buffer overflows (week 2) Flashcards

1
Q

what are some reasons you would get a segmentation fault?

A

a segfault happens when the CPU tries to access a memory address that is not valid

  1. you try to access a memory address that has not been allocated, i.e. one that is not mapped
  2. you try to write into a page that is read-only
  3. you try to load instructions for execution from a page that is non-executable
2
Q

summarize the basic premise of control hijacking via buffer overflow

A
  • incorrect parsing can overwrite the program’s memory
  • the memory overwritten can include the stack’s control data (the return address)
  • when the function returns, it returns to a bogus address (the PC, %eip, points to it)
  • this leads to a segfault when the CPU tries to load an instruction from invalid memory
  • if the return address is changed to a VALID MEMORY ADDRESS that contains valid x86 instructions, the CPU will not trigger a segfault
  • instead, the CPU will simply keep executing those instructions as if nothing wrong had happened

this is how an attacker can hijack and take control of the program

3
Q

memory

A

stack, heap, code

4
Q

3 important registers

A
%eip = instruction pointer (attackers want this to point to their own code)
%ebp = frame or base pointer (keeps track of current frame of stack, currently executing function)
%esp = stack pointer
5
Q

What happens to the stack during a function call?

A

remember the stack grows by decrementing, i.e., starts at a higher address and grows lower

so, we push a and d onto the stack.

the base pointer points to the “bottom” of the stack. %ebp points to where a is. then d gets pushed on.

then, when example calls square, a copy of the argument passed to square is pushed onto the stack, then the return address. this is now where %esp (the stack pointer) points; it keeps getting decremented because it always points to the top of the stack.

6
Q

what is the function prologue?

A

set of three assembly instructions that run every time you call a function

  1. push %ebp: saves the caller’s %ebp on the stack, i.e. the top of the caller’s frame, so we know how to reconstruct the caller’s frame after the function returns
  2. mov %esp, %ebp: moves %ebp to where the stack pointer is; this creates a new frame
  3. sub $0x4, %esp: grows the stack for the current function and starts putting the called function’s values on the frame (in this case 4 bytes)

7
Q

what is the function epilogue?

A

leave
shrink the stack + restore the caller’s frame:
1: mov %ebp, %esp
2: pop %ebp

ret
returns control to the caller
1: pop %eip (pops the current top of the stack, i.e. the value the stack
pointer points to, into the instruction pointer, so the code resumes
executing where we left off before we made the function call)

8
Q

return address vs. return value

A

return address: the address that the caller places on the stack to inform the callee where to return once the callee has finished

return value: whatever the callee returns to the caller; e.g., if the callee needs to return an integer, where is that integer actually placed?

9
Q

%eax

A

a general purpose register

where the compiler often places the return value

10
Q

what happens right before the function epilogue?

A

mov -0x4(%ebp), %eax  // set the return value

11
Q

recap

A

the return value is passed in the %eax register
• only if the value fits in 32 bits (%eax is a 32-bit register)
• int, short, float, char, bool, pointers

12
Q

what might happen if the return value is larger than 32 bits?

A

the rest could be stored in %edx, another general purpose register

OR

  • option 1: callee allocates the value in the heap and returns it by reference
  • option 2: callee allocates space in the stack and callee sets the values
13
Q

option 1: return reference

A

we note that we malloc space on the heap for the book,
and we return not the VALUE of the book but a pointer to the book (return b).
since pointers are 32 bits, this address is stored in %eax

14
Q

option 2: “return” the value

A

here space is being allocated in the stack itself,
so remember we can’t return a pointer to it, because the stack will shrink back below where the pointer points

but in C this works. how? the book gets copied into the caller’s frame as well, so when the function returns, the caller still has a copy of it.

15
Q

summary

A

if the value is small enough to fit in a register, it is returned in %eax
if the value is big, the caller allocates space for it in its stack frame
-> THIS IS WHY TYPE AND SIZE MUST BE KNOWN AT COMPILE TIME
