the attacker wants to execute. The attacker can exploit the fact that the code is often much smaller than the space available in the buffer. By placing the code near the end of the buffer, the attacker can pad the space before it with NOPs. Because these instructions do nothing, the attacker can specify the return address used to enter this code as a location somewhere in this run of NOPs which is called a NOP sled. This allows the attack to succeed even if the attacker's guess of the actual buffer address is not precise.
Describe how a global data area overflow attack is implemented.
This attack involves buffers located in the program's global (or static) data area. If unsafe buffer operations are used, data may overflow a global buffer and change adjacent memory locations, including one with a function pointer. Later the attacked program may call the overwritten function pointer and will transfer control to shellcode of the attacker's choice.
What are the possible consequences of a buffer overflow occurring?
corruption of data used in the program, unexpected transfer of control in the program, memory access violations, eventual program termination
List the three distinct types of locations in a processes address space that buffer overflow attacks typically target.
stack, heap or data section of a process