Csep-564-Lec-2
Memory Safety
Mostly, attacks are concerned with virtual addresses relevant to a particular program.
Whereas physical addresses really only come into play in side channel attacks.
We're assuming all code in this class is written in C (or any unsafe language).
But fundamentally we're really only interested in the executable binary.
bug: software doesn't work right
vulnerability: a malfunction that can be used for an adversary's goals
exploit: a mechanical set of operations that make use of a vulnerability
- an exploit can also be considered a program for a weird machine
Memory corruption bugs
- Buffer overflows is a large class of bugs
- Still verify prevalent today, especially in embedded systems.
Memory Layout
- Mostly this is a recap of stuff I've just learned in ostep, but some helpful tidbits:
- esp: stack ptr
- ebp: frame ptr
- eax: register where return values go
- This class assumes
x86_32
so everything is 4 bytes. - When a function
f(int a, int b)
is called:- Push
b
- Push
a
- Push
ret
- Push
ebp
- Push local vars
- Push
| locals | saved ebp | ret | arg a | arg b |
^
esp
Example
A classic buffer overflow vulnerability is shown below, with no check on the str
length.
void func(char *str) {
char buf[126];
strcpy(buf, str);
}
- We'll overflow the
ret
address on the stack to point back to thestr
buffer, and put malicious assembly instructions there. - So, for homework, we need to use a debugger to find the correct address for this attack code to put into
ret
.
A fix
A bunch of C functions are safe. New versions have evolved, e.g.
strncpy(char *dest, const char *src, size_t n)
will only copy up to n
bytes. But, you've gotta use the right value for n
!
Homework Notes
We'll have to write an exploit which only allows overflowing a buffer by one byte.
- Hint: It's little endian x86_32 bit system. We can overwrite the first byte of the saved frame pointer, which is the least significant bit of the frame pointer. So, we can shift the frame pointer (slightly) into the buffer.
- Use
gdb
to find the correct addresses.
Function pointer overflow
Another variant of the overflow is to overwrite a C function pointer, rather than the RET address.
Assembly
There are two syntaxes. E.g. a = b
:
- Intel:
mov a, b
- ATT:
mov b, a
- Excessive uses of
%, $
is a giveaway that the format is ATT
- Excessive uses of
Other overflows
- Format strings in C
- Using
printf(buf)
instead ofprintf("%s", buf)
- What if
buf == "hello %s"
?- The
printf
func is going to look for args on the stack, but when they're missing, it's going to access data in the caller's frame.
- The
- Also
printf("asdf %n", &ptr)
writes the length 5 as an int into the mem pointed to byptr
.- As a weird machine, we have three instructions:
- Can
print_char
which incrementsn
. - Can
%read
: increment arg ptr, incrementn
by length. - Can
%write
: increment arg ptr, writen
.
- Can
- For the homework, synthesize a program from these instructions!
- As a weird machine, we have three instructions:
- Using
- Heap management structures used by
malloc
.