Popa and 2021
CS 161 Computer Security
Discussion 3
Memory Safety Mitigations
Question 1 C Memory Defenses () Mark the following statements as True or False and justify your solution. Please feel free to discuss with students around you.
1. Stack canaries completely prevent a buffer overflow from overwriting the return instruction pointer.
2. A format-string vulnerability can allow an attacker to overwrite values below the stack pointer
3. An attacker exploits a buffer overflow to redirect program execution to their in- put. This attack no longer works if the data execution prevention/executable space protection/NX bit is set.
4. If you have a non-executable stack and heap, buffer overflows are no longer ex- ploitable.
Solution:
False, stack canaries can be defeated if they are revealed by information leakage, or if there is not sufficient entropy, in which case an attacker can guess the value. Also, format string vulnerabilities can simply skip past the canary.
Solution:
True, format string vulnerabilities can write to arbitrary addresses by using a ‘%n’ in junction with a pointer.
Solution:
True, the definition of the NX bit is that it prevents code from being writable and executable at the same time. An attacker who can write code into memory cannot execute it.
Solution:
Page 1 of 5
False. Many attacks rely on writing malicious code to memory and then execut- ing them. If we make writable parts of memory non-executable, these attacks cannot succeed. However there are other types of attacks which still work in these cases, such as Return Oriented Programming.
5. If you use a memory-safe language, some buffer overflow attacks are still possible.
6. ASLR, stack canaries, and NX bits all combined are insufficient to prevent exploita- tion of all buffer overflow attacks.
Short answer!
1. What vulnerability would arise if the canary was above the return address?
2. What vulnerability would arise if the stack canary was between the return address and the saved frame pointer?
3. Assume ASLR is enabled. What vulnerability would arise if the instruction jmp *esp exists in memory?
Solution:
False, buffer overflow attacks do not work with memory safe languages.
Solution:
True, all of these protections can be overcome.
Solution:
It doesn’t stop an attacker from overwriting the return address. Although if an attacker had absolutely no idea where the return address was, it could potentially detect stack smashing.
Solution:
An attacker can overwrite the saved frame pointer so that the program uses the wrong address as the base pointer after it returns. This can be turned into an exploit.
Solution:
An attacker can overwrite the return instruction pointer with the address of
Discussion 3 Page 2 of 5 CS 161 – Fall 2021
this command. This will cause the function to execute the instruction one word before the rip. An attacker could place the shellcode after the rip, and have the word before the rip contain a JMP command two words forward.
Discussion 3 Page 3 of 5 CS 161 – Fall 2021
Question 2 Pointer Authentication Codes (PACs) () Suppose we are on a 64-bit system, and we have an address space of 250 bytes.
For each of the following questions, provide a short answer and justify your response. Please feel free to discuss with students around you.
1. How many unused bits are available for pointer authentication in each address?
Regardless of your answer to the previous part, for the remainder of the questions, assume that 10 bits are used for pointer authentication in each address and the attacker does not have the ability to create their own pointer authentication codes (PACs).
2. Assume that 64-bit stack canaries are enabled and that the first two bytes of the stack canary are always null. How many bits does the attacker have to guess correctly to guess the stack canary and the PAC?
Solution:
Addresses are 64 bits, and we need 50 bits to address the entire address space, so there are 64 − 50 = 14 unused bits available for pointer authentication.
Solution:
The stack canary has 48 bits to be brute-forced (the canary is 64 bits long, but there are two constant null bytes, which are 8 bits each). The attacker must also guess the 10 bits in the PAC. In total, there are 10 + 48 = 58 bits that must be guessed correctly.
Now assume that the attacker has a format string vulnerability that lets them read any part of memory while the program is running.
3. How many bits does the attacker have to guess correctly to guess the stack canary and the PAC?
Solution:
Since the attacker can read memory, they can read the stack canary value, so they don’t need to guess the stack canary. However, they still need to guess the 10-bit PAC. (Recall that the secrets used for generating PACs are stored in the CPU and are not accessible to the program memory.)
4. Suppose the attacker is interacting with a remote system. Provide at least one defense that would make brute-force attacks infeasible for the attacker.
Discussion 3 Page 4 of 5 CS 161 – Fall 2021
Solution:
Possible answers: Timeouts. Rate-limiting. Attacker is blocked from making too many guesses.
Other answers are possible too.
Discussion 3 Page 5 of 5 CS 161 – Fall 2021