8/13/2019 Response Ex3

1/5

IT Security - 2

Exercise 3 (Buffer Overflows)

Tanmaya Mahapatra

Matriculation Number : 340959

tanmaya.mahapatra@rwth-aachen.de

Bharath Rangaraj

Matriculation Number : 340909

bharath.rangaraj@rwth-aachen.de

Mohibullah Kamal

Matriculation Number : 341323

mohibullah.kamal@rwth-aachen.de

October 31, 2013

1 Task - 1 : Heap and Stack

Question 1

What is the heap and what is the stack used for ?

Solution:

The stack is the memory set aside as scratch space for a thread of execution. When afunction is called, a block is reserved on the top of the stack for local variables and some

bookkeeping data. When that function returns, the block becomes unused and can be usedthe next time a function is called. The stack is always reserved in a LIFO order; the mostrecently reserved block is always the next block to be freed. This makes it really simpleto keep track of the stack; freeing a block from the stack is nothing more than adjustingone pointer.

The heap is memory set aside for dynamic allocation. Unlike the stack, theres noenforced pattern to the allocation and deallocation of blocks from the heap; you canallocate a block at any time and free it at any time. This makes it much more complexto keep track of which parts of the heap are allocated or free at any given time; thereare many custom heap allocators available to tune heap performance for different usage

patterns.

Each thread gets a stack, while theres typically only one heap for the application (al-though it isnt uncommon to have multiple heaps for different types of allocation).

Question 2

Where are stack and heap located in memory, in which direction do they grow (on the x86architecture) ?

1

8/13/2019 Response Ex3

2/5

Solution:

The stack is typically stored in the low addresses of memory and fills upward towardits upper limit. The heap is typically stored at the top of the address space and growstoward the stack. Because they usually have to share the same address space, and as a

convenience they each begin on one end of the address space. Then they grow towardseach other, giving that grow down-grow up behavior.

Some systems (some HP systems, for example), the stack grows up instead of down.And on other systems (e.g., IBM/390) there is no real hardware stack at all, but rather apool of pages that are dynamically allocated from user space memory.

The heap can, in general, grow in any direction, since it may contain many allocationand deallocation holes, so it is better to think of it as a loose collection of pages than asa LIFO-stack type structure. But most heap implementations expand their space usagewithin a predetermined address range, growing and shrinking it as necessary.

Question 3

Why do buffer overflow attacks always depend on heap or stack memory ?

Solution:

By Buffer overflow we mean that a program while writing data to a buffer, overruns thebuffers boundary and overwrites adjacent memory. This is a special case of violation ofmemory safety. The Buffer overflow techniques are mainly targeted on Stack and Heapbecause :

The Text Segment is Read only. No alterations can be done.

Data Segment : Cant change return address : Systems prevent crossing data, stackboundary

Heap and stack shrink and grow dynamically during program execution.

1. The stack is an area of memory set aside for local variables which are allocatedwhen a function is called and which are de-allocated when that function returns.This includes the automatic variables of C, and it may include the return addressand other registers saved when a function is called. If by buffer overflow these

return addresses are manipulated then we can execute arbitrary code withoutany problems.

2. Memory on the heap is dynamically allocated by the application at run-time andtypically contains program data. Exploitation is performed by corrupting thisdata in specific ways to cause the application to overwrite internal structuressuch as linked list pointers. The canonical heap overflow technique overwritesdynamic memory allocation linkage (such as malloc meta data) and uses theresulting pointer exchange to overwrite a program function pointer. Thus theHeap is prone to Buffer overflow attacks.

So the Buffer Overflow attacks target on Stack and Heap portion of the Executable program

Segments.

Page 2

8/13/2019 Response Ex3

3/5

8/13/2019 Response Ex3

4/5

Question 3

Consider the following scenario: You have found an exploitable vulnerability for a platform-independent software (e.g. a web-browser). What problem arises when you are looking fora suitable shellcode ? What could you do to make your life easier ?

Solution:

1. Once vulnerability is detected on a system it can be exploited with the help of a shellcode but the problem arises when we want to find the most suitable and effectiveshellcode because the target machine architecture, operating system and the servicepack is unknown. Since the shellcode is not unique for all machines we need to knowthe specifics of the machine for a successful attack.

2. Life can me made easier by creating multiple versions of the shellcode that targetthe various platforms and creating a header that branches to the correct version forthe platform the code is running on. When executed, the code behaves differently

for different platforms and executes the right part of the shellcode for the platformit is running on.

3 Task - 3 : NOPs

Question 1

How can an attacker use NOPs to increase his chances for success in a buffer overflow attack?

Solution:

An attacker in a buffer overflow attack scenario does not have to know the precise startingaddress of code because he/she can exploit the fact that the code is much smaller thanthe space between the buffer therefore he/she can place code near the end of the bufferby padding the memory area before it with no operations (NOP) instructions, a computerprocessing unit (CPU) instruction which tells the CPU to do nothing. As these instructionsdo nothing the attacker can designate the return address used to enter this code at alocation somewhere in the run of NOPs which is known as the NOP sled, many consecutiveNOPs. If the return address is overwritten with any address within the no operation regionof the buffer it will slide down the NOPs until it is redirected to the actual malicious codeby the jump at the end.

Question 2

How hard is the detection of this technique ?

Solution:

The detection only occurs when the designated address is in between the NOP sled whereby the attacker guess can differ from the actual buffer address by half the size of the NOPsled.

Question 3

How can an attacker avoid detection while using the same principle ?

Page 4

8/13/2019 Response Ex3

5/5

Solution:

4 Task - 4 : Exploit Mitigation Techniques

Question 1What are mitigation techniques and what are they good for?

Solution:

ASLR: Attacker does not know address of executable code.

Stack Canaries. 2 types are used :

1. Choose random canary string on program start. Attacker cant guess what thevalue of canary will be.

2. Terminator canary: any termination symbol for C string library functions suchas \0, newline, linefeed, EOF String functions like strcpy wont copy beyond\0.

Question 2

What is the underlying problem (besides missed bound checking) that makes it possibleto execute shellcode from within a buffer that is filled with (benign) data during regularprogram execution ? Which mitigation technique tries to solve this problem ?

Solution:

Question 3

Which mitigation technique tries to make the prediction of memory addresses harder ?

Solution:

Address Space layout Randomization (ASLR), an operating system shuffles up all thelocation addresses for an application as well as all the supporting libraries surroundingthe application. Therefore, the only choice left with the attacker is to predict addresses,which makes buffer overflow much harder.

Page 5