vbrandl/WIS-SEC-BOF
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

More content

Browse Source
This commit is contained in:
Valentin Brandl 2019-12-10 20:36:42 +01:00
parent 8a6a8b2348
commit 0cfdc132fc
No known key found for this signature in database
GPG Key ID: 30D341DD34118D7D
2 changed files with 39 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
work/01paper.pdf
View File

Binary file not shown.

44
work/01paper.tex
View File

@ -12,6 +12,8 @@
\usepackage{graphicx} \usepackage{graphicx}
\usepackage{textcomp} \usepackage{textcomp}
\usepackage{xcolor} \usepackage{xcolor}
\usepackage{caption}
\usepackage{subcaption}
% code listings % code listings
\usepackage{minted} \usepackage{minted}
@ -89,9 +91,6 @@ In 2018, 14\% (2368 out of 16556)~\cite{Cve2018} of all software vulnerabilities
that have a CVE assigned, were overflow related. This shows that, even if this that have a CVE assigned, were overflow related. This shows that, even if this
type of bug is very old and well known, it's still relevant today. type of bug is very old and well known, it's still relevant today.
% \section{Main Part, TODO}\label{ref:main} %TODO!!!!
\section{Background}\label{ref:background} \section{Background}\label{ref:background}
% TODO: many references % TODO: many references
@ -119,6 +118,40 @@ int main(int argc, char **argv) {
} }
\end{minted} \end{minted}
A successful exploit would place the payload in the memory by supplying it as an
argument to the programm and eventually overwrite the return address by
providing an input $> 50$ and therefore writing out of bounds. When the
\mintinline{C}{return} instruction is executed, and jumps into the payload, the
attacker's code is executed. This works due to the way, how function calls on
CPUs work. The stack frame of the current function lies between the two pointers
\ac{bp} and \ac{sp} as shown in~\ref{fig:before}. When a function is called, the
value of the \ac{bp}, \ac{sp} and \ac{ip} is pushed to the stack
(Fig.~\ref{fig:call}) and the \ac{ip} is set to the address of the called
function. When the function returns, the old \ac{ip} is restored from the stack
and the execution continues from where the function was called. If an overflow
overwrites the old \ac{ip} (Fig.~\ref{fig:exploit}), the execution continues in
attacker controlled code.
\begin{figure}[h!]
\includegraphics[width=.3\textwidth]{./dot/before.pdf}
\caption{Stack layout before function call}\label{fig:before}
\end{figure}%
\begin{figure}[h!]
\includegraphics[width=.3\textwidth]{./dot/call.pdf}
\caption{Stack layout after function call}\label{fig:call}
\end{figure}%
\begin{figure}[h!]
\includegraphics[width=.3\textwidth]{./dot/exploit.pdf}
\caption{Stack layout after overflow}\label{fig:exploit}
\end{figure}
This is only one of several types and exploitation techniques but the general
idea stays the same: ovewrite the return address or some kind of function
pointer (e.g. in vtables or the \ac{plt}) and once that function is called, the
execution flow is hijacked and the attacker can execute arbitiary code.
\subsection{Implications} \subsection{Implications}
\section{Concept and Methods}\label{ref:concept} \section{Concept and Methods}\label{ref:concept}
@ -204,8 +237,9 @@ stack and reuses the existing code to circumvent the w\^{}x protection.
\subsubsection{\ac{aslr}} \subsubsection{\ac{aslr}}
\Ac{aslr} has been really effective and is included in all major operating \Ac{aslr} has been really effective and wildly used in production. It is
systems. Some even use kernel \ac{aslr}. Since this mechanism is active at %TODO included in most major operating systems~\cite{FBSDaslr}. Some
even use kernel \ac{aslr}~\cite{Linuxaslr}. Since this mechanism is active at %TODO
runtime, it does not require any changes in the code itself, the programm only runtime, it does not require any changes in the code itself, the programm only
has to be compiled as a \ac{pie}. has to be compiled as a \ac{pie}.