+++
title = "Lecture 8: Defenses"
+++

# Lecture 8: Defenses
Some techniques available to make attacks harder.
Modern compilers and OSes implement several of them, some by default.

Stack canaries:
- a value placed between the local variables and the return address; the compiler adds its initialization in the function prologue
- before the function returns, check whether the value is unchanged; the compiler adds this check in the function epilogue
- an overflow that corrupts the return address also corrupts the canary
- attacker can:
  - jump over the canary
  - overwrite the canary with the correct value after leaking it first

Data execution prevention:
- OS marks data pages as non-executable (requires the CPU's no-execute bit, supported on all modern Intel/AMD CPUs)
- an attempt to execute those pages causes a segfault

W⊕X: write xor execute
- ensure no memory is both writable and executable
- prevents the attacker from injecting code and then executing it
- attacker can instead reuse existing code:
  - shared library functions (return to libc)
    - for example, write the address of system(), and ensure %rdi holds a pointer to a shell command
    - easier on 32-bit, as parameters are passed on the stack
  - chain together pieces of existing code into a new program (Return Oriented Programming chains, where the stack holds the sequence of addresses)

ASLR: address space layout randomization
- randomizes the memory addresses of code, data, heap, and stack
- prevents the attacker from finding a code pointer to overwrite, or from knowing what to overwrite it with
- attacker can:
  - leak addresses
  - leak code and data to recover addresses
  - use side channels to recover the complete address space layout
  - brute force, since only a few bits are truly random
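Added example, not part of the lecture notes: a small C audit for the W⊕X rule above. It parses lines in the Linux `/proc/<pid>/maps` format and counts mappings that are both writable and executable; the sample lines, their addresses and the `[anon:jit]` path are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
/* One mapping from /proc/<pid>/maps: address range plus permission flags. */
struct mapping {
    unsigned long long start, end;
    char perms[5];                  /* e.g. "rwxp": 4 flags + NUL */
};

/* Parse one maps line ("start-end perms offset dev inode path"); 1 = ok. */
int parse_maps_line(const char *line, struct mapping *m) {
    return sscanf(line, "%llx-%llx %4s", &m->start, &m->end, m->perms) == 3;
}

/* W^X is violated when a region is writable and executable at the same time. */
int violates_wx(const struct mapping *m) {
    return strchr(m->perms, 'w') != NULL && strchr(m->perms, 'x') != NULL;
}

/* Count W^X violations in a buffer of maps-format text, one mapping per line. */
int count_wx_violations(const char *text) {
    int count = 0; char line[512];
    while (*text) {
        const char *nl = strchr(text, '\n');
        size_t len = nl ? (size_t)(nl - text) : strlen(text);
        if (len >= sizeof line) len = sizeof line - 1;   /* truncate long paths */
        memcpy(line, text, len); line[len] = '\0';
        struct mapping m;
        if (parse_maps_line(line, &m) && violates_wx(&m)) count++;
        text = nl ? nl + 1 : text + len;
    }
    return count;
}
/* Constructed sample (hypothetical addresses): only the JIT region is rwx. */
const char *sample_maps =
    "00400000-00401000 r-xp 00000000 08:01 1234 /usr/bin/demo\n"
    "00601000-00602000 rw-p 00001000 08:01 1234 /usr/bin/demo\n"
    "7f00deadb000-7f00deadc000 rwxp 00000000 00:00 0 [anon:jit]\n"
    "7ffc12345000-7ffc12366000 rw-p 00000000 00:00 0 [stack]\n";

int main(void) {
    static char buf[1 << 16];       /* the running process's own mappings */
    FILE *f = fopen("/proc/self/maps", "r");
    size_t n = f ? fread(buf, 1, sizeof buf - 1, f) : 0;
    if (f) fclose(f);
    buf[n] = '\0';
    printf("sample: %d  self: %d W^X violations\n",
           count_wx_violations(sample_maps), count_wx_violations(buf));
    return 0;
}
```

On a non-Linux system the self-audit simply reports 0 because `/proc/self/maps` does not exist; the same parser works on a copied maps file.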