lectures.alex.balgavy.eu

Lecture notes from university.
git clone git://git.alex.balgavy.eu/lectures.alex.balgavy.eu.git

commit 388b07c4f03efe8d50ad20654e2f489b5f868263
parent f014dae4903678cedd4ebfd677015dd9f09aa929
Author: Alex Balgavy <alex@balgavy.eu>
Date:   Wed,  6 Oct 2021 16:02:31 +0200

Softsec notes update

Diffstat:
M content/softsec-notes/_index.md | 2 ++
A content/softsec-notes/format-strings.md | 13 +++++++++++++
A content/softsec-notes/integer-overflows.md | 28 ++++++++++++++++++++++++++++
3 files changed, 43 insertions(+), 0 deletions(-)

diff --git a/content/softsec-notes/_index.md b/content/softsec-notes/_index.md @@ -7,3 +7,5 @@ title = 'Software Security' 3. [Local privilege escalation](local-privilege-escalation) 4. [Simple attacks](simple-attacks) 5. [Shellcode](shellcode) +6. [Integer overflows](integer-overflows) +7. [Format strings](format-strings) diff --git a/content/softsec-notes/format-strings.md b/content/softsec-notes/format-strings.md @@ -0,0 +1,13 @@ ++++ +title = 'Format strings' ++++ +# Format strings +e.g. in `printf`. + +`printf` looks at registers, then stack. +- if user controls format string, can leak info +- `%P$c`: read character at position P +- `%n`: stores corrent length of string. use `$` and width modifiers to write data to some address + +arbitrary write! + diff --git a/content/softsec-notes/integer-overflows.md b/content/softsec-notes/integer-overflows.md 
@@ -0,0 +1,28 @@ ++++ +title = 'Integer overflows' +template = 'page-math.html' ++++ +# Integer overflows +Ints have a fixed size. + +For x86-64 Linux: + +<table> +<tr><th>type</th><th>bits</th><th>min</th><th>max</th></tr> +<tr><td>signed char</td><td>8</td><td>$-2^{7}$</td><td>$2^{7}-1$</td></tr> +<tr><td>unsigned char</td><td>8</td><td>0</td><td>$2^{8}-1$</td></tr> +<tr><td>short</td><td>16</td><td>$-2^{15}$</td><td>$2^{15}-1$</td></tr> +<tr><td>unsigned short</td><td>16</td><td>0</td><td>$2^{16}-1$</td></tr> +<tr><td>int</td><td>32</td><td>$-2^{31}$</td><td>$2^{31}-1$</td></tr> +<tr><td>unsigned int</td><td>32</td><td>0</td><td>$2^{32}-1$</td></tr> +<tr><td>long</td><td>64</td><td>$-2^{63}$</td><td>$2^{63}-1$</td></tr> +<tr><td>unsigned long</td><td>64</td><td>0</td><td>$2^{64}-1$</td></tr> +</table> + +If number doesn't fit, overflow. CPU discards bits that don't fit. +i.e. result is computed modulo 2ⁿ (n = number of bits). + +leads to unexpected results in casts, computation, comparison: +- truncation: cast to smaller type, discarding bits +- arithmetic overflow: wrap around +- signedness: negative int interpreted as unsigned
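Review bot: in the format-strings.md hunk, the `%n` bullet is wrong as written: `%n` does not "store the current length of the string", it writes the number of bytes printed so far into the `int *` that `printf` takes as the next argument, which is exactly why it gives an arbitrary write. Suggest "`%n`: writes the number of bytes output so far to the int pointer consumed as the next argument; use `$` to pick which argument and a width (e.g. `%200c`) to control the value written", and fix the typo "corrent". The `%P$c` bullet should say what `P$` does: it selects the P-th variadic argument, and `%P$c` prints that argument as a character; for leaking memory the usual forms are `%P$x`/`%P$p`, and for reading at an address the argument itself must be a pointer (e.g. `%P$s`). "printf looks at registers, then stack" is the x86-64 System V convention (first six integer arguments in registers, the rest on the stack), so the note should name the ABI it assumes, since on 32-bit x86 everything is on the stack.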
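Review bot: in the integer-overflows.md hunk, "CPU discards bits that don't fit / result is computed modulo 2ⁿ" is only what C guarantees for unsigned types; for signed types overflow is undefined behaviour, and compilers rely on that (a check like `x + 1 > x` on a signed `int` can be folded to `true`), so a reader who expects the wrap the hardware performs will write broken overflow checks. Suggest splitting the sentence: unsigned arithmetic wraps modulo 2ⁿ by definition; signed overflow is UB in C even though the x86 ALU wraps, so checks must be done before the operation or on unsigned values. Likewise "truncation: cast to smaller type, discarding bits" is exact for unsigned targets but implementation-defined for signed ones. The table's `long` = 64 bits holds only under LP64, which is what x86-64 Linux uses (it is 32 bits on 64-bit Windows), so the "For x86-64 Linux" qualifier is correct and worth keeping next to the table rather than above it.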