Countermeasures

Data Executable Prevention

Non-Executable Stack (NX) (Data Executable Prevention)

  • Most binaries do not allow running code from Stack.

  • Stack segments are marked as Non-Executable (NX bit).

    • Code cannot jump to it.

    • Return to lib-c attack not possible.

Introduced in recent OS, but can be disabled.

  • Not ubiquitous on embedded devices.

  • Binaries must opt-in!

Canaries

Uses reference values after local variables to detect overflow.

  • Value is placed when the function starts.

  • Value is compared before the function exits.

  • The program is interrupted if values do not match.

We can guess them, using brute force.

  • -fno-stack-protector: disables stack protection. (What we have been using)

  • -fstack-protector: enables stack protection for vulnerable functions that contain.

    • A character array larger than 8 bytes.

    • An 8-bit integer array larger than 8 bytes.

    • A call to alloca() with either a variable size or a constant size bigger than 8 bytes.

  • -fstack-protector-strong: enables stack protection for vulnerable functions that contain.

    • An array of any size and type.

    • A call to alloca().

    • A local variable that has its address taken.

  • -fstack-protector-all: adds stack protection to all functions regardless of their vulnerability.

Practical Example: return_to_libc.c (x86_64)

x64 - first arguments are passed in register: RDI, RSI, RDX, RCX.

  • Approach: load RDI with an address of a string, and jump to the system address.

  • Problems: cannot jump to stack (due to NX).

Improved:

  • Search for any code that loads RDI from the stack.

    • we can control what is in the stack but we cannot execute code from it.

  • Jump to code that loads RDI from the stack.

  • Jump to the system.

Last updated