OS, CPU, Memory, Buffer Overflow... oh my!

Question 1

Give a basic overview of how OS system works.

Answer 1

BASIC: OS kernel is intermediary between hardware and user. It “talks” to CPU, memory, disk storage, display, network.

Process Management: It also manages the processes (allocates CPU time to each process so multiple processes can run at once).

Memory Management: Ensures each process’s memory doesn’t inerfere with each other (virtual and physical- RAM).

File System Management: Organizes data, manages disk space, controlls access to files.

AKA: The master communicator/intermediator between all of these processes/components on a computer. High potential for security vulnerabilities.

Question 2

Give a high-level overview of how the CPU works.

Answer 2

Comparable to the “brain” of the computer to execute program instructions + perform tasks. CPU contains registers that store important memory addresses during the runtime of a program.

Question 3

EIP Register

Answer 3

Very important register that contains the memory address for what code to execute next. Repeated: 1) fetch instruction in EIP, 2) execute that instruction, 3) increment or update EIP

Question 4

What does the MMU do? Why is it important?

Answer 4

Each memory access a program wants to make goes through the MMU. It translates virtual->physical memory addresses and ensures each process has its own individual memory space

Question 5

What is the CPL?

Answer 5

= Current Privilege Level on a scale of 0-3. 0 = kernel, will execute any instructions, 3 = will only execute a subset of instructions.

Question 6

Permissions: Kernel vs Non-Kernel

Answer 6

CPL=0=kernel permissions allows: direct access to any addresses, changes to any register, changes to any MMU, can also change CPL level

CPL=3 permissions : no direct access to MMU, nor changes to many registers, nor changes to internal state of MMU, nor changing CPL level

Question 7

What is a process?

Answer 7

Data structure managed by the kernel (its own space in MMU, own registers). When begins, kernel loads values, sets CPL=3, and loads EIP addr to turn over CPU control to this process.

Question 8

Explain how the memory, Kernel and MMU interact

Answer 8

A few key points:
- Kernel will allocate virtual address space to each proces
- Kernel marks virtual addresses as “read only”/”do not execute” aka, the EIP is not allowed to point here
- When the CPU tries to read one of these non-allowed access addresses = segfault
- Kernel configures memory permissions: R/W/E memory to process 1, R/E to libc

Question 9

How does a process with CPL=3 permissions execute certain priviliged actions?

Answer 9

Via syscalls! They are specific instructions that will switch CPL=0 and then execute certain actions, then switch CPL=3 after.

Question 10

What is an Access Control System?

Answer 10

This is a type of policy created. It defines subjects, objects, verbs and then creates corresonding yes/no to these SOV combos

Question 11

Access Control Matrix, Access Control List (ACL), Capability

Answer 11

Objects x Subjects, at each point in the matrix exists the set of actions they can do. ACL is a row in this matrix. Quickly defines “who can access this object”. Capability is the other row of the matrix. It answers “what objects can this subject access”

Question 12

What is a reference monitor? What is the flow of using a reference monitor

Answer 12

1) subject requests permissions of an object
2) reference monitor checks if correct permissions based on the list of policies
3) Subject either is permitted or not permitted access

Question 13

What are the 3 main requirements of a reference monitor? Are they all feasible?

Answer 13

1) tamper-proof
2) always invoked (also not circumventable)
3) verifiable- aka the system should be as simple and small as possible in order to be easily analyzed and prove correctness

These are very difficult to meet all of them in practice

Question 14

What is UNIX system known for? When was it created?

Answer 14

An OS system created in 1970s. Designed to be SIMPLE!! (small programs)

Question 15

How is SOV defined in Unix?

Answer 15

Subjects: Users (UID), Processes (PID)
Objects: Files, directories, memory segments (also: Access control information, processes, users?)
Verbs: For files- Read, write, execute; for processes- kill, debug; for users- delete, change groups

Question 16

How are users defined in UNIX?

Answer 16

Identified by UID, each user belongs to groups = GID

Question 17

How do you change user/group owner of a file in UNIX?

Answer 17

chown = change owner, chgrp = change group

Question 18

Explain the UGO Model

Answer 18

This is a simple set of 12 bits to represent file permissions in unix. 3 bits per user/group/other for read, write, execute permissions. 1 bit to set if directory, 3 special bits (setuid, setgetid, t-bit)

Question 19

What does the heierarchy look like when a user u tries to access a file?

Answer 19

1) if the u is the owner, use owner permissions
2) If the u is not the owner but in the same group, use group permissions
3) else, use “other” permissions

Question 20

What is the “root” user?

Answer 20

• they are the administrator account, UID = 0
• Allowed to have all permissions for all files, processes, etc

Question 21

How do you access the root powers? What design principle(s) does this follow?

Answer 21

Root is not initially set to be logged in. USE sudo to access root permisisons. This follows the least permissions and isolated compartments design principles

Question 22

How do process owership and permissions work in UNIX? (3 UIDS) and how do you change these permissions?

Answer 22

1. Real UID = real UID of process
2. Effective UID = permissions-granting changes to display permissions
3. Saved UID = similar to “temp” variable to store the UID when switching from real-> effective

Use setuid from syscall to change the UID.

Question 23

What is the basic overview of memory layout for a process in Linux? (6 main components)

Stack and heap are most important here. Others not super important but be familiar with them

Answer 23

.text: the machine executable code
.data: global initialized static variables
.bss: global UNinitialized variables
heap: dynamically allocated memory (home to syscall)
stack: stores all local variables + function call info
env: environment variables

Question 24

What does the EIP register do?

