Buffer overflow questions
What are some defenses of an ROP attack?
1) enforcing control flow 2) detect abnormal ret frequency 3) deterministic gadget removal 4) randomized binaries
Where are the 3 places to jump in a buffer overflow attack?
1. buffer 2. environment variable 3. function
What is a return to LibC attack?
A buffer overflow attack in which the return address is overwritten to point to a standard library function (like System).
How does a non-executable stack prevent a traditional buffer overflow from occurring?
A non-executable stack prevents shellcode from being executed.
What is a gadget?
A small sequence of instructions ending in a return
How is a canary used to detect buffer overflows?
A value is placed on the stack, and the program can check if the value has changed at the end of the function. A different value indicates an overflow.
How does artificial diversity prevent buffer overflows?
Artificial diversity randomly arranges the position of key data areas to prevent the attacker from predicting the address space.
What is the order of the stack?
Buffer -> EBP -> Return Address -> Parameters
How can one protect against buffer overflows at the compiler level?
By detecting and blocking exploit attempts
How can one protect against buffer overflows at the program level?
By eliminating vulnerabilities
How can one protect against buffer overflows at the OS level?
By making exploitation more difficult
What is chaining?
Concatenating multiple function calls to invoke a shell or perform an attack.
What does the attacker have control over even if the stack is non-executable?
Control stack content and the EIP value
What does Return Object Programming use?
Gadgets
What is the main cause of buffer overflow attacks?
Humans writing bad code
What are the benefits of jumping into an environmental variable in a buffer overflow attack?
It is easy to implement and works with small buffers.
What are the drawbacks of jumping into an environment variable in a buffer overflow attack?
It only works locally and the stack must be executable.
What is the benefit of jumping directly into the buffer in a buffer overflow attack?
It works for remote attacks.
What are the benefits of jumping to a program function in a buffer overflow?
It works remotely and does not require an executable stack.
What is the bit that prevents shellcode from being executed?
NX bit
What problems do NOP sleds solve?
Needing to know the exact address of the buffer because it increases the target area.
How is the call instruction used in buffer overflow attacks?
Puts the return address back on the stack.
What does ROP stand for?
Return Oriented Programming
How can humans use in their programs to help prevent buffer overflow attacks?
Safe libraries (LibSafe)
What are three types of canaries?
Terminator, random, and random xor.
What are the drawbacks of jumping into the buffer in a buffer overflow?
The attacker needs to know the address of the buffer and the stack must be executable
What are the drawbacks of jumping to a program function in a buffer overflow?
You need to find the right code.
What is a program that solves the zeros problem in buffer overflows?
msfencode
