DOCSLIB.ORG

Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Attacking Systems Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns This article describes three powerful general-purpose families of exploits for buffer overruns: arc injection, pointer subterfuge, and heap smashing. These new techniques go beyond the traditional “stack smashing” attack and invalidate traditional assumptions about buffer overruns. JONATHAN ecurity vulnerabilities related to buffer overruns fact practical for PINCUS account for the largest share of CERT advi- real-world vulnera- Microsoft sories, as well as high-profile worms—from the bilities. The Apache/Open_SSL Slapper worm1 was the Research S original Internet Worm in 1987 through first high-profile worm to employ heap smashing. Blaster’s appearance in 2003. When malicious crackers The wide variety of exploits published for the stack BRANDON discover a vulnerability, they devise exploits that take ad- buffer overrun that Microsoft Security Bulletin MS03- BAKER vantage of the vulnerability to attack a system. 0262 addressed (the vulnerability exploited by Blaster) Microsoft The traditional approach to exploiting buffer over- further illustrates the viability of these new techniques. runs is stack smashing: modifying a return address saved Table 1 shows a few examples. on the stack (the region of memory used for parame- These new approaches typically first surface in non- ters, local variables, and return address) to point to code traditional hacker publications. (For more discussion of the attacker supplies that resides in a stack buffer at a this, including references to the origins of many of these known location. Discussions of buffer overrun ex- techniques, see the “Nontraditional literature” sidebar on ploitation in software engineering literature typically page 26.) A few brief summaries in the mainstream liter- concentrate on stack-smashing attacks. As a result, ature,3,4 and recent books (such as Exploiting Software: many software engineers and even security profession- How to Break Code5 and The Shellcoder’s Handbook: Discov- als seemingly assume that all buffer overrun exploits ering and Exploiting Security Holes6), also discuss some of operate in a similar manner. these techniques. During the past decade, however, hackers have de- Understanding new approaches to exploitation is vital veloped several additional approaches to exploit buffer for evaluating countermeasures’ effectiveness in address- overruns. The arc injection technique (sometimes re- ing the buffer overrun problem. Failure to consider them ferred to as return-into-libc) involves a control transfer leads people to suggest overly simplistic and worthless to code that already exists in the program’s memory “solutions” (for example, “move all the buffers to the space. Various pointer subterfuge techniques change the heap”) or to overstate the value of useful improvements program’s control flow by attacking function pointers (for instance, valuable mitigation methods such as a (pointer variables whose value is used as an address in a nonexecutable stack, which many mistakenly view as a function call) as an alternative to the saved return ad- silver bullet). dress, or modify arbitrary memory locations to create more complex exploits by subverting data pointers. Exploiting buffer overruns Heap smashing allows exploitation of buffer overruns A buffer overrun occurs when a program attempts to read in dynamically allocated memory, as opposed to on or write beyond the end of a bounded array (also known the stack. as a buffer). In runtime environments for languages such as While these techniques appear esoteric, they are in Pascal, Ada, Java, and C#, the runtime environment de- 20 PUBLISHED BY THE IEEE COMPUTER SOCIETY I 1540-7993/04/$20.00 © 2004 IEEE I IEEE SECURITY & PRIVACY Authorized licensed use limited to: IEEE Xplore. Downloaded on March 17, 2009 at 14:46 from IEEE Xplore. Restrictions apply. Attacking Systems Table 1. Different exploits of Microsoft Security Bulletin MS03-026. AUTHOR TECHNIQUE COMMENTS Last Stage of Delirium Unknown Original report; specific exploit was never published XFocus Stack smashing Apparently used by Blaster author Litchfield Pointer subterfuge Cigital Pointer subterfuge Unpublished K-otic Arc injection Authors of this article Pointer subterfuge and arc injection Unpublished tects buffer overruns and generates an exception. In the runtime environ- (a) ment for C and C++, however, no void f1a(void * arg, size_t len) { such checking is performed. Attack- char buff[100]; ers can often exploit the defect by memcpy(buff, arg, len); /* buffer overrun if len > 100 */ using the buffer overrun to change the /* ... */ program’s execution. Such exploits return; can in turn provide the infection vec- } tor for a worm or a targeted attack on a given machine. (b) A buffer overrun is characterized void f1b(void * arg, size_t len) { as a stack buffer overrun or heap buffer char * ptr = malloc(100); overrun depending on