Dobin 0x51_ExploitMitigations.pdf
Set of flashcards Details
Flashcards | 19 |
---|---|
Language | English |
Category | Computer Science |
Level | University |
Created / Updated | 24.06.2019 / 28.06.2020 |
Weblink | https://card2brain.ch/box/20190624_dobin_0x51exploitmitigations_pdf |
What exploit mitigations do you know?
- (ASCII Armor)
- Stack Canary
- ASLR [Address Space Layout Randomization]
- PIE
- DEP [Data Execution Prevention]
What can you do to write secure code?
- Use secure libraries
- Perform static analysis of the source code
- Perform Dynamic Analysis of programs
- Perform fuzzing of input vectors
- Have a secure development lifecycle (SDL)
- Manual source code reviews
What two types of protection can be put in place by sysadmins?
- Compile Time Protection
- Runtime Protection
What is required to create an exploit?
- Executable shellcode
  - aka "hacker instructions"
- The distance from the buffer to the SIP (Stored Instruction Pointer)
  - Offset for the overflow
- The address of the shellcode
  - in memory of the target process
Name two compile time mitigations.
Compile time mitigations:
- Stack canaries
- PIE
Name some runtime mitigations.
Runtime mitigations:
- ASLR
- DEP
- ASCII Armor
What does DEP stand for and what does it do?
DEP (Data Execution Prevention)
DEP makes the stack not executable.
What does DEP (Data Execution Prevention) do?
Memory regions
- are mapped with permissions
  - like files
  - R Read
  - W Write
  - X eXecute
DEP (Data Execution Prevention) removes the X bit from memory regions that do not contain code
- Stack
- Heap
- (Possibly others)
What is the stack canary and what are other names for it?
Other names:
- Stack Protector
- SSP: Stack Smashing Protector
- Stack Cookie
- Stack Canary
The stack canary is a secret value placed in front of control data (SIP [Stored Instruction Pointer], SFP/SBP [Stored Frame/Base Pointer]).
This is a value unknown to the attacker.
It is checked before performing a "ret" (return)
- i.e. before using the SIP (Stored Instruction Pointer)
Is the stack protector (stack canary) active by default?
Stack Protector was first introduced in the
- GCC patch in 1997
Last improvement by Google in 2012 (-fstack-protector-strong)
It has been enabled by default for a very long time
- in most distributions
- for most packages
When does the stack protector (stack canary) change?
The stack protector (stack canary) changes:
- On execve()
  - (replace current process with an ELF file from disk)
- It does NOT change on fork()
  - (copy of current process)
What does ASLR stand for and what does it do?
ASLR = Address Space Layout Randomization
ASLR introduces randomness into the layout of memory regions.
ASLR randomizes where in memory the stack, the libraries and the heap are located.
What are the restrictions of ASLR?
- Mappings have to be page aligned: 4096 bytes = 12 bits
- Very restricted address space on 32-bit (x86)
  - ~8 bits for the stack (256 possibilities)
- Much more space on x64
  - ~22 bits for the stack
When is ASLR (Address Space Layout Randomization) applied?
- ASLR is only applied on exec() [exec = execute a new program]
- Not applied on fork() [fork = copy]
What does ASCII Armor do?
ASCII Armor:
- Maps library addresses to memory addresses that contain null bytes
Why null bytes?
- In C, a null byte is the string terminator
  - strcpy, strcat, strncpy, sprintf
This means the addresses of the libraries cannot be included in shellcode, because they contain null bytes. That means they cannot be copied by strcpy and the other string functions.
In short, what do the stack canary, DEP, ASLR and ASCII Armor do?
Stack canary: detects/blocks overflows
DEP: makes it impossible to execute uploaded code
ASLR: makes it impossible to locate data
ASCII Armor: makes it impossible to insert certain data
At what level do ASLR (Address Space Layout Randomization), DEP (Data Execution Prevention) and the Stack Canary operate?
ASLR (Address Space Layout Randomization) : System Level
DEP (Data Execution Prevention) : System Level
Stack Canary: Per-program (3rd party programs?)