Exploits
- The easiest way of getting access to a machine is having the user install something for you
- A software or hardware bug that allows an attacker to circumvent an OS security perimeter
Memory Management
In C and C++ programmer preforms the memory management
- Buffer Overruns
- Stack Overruns
- Heap Overruns Other languages manage this but have their own vulnerabilities
Buffer Overflows
- When a program is executed, contiguous blocks of memory can be allocated to store arrays (buffer)
- If data is written into a buffer that exceeds its size, an overflow occurs
- The data will overwrite the memory beyond the buffer
Program Memory
- Memory is stored in a virtual address space
- Parts of the program are held in different regions by convention
- Different restrictions are placed on these regions
The Stack
- In C and C+, low level functions perform no bounds checking at all
- If str is long, can write into other memory
Stack Smashing
- By crafting the string, can overwrite the buffer and return address with custom exploit code
Protection: Canaries
- Stack canaries modify the prologue and epilogue of all functions to check a value in front of the return address is unchanged
- If the canary value can be worked out there is no issue.
Data Execution Prevention (NX)
- Modern operating systems (where possible) will mark the stack as non-executable
- NX on AMD, XD on intel, XN on arm
- An NX stack means that adding in our exploit code wont work
- Can circumvent this using a return-to-libc attack
Further protection
- Defeat ret2libc, various
0x0
null bytes are inserted into standard library addresses - Developers also restrict access to obvious system calls
- Address Space Layout Randomisation (ASLR) moves the address of library and programs around
- Don't have to move too much before your hand-crafted
ret
address will break
Race Conditions - With concurrent threads or processes, timing can lead to security vulnerabilities. Where items rely on another thing at the same time
Heartbleed
- Bug in OpenSSL
- Specifically targets the heartbeat extension - buffer over-read
- Extension to regular SSL
- Used to keepalive purposes, to stop quiet connections being closed
- Not always used, optional in SSL