what memory if (ptr == NULL) return; gets overrun. C and C++ compilers memcpy(ptr, arg, len); /* buffer overrun if len > 100 */ typically use the stack for local vari- /* ... */ ables as well as parameters, frame return; pointers, and saved return addresses. } Heaps, in this context, refer to any dynamic memory implementations Figure 1. Code samples with traditional (simple) buffer overrun defects. (a) A stack such as the C standard library’s mal- buffer overrun and (b) a heap buffer overrun. loc/free, C++’s new/delete, or the Microsoft Windows APIs Heap- Alloc/HeapFree. Figure 1 provides examples of causes the buffer overrun, but this need not be the case. functions containing a stack buffer overrun (a) and heap All that is required is that the payload be at a known or buffer overrun (b). discoverable location in memory at the time that the un- Published general-purpose exploits for buffer over- expected control-flow transfer occurs. runs typically involve two steps: Stack smashing 1. Change the program’s flow of control. (Pure data ex- Stack smashing, a technique first described in detail in the ploits in which the buffer happens to be adjacent to a mid ‘90s by such hackers as AlephOne and DilDog, illus- security-critical variable operate without changing trates these two steps: changing the flow of control to ex- the program’s flow of control; these are relatively rare, ecute attacker-supplied code. Stack smashing relies on and to date no general-purpose techniques have been the fact that most C compilers store the saved return ad- published relating to them.) dress on the same stack used for local variables. 2. Execute some code (potentially supplied by the at- To exploit the buffer overrun in f1a via a classic tacker) that operates on some data (also potentially stack-smashing attack, the attacker must supply a value supplied by the attacker). for arg (for example, as received from a network packet) that contains both an executable payload and the address The term payload refers to the combination of code or at which the payload will be loaded into the program’s data that the attacker supplies to achieve a particular goal memory—that is, the address of buff. This value must (for example, propagating a worm). The attacker some- be positioned at a location within arg that corresponds times provides the payload as part of the operation that to where f1a’s return address is stored on the program’s www.computer.org/security/ I IEEE SECURITY & PRIVACY 21 Authorized licensed use limited to: IEEE Xplore. Downloaded on March 17, 2009 at 14:46 from IEEE Xplore. Restrictions apply. Attacking Systems stack when the buffer overrun occurs; depending on the lowed the attacker to run an arbitrary program. The specific compiler used to compile f1a, this will typically term “arc injection” refers to how these exploits oper- be somewhere around 108 bytes into arg. This new ate: the exploit just inserts a new arc (control-flow value for the saved return address changes the program’s transfer) into the program’s control-flow graph, as op- control flow: when the return instruction executes, con- posed to code injection-exploits such as stack smash- trol is transferred to buff instead of returning to the call- ing, which also insert a new node. ing procedure. A straightforward version of arc injection is to use a Stack smashing is well described in mainstream liter- stack buffer overrun to modify the saved return address ature,1 so we won’t discuss it in detail in this article. to point to a location already in the program’s address However, two important enhancements to the standard space—more specifically, to a location within the sys- stack-smashing technique are often used in conjunction tem function in the C standard library. The system with some of the other approaches, and therefore are function takes an arbitrary command line as an argu- worth describing. ment, checks the argument’s validity, loads it into a reg- Trampolining lets an attacker apply stack smashing in ister R, and makes a system call to create the process. situations in which buff’s absolute address is not known Eliding some details, pseudocode for the system ahead of time. The key insight here is that if a program function is: register R contains a value relative to buff, we can trans- fer control to buff by first transferring control to a se- void system(char * arg) { quence of instructions that indirectly transfers via R. check_validity(arg); When an attacker can find such a sequence of instructions R = arg; (known as the trampoline) at a well-known or predictable target: address, this provides a reliable mechanism for transfer- execl(R, ...) ring control to buff. Alternatively, a pointer to attacker- } supplied data can often be found somewhere on the stack, and so exploits often use sequences of instructions such as If an attacker can arrange for R to point to an attacker- pop/pop/ret to trampoline without involving regis- supplied string and then jump directly to the location ters.
