Software Security Flashcards
1
Q
Processes
A
- executes programs etc.
- multiprocess with scheduling
- can create new processes -> forks
2
Q
Intel CPU Registers
A
rax -> for values to return
rbx -> base addressing
rbp -> base pointer
rsp -> stack pointer
3
Q
Memory Layout: The Stack in x64
A
... 8th parameter 7th parameter return address saved rbp local variables red zone ...
4
Q
Buffer Overflow: Code Execution
A
- Overwrite return address with pointer to shellcode
- Saved rip will blindly be interpreted as address to return to upon ret
5
Q
NOP sleds
A
- attackers cannot predict exact location of shellcode
- write many nop’s and then hopefully code is executed
6
Q
Canaries
A
- place canary on stack before rip, rbp
- before ret compare to actual canary
7
Q
Random Canaries, Terminator Canaries
A
- Random canaries use a random value pre-generated at program start
- Terminator canaries consist of bytes that terminate C strings
8
Q
Limitations of Stack Canaries
A
- only against stack overflow
- Byte-by-byte trial-and-error on canary
- > try first byte if correct continue if crashes directly then to next number
9
Q
Non-Executable Stack
A
- A non-executable stack prevents classical shellcode attacks
- MMU enforces non-executable stack
10
Q
Shadow Stack
A
- store rip twice and check if the same
11
Q
Format Strings Attack
A
- if %s or equals aren’t use bad!
- with input as %p (pointers) %n (stores data on stack) we can manipulate
12
Q
Code-Reuse Attacks
A
- assuming stack not executable
- use already existing code to attack
- we can return to libc or use a ROP (Return-Oriented Programming)
13
Q
Address Space Layout Randomization (ASLR)
A
- randomize data and code addresses
- needs compiler and linker support
- if absolute addresses are used problems may happen
14
Q
Fine-Grained ASLR
A
- also reorders functions
- shuffles instructions within a function
15
Q
JIT-ROP
A
- if one pointer to code is leaked rest can be leaked
- uses JIT environment to read code pages and find pointer etc.
