Windows Vista Forums

Stack smashing/buffer overflow research

  1. #1


    Erik Wikström Guest

    Stack smashing/buffer overflow research

    Hi, let me start by apologising if these are the wrong groups to post
    these kinds of messages to (I've cross-posted), but after searching the
    web and not finding any good material I thought there might be someone
    here who knows.

    I'm a student and I'm currently working on a small project dealing
    with stack smashing/buffer overflows and protection mechanisms in
    modern OSes. The idea is to make a survey of the different techniques
    that can be used to protect an application against these kinds of
    attacks. On the Windows side I have identified three mechanisms that
    I'm focusing on: the /GS flag in Visual Studio 2005, ASLR (Address
    Space Layout Randomization) and DEP (Data Execution Prevention).

    Since I'm not a security expert I can't see any way that I might be
    able to circumvent any of those (even less so all of them together),
    but I know there are people working with these kinds of things
    (whatever their intentions are). So what I'm asking is if there are
    any known and published stack smashing/buffer overflow attacks that
    can successfully circumvent the techniques mentioned above (either
    just one of them or a combination).

    Any information will be greatly appreciated.

    PS: Mind the cross-posting when replying

    --
    Erik Wikström


  2. #2


    Michal Bucko Guest

    Re: Stack smashing/buffer overflow research

    > I'm focusing on, the /GS flag in Visual Studio 2005, ASLR (Address
    > Space Layout Randomization) and DEP (Data Execution Prevention).

    > Since I'm not a security expert I can't see any way that I might be
    > able to circumvent any of those (even less so all of them together)
    > but I know there are people working with these kinds of things
    > (whatever their intentions are) so what I'm asking is, if there are
    > any known and published stack smashing/buffer overflow attacks that
    > can successfully circumvent the techniques mentioned above (either
    > just one of them or a combination).

    1. /GS stackguard protection places a canary before the frame pointer/stack
    pointer. A canary value change results in a security error.
    The issue: /GS protects arrays ONLY; you can also exploit BOs that are not
    on the stack.

    2. ASLR - changes the mapping of DLLs, stack, heap (randomness).
    A hardcoded-address-based attack prevention technique. How do we pass ASLR?
    We take advantage of so-called heap spraying (suggested reading!).

    3. ASLR and DEP bypassing - usage of heap spraying; the exploit jumps to
    existing DEP-disable code, and the payload is executed.

    If you have any doubts, please feel free to contact me at:
    sapheal<at>hack<dot>pl.


    Hope I helped,


    Michal Bucko

    sapheal.hack.pl
    HACKPL Security Labs
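The /GS canary mechanism from point 1 above, as an added C simulation that is not code from this thread or from Microsoft's compiler: a fixed struct stands in for the stack frame (buffer, then canary, then saved frame pointer and return address), the copy is clamped to the frame so the program itself stays memory-safe, and the cookie and saved addresses are constructed values.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a /GS-protected frame (simulation, not a real stack frame):
 * local buffer, then the canary, then saved control data. No padding,
 * so sizeof(struct frame) == 28 and the layout is deterministic. */
#define BUF_SIZE 16
enum { FRAME_OK = 0, FRAME_CANARY_TRIPPED = 1 };

struct frame {
    uint8_t  buf[BUF_SIZE];
    uint32_t canary;     /* copy of the process cookie, written in the prologue */
    uint32_t saved_ebp;
    uint32_t ret_addr;
};

/* "Prologue": zero the frame and store the cookie copy above the buffer. */
static void prologue(struct frame *f, uint32_t cookie) {
    memset(f, 0, sizeof *f);
    f->canary    = cookie;
    f->saved_ebp = 0xBFFF0000u;  /* constructed */
    f->ret_addr  = 0x00401000u;  /* constructed */
}

/* Unchecked copy into the local buffer, clamped to the frame so the demo
 * has no undefined behaviour; within the frame it acts like an unbounded
 * strcpy and can run over the canary and the saved control data. */
static void unchecked_copy(struct frame *f, const uint8_t *src, size_t n) {
    if (n > sizeof *f) n = sizeof *f;
    memcpy((uint8_t *)f, src, n);
}

/* "Epilogue": compare the stored canary with the cookie before returning. */
static int epilogue_check(const struct frame *f, uint32_t cookie) {
    return f->canary == cookie ? FRAME_OK : FRAME_CANARY_TRIPPED;
}

/* Run one input through the simulated frame and report the /GS verdict. */
int gs_simulate(const uint8_t *input, size_t len, uint32_t cookie) {
    struct frame f;
    prologue(&f, cookie);
    unchecked_copy(&f, input, len);
    return epilogue_check(&f, cookie);
}

int main(void) {
    uint32_t cookie = 0xA5C3F00Du;  /* constructed; the real cookie is random */
    uint8_t  overlong[28]; memset(overlong, 'A', sizeof overlong);
    printf("5 bytes:  %d\n", gs_simulate((const uint8_t *)"hello", 5, cookie));
    printf("28 bytes: %d\n", gs_simulate(overlong, sizeof overlong, cookie));
    return 0;
}
```

A 16-byte input fills the buffer exactly and passes; the 17th byte already lands on the canary and the epilogue check fails, which is the point at which the real /GS code raises its security error.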


  3. #3


    Michal Bucko Guest

    Re: Stack smashing/buffer overflow research

    By the way, I assumed that you already know what the SEH overwrite technique is ;-)


    mb


  4. #4


    Michal Bucko Guest

    Re: Stack smashing/buffer overflow research

    By the way, lately I posted a short article about the exploitation
    techniques under Windows. You might be interested:
    http://sapheal.hack.pl/arts/Introduc...ploitation.pdf

    The article isn't, however, even giving an overall view on the subject -
    it is more like a bunch of thoughts and notes made in a rush ;-)

    Hope I could help,

    Michal
