CFI-PIE / format string vulnerabilities


15 Terms

1

What is Address Space Layout Randomization (ASLR)?

Every time a program runs, the location of its memory space changes.

2

How does ASLR work?

It randomly offsets the location of modules and certain in-memory structures. It is a system-wide measure and works regardless of the program.

3

What is a weakness of ASLR?

The locations of the TEXT and DATA segments don’t change, so we can still jump to functions in the program’s code as before.

4

What is Return Oriented Programming (ROP)?

A computer security exploit technique that allows an attacker to execute code in the presence of security defenses such as executable-space protection and code signing.

5

How does ROP work?

We can find small sequences of instructions ending in a ret (gadgets).

We build a chain of gadgets, each performing a small update to the system state (e.g., set registers, copy an address to somewhere in memory, execute a system call, ...).

6

What can you do with ROP?

We can:

  1. copy values from the stack to registers using pop

  2. copy values to specific addresses using mov

Every time ret or pop is executed, the stack pointer is moved 4 bytes up.

7

How do we defend against ROP?

We use Control Flow Integrity (CFI).

8

What is Control Flow Integrity (CFI)?

A security policy dictating that software execution must follow a path that is determined ahead of time.

It typically involves adding runtime checks that verify whether a program's control-flow transfers (e.g., function calls, jumps) are valid according to the program's intended design.

9

How do we implement CFI?

  1. Static analysis to determine the expected control flow graph (CFG)

  2. Code rewriting to enforce the program flow, plus runtime checks

10

What are some challenges CFI presents?

  1. The control flow of a program is non-deterministic, so it needs to take into account dynamic checks

  2. Static analysis is not perfect, so it needs to allow a somewhat "flexible" control flow

  3. Enforcing CFI has performance implications (5%-10%)

11

What are position-independent executables (PIE)?

A type of executable file that can be loaded into memory at any address without requiring modification; the positions of code and global variables are both randomized.

12

How can we bypass PIE?

  1. Exploit address leaks: the distance between program elements (functions and variables) within a memory segment doesn't change between executions

  2. Brute-forcing: 32-bit randomness is limited

    1. for code it takes 2^8 guesses

    2. for libraries it takes 2^12 guesses

    3. for the stack it takes 2^20 guesses

13

What family of functions is vulnerable to format string vulnerabilities?

The printf family of functions allows formatting data and outputting it. If an attacker can control the format string passed to a printf function, they can read and write arbitrary memory in the program.

14

How do format string vulnerabilities work?

The format string controls how things are printed. If an attacker can control the format string passed to a printf function, they can read and write arbitrary memory in the program.

15

Format strings can read arbitrary memory; how can they write arbitrary memory?

%n writes an integer to a location in the process’s memory.