SFL Prof. Dr. C. Rossow / S. Hausotte TU Dortmund WS 2021/2022 Exercise 6 (Software Security II)
6.1 Format String Attack
(a) Download the attached executable file format-string. Upon execution, it will ask you for a password. All you know from the source code (which is not given here) is that a pointer to the correct password resides somewhere on the stack. Can you find out the password?
Reminder: The format string %N$s dereferences the Nth specifier and prints the string at that address.
Solution: As we know from the lecture, the 1st specifier is a pointer to the format string itself. The 2nd through 6th specifiers are register values and starting with the 7th specifier, we will read 8-byte values from the stack. Since most of these values are not actually pointers, some of them may cause segmentation faults. However, we can still cycle through specifiers one-by-one to see which ones work until we find a string which looks like a password.
for i in {1..20}; do echo "%$i\$s" | ./format-string; done
For example, the output could look like this:
%0$s is not correct!
%1$s is not correct!
is not correct!
?v(??U is not correct!
?m?? is not correct!
FREE ICE CREAM is not correct!
(null) is not correct!
(null) is not correct!
(null) is not correct!
(null) is not correct!
??UH?? is not correct!
Even though the output says "FREE ICE CREAM is not correct!", it actually is the password, as confirmed by:
echo "FREE ICE CREAM" | ./format-string
(b) Which statements about format string attacks are true?
□ Format string attacks allow reading all values stored in registers.
⊠ ASLR does not mitigate the vulnerability from (a).
⊠ Format strings should not depend on user input.
□ Data on the stack can not be altered by a format string attack.
⊠ Format string attacks allow unauthorized reads from the stack.
□ Using format strings should be avoided at all cost.
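As an added example (this is not the exercise's format-string binary, and the names reply_vulnerable, reply_fixed and reply_is_safe are my own), the reply of the password check written the vulnerable way, with the user's input used as the format string, next to the fixed way, with a literal format and the input passed through "%s":

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the exercise's binary: the password-check reply once
 * with the user's input as the format string (the flaw behind (a)) and once
 * with a literal format. Function names are my own. */

#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
/* Vulnerable: the input becomes the format. An input of "%7$s" makes
 * snprintf take the 7th 8-byte value on the stack as a char * and copy the
 * string it points to, which is what the loop in (a) relies on.
 * Kept for contrast only; the check below never calls it. */
int reply_vulnerable(char *out, size_t outlen, const char *input) {
    return snprintf(out, outlen, input);
}
#pragma GCC diagnostic pop

/* Fixed: the format is a constant and the input is a "%s" argument, so a
 * '%' in the input is printed as the character '%' and never interpreted. */
int reply_fixed(char *out, size_t outlen, const char *input) {
    return snprintf(out, outlen, "%s is not correct!\n", input);
}

/* Returns 1 when the reply treated its input as data: the constructed probe
 * "%7$s" must survive verbatim in the output. Passing reply_vulnerable here
 * would dereference a stack value; the fixed version is what we check. */
int reply_is_safe(int (*reply)(char *, size_t, const char *)) {
    char out[64];
    const char *probe = "%7$s";            /* constructed input, same shape as in (a) */
    if (reply(out, sizeof out, probe) < 0) return 0;
    return strstr(out, probe) != NULL;
}

int main(void) {
    char out[64];
    reply_fixed(out, sizeof out, "%7$s");
    fputs(out, stdout);                    /* prints: %7$s is not correct! */
    printf("fixed reply safe: %d\n", reply_is_safe(reply_fixed));
    return 0;
}
```

Compiling with gcc -Wall -Wformat -Wformat-security reports the non-literal format in reply_vulnerable; the pragma is there only so that the contrasting function still compiles when warnings are errors. With reply_fixed the probe comes out as the literal text "%7$s is not correct!", which is the behaviour the ticked statement "Format strings should not depend on user input" asks for.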
6.2 Non-Executable Stack
(a) Describe briefly why it might be a desirable property for a stack to be non-executable. Name an attack scenario which only works for executable stacks.
Solution: If the stack is non-executable, an attacker cannot execute arbitrary code which they wrote to the stack earlier. A common example is a buffer overflow by which shellcode is written to the stack. With a non-executable stack, this code cannot be jumped to and executed.
(b) Explain why code-reuse attacks still work even with non-executable stacks.
Solution: Code-reuse attacks use code that is already in the program and intended to be executed, so it is not protected by a non-executable stack. An attacker can jump to specially chosen locations which each execute only a few instructions. By chaining many of these jumps and returns, more complex logic can be assembled.
(c) Name a countermeasure against code-reuse attacks and briefly explain it.
Solution:
ASLR: Address Space Layout Randomization randomizes addresses and thereby prevents code from being placed at predictable locations in memory. As a consequence, hard-coded addresses no longer work, since an attacker does not know where to find the code they want to execute.
CFI: Control Flow Integrity is enforced with help of the compiler. During compilation, the set of valid calls and jumps is recorded explicitly, so that at execution time all invalid paths can be rejected.
6.3 Heap-based attacks
(a) Which steps need to be taken in order to abuse a double-free vulnerability? Construct an example by bringing these blocks of code into the correct order such that the program outputs "World!World!". Explain what happens in each step.
Blocks (unordered):
    char *a = malloc(8);
    char *b = malloc(8);
    char *c = malloc(8);
    free(a);
    free(a);
    strcpy(b, "Hello ");
    strcpy(c, "World!");
    printf("%s", b);
    printf("%s", c);
Solution:
    char *a = malloc(8);
    free(a);
    free(a);
    char *b = malloc(8);
    strcpy(b, "Hello ");
    char *c = malloc(8);
    strcpy(c, "World!");
    printf("%s", b);
    printf("%s", c);
Because a is freed twice, it appears twice in the list of free heap chunks. That makes it possible for b and c to be allocated the exact same chunk of memory. In this case, the string "Hello " is overwritten by "World!", which is then printed twice.
(b) Which two problems arise from use-after-free situations?
Solution:
• Reading from memory of other allocations
• Writing to memory of other allocations
(c) Based on the code from (a), come up with two sequences of instructions: one which causes the first problem you discovered in (b) and one which causes the second problem.
Solution:
• Reading from memory of other allocations:
    char *a = malloc(8);
    strcpy(a, "Public");
    free(a);
    char *b = malloc(8);
    strcpy(b, "Secret");
    free(b);
    printf("%s", a);
• Writing to memory of other allocations:
    char *a = malloc(8);
    strcpy(a, "Public");
    free(a);
    char *b = malloc(8);
    strcpy(b, "healthy");
    strcpy(a, "broken");
    printf("%s", b);
    free(b);
(d) Which use-after-free countermeasures can you think of?
• Invalidate pointers once memory is freed
• Don't allow allocation of previously freed memory
• Use safe(r) programming languages
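As an added example (not part of the exercise sheet; dbg_malloc, dbg_free, SAFE_FREE and the three check functions are my own names), a small debug-allocator wrapper that applies the first two countermeasures from (d) to the sequences from (a) and (c): a freed chunk is quarantined and never handed out again, a second free() of the same pointer is reported instead of performed, and SAFE_FREE clears the pointer variable so a dangling write cannot reach another allocation.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not from the exercise sheet. Wrapper names are my own.
 * Freed chunks stay quarantined (never reused), double frees are reported,
 * and SAFE_FREE invalidates the pointer variable itself. */
#define MAX_TRACKED 64

typedef struct { void *ptr; size_t size; int freed; } chunk_t;

static chunk_t tracked[MAX_TRACKED];   /* every chunk handed out so far */
static size_t ntracked = 0;

void *dbg_malloc(size_t size) {
    if (ntracked >= MAX_TRACKED) return NULL;
    void *p = malloc(size);
    if (p == NULL) return NULL;
    memset(p, 0, size);
    tracked[ntracked++] = (chunk_t){ p, size, 0 };
    return p;
}

/* Returns 0 on a valid free, -1 on a double free or an unknown pointer. */
int dbg_free(void *p) {
    for (size_t i = 0; i < ntracked; i++) {
        if (tracked[i].ptr != p) continue;
        if (tracked[i].freed) {
            fprintf(stderr, "double free of %p detected\n", p);
            return -1;
        }
        tracked[i].freed = 1;               /* quarantine: never reused by dbg_malloc */
        memset(p, 0xAA, tracked[i].size);   /* poison: stale reads see 0xAA, not old data */
        return 0;
    }
    fprintf(stderr, "free of untracked pointer %p\n", p);
    return -1;
}

/* Countermeasure 1 of (d): clear the pointer variable, so a later
 * strcpy(a, ...) is a NULL dereference instead of a write into another chunk. */
#define SAFE_FREE(p) do { dbg_free(p); (p) = NULL; } while (0)

/* Give all quarantined chunks back to the real allocator. */
void dbg_release_all(void) {
    for (size_t i = 0; i < ntracked; i++) free(tracked[i].ptr);
    ntracked = 0;
}

/* Sequence from (a): returns 1 when the second free is reported and b and c
 * are distinct chunks, i.e. the output is "Hello World!", not "World!World!". */
int double_free_blocked(void) {
    char *a = dbg_malloc(8);
    int first = dbg_free(a), second = dbg_free(a);   /* second is reported: -1 */
    char *b = dbg_malloc(8);
    strcpy(b, "Hello ");
    char *c = dbg_malloc(8);
    strcpy(c, "World!");
    int ok = first == 0 && second == -1 && b != c && strcmp(b, "Hello ") == 0;
    dbg_release_all();
    return ok;
}

/* Read sequence from (c): returns 1 when the freed a does not alias b, so
 * printing a shows poison bytes rather than "Secret". */
int uaf_read_contained(void) {
    char *a = dbg_malloc(8);
    strcpy(a, "Public");
    dbg_free(a);
    char *b = dbg_malloc(8);
    strcpy(b, "Secret");
    int ok = a != b && memcmp(a, "Secret", 7) != 0 && (unsigned char)a[0] == 0xAA;
    dbg_release_all();
    return ok;
}

/* Write sequence from (c): with SAFE_FREE the dangling a is NULL, so the
 * write into b's memory cannot happen and b keeps "healthy". */
int uaf_write_contained(void) {
    char *a = dbg_malloc(8);
    strcpy(a, "Public");
    SAFE_FREE(a);
    char *b = dbg_malloc(8);
    strcpy(b, "healthy");
    int ok = (a == NULL);
    if (a != NULL) strcpy(a, "broken");     /* the original UAF write, now skipped */
    ok = ok && strcmp(b, "healthy") == 0;
    dbg_release_all();
    return ok;
}

int main(void) {
    printf("%d %d %d\n", double_free_blocked(), uaf_read_contained(), uaf_write_contained());
    return 0;
}
```

All three checks return 1. A caveat for anyone reproducing (a) on a current system: glibc 2.29 and later already refuse the immediate second free(a) with "free(): double free detected in tcache 2", so the plain sequence aborts at that point; the wrapper above shows the same quarantine idea in portable C without depending on a particular allocator.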