Answer 24

the instruction pointer; contains address in memory for what code will be executed next

Question 25

What does the ESP register do?

Answer 25

ESP is the TOP stack pointer

Question 26

What does the EBP register do?

Answer 26

EBP is the base stack pointer; points to the bottom of the stack, aka the stack frame

Question 27

Explain what happens in memory with this basic function call:

int foo(int a, int b) {
int d = 1;
return a + b + d;
}

Answer 27

1) A new stack frame is added: ESP and EBP are adjusted
2) Instruction pointer EIP moves to the code for foo() funciton
3) Arguments a and b are added to the stack

Question 28

Explain a basic buffer overflow attack via this function:

void bad(char s) {
char buf[64];
strcpy(buf, s);
}

Answer 28

The components will be allocated in memory as so: local variables, ebp, eip, function arguments. If we set s to be LARGER than 64 char, it will be strcpy into the buffer which is stored above ebp and eip. All we have to do is specifically manipulate our code to perfectly overwrite the eip address with our own special address. This address will point to malicious code to run (either in our buffer or somewhere else- syscall maybe).

Question 29

What do NOP Sleds work around? What are they?

Answer 29

Due to ASLR and other memory security, we may not know the address of the top of the payload, so instead we inject our malicious code into the payload with a TON of NOP sleds right before. NOP sleds (commonly 0x90) are instructions that essentially do nothing, so if the EIP points to a NOP sled, it will follow the NOP sleds down to the malicious code and then execute that.

Question 30

What is a technique workaround for not knowing where the EIP lays in memory?

Answer 30

We can simply spam place the fake EIP address in multiple places in our payload to hope that it will eventually hit the dedicated EIP register

Question 31

What are Heap Attacks? What are some of the vulnerabilities/bugs that can allow for this?

Answer 31

Heap attacks are similar to stack- you overwrite the heap’s instruction pointer to point to a different spot in the heap with your malicious code. Vulnerabilities include: use-after-free, double free, etc

Question 32

What are the main defenses on memory attacks? (4 ways)

Answer 32

1. Stack canaries
2. ASLR
3. W ^ X (Write XOR execute)
4. Fuzzing + memory safe languages

Question 33

Explain how Stack canaries work and what they protect against. Next, explain how canaries are chosen.

Answer 33

Stack canaries aim to detect if data has been corrupted BEFORE the function returns.
1) compiler inserts extra code into each function: pushes a “canary” value onto the stack in between the local variables and ebp/eip
2) Before returning, if this canary is different, we know the code has been tampered with: abort!

Attackers can try to GUESS the canary to try and include it in their code for the compiler to bypass! For this, comiler can choose one of these special canaries:
- NULL: 0x00…00 these are hard to replicate on the stack- a lot of the times will return
- Terminator: (ex: 0x000d0aff) code will terminate at this
- Random: randomly change the canary at each time so that the attacker cannot guess.

Question 34

What is the difference between -fstack-protector and -fstack-protector-strong in gcc?

Answer 34

the first will protect 2.5% of kernel functions and .33% of binary. The second will protect 20.5% of kernel functions and 2.4% of binary

Question 35

What does it mean to “read the stack”

Answer 35

“reading the stack” is a technique to bypass canaries. You basically overflow byte by byte. Your program will crash if you guessed it wrong, but if you guessed it right, it will not. Keep doing this until you have guessed the canary. You can learn one XX byte after 256 tries.

Question 36

Explain what Shadow Stacks are

Answer 36

The compiler can basically save the eip address on a “shadow stack” and then check to make sure the eip matches this shadow before returning (similar to canary)

Question 37

What is ASLR and what are possible further attacks against this defense?

Answer 37

Stands for Address-Space Layout Randomization. makes it extremely difficult to guess where the EIP is! Basically OS will add random bits of padding (16 or 24) between various parts of memory.

Attacks:
- A ton of NOP sleds + copying shellcode in many places
- Brute force via many forks

Question 38

What is W ^ X?

Answer 38

Stands for Write XOR Execute. Idea that code is not writeable, data not executable. Stack is set to not executable. The OS marks each portion of memroy as either writeable, executable NOT both.

Question 39

What is a return-to-libc attack?

Answer 39

On hardware where the stack is non-executable, engineer your payload to overwrite EIP to point to lib-c function.

1) Overwrite EIP -> point to system call in libc.
2) Must engineer payload to overflow EIP with special address to system call, then a random extra word of memory (where the EBP is) and then after that can put the sys arguments.

Question 40

What is ROP attack?

Answer 40

ROP = Return-oriented programming. This is an attack that is similar to return-to-libc but it jumps to the very end of these library functions. You can chain on these returns to continuously execute code

Question 41

Explain what program fuzzing is and its 2 types (+ their cons)

Answer 41

To test code, devlopers will run their code on a ton of random inputs to search for bugs/crashes.

mutation- based: (dumb)- take a bunch of real examples and “Mutate” them. These are not as thorough and you could theoretically do this forever. (too many test cases, need a strong server)
generative: (smart)- creating the bugs based on the CODE and where there could possibly be bugs. (too little test cases, way too much human work)

General issues: Need to know which of them are automatic, some can trigger the same bug, how do we prioritize bugs?

Question 42

What are some of the most industry-standard widely used fuzzers?

Answer 42

AFL: open-source fuzzer by google
OneFuzz: An SAAS fuzzer

Question 43

Explain which languages are memory safe/not-memory safe and their pros and cons

Answer 43

Not memory safe: C, C++, Assembly
Memory safe: Java, Python, Javascript, etc all else

Memory safe cons- they are slower!