RU beehive logo ITEC dept promo banner
ITEC 345
2014fall
ibarland

homelectshws
D2Lbreeze (snow day)

stack-protection
smashing the stack
well, defending it 

We saw how the stack works:
 every subroutine call makes its own stack frame,
 which includes not just its local variables, but
 also two other pieces of info: Upon completion,
 - where to update the top-of-stack, and
 - what point of code to return to (return-instruction-pointer, or %rip)

Alas, buffer overflows can corrupt the stack, and even trick the computer
into "arbitrary code execution": e.g. support.apple.com/kb/HT5806.
Or, search (say)
“apple security update”.

    

But *how* can buffer overflows attack the stack?
  From mid-1990s: "Smashing the Stack for Fun and Profit" -- a tutorial
    for x86-based linux machines -- which still holds true.
  www-inst.eecs.berkeley.edu/~cs161/fa08/papers/stack_smashing.pdf
    


    

  How you do it: put the string "/bin/sh" in memory, and figure out its *address* too;
      say 0xABCD.
    Then, add [the assembly code for] "execve 0xABCD" into memory 
        [at location, say, 0x8888];
    Then, over-write the stack so that the return-IP gets overwritten with 0x8888.
    


    

  The 'smashing the stack' document details getting around other technical issues
  (you have to have the 'execve' word-aligned, and no null-characters, 
    and you'll eventually need to get it into the data-segment of memory and you
    don't really know where that is.
    Trick: precede your implanted code in the data-segement w/ a whole bunch 
    of NOP instructions; then transfer control to some guessed location that
    you hope is close enough to be in the NOP region.)
    


    
How to *protect* against stack attacks?    
  - programmer check bounds; 
  - have language check array-indices
  - "stack fencing", or canary in coal mine:

     Every time you boot the OS, choose a random int (a 'canary'),
       and store it somewhere.
     Every time the OS pushes the return-address, 
       follow it with a copy of that random canary.
     Finally, when the OS pops off a return-address, it 
       verifies that the (correct) canary is there.
     If the canary is dead (the wrong value),
       we have detected tampering, and we quit.
                          
   -- a *random* value is used each run, since if you always used 417 then
      attackers will realize that and they'll just write 417 before their
      forged return address.
   -- Windows 7.early tried this implementation, and goofed: they kept
      the original copy of the canary in a register, and attackers were
      (somehow) able to get access to that register, and use it.
      [I don't understand exactly how, though.]
      
      
============
Intro Unix

mentioned ls, cd, and the root dir.

homelectshws
D2Lbreeze (snow day)

©2014, Ian Barland, Radford University
Last modified 2014.Sep.12 (Fri)		 Please mail any suggestions
(incl. typos, broken links)
to ibarlandradford.edu		 Rendered by Racket.