Control hijacking Flashcards

1
Q

What does control hijacking compromise?

A

Confidentiality, integrity, availability

1
Q

What is the attacker’s goal of control hijacking?

A

Take over target machine

Execute arbitrary code on target by hijacking application control flow

2
Q

Name a way an attacker can achieve control hijacking

A

Buffer overflows

3
Q

What is the memory layout of a Linux process? (7)

A

Kernel space (read only)
Stack (grows down, runtime)
Shared library (runtime)
Run time heap (grows upwards, runtime)
BSS segment (Known at compile time, uninitialized data)
Data segment (Known at compile time)
Text segment (Known at compile time)

4
Q

Which parts of the memory layout of a Linux process does the attacker focus on in a buffer overflow attack?

A

Stack
Shared library
Heap

5
Q

What is the structure of a stack frame of a function? (6)

A

Args
return address
stack frame pointer
exception handler
local variables: l1
local variables: l2

6
Q

What are stack overflows?

A

When a program does no length checking when writing data.

Example:
char buf[128];
strcpy(buf, arg2);

There is no bounds checking in strcpy. If arg2 is longer than 128 bytes, the program will begin writing outside the memory allocated for the buffer. In this case, other stack memory might be overwritten, such as other local variables, the exception handler, or the return address.

If an attacker is able to overwrite the return address, they can make the program execute malicious code created by the attacker.

7
Q

What type of attack was Heartbleed?

A

A read overflow attack

8
Q

What is a read overflow attack?

A

When a program does not do bounds checking when reading from memory, making it possible to read memory outside an allocated buffer.

9
Q

How does the Heartbleed attack work?

A

Attack on SSL

The SSL server should accept a “heartbeat” message that it echoes back

The heartbeat-message specifies the length of the message to echo back

SSL did not, however, check the length

If an attacker requests a longer length, they can read past the content of the buffer

10
Q

How can you defend against buffer overflows? (5)

A

Always use safe functions that:
- Check the length of the input
- Ensure proper termination of the string

Leverage defences in compilers (GCC -fstack-protector)

Check length when reading/writing

Use tools to audit source code

Rewrite software in type-safe language

11
Q

Why is the following code unsafe?

char str[3];
strncpy(str, "bye", 3);
int x = strlen(str);

A

strncpy does not terminate the string with NULL

x can be longer than 3.

This can lead to a read overflow attack, because the attacker can read until a NULL is met

12
Q

What are the benefits of using a type-safe language?

A

You don’t have to specify how big a string will be.

13
Q

Name a type-unsafe language

A

C

Programmer defines what a variable will store, and what the size of the variable in memory is

If a programmer allocates 20 bytes, then tries to write 30 bytes, we get a buffer overflow
