P1_L2-Chapter10-Buffer Overflow
List and briefly describe some of the defenses against buffer overflows that can be implemented when running existing, vulnerable programs.
+ Executable Address Space Protection: setting a no-execute bit in the Memory Management Unit (MMU) to tag pages of virtual memory as being non-executable.
+ Address Space Randomization: changing the address at which the stack or a library is located in a random manner for each process.
+ Guard Pages: these pages lie between critical regions of memory. Any attempt to access them results in the process being aborted.
List and briefly describe some of the defenses against buffer overflows that can be used when compiling new programs.
+ Using a modern high-level programming language
+ Safe coding techniques, such as range checks and using safe functions
+ Use of safe libraries
+ Stack protection mechanisms, e.g. checking the stack frame for corruption using a canary value
Restrictions on shell code
1. It must be position independent
2. It cannot contain any null values
Define buffer overflow.
A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system.
Describe how a return-to-system-call attack is implemented and why it is used.
A return-to-system-call attack usually starts with a buffer overflow in which the return address on the stack is replaced by the address of another instruction, and an additional portion of the stack is overwritten to provide arguments to this function. This allows attackers to call preexisting functions without the need to inject malicious code into a program. It was developed to circumvent the non-executable stack limitation.
Describe how a stack buffer overflow is implemented.
A stack buffer overflow occurs when the targeted buffer is located on the stack, usually as a local variable in a function's stack frame. The exploits include an unchecked buffer overflow resulting from the use of the C gets() function. The program tries to put more data into a byte array than it is allowed to hold, thus overwriting parts of the adjacent memory.
What types of programming languages are vulnerable to buffer overflows?
Assembly languages and C and its derivatives.
What are the two broad categories of defenses against buffer overflows?
Compile-time defenses, which aim to harden new programs to resist attacks.
Run-time defenses, which aim to detect and abort attacks in existing programs.
A buffer can be located _____
A. In the heap
B. On the stack
C. In the data section of the process
D. All of above
D. All of above
A consequence of a buffer overflow error is _____
A. corruption of data used by the program
B. unexpected transfer of control in the program
C. possible memory access violation
D. all of the above
D. All of above
__ is a form of buffer overflow attack.
A. Heap overflows
B. Return to System call
C. Replacement stack frame
D. All of above
D. All of above
An attacker can generally determine in advance exactly where the targeted buffer will be located in the stack frame of the function in which it is defined.
False
It is possible to write a compiler tool to check any C program and identify all possible buffer overflow bugs.
False
Shellcode is not specific to a particular processor architecture
False
A run-time defense implemented by placing these between critical regions of memory in the process address space
Guard pages
Exploiting overflows in buffers located elsewhere in the process address space. One possible target is a buffer located in memory dynamically allocated from the heap.
Heap overflows
What are the two key elements that must be identified in order to implement a buffer overflow?
1. Identification of a buffer overflow vulnerability that can be triggered using externally sourced data under the attacker's control.
2. Understanding of how that buffer will be stored in the process memory, and hence the potential for corrupting adjacent memory locations and potentially altering the flow of execution of the program.
Describe how a heap buffer overflow attack is implemented.
Memory on the heap is dynamically allocated by the application at run-time and typically contains program data. Exploitation is performed by corrupting this data in specific ways to cause the application to overwrite internal structures such as linked list pointers.
A run of NOP instructions with the return address pointing somewhere in the middle of it, to deal with the inability to precisely determine the starting address at which to put the attacker's code
NOP sled
Can the openSSL heartbleed vulnerability be avoided with non-executable stack?
No
Does ASLR protect against read-only buffer overflow attacks?
No
Support from the processor's memory management unit to tag pages of virtual memory as being non-executable
No-execute bit
A generic restriction on the content of shellcode: it cannot contain any absolute address referring to itself, because the attacker generally cannot determine in advance exactly where the target buffer will be located in the stack frame of the function in which it is defined.
Position independent
A variant of stack overflow: this attack overwrites the buffer and the saved frame pointer address. The saved frame pointer value is changed to refer to a location near the top of the overwritten buffer, where a dummy stack frame has been created with a return address pointing to the shellcode lower in the buffer.
Replacement stack frame
A variant attack in which the return address is changed to jump to existing code on the system
Return to system call
List some of the different operations an attacker may design shellcode to perform.
Set up a listening service to launch a remote shell when connected to, create a reverse shell that connects back to the hacker, use local exploits that establish a shell, flush firewall rules that currently prevent other attacks.
Code supplied by an attacker and often saved in the buffer being overflowed, so the attacker can transfer execution of the program to the shellcode
Shell code
The function of _______ was to transfer control to a user command-line interpreter, which gave access to any program available on the system with the privileges of the attacked program
Shellcode
What restrictions are often found in a shellcode, and how can they be avoided?
Shellcode has to be position independent, cannot contain any NULL values. The first can be avoided using a tricky combination of CALL instructions to obtain the actual position. The second is avoided by using the XOR function of a register value with itself to generate zero values as the code runs.
Occurs when the targeted buffer is located on the stack, usually as a local variable in a function's stack frame
Stack buffer overflow/Stack smashing
A structure on the stack that stores the return address during a function call; it also stores local variables and the parameters passed to the function, and possibly saved register values too.
Stack frame
Define shellcode.
The act of transferring the execution to code supplied by the attacker that is often saved in the buffer being overflowed is known as shellcode. (Traditionally its function was to transfer the control to a command-line interpreter.)
Return-to-libc
The return address is overwritten to point to a standard library function
Describe what a NOP sled is and how it is used in a buffer overflow attack.
This is a mechanism to deal with not knowing the exact starting address of the code the attacker wants to execute. The attacker can exploit the fact that the code is often much smaller than the space available in the buffer. By placing the code near the end of the buffer, the attacker can pad the space before it with NOPs. Because these instructions do nothing, the attacker can specify the return address used to enter this code as a location somewhere in this run of NOPs, which is called a NOP sled. This allows the attack to succeed even if the attacker's guess of the actual buffer address is not precise.
Describe how a global data area overflow attack is implemented.
This attack involves buffers located in the program's global (or static) data area. If unsafe buffer operations are used, data may overflow a global buffer and change adjacent memory locations, including one with a function pointer. Later the attacked program may call the overwritten function pointer and will transfer control to shellcode of the attacker's choice.
ASLR can prevent return-to-libc attacks.
True
The OpenSSL heartbleed vulnerability would have been prevented if OpenSSL had been implemented in Java.
True
To exploit any type of buffer overflow, the attacker needs to identify a buffer overflow vulnerability in some program that can be triggered using externally sourced data under the attacker's control.
True
Do stack canaries prevent return-to-libc buffer overflow attacks?
Yes
A condition at an interface under which more info can be placed into a buffer or data holding area than the capacity allocated, overwriting other information
buffer overflow
What are the possible consequences of a buffer overflow occurring?
corruption of data used in the program, unexpected transfer of control in the program, memory access violations, eventual program termination
Shell code
creates a shell which allows it to execute any code the attacker wants
Heap overflows
data stored in the heap is overwritten. Data can be tables of function pointers.
OpenSSL Heartbleed vulnerability
Reads much more of the buffer than just the intended data, which may include sensitive data.
List the three distinct types of locations in a process's address space that buffer overflow attacks typically target.
stack, heap or data section of a process