diff --git a/work/01paper.pdf b/work/01paper.pdf index ff4f7ee..d7e9bfa 100644 Binary files a/work/01paper.pdf and b/work/01paper.pdf differ diff --git a/work/01paper.tex b/work/01paper.tex index 94a35ca..ba53603 100644 --- a/work/01paper.tex +++ b/work/01paper.tex @@ -12,6 +12,8 @@ \usepackage{graphicx} \usepackage{textcomp} \usepackage{xcolor} +\usepackage{caption} +\usepackage{subcaption} % code listings \usepackage{minted} @@ -89,9 +91,6 @@ In 2018, 14\% (2368 out of 16556)~\cite{Cve2018} of all software vulnerabilities that have a CVE assigned, were overflow related. This shows that, even if this type of bug is very old and well known, it's still relevant today. - -% \section{Main Part, TODO}\label{ref:main} %TODO!!!! - \section{Background}\label{ref:background} % TODO: many references 
@@ -119,6 +118,40 @@ int main(int argc, char **argv) { } \end{minted} +A successful exploit would place the payload in the memory by supplying it as an +argument to the programm and eventually overwrite the return address by +providing an input $> 50$ and therefore writing out of bounds. When the +\mintinline{C}{return} instruction is executed, and jumps into the payload, the +attacker's code is executed. This works due to the way, how function calls on +CPUs work. The stack frame of the current function lies between the two pointers +\ac{bp} and \ac{sp} as shown in~\ref{fig:before}. When a function is called, the +value of the \ac{bp}, \ac{sp} and \ac{ip} is pushed to the stack +(Fig.~\ref{fig:call}) and the \ac{ip} is set to the address of the called +function. When the function returns, the old \ac{ip} is restored from the stack +and the execution continues from where the function was called. If an overflow +overwrites the old \ac{ip} (Fig.~\ref{fig:exploit}), the execution continues in +attacker controlled code. + +\begin{figure}[h!] + \includegraphics[width=.3\textwidth]{./dot/before.pdf} + \caption{Stack layout before function call}\label{fig:before} +\end{figure}% + +\begin{figure}[h!] + \includegraphics[width=.3\textwidth]{./dot/call.pdf} + \caption{Stack layout after function call}\label{fig:call} +\end{figure}% + +\begin{figure}[h!] + \includegraphics[width=.3\textwidth]{./dot/exploit.pdf} + \caption{Stack layout after overflow}\label{fig:exploit} +\end{figure} + +This is only one of several types and exploitation techniques but the general +idea stays the same: ovewrite the return address or some kind of function +pointer (e.g. in vtables or the \ac{plt}) and once that function is called, the +execution flow is hijacked and the attacker can execute arbitiary code. + \subsection{Implications} \section{Concept and Methods}\label{ref:concept} 
@@ -204,8 +237,9 @@ stack and reuses the existing code to circumvent the w\^{}x protection. \subsubsection{\ac{aslr}} -\Ac{aslr} has been really effective and is included in all major operating -systems. Some even use kernel \ac{aslr}. Since this mechanism is active at %TODO +\Ac{aslr} has been really effective and wildly used in production. It is +included in most major operating systems~\cite{FBSDaslr}. Some +even use kernel \ac{aslr}~\cite{Linuxaslr}. Since this mechanism is active at %TODO runtime, it does not require any changes in the code itself, the programm only has to be compiled as a \ac{pie}.
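Review bot: in the preamble hunk, `\usepackage{subcaption}` is added but nothing in the patch uses `\subfigure` or `\subcaption`; the three stack-layout figures added in the Background hunk are separate `figure` floats. Either drop the package or use it: put the three `\includegraphics` into one `figure` with three `subfigure` environments of width `.3\textwidth`, so the before/call/exploit panels sit side by side under one caption and keep their `fig:before`, `fig:call` and `fig:exploit` labels. Three consecutive `[h!]` floats plus the trailing `%` after `\end{figure}` suggest this side-by-side layout was the intent, but separate floats do not guarantee it.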
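Review bot: in the Background hunk the description of the call sequence is inaccurate: `value of the \ac{bp}, \ac{sp} and \ac{ip} is pushed to the stack` does not match how `call` works on x86, where the instruction pushes only the return address (the saved \ac{ip}); the old \ac{bp} is pushed by the callee's prologue, and \ac{sp} is never pushed, it is recomputed on return. Suggest `the return address (the old \ac{ip}) is pushed by the call instruction and the old \ac{bp} by the function prologue`. Further points in the same hunk: `as shown in~\ref{fig:before}` lacks the `Fig.` prefix used for the other two references; `This works due to the way, how function calls on CPUs work` reads better as `This works because of how function calls work on the CPU`; typos `programm`, `ovewrite`, `arbitiary`; and `\subsection{Implications}` is added with an empty body, so it needs either text or a TODO marker.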
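Review bot: in the \ac{aslr} hunk, `wildly used in production` should read `widely used in production`, `programm` is still misspelled in the unchanged context line, and the `%TODO` at the end of `Since this mechanism is active at %TODO` survives the edit, so it should be resolved or removed. `has been really effective` is vague for a paper: since the sentence now carries citations, state what they support, e.g. `\Ac{aslr} is widely deployed in production and is included in most major operating systems~\cite{FBSDaslr}`, and note that a single FreeBSD reference backs only one of those operating systems.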