Reading...
Play button
Play button
Use LEFT and RIGHT arrow keys to navigate between flashcards;
Use UP and DOWN arrow keys to flip the card;
H to show hint;
A reads text to speech;
22 Cards in this Set
- Front
- Back
- 3rd side (hint)
|
Buffer
|
Region of memory storage used to temporarly store data while it is being moved from one place to another
|
|
|
|
Buffer Overflow
|
While writing data to a buffer a program overruns the buffer's boundary and ovewrites the adjacent memory.
|
|
|
|
Heap Smashing Attack
|
Corrupting this data to cause the application to overwrite internal structures such as linked list pointers. Overwrites dynamic memory allocation
|
|
|
|
Stack Smashing Attack
|
Can overwrite a local variable near the buffer, ovewrite the return address, ovewrite a function,
|
|
|
|
Anatomy of a Stack
|
Bottom of the stack is higher memory address - fixed
|
|
|
|
Function call sequence
|
Same as stack
|
|
|
|
Exploit Shell Strategy
|
Compile attack code and insert into the buffer we are overflowing
|
Overwrite return address with the address where the overflow code should jump
|
|
|
Counter Measures
|
Safe Languages, Randomization, Bounds Checkers... ect
|
|
|
|
Safe Language
|
Memory management is handled differently - defers to a scheduled time or until memory constrains it
|
No dangling pointer references
|
|
|
Bounds Checkers
|
Adding Bounds, information to all pointers and checking accesses to ensure the bounds have not overflowed
|
Can also add bound info to pointers, or adding bounds info for all object. Table stores the bounds info - if pointer points out of bounds then error
|
|
|
Canaries
|
Canary (random value) is placed on the stack below the return address. When function is done executing canary will be compared to original
|
not foolproof, can overwrite a local variable to point at the return address, can reorder stack frame and put pointers on top
|
|
|
Seperators/Replicators
|
Store the return address somewhere else
|
Replicate process but maybe change direction of the stack, or change it around in some other way. Makes attacking replicates hard.
|
|
|
Execution Monitors
|
Observe application execution in order to enforce policy or detect aberrations.
|
2 types: Enforce Policies, specific requirements like only files under /downloads can be opened. 2. Detect anomalies, figures out when things are going wrong
|
|
|
Taint Tracking
|
A value is tainted if its value carries info about another already tainted value. Doesn't allow this tainted data in trusted places
|
|
|
|
Hardened Libraries
|
Use libraries with functions that have been built to defend against these problems.
|
Would Check: If a string is properly NULL terminated. That the number of format specifiers are the same as the number of arguments passed in the function
|
|
|
Obfuscation of Memory
|
store pointers in "encrypted form" val (XOR) r for a random value r. to use pointer retrieve r and decrypt it first.
|
Limitation : If attacker needs to overwrite only low order bytes this is easy to foil? Why?
|
|
|
NOP Instructions
|
No Operation is an instruction that does nothing. Can be used with an NOP sled
|
|
|
|
Dangling Pointers
|
Pointers that do not point to a valid object of the appropriate type. Memory Safety violations.
|
|
|
|
Address-space layout Randomization (ASLR)
|
Randomizing the memory segment base address. Also randomize space between objects. When they try to point at return address just get error.
|
|
|
|
Instruction-Set Randomization
|
"Encrypts" instructions on a per-process basis while they are in memory and "decrypts" when needed for execution.
|
If the attacker doesn't have the key its instructions will cause the an execution error. Attacker injects non encrypted code and so can't be used. Slow approach but effective
|
|
|
Virtual Memory Defenses
|
Marking memory as "non executable", requires selectively executing specific lines of code at a time
|
|
|
|
NOP sled
|
Allows code to execute when the exact value of the instruction pointer is indeterminate. Slides CPU instruction execution to the final destination - for example the return address.
|
|