Load more

Recommended publications
  • Declaring Pointers in Functions C
    Declaring Pointers In Functions C isSchoolgirlish fenestrated Tye or overlain usually moltenly.menace some When babbling Raleigh orsubmersing preappoints his penetratingly. hums wing not Calvinism insidiously Benton enough, always is Normie outdance man? his rectorials if Rodge Please suggest some time binding in practice, i get very complicated you run this waste and functions in the function pointer arguments Also allocated on write in c pointers in declaring function? Been declared in function pointers cannot declare more. After taking these requirements you do some planning start coding. Leave it to the optimizer? Web site in. Functions Pointers in C Programming with Examples Guru99. Yes, here is a complete program written in C, things can get even more hairy. How helpful an action do still want? This title links to the home page. The array of function pointers offers the facility to access the function using the index of the array. If you want to avoid repeating the loop implementations and each branch of the decision has similar code, or distribute it is void, the appropriate function is called through a function pointer in the current state. Can declare functions in function declarations and how to be useful to respective function pointer to the basic concepts of characters used as always going to? It in functions to declare correct to the declaration of your site due to functions on the modified inside the above examples. In general, and you may publicly display copies. You know any type of a read the licenses of it is automatically, as small number types are functionally identical for any of accessing such as student structure? For this reason, every time you need a particular behavior such as drawing a line, but many practical C programs rely on overflow wrapping around.
    [Show full text]
  • Using the GNU Compiler Collection (GCC)
    Using the GNU Compiler Collection (GCC) Using the GNU Compiler Collection by Richard M. Stallman and the GCC Developer Community Last updated 23 May 2004 for GCC 3.4.6 For GCC Version 3.4.6 Published by: GNU Press Website: www.gnupress.org a division of the General: [email protected] Free Software Foundation Orders: [email protected] 59 Temple Place Suite 330 Tel 617-542-5942 Boston, MA 02111-1307 USA Fax 617-542-2652 Last printed October 2003 for GCC 3.3.1. Printed copies are available for $45 each. Copyright c 1988, 1989, 1992, 1993, 1994, 1995, 1996, 1997, 1998, 1999, 2000, 2001, 2002, 2003, 2004 Free Software Foundation, Inc. Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation; with the Invariant Sections being \GNU General Public License" and \Funding Free Software", the Front-Cover texts being (a) (see below), and with the Back-Cover Texts being (b) (see below). A copy of the license is included in the section entitled \GNU Free Documentation License". (a) The FSF's Front-Cover Text is: A GNU Manual (b) The FSF's Back-Cover Text is: You have freedom to copy and modify this GNU Manual, like GNU software. Copies published by the Free Software Foundation raise funds for GNU development. i Short Contents Introduction ...................................... 1 1 Programming Languages Supported by GCC ............ 3 2 Language Standards Supported by GCC ............... 5 3 GCC Command Options .........................
    [Show full text]
  • Bash Shell Scripts
    Bash Shell Scripts Writing Bash shell scripts Bash shell scripts are text files Text files most efficiently built with programming editors (emacs or vi) File must be executable and in search path chmod 700 my_script PATH environment variable may not include .! An example shell script: #!/bin/bash #My first script echo "Hello World!" Bash Shell Scripts Writing Bash shell scripts Compile a Verilog file with vlog #!/bin/bash if [ ! d work ] ; then echo work does not exist, making it vlib work fi if [ ! s adder.v ] ; then vlog adder.v fi work directory must exist before compilation Get scripts via wget, eg: wget http://web.engr.oregonstate.edu/~traylor/ece474/script --- Bash Shell Scripts Writing Bash shell scripts File attribute checking #!/bin/bash if [ ! s junk_dir ] ; then mkdir junk_dir fi Spaces around brackets are needed! File attribute checking d exists and is a directory e, a file exists f exists and is a regular file s file exists and is not empty --- Bash Shell Scripts Writing Bash shell scripts Compile Verilog then run a simultion #!/bin/bash if [ ! -d "work" ] ; then vlib work fi if [ -s "adder.v" ] ; then vlog adder.v #runs simulation with a do file and no GUI vsim adder -do do.do quiet c else echo verilog file missing fi --- Bash Shell Scripts Writing Bash shell scripts vsim command and arguments vsim entity_name do dofile.do quiet -c -quiet (do not report loading file messages) -c (console mode, no GUI) -do (run vsim from a TCL do file) +nowarnTFMPC (don’t warn about mismatched ports, scary) +nowarnTSCALE (don’t warn about timing mismatches) Try vsim help for command line arguements --- Bash Shell Scripts Writing Bash Shell Scripts (TCL Script) In another text file, we create a TCL script with commands for the simulator.
