Software security
Software bugs
We can sometimes use software bugs to violate security principles. E.g. memory corruption bugs, one of the bug classes most often used for exploitation, corrupt the memory of a program and can lead to:
Arbitrary read
Arbitrary write
Control flow hijacks
Control flow corruption
Pointer bugs
Pointers allow you to refer to arbitrary memory addresses in most programming languages. To introduce a bug, we want to get a pointer pointing somewhere it should not.
Memory safety violation
Occurs when a pointer is used to access memory outside the boundaries of its object. Divided into spatial safety violations and temporal safety violations.
Memory spatial safety violation
An error in which a pointer is used to access data at a location in memory that is outside the bounds of an allocated object. The error is spatial in the sense that the dereferenced pointer refers to an incorrect location in memory.
Leads to arbitrary execution.
Memory temporal safety violation
An error in which a pointer is used in an attempt to access or deallocate an object that has already been deallocated. The error is temporal in the sense that the pointer use occurs at an invalid point in time during the execution of the program.
Leads to arbitrary write.
Preventing buffer overflow
To counteract buffer overflows, modern CPUs can mark a region of memory as either writable or executable, but not both: you cannot write to regions of memory you can execute, or execute from regions of memory you can write to.
Stack canaries (random values placed before the return address) can help prevent exploitation, as we can check they haven't changed before returning.
Shadow stacks can also help: these are a second stack holding only return addresses, used to check consistency with the main stack before returning.
Use safe versions of C APIs.
Formatted output functions
A call consists of a format string and a variable number of arguments.
The format string provides a set of instructions that are interpreted by the formatted output function.
By controlling the content of the format string, a user can control the execution of the formatted output function.
Format strings are character sequences consisting of ordinary characters and conversion specifications.
Conversion specifications
Convert arguments according to a corresponding conversion specifier and write the results to the output stream.
They begin with a percent sign and are interpreted from left to right. If there are more arguments than conversion specifications, the extra arguments are ignored.
However, if there are not enough arguments, the results are undefined.
Format string safety violation
By careful choice of format string, we can write to arbitrary addresses somewhere after the stack pointer, such as a local variable (causing data corruption) or a return address (causing control flow corruption and arbitrary code execution).
BoF Consequences
If we know where things are stored in memory (the stack layout is predictable), and we can control what is placed into the buffer, we could put valid instruction sequences into it, meaning we could make the program start to run our own code instead of its own.