P1L2: Software Security Flashcards
What are stack buffer overflows?
A stack buffer overflow occurs when a program writes more data into a fixed-size buffer on the stack than the buffer can hold, so the excess overwrites whatever sits next to it in the stack frame (other local variables, the saved frame pointer, and the return address). By controlling the overwritten return address, the attacker redirects execution to code of their choosing.
The stack buffer is used for
- Local variables
- Parameters passed to the function
- Control information (i.e. the saved frame pointer and the return address)
what is shellcode?
The code the attacker wants to run once control of the program has been hijacked.
What does shellcode do?
- Machine code, traditionally written to spawn a shell (hence the name).
- The overwritten return address must point to a location where the shellcode (or a NOP sled leading into it) resides, so that the "return" actually lands in the attacker's code.
What privileges does shellcode allow?
The same privileges as the host program exploited by the shellcode.
If that program is a system service or part of the OS, this can mean root privileges.
What variations of buffer overflow exist?
Return-to-libc: the return address is overwritten to point to a function in a library (e.g. system()), so no injected code has to be executed from the stack.
Heap overflows: long-lived data allocated at run time (malloc/calloc/new, rather than the stack) is stored on the heap; overflowing a heap buffer corrupts adjacent heap data such as function pointers or allocator metadata.
OpenSSL Heartbleed: a missing bounds check let an attacker read sensitive data beyond the end of a buffer.
What is Return-to-libc?
The return address is overwritten to point to a function in a library (e.g. system()), so no injected code has to be executed from the stack.
Heap Overflows
Long-lived data allocated at run time (malloc/calloc/new, rather than the stack) is stored on the heap; overflowing a heap buffer corrupts adjacent heap data such as function pointers or allocator metadata.
OpenSSL Heartbleed
A missing bounds check let the attacker read sensitive data beyond the end of a buffer.
Example of safe language
Java
Example of an unsafe language
C
What is the defense if unsafe languages must be used?
Check all input (length as well as content) before it touches a buffer.
Use safer functions that do bounds checking (e.g. snprintf/strncpy instead of sprintf/strcpy).
Use automated tools to analyze code for unsafe functions.
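Added example, not part of the original flashcards: the unsafe `strcpy` pattern beside two hardened versions that apply the "check all input" and "use a bounds-checking function" advice. The function and buffer names and the sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern: strcpy() copies until it finds a NUL byte and never
 * looks at the size of buf. Any input of 16 or more bytes runs past buf into
 * whatever follows it in the stack frame (other locals, saved frame pointer,
 * return address). Kept for reference only; nothing below calls it. */
void greet_unsafe(const char *name)
{
    char buf[16];
    strcpy(buf, name);   /* no bounds check: the overflow happens here */
    printf("hello %s\n", buf);
}

/* Hardened, "check all input" form: refuse anything that does not fit, then
 * copy an explicitly bounded number of bytes.
 * Returns 0 on success, -1 if the input was refused. */
int greet_safe(const char *name, char *out, size_t outsz)
{
    size_t n = strlen(name);
    if (outsz == 0 || n >= outsz)   /* must leave room for the terminating NUL */
        return -1;
    memcpy(out, name, n + 1);       /* copy exactly n bytes plus the NUL */
    return 0;
}

/* Hardened, "safer function" form: snprintf() never writes more than outsz
 * bytes and always NUL-terminates when outsz > 0, so over-long input is
 * truncated instead of overflowing.
 * Returns 1 if truncation occurred, 0 if not, -1 on an encoding error. */
int greet_truncating(const char *name, char *out, size_t outsz)
{
    int needed = snprintf(out, outsz, "%s", name);
    if (needed < 0)
        return -1;
    return (size_t)needed >= outsz;
}

int main(void)
{
    char out[16];
    /* constructed inputs: one that fits, one that is exactly one byte too long */
    const char *inputs[] = { "alice", "0123456789abcdef" };
    for (int i = 0; i < 2; i++) {
        int rc = greet_safe(inputs[i], out, sizeof out);
        printf("greet_safe(\"%s\") -> %d\n", inputs[i], rc);
        rc = greet_truncating(inputs[i], out, sizeof out);
        printf("greet_truncating(\"%s\") -> %d, out=\"%s\"\n", inputs[i], rc, out);
    }
    return 0;
}
```

Note the off-by-one that `greet_safe` guards against: a 16-character name fits the 16 characters of `buf` but not the NUL terminator, so `strcpy` would write 17 bytes. `strncpy` avoids the overflow but does not NUL-terminate a full buffer, which is why `snprintf` is the more convenient "safer function" here.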
What are ways to thwart Buffer Overflow Attacks?
Stack canaries: values written into the stack frame between the local buffers and the saved return address and checked before the function returns; an overflow that reaches the return address also clobbers the canary, so the program aborts instead of returning.
Address Space Layout Randomization (ASLR): randomizes the base addresses of the stack, heap, libraries, etc. so the attacker cannot predict where injected code or useful library functions will be.
Non-executable stack (NX/DEP): marks stack pages non-executable so injected shellcode cannot run there. Requires hardware support and is normally combined with ASLR, which makes the return-to-libc style bypass harder.
To exploit any type of buffer overflow the attacker needs to identify a buffer overflow vulnerability in some program that can be triggered using externally sourced data under the attackers control. T/F
True
At the basic machine level, all of the data manipulated by machine instructions executed by the computer processor are stored in either the processor's registers or in memory. T/F
True
A stack overflow can result in some form of a denial-of-service attack on a system. T/F
True
An attacker is more interested in transferring control to a location and code of the attacker’s choosing rather than immediately crashing the program. T/F
True
The potential for a buffer overflow exists anywhere that data is copied or merged into a buffer, where at least some of the data is read from outside the program. T/F
True
Shell code is not specific to a particular processor architecture. T/F
False
There are several generic restrictions on the content of shellcode. T/F
True. Shellcode must be position independent, and when it is delivered through a string copy it cannot contain NUL bytes (the copy would stop there); further restrictions depend on how the input reaches the buffer.
An attacker can generally determine in advance exactly where the targeted buffer will be located in the stack frame of the function in which it is defined. T/F
False. The exact address depends on what is already on the stack when the function is called (and ASLR randomizes it further), which is why attackers use a NOP sled to tolerate an inexact guess.
It is possible to write a compiler tool to check a program and identify all possible buffer overflow bugs. T/F
False
It is possible to develop a run-time monitoring tool to detect the effects of all possible buffer overflow attacks. T/F
False
A consequence of a buffer overflow error is _____.
- corruption of data used by the program.
- unexpected transfer of control in the program.
- possible memory access violation.
The function of _____ was to transfer control to a user command-line interpreter, which gave access to any program available on the system with the privileges of the attacked program.
Shellcode
_____ is a form of overflow attack.
- Heap overflows
- Return to system call
- Replacement stack frame
Data is simply an array of
bytes
Shellcode has to be ______, which means it cannot contain any absolute address referring to itself.
position independent
______ is one of the best known mechanisms that is a GCC compiler extension that inserts additional function entry and exit code.
StackGuard
The ____is typically located above the program code and global data and grows up in memory (while the stack grows down towards it).
Heap
A _____ value is named after the miner’s bird used to detect poisonous air in a mine and warn miners in time for them to escape.
Canary
OpenSSL Heartbleed Vulnerability
A missing bounds check on the heartbeat payload length let the attacker read far more of the buffer than the actual payload, which could include sensitive data (private keys, session cookies, passwords).
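Added example, not OpenSSL's code, serving both the Heartbleed cards above: a simplified model of the TLS heartbeat handler (record = 1-byte type, 2-byte big-endian payload length, payload, 16 bytes of padding) with the vulnerable copy beside the patched length check. `g_memory`, `build_record()` and the "SECRETKEY" bytes are constructed stand-ins for the process heap and the received record, not real data.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define HB_PADDING 16
/* Constructed "heap": the received record sits at the start, followed by
 * other data that the peer must never see. */
static unsigned char g_memory[96];

/* Build a record at the start of g_memory whose length field claims
 * claimed_len payload bytes while the real payload is `payload`, and place a
 * constructed secret just past the record. Returns the record's true length,
 * or 0 if it would not fit in the model. */
size_t build_record(uint16_t claimed_len, const char *payload)
{
    size_t n = strlen(payload);
    if (3 + n + HB_PADDING + 9 > sizeof g_memory)
        return 0;
    memset(g_memory, 0, sizeof g_memory);
    g_memory[0] = 1;                                 /* heartbeat request */
    g_memory[1] = (unsigned char)(claimed_len >> 8);
    g_memory[2] = (unsigned char)(claimed_len & 0xff);
    memcpy(&g_memory[3], payload, n);
    memset(&g_memory[3 + n], 0xAA, HB_PADDING);
    memcpy(&g_memory[3 + n + HB_PADDING], "SECRETKEY", 9);
    return 1 + 2 + n + HB_PADDING;
}

/* Vulnerable handler: echoes back `payload_length` bytes taken from the
 * received record, trusting the attacker-supplied length and never looking at
 * rec_len. Returns the number of bytes placed in resp. (The cap on resp_cap
 * exists only to keep this model inside g_memory; the real code had none.) */
size_t heartbeat_vulnerable(const unsigned char *rec, size_t rec_len,
                            unsigned char *resp, size_t resp_cap)
{
    (void)rec_len;                                   /* never consulted: the bug */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if (payload > resp_cap)
        return 0;
    memcpy(resp, rec + 3, payload);                  /* reads past the real payload */
    return payload;
}

/* Fixed handler: the check added by the patch. A record whose claimed payload
 * (plus header and padding) exceeds the true record length is discarded. */
size_t heartbeat_fixed(const unsigned char *rec, size_t rec_len,
                       unsigned char *resp, size_t resp_cap)
{
    if (rec_len < 1 + 2 + HB_PADDING)
        return 0;                                    /* too short to hold even the header */
    uint16_t payload = (uint16_t)((rec[1] << 8) | rec[2]);
    if ((size_t)1 + 2 + payload + HB_PADDING > rec_len)
        return 0;                                    /* silently discard, as RFC 6520 requires */
    if (payload > resp_cap)
        return 0;
    memcpy(resp, rec + 3, payload);
    return payload;
}
```

With a record that claims 40 payload bytes but really carries 2, the vulnerable handler copies 40 bytes starting at the payload, so the bytes that follow the record (here the constructed "SECRETKEY") land in the response; the fixed handler discards the record. Note that this is a pure over-read, not an overflow of a write: nothing is corrupted, which is why it went unnoticed for so long.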
NOP Sled
A run of NOP instructions placed in front of the shellcode. If the overwritten return address lands anywhere inside the sled, execution "slides" down into the shellcode, so the attacker does not need to know the buffer's exact address.
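Added example, not from the original flashcards, showing the payload layout the NOP sled card describes: [NOP sled][shellcode][guessed return address, repeated]. x86 is assumed (0x90 is a one-byte NOP; addresses are little-endian). `demo_shellcode` is a constructed stand-in (int3 breakpoints), not working shellcode, and every address in the code and its comments is made up; no real target is involved.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define NOP 0x90   /* x86 single-byte NOP */

/* Constructed placeholder for shellcode: four int3 instructions. */
static const unsigned char demo_shellcode[] = { 0xCC, 0xCC, 0xCC, 0xCC };

/* One of the generic restrictions on shellcode: when the payload is delivered
 * by a string copy, a NUL byte ends the copy early. Returns 1 if a NUL is present. */
int shellcode_has_nul(const unsigned char *sc, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (sc[i] == 0)
            return 1;
    return 0;
}

/* Fill `out` with a NOP sled followed by the shellcode, ending exactly at
 * buf_to_ret (the distance from the start of the target buffer to the saved
 * return address), then `ret_copies` copies of the guessed address so the
 * return slot is hit even if buf_to_ret is off by a word.
 * Returns the payload length, or 0 if it cannot be built. */
size_t build_payload(unsigned char *out, size_t cap, size_t buf_to_ret,
                     uint64_t guess, const unsigned char *sc, size_t sc_len,
                     size_t ret_copies)
{
    if (sc_len > buf_to_ret || ret_copies == 0)
        return 0;
    size_t total = buf_to_ret + ret_copies * sizeof guess;
    if (total > cap)
        return 0;
    size_t sled = buf_to_ret - sc_len;
    memset(out, NOP, sled);                           /* the sled */
    memcpy(out + sled, sc, sc_len);                   /* shellcode right after it */
    for (size_t i = 0; i < ret_copies; i++)           /* host byte order: little-endian on x86 */
        memcpy(out + buf_to_ret + i * sizeof guess, &guess, sizeof guess);
    return total;
}

/* Why the sled helps: the attacker only knows the buffer's real address
 * approximately. The guess works if it lands anywhere inside the sled, not
 * only at its first byte. */
int guess_lands_in_sled(uint64_t actual_buf, size_t sled_len, uint64_t guess)
{
    return guess >= actual_buf && guess < actual_buf + sled_len;
}
```

The wider the sled, the larger the error in the guessed address that still leads into the shellcode, which is the trade-off against the limited space in the overflowed buffer. Note also that a 64-bit user-space address has zero high bytes, so a payload delivered through `strcpy` can carry the return address only as its final element.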
What does a Stackguard do at compile time?
It inserts function entry code that writes a canary value into the frame between the local variables and the saved return address, and function exit code that checks the canary is unchanged before returning. If the canary has changed, the program aborts instead of returning to the attacker's address.
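Added example, not StackGuard's or GCC's code, serving the stack canary and StackGuard cards as well as the "what is the stack buffer used for" card: a software model of a stack frame (local buffer, canary, saved frame pointer, return address) with the entry code that writes the canary and the exit check that detects an overflow. `struct frame` is a constructed stand-in for a real frame; the canary and address values are made up.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Model of one frame in the order an overflow of buf runs through it
 * (toward higher addresses on a downward-growing stack). */
struct frame {
    char     buf[16];     /* local buffer: an overflow of it runs upward ... */
    uint64_t canary;      /* ... into the canary first ... */
    uint64_t saved_fp;    /* ... then the saved frame pointer ... */
    uint64_t ret;         /* ... and finally the return address */
};

/* Function entry: set up the frame and write the canary. The per-process
 * value is normally random; glibc makes its lowest byte 0x00 for the reason
 * shown at frame_strcpy(). */
void frame_enter(struct frame *f, uint64_t canary, uint64_t saved_fp, uint64_t ret)
{
    memset(f->buf, 0, sizeof f->buf);
    f->canary = canary;
    f->saved_fp = saved_fp;
    f->ret = ret;
}

/* Unbounded memcpy-style write into buf. Capped at the frame size only so the
 * model stays within defined behaviour; a real overflow has no such cap.
 * Returns the number of bytes written. */
size_t frame_memcpy(struct frame *f, const void *data, size_t len)
{
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy((unsigned char *)f, data, len);
    return len;
}

/* Unbounded strcpy-style write: like strcpy(), it stops after the first NUL.
 * Because the canary's first byte in memory is 0x00, a string that tries to
 * rewrite the canary with its correct value ends right there and never
 * reaches the return address; a string long enough to reach it must change
 * that byte, which the exit check catches. */
size_t frame_strcpy(struct frame *f, const char *s)
{
    size_t n = strlen(s) + 1;                 /* include the terminator */
    return frame_memcpy(f, s, n > sizeof *f ? sizeof *f : n);
}

/* Function exit: the check inserted before the return instruction. Returns 1
 * if returning is safe, 0 if the canary changed (real code calls
 * __stack_chk_fail() and aborts at this point). */
int frame_return_ok(const struct frame *f, uint64_t canary)
{
    return f->canary == canary;
}
```

The model makes the two properties of the defence visible: a write that stays inside `buf` leaves the canary alone, and any write that reaches `saved_fp` or `ret` has passed through the canary first. What it does not defend against is an overflow that only corrupts other local variables below the canary, or an attacker who can learn the canary's value through a separate information leak.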
Guard pages
A range of addresses (typically whole pages marked inaccessible) placed between critical regions of memory, e.g. between the stack and the heap or around heap blocks, so that an overflow running into them triggers a memory access fault instead of silently corrupting the next region.
Replacement Stack Frame attack
Overwrites the buffer and the saved frame pointer, without needing to reach the return address. The forged saved frame pointer points to a dummy stack frame that the attacker has placed in the buffer, whose return address is the start of the shellcode; when the calling function later returns, it returns through that dummy frame into the shellcode.