Stack smashing/buffer overflow research

05-15-2007, #1, Erik Wikström
Stack smashing/buffer overflow research

Hi, let me start by apologising if these are the wrong groups to post
these kinds of messages to (I've cross-posted) but after searching the
web and not finding any good material I thought there might be someone
here who knows.

I'm a student and I'm currently working on a small project dealing
with stack smashing/buffer overflows and protection mechanisms in
modern OSes, the idea is to make a survey of the different techniques
that can be used to protect an application against these kinds of
attacks. On the Windows side I have identified three mechanisms that
I'm focusing on, the /GS flag in Visual Studio 2005, ASLR (Address
Space Layout Randomization) and DEP (Data Execution Prevention).

Since I'm not a security expert I can't see any way that I might be
able to circumvent any of those (even less so all of them together)
but I know there are people working with these kinds of things
(whatever their intentions are) so what I'm asking is, if there are
any known and published stack smashing/buffer overflow attacks that
can successfully circumvent the techniques mentioned above (either
just one of them or a combination).

Any information will be greatly appreciated.

PS: Mind the cross-posting when replying

--
Erik Wikström


05-15-2007, #2, Michal Bucko
Re: Stack smashing/buffer overflow research

>I'm focusing on, the /GS flag in Visual Studio 2005, ASLR (Address
>Space Layout Randomization) and DEP (Data Execution Prevention).

>Since I'm not a security expert I can't see any way that I might be
>able to circumvent any of those (even less so all of them together)
>but I know there are people working with these kinds of things
>(whatever their intentions are) so what I'm asking is, if there are
>any known and published stack smashing/buffer overflow attacks that
>can successfully circumvent the techniques mentioned above (either
>just one of them or a combination).

1. /GS stackguard protection places a canary before the frame pointer/stack
pointer. A canary value change results in a security error.
The issue: /GS protects arrays ONLY; you can also exploit BOs that are not
on the stack.

2. ASLR - changes mapping of DLL, stack, heap (randomness).
A prevention technique against hardcoded-address-based attacks. How do we pass ASLR?
We take advantage of so-called heap spraying (suggested reading!)

3. ASLR and DEP bypassing - usage of heap spraying; exploit jumps to
existing DEP disable code, payload is executed.

If you have any doubts, please, feel free to contact me at:
sapheal<at>hack<dot>pl.


Hope I helped,


Michal Bucko

sapheal.hack.pl
HACKPL Security Labs

05-15-2007, #3, Michal Bucko
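Point 1 of the reply above (a canary placed between the local buffer and the saved frame/return data, checked before the function returns) is easy to model in a few lines. The following is an added example, not code from the thread, from Michal Bucko or from Microsoft's /GS implementation: it lays out a constructed frame as a struct so the behaviour is defined C rather than real stack corruption, uses a fixed canary constant where the real /GS cookie is randomised per module load, and reports the check result as a return value where the real runtime would terminate the process. The function names (`overflow_detected`, `input_accepted_safely`, `make_input`) are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of a /GS-style protected frame (not Visual Studio's
 * actual layout): the canary sits between the local array and the saved
 * control data, so a linear overflow of buf must overwrite it first. */
struct guarded_frame {
    char      buf[16];
    uint32_t  canary;
    uintptr_t saved_frame_ptr;
    uintptr_t return_addr;
};

/* Fixed value for the demonstration; /GS derives a random cookie at load time. */
#define CANARY_VALUE 0xA5C3E17Fu

static void frame_init(struct guarded_frame *f) {
    memset(f->buf, 0, sizeof f->buf);
    f->canary          = CANARY_VALUE;
    f->saved_frame_ptr = 0x1000;    /* placeholder values for illustration */
    f->return_addr     = 0x401000;
}

/* Vulnerable path: copies n bytes with no bound on buf, so anything past
 * 16 bytes lands on the canary and then on the saved control data.
 * Returns -1 only if the copy would leave the modelled frame entirely. */
static int unsafe_copy(struct guarded_frame *f, const unsigned char *src, size_t n) {
    if (n > sizeof *f) return -1;
    memcpy((unsigned char *)f, src, n);   /* buf is at offset 0 of the frame */
    return 0;
}

/* The epilogue check /GS inserts: 0 if the canary is intact, 1 if it was
 * changed (where the real runtime raises the security error and exits). */
static int gs_check(const struct guarded_frame *f) {
    return f->canary == CANARY_VALUE ? 0 : 1;
}

/* Hardened path: rejects input that does not fit, leaving room for the
 * terminator, so the canary is never reached in the first place. */
static int safe_copy(struct guarded_frame *f, const unsigned char *src, size_t n) {
    if (n >= sizeof f->buf) return -1;
    memcpy(f->buf, src, n);
    f->buf[n] = '\0';
    return 0;
}

/* Run one input through the vulnerable copy and report the canary result:
 * 0 = no overflow, 1 = overflow caught by the canary, -1 = input too long. */
int overflow_detected(const unsigned char *input, size_t n) {
    struct guarded_frame f;
    frame_init(&f);
    if (unsafe_copy(&f, input, n) != 0) return -1;
    return gs_check(&f);
}

/* Same input through the bounded copy: 0 = accepted and canary intact,
 * -1 = rejected before any write. */
int input_accepted_safely(const unsigned char *input, size_t n) {
    struct guarded_frame f;
    frame_init(&f);
    if (safe_copy(&f, input, n) != 0) return -1;
    return gs_check(&f);
}

/* Constructed test input: n bytes of 'A' (n <= 127). */
const unsigned char *make_input(size_t n) {
    static unsigned char buf[128];
    memset(buf, 'A', sizeof buf);
    return n < sizeof buf ? buf : NULL;
}

int main(void) {
    size_t lens[] = { 8, 16, 20, 100 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++) {
        size_t n = lens[i];
        printf("%3zu bytes: unsafe path -> %2d, bounded path -> %2d\n",
               n, overflow_detected(make_input(n), n),
               input_accepted_safely(make_input(n), n));
    }
    return 0;
}
```

The model makes the reply's caveat visible too: the canary only reports after the frame has already been written, and only for overflows that cross it linearly, which is why the bounded copy (or an overflow into a heap object, which this frame does not guard at all) is the part that actually removes the bug.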
Re: Stack smashing/buffer overflow research

By the way, I assumed that you already know what SEH overwrite technique is
;-)


mb

05-25-2007, #4, Michal Bucko
Re: Stack smashing/buffer overflow research

By the way, lately I posted a short article about the exploitation
techniques under Windows. You might be interested:
http://sapheal.hack.pl/arts/Introduc...ploitation.pdf

The article isn't, however, even giving an overall view on the subject -
it is more like a bunch of thoughts and notes made in a rush ;-)

Hope I could help,

Michal
