Countermeasures

Data Executable Prevention

Non-Executable Stack (NX) (Data Executable Prevention)

• Most binaries do not allow running code from Stack.

• Stack segments are marked as Non-Executable (NX bit).

  • Code cannot jump to it.

  • Return to lib-c attack not possible.

Introduced in recent OS, but can be disabled.

• Not ubiquitous on embedded devices.

• Binaries must opt-in!

Canaries

Uses reference values after local variables to detect overflow.

• Value is placed when the function starts.

• Value is compared before the function exits.

• The program is interrupted if values do not match.

We can guess them, using brute force.

• -fno-stack-protector: disables stack protection. (What we have been using)

• -fstack-protector: enables stack protection for vulnerable functions that contain.

  • A character array larger than 8 bytes.

  • An 8-bit integer array larger than 8 bytes.

  • A call to alloca() with either a variable size or a constant size bigger than 8 bytes.

• -fstack-protector-strong: enables stack protection for vulnerable functions that contain.

  • An array of any size and type.

  • A call to alloca().

  • A local variable that has its address taken.

• -fstack-protector-all: adds stack protection to all functions regardless of their vulnerability.

Practical Example: return_to_libc.c (x86_64)

x64 - first arguments are passed in register: RDI, RSI, RDX, RCX.

• Approach: load RDI with an address of a string, and jump to the system address.

• Problems: cannot jump to stack (due to NX).

Improved:

• Search for any code that loads RDI from the stack.

  • we can control what is in the stack but we cannot execute code from it.

• Jump to code that loads RDI from the stack.

• Jump to the system.