Windows Vista Forums

Stack smashing/buffer overflow research

  1. #1


    Erik Wikström Guest

    Stack smashing/buffer overflow research

    Hi, let me start by apologising if these are the wrong groups to post
    these kinds of messages to (I've cross-posted) but after searching the
    web and not finding any good material I thought there might be someone
    here who knows.

    I'm a student and I'm currently working on a small project dealing
    with stack smashing/buffer overflows and protection mechanisms in
    modern OSes; the idea is to make a survey of the different techniques
    that can be used to protect an application against these kinds of
    attacks. On the Windows side I have identified three mechanisms that
    I'm focusing on: the /GS flag in Visual Studio 2005, ASLR (Address
    Space Layout Randomization) and DEP (Data Execution Prevention).

    Since I'm not a security expert I can't see any way that I might be
    able to circumvent any of those (even less so all of them together),
    but I know there are people working with these kinds of things
    (whatever their intentions are), so what I'm asking is whether there are
    any known and published stack smashing/buffer overflow attacks that
    can successfully circumvent the techniques mentioned above (either
    just one of them or a combination).

    Any information will be greatly appreciated.

    PS: Mind the cross-posting when replying

    --
    Erik Wikström



  2. #2


    Michal Bucko Guest

    Re: Stack smashing/buffer overflow research

    >I'm focusing on, the /GS flag in Visual Studio 2005, ASLR (Address
    >Space Layout Randomization) and DEP (Data Execution Prevention).


    >Since I'm not a security expert I can't see any way that I might be
    >able to circumvent any of those (even less so all of them together)
    >but I know there are people working with these kinds of things
    >(whatever their intentions are) so what I'm asking is, if there are
    >any known and published stack smashing/buffer overflow attacks that
    >can successfully circumvent the techniques mentioned above (either
    >just one of them or a combination).




    1. /GS stackguard protection places a canary before the frame pointer/stack
    pointer. A canary value change results in a security error.
    The issue: /GS protects arrays ONLY; you can also exploit BOs that are not
    on the stack.

    2. ASLR - changes the mapping of DLLs, stack, heap (randomness).
    A hardcoded-address-based attack prevention technique. How do we pass ASLR?
    We take advantage of so-called heap spraying (suggested reading!)

    3. ASLR and DEP bypassing - usage of heap spraying; the exploit jumps to
    existing DEP-disable code, and the payload is executed.

    If you have any doubts, please feel free to contact me at:
    sapheal<at>hack<dot>pl.


    Hope I helped,


    Michal Bucko

    sapheal.hack.pl
    HACKPL Security Labs
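A minimal C model of the /GS cookie check described in point 1 above, added here as an example; it is not code from the post and not MSVC's implementation. The cookie value, the frame layout and the helper names are assumptions constructed for the demo, and it shows the defender's takeaway: the cookie only turns an overrun into a detected failure, while bounding the copy is the actual fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUF_SIZE 16

/* Stand-in for MSVC's per-module __security_cookie. Constructed constant for
   the demo; the real value is randomized when the module loads. */
static const uint64_t security_cookie = 0x2B992DDFA232ULL;

/* Model of a /GS-protected frame. The compiler places the cookie between the
   local buffer and the saved frame pointer / return address, so an overrun
   that reaches the control data has to pass through the cookie first. */
typedef struct {
    uint8_t  buf[BUF_SIZE];
    uint64_t cookie;        /* sits directly above the buffer */
} gs_frame;

/* Prologue: store the cookie (MSVC also XORs it with the frame pointer). */
static void gs_prologue(gs_frame *f) { f->cookie = security_cookie; }

/* Epilogue check: 1 if intact, 0 if the cookie was clobbered. MSVC's
   __security_check_cookie calls __report_gsfailure and terminates instead. */
static int gs_epilogue_ok(const gs_frame *f) { return f->cookie == security_cookie; }

/* Vulnerable callee: copies len bytes into the 16-byte local buffer without
   checking len against the buffer (the defect). The copy goes through the
   struct's raw storage so the demo never writes outside one object; real
   code would keep going into the saved registers. Returns the check result. */
int copy_unchecked(const uint8_t *src, size_t len) {
    gs_frame f;
    gs_prologue(&f);
    if (len > sizeof f) len = sizeof f;    /* demo guard only, not part of /GS */
    memcpy(&f, src, len);                  /* no bounds check against buf */
    return gs_epilogue_ok(&f);
}

/* Hardened callee: bounds the copy to the buffer, so the cookie is never
   reached and the check always passes. This is the real fix; /GS only
   converts the overrun into a controlled crash at function return. */
int copy_bounded(const uint8_t *src, size_t len) {
    gs_frame f;
    gs_prologue(&f);
    if (len > BUF_SIZE) len = BUF_SIZE;
    memcpy(f.buf, src, len);
    return gs_epilogue_ok(&f);
}
```

Note that the check only runs at the epilogue, which is why point 1 above matters: a non-stack overflow, or a corruption that is used before the function returns, is never seen by the cookie.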



  3. #3


    Michal Bucko Guest

    Re: Stack smashing/buffer overflow research

    By the way, I assumed that you already know what SEH overwrite technique is
    ;-)


    mb



  4. #4


    Michal Bucko Guest

    Re: Stack smashing/buffer overflow research

    By the way, lately I posted a short article about the exploitation
    techniques
    under Windows. You might be interested:
    http://sapheal.hack.pl/arts/Introduc...ploitation.pdf

    The article isn't, however, even giving an overall view on the subject -
    it is more like a bunch of thoughts and notes made in a rush ;-)

    Hope I could help,

    Michal


