More content

work/01paper.tex

@@ -12,6 +12,8 @@
 \usepackage{graphicx}
 \usepackage{textcomp}
 \usepackage{xcolor}
+\usepackage{caption}
+\usepackage{subcaption}
 
 % code listings
 \usepackage{minted}
@@ -89,9 +91,6 @@ In 2018, 14\% (2368 out of 16556)~\cite{Cve2018} of all software vulnerabilities
 that have a CVE assigned, were overflow related. This shows that, even if this
 type of bug is very old and well known, it's still relevant today.
 
-
-% \section{Main Part, TODO}\label{ref:main} %TODO!!!!
-
 \section{Background}\label{ref:background}
 
 % TODO: many references
@@ -119,6 +118,40 @@ int main(int argc, char **argv) {
 }
 \end{minted}
 
+A successful exploit would place the payload in the memory by supplying it as an
+argument to the programm and eventually overwrite the return address by
+providing an input $> 50$ and therefore writing out of bounds. When the
+\mintinline{C}{return} instruction is executed, and jumps into the payload, the
+attacker's code is executed. This works due to the way, how function calls on
+CPUs work. The stack frame of the current function lies between the two pointers
+\ac{bp} and \ac{sp} as shown in~\ref{fig:before}. When a function is called, the
+value of the \ac{bp}, \ac{sp} and \ac{ip} is pushed to the stack
+(Fig.~\ref{fig:call}) and the \ac{ip} is set to the address of the called
+function. When the function returns, the old \ac{ip} is restored from the stack
+and the execution continues from where the function was called. If an overflow
+overwrites the old \ac{ip} (Fig.~\ref{fig:exploit}), the execution continues in
+attacker controlled code.
+
+\begin{figure}[h!]
+  \includegraphics[width=.3\textwidth]{./dot/before.pdf}
+  \caption{Stack layout before function call}\label{fig:before}
+\end{figure}%
+
+\begin{figure}[h!]
+  \includegraphics[width=.3\textwidth]{./dot/call.pdf}
+  \caption{Stack layout after function call}\label{fig:call}
+\end{figure}%
+
+\begin{figure}[h!]
+  \includegraphics[width=.3\textwidth]{./dot/exploit.pdf}
+  \caption{Stack layout after overflow}\label{fig:exploit}
+\end{figure}
+
+This is only one of several types and exploitation techniques but the general
+idea stays the same: ovewrite the return address or some kind of function
+pointer (e.g. in vtables or the \ac{plt}) and once that function is called, the
+execution flow is hijacked and the attacker can execute arbitiary code.
+
 \subsection{Implications}
 
 \section{Concept and Methods}\label{ref:concept}
@@ -204,8 +237,9 @@ stack and reuses the existing code to circumvent the w\^{}x protection.
 
 \subsubsection{\ac{aslr}}
 
-\Ac{aslr} has been really effective and is included in all major operating
-systems. Some even use kernel \ac{aslr}. Since this mechanism is active at %TODO
+\Ac{aslr} has been really effective and wildly used in production. It is
+included in most major operating systems~\cite{FBSDaslr}. Some
+even use kernel \ac{aslr}~\cite{Linuxaslr}. Since this mechanism is active at %TODO
 runtime, it does not require any changes in the code itself, the programm only
 has to be compiled as a \ac{pie}.