SFL Prof. Dr. C. Rossow / S. Hausotte TU Dortmund WS 2021/2022 Exercise 5 (Software Security)
5.1 Signed Integers
In this exercise, we take a look at a practical example of integer boundaries. For this, use the given C code (integers.c) and compile it. The program asks for two positive numbers and then adds them up. You pass the test if you can enter two integers such that the result becomes negative.
5.2 Decompiling
You are provided with a (UNIX) executable file crackme. When executed, the program asks for a password ("Enter the password"). If you enter the correct password, the output is "Access granted!", otherwise it is "Access denied!".
Can you find out the password by examining the compiled file? You may use any tools you want to decompile the binary, but it can also be done without any further assistance.
5.3 Buffer overflow
(a) What two types of buffer overflow exploits do you know?
(b) How can you guard against buffer overflows?
(c) Use the given script (overflow.c) to pass the check WITHOUT using the password. To compile the script, use the following command:
gcc -o overflow-unsafe -fno-stack-protector overflow.c
5.4 Stack canaries
(a) How can stack canaries be used to detect buffer overflows?
Solution to 5.1: The maximum value of a signed int in C is 2147483647 (INT_MAX); adding 1 to this number results in an integer overflow, so the sum wraps around to a negative result.
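Worked example, added here and not the course's integers.c: the wrap-around from the solution above next to a hardened checked addition and a strict input parser (the function names and the constructed input are assumptions).

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* What the unchecked program effectively computes: signed overflow is undefined
 * behaviour in C, but on the two's-complement machines used in the exercise the
 * sum wraps around. The unsigned detour makes that wrap-around reproducible here
 * (the final conversion back to int is implementation-defined, modulo 2^32 on gcc/clang). */
int wrapping_add(int a, int b)
{
    return (int)((unsigned int)a + (unsigned int)b);
}

/* Hardened form: refuse the addition when the mathematical result does not fit
 * in an int. The comparisons are arranged so that they cannot overflow themselves. */
bool checked_add(int a, int b, int *sum)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return false;          /* would overflow: leave *sum untouched */
    *sum = a + b;
    return true;
}

/* Parse one "positive number" strictly: reject junk, values outside the int
 * range (strtol reports ERANGE) and anything that is not positive. A trailing
 * newline is tolerated because fgets() keeps it. */
bool parse_positive_int(const char *text, int *value)
{
    char *end = NULL;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (end == text || (*end != '\0' && *end != '\n') || errno == ERANGE) return false;
    if (v <= 0 || v > INT_MAX) return false;
    *value = (int)v;
    return true;
}

int main(void)
{
    int a, b, sum;
    /* Constructed input: the pair from the solution above. */
    if (!parse_positive_int("2147483647\n", &a) || !parse_positive_int("1\n", &b))
        return 1;
    printf("unchecked: %d + %d = %d\n", a, b, wrapping_add(a, b));
    if (checked_add(a, b, &sum))
        printf("checked:   %d + %d = %d\n", a, b, sum);
    else
        printf("checked:   %d + %d rejected (overflow)\n", a, b);
    return 0;
}
```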
Solution to 5.2: The password is "merrychristmas".
The easiest way to find it is to look for known strings within the program. As we already know strings like "Enter the password" or "Access granted!", we can locate these in the binary and look for other strings stored nearby.
Solution to 5.3 (a): Data corruption occurs when a string that is too long is written into a small buffer. The part of the string that does not fit is written into adjacent parts of memory and corrupts them. Code execution can be achieved by overwriting a return address with a pointer to malicious shellcode, which is then executed when the function returns.
Solution to 5.3 (b): There are multiple defense mechanisms available, for example stack canaries, non-executable stacks and ASLR.
Solution to 5.4 (a): Stack canaries are values which are pushed to the stack on function calls (typically inserted by the compiler). These values are randomly chosen and placed between the return address and the local variables of the called function. If an overflow occurs, it cannot alter the return address without also overwriting the canary value. This change can then be detected before the manipulated return address is used.

(b) Compile the given script from the previous task again, but this time with stack canaries enabled:
gcc -o overflow-safe overflow.c -fstack-protector-all
What happens if you try to exploit the same buffer overflow now? Pay close attention to the output of the program. Also try password strings of vastly different lengths.
Solution to 5.4 (b): We can observe that the program still accepts incorrect passwords if their length exceeds the size of the buffer. This happens because stack canaries are only designed to detect manipulation outside of a call's stack frame; manipulation within the local variables of a function call cannot be detected by this method. If we increase the length of the given password even more, however, we observe a different behavior: while the unsafe program reports a segmentation fault, the safe program prints "stack smashing detected". In this case the overflowing buffer not only overwrote the pass variable but also the canary and the return address behind it, and the changed canary is detected before the function returns.