Chapter 10 (Buffer Overflow) Flashcards
what is a buffer overflow
when more input is placed into a buffer or data holding area than the capacity allocated for it, so that it overwrites neighboring information
where are 3 locations a buffer could be located
stack, heap, data section of a process
what are 4 possible consequences of a buffer overflow attack
corruption of program data
unexpected transfer of control
memory access violations
execution of code selected by attacker
what are 2 things an attacker needs to know to execute a buffer overflow attack
identify a vulnerability in some program that can be triggered using externally sourced data
understand how that buffer is stored in memory and determine potential for corruption
3 ways that you can identify vulnerable programs
inspect program source
trace execution of programs as they process oversized input
use tools such as fuzzing to automatically identify potentially vulnerable programs
what makes a programming language vulnerable to buffer overflow attacks
when they allow direct access to memory
why is a stack frame needed
when one function calls another, it needs somewhere to save the return address
it also saves the parameters to be passed into the function
what are some common unsafe C standard library functions

what is shell code
code provided by the attacker that transfers control to a user command-line interpreter (shell)
where is shell code saved
in buffer being overflowed
3 possible things the target program can be
trusted system utility
network service daemon
commonly used library code
what are these possible functions of

shellcode
2 broad defense approaches against buffer overflow and their aims
compile time: harden new programs to resist attacks
runtime: aim to detect and abort attacks in existing programs
what was the goal of the OpenBSD project
rewrite unsafe code
what is 1 compile time defense with C
use a safe variant of standard library functions, like libsafe
what is stack protection, and what is important to do when implementing it
add function entry and exit code to check the stack for signs of corruption
use a random canary so it differs on different systems
how do StackShield and Return Address Defender work

what does executable address space protection do, and what type of overflow protection is it
uses virtual memory support to make some regions of memory non-executable
runtime defense
what does address space randomization do and what type of defense is it
randomizes location of key data structures (stack, heap, global data)
what do guard pages do and what type of defense is this
places guard pages between critical regions of memory; runtime defense
why is it not easy to transfer control in a heap overflow
the heap has no return address
what are targeted in heap overflows
function pointers
manipulate management data structures