Processes
- executes programs etc.
- multiprocess with scheduling
- can create new processes -> forks
Intel CPU Registers
rax -> for values to return
rbx -> base addressing
rbp -> base pointer
rsp -> stack pointer
Memory Layout: The Stack in x64
... 8th parameter 7th parameter return address saved rbp local variables red zone ...
Buffer Overflow: Code Execution
- Overwrite return address with pointer to shellcode
- Saved rip will blindly be interpreted as address to return to upon ret
NOP sleds
- attackers cannot predict exact location of shellcode
- write many nop’s and then hopefully code is executed
Canaries
- place canary on stack before rip, rbp
- before ret compare to actual canary
Random Canaries, Terminator Canaries
- Random canaries use a random value pre-generated at program start
- Terminator canaries consist of bytes that terminate C strings
Limitations of Stack Canaries
- only against stack overflow
- Byte-by-byte trial-and-error on canary
- > try first byte if correct continue if crashes directly then to next number
Non-Executable Stack
- A non-executable stack prevents classical shellcode attacks
- MMU enforces non-executable stack
Shadow Stack
- store rip twice and check if the same
Format Strings Attack
- if %s or equals aren’t use bad!
- with input as %p (pointers) %n (stores data on stack) we can manipulate
Code-Reuse Attacks
- assuming stack not executable
- use already existing code to attack
- we can return to libc or use a ROP (Return-Oriented Programming)
Address Space Layout Randomization (ASLR)
- randomize data and code addresses
- needs compiler and linker support
- if absolute addresses are used problems may happen
Fine-Grained ASLR
- also reorders functions
- shuffles instructions within a function
JIT-ROP
- if one pointer to code is leaked rest can be leaked
- uses JIT environment to read code pages and find pointer etc.
Execute-no-Read
- removes read permission from code pages
- conflict with a lot of things
- > so map just a small amount of code pages
Control Flow Integrity CFI
- enforce control flow foreseen by developer
Uninitialized Stack Variables
- if variable isn’t initialised someone can read them in a second insertion or something
Overwriting Function Pointers
- if attacker (e.g. with an overflow) controls the function pointer can access it
Def. fat pointers
-> give the size of a buffer with an check
Use-after-Free (Dangling Pointers)
- free dosen’t erase content of a buffer
- potentially fee space is used in an buffer with the same size
- we can put data in it
- just set a buffer before freeing =NULL
