Control Hijacking - Defenses

Question 1

Describe

Canaries

Answer 1

Placed in stack frames to prevent and detect overwritten return addresses since the value had to be verified against stored value after function execuation

Question 1

List all control hijacking defenses

Answer 1

• Canaries
• Non-executable memory
• Address Space Layout Randomization
• Control Flow Integrity

Question 2

Where are the canaries located?

Answer 2

After the return address

Question 3

List the types of canaries

Answer 3

• Terminator
• Random
• XOR

Question 4

Describe

Terminator Canary

Answer 4

Contains characters that prevents string functions to overwrite return address (i.e. NULL, CR, LF, EOF)

Question 5

Describe

Random Canary

Answer 5

A random value chosen at the start and stored in an unmapped location to validate the code

Question 6

Describe

XOR Canary

Answer 6

Random Value ^ Return Address; one bit must equal 1, not both

Question 7

When are canaries recompiled?

Answer 7

At runtime

Question 8

Limitations of Canaries

Answer 8

• Can be learned
• Doesn’t protect against stack smashing
• Bypassable if other pointers are overwritten

Question 9

Describe

Non-Executable Memory

Answer 9

Memory that isn’t both writable and executable to prevent launchable code injections

Question 10

Limitations of Non-Executable Memory

Answer 10

• Bypassable if the function is returning into a libc
• Hijacking existing code or gluing fragments still possible

Question 11

Describe

Address Space Layout Randomization

Answer 11

Maps the stack, heap, and code to random locations in memory

Question 11

Limitations of Address Space Layout Randomization

Answer 11

• Incurs overhead costs
• Susceptible to address leack and other control hijack attacks

Question 12

Describe

Control Flow Integrity

Answer 12

Ensures outlined paths in CFG are followed and prevents jumping to invalid locations through indirect calls by reinforcing validity checks during run time

Question 13

When are CGF built?

Answer 13

At compile time

Question 14

Limitations to Control Flow Integrity

Answer 14

• Hard to build accurately
• Doesn’t prevent attacker from jumping to a valid wrong function

Question 15

Memory Corruption Vulnerabilities

What do humans do?

Answer 15

Make mistakes or not be situationally aware of various security threats/protective measures

Question 16

Memory Corruption Vulnerabilities

Not all ____ are safe

Answer 16

Languages

Question 17

Which language should be avoided?

Answer 17

C/C++

Question 18

Memory Corruption Vulnerabilities

Dealing with problems are ____ and ____

Answer 18

Expensive and difficult

Question 19

Ways to find security problems

Answer 19

• Random inputs
• Assumptions
• Fuzz testing
• Scanning
• Penetration testing

Question 20

Define

Control Flow

Answer 20

The order/interpretation of the code during execution

Question 21

Describe

Control Flow Graph (CFG)

Answer 21

Reflects all possible paths during execution

Question 22

Parts of a CFG

Answer 22

• Node/basic block
• Directed edge
• Path

Question 23

Parts of a CFG

Node/basic block

Answer 23

Code without branches

Question 24

Parts of a CFG

Directed edge

Answer 24

Branch with 1 entry/exit

Question 25

Parts of a CFG

Path

Answer 25

Collection of nodes connected; may or may not be feasible based on unreachable code, conditions, and input constraints