SECURE PROGRAMMING Chapter 3 Pointer Subterfuge

Presentation Transcript

  1. SECURE PROGRAMMING Chapter 3 Pointer Subterfuge

  2. Overview
     • Introduction
     • Data Locations
     • Function Pointers
     • Modifying the IP
     • Global Offset Table
     • The .dtors Section
     • Virtual Pointers
     • atexit() and on_exit()
     • longjmp()/setjmp()
     • Exception Handling: Structured, System default
     • Mitigation Strategies: Stack Canaries, W^X, Encoding/decoding pointers
     • Summary

  3. Introduction
     • Pointer subterfuge == modifying pointer values
     • Pointers to objects vs. pointers to functions
     • C++ also defines a pointer-to-member type
     • All can be modified to run arbitrary code
     • First examine the relationship between data declaration and storage

  4. Data Locations
     Overwriting a pointer with a buffer overflow:
     • Limited by upper bound
     • Limited by lower bound
     • Limited by Hi
     • Limited by Lo
     • Limited by special marker (usually null)
     Conditions:
     • Buffer and pointer must be in the same segment
     • Pointer must be in the direction of the overflow
     • Buffer not adequately bounded

  5. Data Locations
     Data allocation:
     • Unix: data and BSS segment (example 3.1, page 123)
     • Windows is similar

  6. Data Locations

  7. Function Pointers

  8. Object Pointers

  9. Modifying the Instruction Pointer

  10. Modifying the Instruction Pointer

  11. Modifying the Instruction Pointer

  12. Global Offset Table
     • Windows and Linux use a similar mechanism for linking and transferring control to library functions
     • Windows solution is safe; Linux solution is exploitable
     • Default binary format on Linux is called Executable and Linking Format (ELF), developed by Unix System Labs as part of the application binary interface
     • Includes a “Global Offset Table” (GOT)

  13. Global Offset Table (GOT)
     • Holds absolute addresses of library functions
     • Program text is still position independent
     • Program text can still be shared
     • Initially each entry points to the run-time linker
     • Address of the GOT is fixed; address of each GOT entry is fixed in the executable
     • Obtainable through the objdump --dynamic-reloc <fname> command (undocumented!!)

  14. Global Offset Table (GOT)
     Windows portable executable (PE) file format is similar to ELF:
     • Array of data structures, one for each imported DLL
     • Name → array of function pointers (Import Address Table, IAT)
     • Once the module is loaded (at load time), IAT entries are write protected

  15. The .dtors Section
     • __attribute__ for functions, such as constructor (called before main) or destructor (called after main exits)
     • Examine with: objdump -s -j .dtors <fname>

  16. Virtual Pointers (pp 132/133, not used yet)

  17. atexit() and on_exit() (See code, manual pages)
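The .dtors slide and the atexit()/on_exit() slide both describe tables of function pointers that the runtime calls without the program ever naming them explicitly, which is why a write into either table is worth guarding. The following C program, an added example that is not part of the original presentation, shows both hooks in one place: a GCC/clang `__attribute__((constructor))` function, a `__attribute__((destructor))` function, and an `atexit()` handler, each appending to a small run log so the order in which the runtime invokes them can be checked. Modern GCC/binutils toolchains place these entries in `.init_array`/`.fini_array` rather than the older `.ctors`/`.dtors` named on the slide, so on a current system the inspection command becomes `objdump -s -j .fini_array <fname>`; the function names and log strings below are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Ordered record of which hooks have run so far (constructed for this example). */
#define RUN_LOG_MAX 8
static const char *run_log[RUN_LOG_MAX];
static int run_log_len;

static void record(const char *what) {
    if (run_log_len < RUN_LOG_MAX) run_log[run_log_len++] = what;
}

/* Placed in the constructor table (.init_array, historically .ctors):
   the loader calls it before main() gets control. */
__attribute__((constructor)) static void early_init(void) {
    record("constructor");
}

/* Placed in the destructor table (.fini_array, historically .dtors):
   called after main() returns or exit() is called. A corrupted entry
   here would be invoked with full privileges at process teardown. */
__attribute__((destructor)) static void late_cleanup(void) {
    record("destructor");
    fputs("destructor ran\n", stdout);
}

/* Registered at run time with atexit(); the C library keeps its own
   table of such pointers and walks it in reverse order at exit(). */
static void exit_handler(void) {
    record("atexit");
    fputs("atexit handler ran\n", stdout);
}

/* True when the constructor table entry ran before anything else. */
int constructor_ran_first(void) {
    return run_log_len > 0 && strcmp(run_log[0], "constructor") == 0;
}

/* atexit() returns 0 on success and non-zero if its table is full. */
int register_exit_handler(void) {
    return atexit(exit_handler);
}

int main(void) {
    record("main");
    if (register_exit_handler() != 0) {
        fputs("atexit registration failed\n", stderr);
        return 1;
    }
    for (int i = 0; i < run_log_len; i++) printf("%d: %s\n", i, run_log[i]);
    /* Expected order on stdout after the loop: atexit handler, then destructor. */
    return 0;
}
```

Because both tables are ordinary writable data until the dynamic loader finishes with them, the hardening the later slides discuss (RELRO-style write protection after load, or encoding the stored pointers) applies to them just as much as to the GOT.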

  18. longjmp() pp 135, 136

  19. Exception Handling
     Windows has three types:
     • Vectored exception handling
     • Structured exception handling (try/catch)
     • System defaults
     Unix has three:
     • Vectored exception handling
     • Structured exception handling (try/catch)
     • System defaults (see man signal, man sigprocmask)

  20. Structured Exception Handling Windows guarantees on page 138

  21. System Default Exception Handling
     • Interrupt vector: Windows encodes pointer addresses, making it difficult for crackers

  22. Mitigation Strategies
     Eliminate the vulnerabilities:
     • Stack canaries
     • W ^ X
     • Encode/decode function pointers (pp 140-141)
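The third mitigation, encoding function pointers while they sit in memory and decoding them only at the moment of the call, is what slide 21 refers to when it says Windows encodes pointer addresses (the EncodePointer/DecodePointer API). The C program below is an added example, not code from the book or the presentation: it stores a callback as a value XORed with a per-process secret and then bit-rotated, so that an attacker who can overwrite the stored value with a chosen address ends up with a pointer that decodes to garbage rather than to their target. The secret is read from /dev/urandom with a constructed constant as an offline fallback; the `struct callback`, `encode_pointer`, `decode_pointer` and `double_it` names are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef int (*handler_fn)(int);

/* Per-process secret and rotation count, chosen once at startup. */
static uintptr_t pointer_secret;
static unsigned pointer_rotation;

static void init_pointer_secret(void) {
    if (pointer_secret != 0) return;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f != NULL) {
        if (fread(&pointer_secret, sizeof pointer_secret, 1, f) != 1) pointer_secret = 0;
        fclose(f);
    }
    /* Constructed fallback so the example still runs where /dev/urandom is absent. */
    if (pointer_secret == 0) pointer_secret = (uintptr_t)0x5A17C0DE9F3B2D41ULL;
    pointer_rotation = (unsigned)(pointer_secret >> 3) % (sizeof(uintptr_t) * 8 - 1) + 1;
}

static uintptr_t rotl(uintptr_t v, unsigned n) {
    const unsigned bits = sizeof(uintptr_t) * 8;
    n %= bits;
    return n == 0 ? v : (v << n) | (v >> (bits - n));
}

static uintptr_t rotr(uintptr_t v, unsigned n) {
    const unsigned bits = sizeof(uintptr_t) * 8;
    n %= bits;
    return n == 0 ? v : (v >> n) | (v << (bits - n));
}

/* Encode: XOR with the secret, then rotate so no byte of the real address
   survives in place. Decode reverses the two steps. */
uintptr_t encode_pointer(handler_fn fn) {
    init_pointer_secret();
    return rotl((uintptr_t)fn ^ pointer_secret, pointer_rotation);
}

handler_fn decode_pointer(uintptr_t encoded) {
    init_pointer_secret();
    return (handler_fn)(rotr(encoded, pointer_rotation) ^ pointer_secret);
}

/* A callback record of the kind an overflow of a neighbouring buffer could
   reach; the handler is only ever stored in encoded form. */
struct callback {
    char name[16];
    uintptr_t encoded_handler;
};

int double_it(int x) { return 2 * x; }

void register_callback(struct callback *cb, const char *name, handler_fn fn) {
    snprintf(cb->name, sizeof cb->name, "%s", name);
    cb->encoded_handler = encode_pointer(fn);
}

int invoke_callback(const struct callback *cb, int arg) {
    handler_fn fn = decode_pointer(cb->encoded_handler);
    return fn(arg);
}

/* Models a corrupted record: the stored value replaced with the raw address
   of double_it. Returns 1 only if that raw value would still decode to
   double_it, i.e. if the encoding offered no protection. */
int raw_overwrite_survives_decode(void) {
    return decode_pointer((uintptr_t)double_it) == double_it;
}

int main(void) {
    struct callback cb;
    register_callback(&cb, "double", double_it);
    printf("invoke_callback(21) = %d\n", invoke_callback(&cb, 21));
    printf("raw overwrite survives decode: %d\n", raw_overwrite_survives_decode());
    return 0;
}
```

The scheme does not stop the overwrite itself; its value is that the attacker needs the secret to produce an encoded value that decodes to an address of their choosing, and a mis-decoded pointer typically faults rather than transferring control cleanly, which is the crash a detection pipeline can pick up.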

  23. Summary