    [Show full text]
  • Introduction to Linux by Lars Eklund Based on Work by Marcus Lundberg
    Introduction to Linux By Lars Eklund Based on work by Marcus Lundberg ● What is Linux ● Logging in to UPPMAX ● Navigate the file system ● “Basic toolkit” What is Linux ● The Linux Operating system is a UNIX like UNIX compatible Operating system. ● Linux is a Kernel on which many different programs can run. The shell(bash, sh, ksh, csh, tcsh and many more) is one such program ● Linux has a multiuser platform at its base which means permissions and security comes easy. Many Flavours Connect to UPPMAX ● (Download XQuartz or other X11 server for Mac OS ) ● Linux and MacOS: – start Terminal – $ ssh -X [email protected] Connect to UPPMAX for windows users ● Download a X-server such as GWSL or X-ming or VcXsrv or an other of your choosing ● Install WSL and a Distribution such as ubuntu or a ssh program such as MobaXTerm ● Connect to $ ssh -X [email protected] Windows links ● https://sourceforge.net/projects/vcxsrv/ ● https://mobaxterm.mobatek.net/ ● https://opticos.github.io/gwsl/ ● https://sourceforge.net/projects/xming/ ● https://docs.microsoft.com/en-us/windows/wsl/install-wi n10 ● Don’t forget to update to wsl2 X11-forwarding graphics from the command line ● Graphics can be sent through the SSH connection you’re using to connect - Use ssh -Y or ssh -X ● MacOS users will need to install XQuartz. ● When starting a graphical program, a new window will open, but your terminal will be “locked”. - Run using & at the end to run it as a background proccess e.g. “gedit &” - Alternatively, use ctrl-z to put gedit to sleep and
    [Show full text]
  • Refining Indirect-Call Targets with Multi-Layer Type Analysis
    Where Does It Go? Refining Indirect-Call Targets with Multi-Layer Type Analysis Kangjie Lu Hong Hu University of Minnesota, Twin Cities Georgia Institute of Technology Abstract ACM Reference Format: System software commonly uses indirect calls to realize dynamic Kangjie Lu and Hong Hu. 2019. Where Does It Go? Refining Indirect-Call Targets with Multi-Layer Type Analysis. In program behaviors. However, indirect-calls also bring challenges 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS ’19), November 11–15, 2019, to constructing a precise control-flow graph that is a standard pre- London, United Kingdom. ACM, New York, NY, USA, 16 pages. https://doi. requisite for many static program-analysis and system-hardening org/10.1145/3319535.3354244 techniques. Unfortunately, identifying indirect-call targets is a hard problem. In particular, modern compilers do not recognize indirect- call targets by default. Existing approaches identify indirect-call 1 Introduction targets based on type analysis that matches the types of function Function pointers are commonly used in C/C++ programs to sup- pointers and the ones of address-taken functions. Such approaches, port dynamic program behaviors. For example, the Linux kernel however, suffer from a high false-positive rate as many irrelevant provides unified APIs for common file operations suchas open(). functions may share the same types. Internally, different file systems have their own implementations of In this paper, we propose a new approach, namely Multi-Layer these APIs, and the kernel uses function pointers to decide which Type Analysis (MLTA), to effectively refine indirect-call targets concrete implementation to invoke at runtime.
    [Show full text]
  • SI 413, Unit 3: Advanced Scheme
    SI 413, Unit 3: Advanced Scheme Daniel S. Roche ([email protected]) Fall 2018 1 Pure Functional Programming Readings for this section: PLP, Sections 10.7 and 10.8 Remember there are two important characteristics of a “pure” functional programming language: • Referential Transparency. This fancy term just means that, for any expression in our program, the result of evaluating it will always be the same. In fact, any referentially transparent expression could be replaced with its value (that is, the result of evaluating it) without changing the program whatsoever. Notice that imperative programming is about as far away from this as possible. For example, consider the C++ for loop: for ( int i = 0; i < 10;++i) { /∗ some s t u f f ∗/ } What can we say about the “stuff” in the body of the loop? Well, it had better not be referentially transparent. If it is, then there’s no point in running over it 10 times! • Functions are First Class. Another way of saying this is that functions are data, just like any number or list. Functions are values, in fact! The specific privileges that a function earns by virtue of being first class include: 1) Functions can be given names. This is not a big deal; we can name functions in pretty much every programming language. In Scheme this just means we can do (define (f x) (∗ x 3 ) ) 2) Functions can be arguments to other functions. This is what you started to get into at the end of Lab 2. For starters, there’s the basic predicate procedure?: (procedure? +) ; #t (procedure? 10) ; #f (procedure? procedure?) ; #t 1 And then there are “higher-order functions” like map and apply: (apply max (list 5 3 10 4)) ; 10 (map sqrt (list 16 9 64)) ; '(4 3 8) What makes the functions “higher-order” is that one of their arguments is itself another function.
