Stack Attacks Flashcards
In 64-bit, where are the arguments for a function passed?
The first 6 go into registers; after that they go onto the stack.
In 32-bit, where are the arguments for a function passed?
The stack
Name the 6 registers in order that function arguments are passed into in x64
RDI
RSI
RDX
RCX
R8
R9
Which registers are function results returned in?
RAX and RDX
What is the RAX register?
The accumulator
What is the RIP register?
The instruction pointer
What does the RSP register point to?
The top of the stack
What does the RBP register point to?
The bottom of the stack
Which registers are floating point function arguments passed into?
XMM0 to XMM7
Describe what happens in memory when a function is called?
Arguments are put into registers
The function updates the RSP and RBP values to make new stack space
The old instruction pointer is pushed onto the stack
The old RBP is pushed onto the stack
What is a buffer overflow attack?
When you write data that is larger than the size of a buffer into that buffer, causing it to overflow and overwrite the old instruction pointer, allowing you to change where the program resumes from after the function finishes.
How does the NX-bit defend against buffer overflow attacks?
The NX-bit provides a hardware distinction between the text and the stack. Code should only be in the text, and never the stack. If the instruction pointer ever points to the stack it will crash.
How does address space layout randomisation (ASLR) protect against buffer overflow attacks?
ASLR adds a random offset to the stack and code bases each time a program runs. This makes it harder for an attacker to know the address of particular pieces of code.
How do stack canaries protect against buffer overflow attacks?
A stack canary is a random value from the heap that is written to the base of the stack. When the function finishes, the value on the stack is compared to the value on the heap; if they are different, the program crashes.
What is use after free?
This is when a memory address is freed by a program and then the program accesses the address later. This allows another program to gain control of the memory address and change the value stored there.