    [Show full text]
  • Object-Oriented Programming in C
    OBJECT-ORIENTED PROGRAMMING IN C CSCI 5448 Fall 2012 Pritha Srivastava Introduction Goal: To discover how ANSI – C can be used to write object- oriented code To revisit the basic concepts in OO like Information Hiding, Polymorphism, Inheritance etc… Pre-requisites – A good knowledge of pointers, structures and function pointers Table of Contents Information Hiding Dynamic Linkage & Polymorphism Visibility & Access Functions Inheritance Multiple Inheritance Conclusion Information Hiding Data types - a set of values and operations to work on them OO design paradigm states – conceal internal representation of data, expose only operations that can be used to manipulate them Representation of data should be known only to implementer, not to user – the answer is Abstract Data Types Information Hiding Make a header file only available to user, containing a descriptor pointer (which represents the user-defined data type) functions which are operations that can be performed on the data type Functions accept and return generic (void) pointers which aid in hiding the implementation details Information Hiding Set.h Example: Set of elements Type Descriptor operations – add, find and drop. extern const void * Set; Define a header file Set.h (exposed to user) void* add(void *set, const void *element); Appropriate void* find(const void *set, const Abstractions – Header void *element); file name, function name void* drop(void *set, const void reveal their purpose *element); Return type - void* helps int contains(const void *set, const in hiding implementation void *element); details Set.c Main.c - Usage Information Hiding Set.c – Contains void* add (void *_set, void *_element) implementation details of { Set data type (Not struct Set *set = _set; struct Object *element = _element; exposed to user) if ( !element-> in) The pointer Set (in Set.h) is { passed as an argument to element->in = set; add, find etc.
    [Show full text]
  • Conda-Build Documentation Release 3.21.5+15.G174ed200.Dirty
    conda-build Documentation Release 3.21.5+15.g174ed200.dirty Anaconda, Inc. Sep 27, 2021 CONTENTS 1 Installing and updating conda-build3 2 Concepts 5 3 User guide 17 4 Resources 49 5 Release notes 115 Index 127 i ii conda-build Documentation, Release 3.21.5+15.g174ed200.dirty Conda-build contains commands and tools to use conda to build your own packages. It also provides helpful tools to constrain or pin versions in recipes. Building a conda package requires installing conda-build and creating a conda recipe. You then use the conda build command to build the conda package from the conda recipe. You can build conda packages from a variety of source code projects, most notably Python. For help packing a Python project, see the Setuptools documentation. OPTIONAL: If you are planning to upload your packages to Anaconda Cloud, you will need an Anaconda Cloud account and client. CONTENTS 1 conda-build Documentation, Release 3.21.5+15.g174ed200.dirty 2 CONTENTS CHAPTER ONE INSTALLING AND UPDATING CONDA-BUILD To enable building conda packages: • install conda • install conda-build • update conda and conda-build 1.1 Installing conda-build To install conda-build, in your terminal window or an Anaconda Prompt, run: conda install conda-build 1.2 Updating conda and conda-build Keep your versions of conda and conda-build up to date to take advantage of bug fixes and new features. To update conda and conda-build, in your terminal window or an Anaconda Prompt, run: conda update conda conda update conda-build For release notes, see the conda-build GitHub page.
    [Show full text]
  • Call Graph Generation for LLVM (Due at 11:59Pm 3/7)
    CS510 Project 1: Call Graph Generation for LLVM (Due at 11:59pm 3/7) 2/21/17 Project Description A call graph is a directed graph that represents calling relationships between functions in a computer program. Specifically, each node represents a function and each edge (f, g) indicates that function f calls function g [1]. In this project, you are asked to familiarize yourself with the LLVM source code and then write a program analysis pass for LLVM. This analysis will produce the call graph of input program. Installing and Using LLVM We will be using the Low Level Virtual Machine (LLVM) compiler infrastructure [5] de- veloped at the University of Illinois Urbana-Champaign for this project. We assume you have access to an x86 based machine (preferably running Linux, although Windows and Mac OS X should work as well). First download, install, and build the latest LLVM source code from [5]. Follow the instructions on the website [4] for your particular machine configuration. Note that in or- der use a debugger on the LLVM binaries you will need to pass --enable-debug-runtime --disable-optimized to the configure script. Moreover, make the LLVM in debug mode. Read the official documentation [6] carefully, specially the following pages: 1. The LLVM Programmers Manual (http://llvm.org/docs/ProgrammersManual.html) 2. Writing an LLVM Pass tutorial (http://llvm.org/docs/WritingAnLLVMPass.html) Project Requirements LLVM is already able to generate the call graphs of the pro- grams. However, this feature is limited to direct function calls which is not able to detect calls by function pointers.
    [Show full text]
  • Lambda Expressions
    Back to Basics Lambda Expressions Barbara Geller & Ansel Sermersheim CppCon September 2020 Introduction ● Prologue ● History ● Function Pointer ● Function Object ● Definition of a Lambda Expression ● Capture Clause ● Generalized Capture ● This ● Full Syntax as of C++20 ● What is the Big Deal ● Generic Lambda 2 Prologue ● Credentials ○ every library and application is open source ○ development using cutting edge C++ technology ○ source code hosted on github ○ prebuilt binaries are available on our download site ○ all documentation is generated by DoxyPress ○ youtube channel with over 50 videos ○ frequent speakers at multiple conferences ■ CppCon, CppNow, emBO++, MeetingC++, code::dive ○ numerous presentations for C++ user groups ■ United States, Germany, Netherlands, England 3 Prologue ● Maintainers and Co-Founders ○ CopperSpice ■ cross platform C++ libraries ○ DoxyPress ■ documentation generator for C++ and other languages ○ CsString ■ support for UTF-8 and UTF-16, extensible to other encodings ○ CsSignal ■ thread aware signal / slot library ○ CsLibGuarded ■ library for managing access to data shared between threads 4 Lambda Expressions ● History ○ lambda calculus is a branch of mathematics ■ introduced in the 1930’s to prove if “something” can be solved ■ used to construct a model where all functions are anonymous ■ some of the first items lambda calculus was used to address ● if a sequence of steps can be defined which solves a problem, then can a program be written which implements the steps ○ yes, always ● can any computer hardware
    [Show full text]
  • Metal C Programming Guide and Reference
    z/OS Version 2 Release 3 Metal C Programming Guide and Reference IBM SC14-7313-30 Note Before using this information and the product it supports, read the information in “Notices” on page 159. This edition applies to Version 2 Release 3 of z/OS (5650-ZOS) and to all subsequent releases and modifications until otherwise indicated in new editions. Last updated: 2019-02-15 © Copyright International Business Machines Corporation 1998, 2017. US Government Users Restricted Rights – Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM Corp. Contents List of Figures...................................................................................................... vii List of Tables........................................................................................................ ix About this document.............................................................................................xi Who should read this document................................................................................................................. xi Where to find more information..................................................................................................................xi z/OS Basic Skills in IBM Knowledge Center.......................................................................................... xi How to read syntax diagrams......................................................................................................................xi How to send your comments to IBM......................................................................xv
    [Show full text]
  • Pointer Subterfuge Secure Coding in C and C++
    Pointer Subterfuge Secure Coding in C and C++ Robert C. Seacord CERT® Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 The CERT Coordination Center is part of the Software Engineering Institute. The Software Engineering Institute is sponsored by the U.S. Department of Defense. © 2004 by Carnegie Mellon University some images copyright www.arttoday.com 1 Agenda Pointer Subterfuge Function Pointers Data Pointers Modifying the Instruction Pointer Examples Mitigation Strategies Summary © 2004 by Carnegie Mellon University 2 Agenda Pointer Subterfuge Function Pointers Data Pointers Modifying the Instruction Pointer Examples Mitigation Strategies Summary © 2004 by Carnegie Mellon University 3 Pointer Subterfuge Pointer subterfuge is a general term for exploits that modify a pointer’s value. A pointer is a variable that contains the address of a function, array element, or other data structure. Function pointers can be overwritten to transfer control to attacker- supplied shellcode. When the program executes a call via the function pointer, the attacker’s code is executed instead of the intended code. Data pointers can also be modified to run arbitrary code. If a data pointer is used as a target for a subsequent assignment, attackers can control the address to modify other memory locations. © 2004 by Carnegie Mellon University 4 Data Locations -1 For a buffer overflow to overwrite a function or data pointer the buffer must be • allocated in the same segment as the target function or data pointer. • at a lower memory address than the target function or data pointer. • susceptible to a buffer overflow exploit. © 2004 by Carnegie Mellon University 5 Data Locations -2 UNIX executables contain both a data and a BSS segment.
    [Show full text]