
Stack smashing/buffer overflow research


Erik Wikström

#1
Hi, let me start by apologising if these are the wrong groups to post
these kinds of messages to (I've cross-posted), but after searching the
web and not finding any good material I thought there might be someone
here who knows.

I'm a student and I'm currently working on a small project dealing
with stack smashing/buffer overflows and protection mechanisms in
modern OSes. The idea is to make a survey of the different techniques
that can be used to protect an application against these kinds of
attacks. On the Windows side I have identified three mechanisms that
I'm focusing on: the /GS flag in Visual Studio 2005, ASLR (Address
Space Layout Randomization) and DEP (Data Execution Prevention).

Since I'm not a security expert I can't see any way that I might be
able to circumvent any of those (even less so all of them together),
but I know there are people working with these kinds of things
(whatever their intentions are). So what I'm asking is: are there
any known and published stack smashing/buffer overflow attacks that
can successfully circumvent the techniques mentioned above (either
just one of them or a combination)?

Any information will be greatly appreciated.

PS: Mind the cross-posting when replying

--
Erik Wikström

Michal Bucko

#2
> I'm focusing on, the /GS flag in Visual Studio 2005, ASLR (Address
> Space Layout Randomization) and DEP (Data Execution Prevention).

> Since I'm not a security expert I can't see any way that I might be
> able to circumvent any of those (even less so all of them together)
> but I know there are people working with these kinds of things
> (whatever their intentions are) so what I'm asking is, if there are
> any known and published stack smashing/buffer overflow attacks that
> can successfully circumvent the techniques mentioned above (either
> just one of them or a combination).

1. /GS stackguard protection places a canary before the frame pointer/stack
pointer.
A canary value change results in a security error.
The issue: /GS protects arrays ONLY; you can also exploit BOs that are not
on the stack.

2. ASLR - changes the mapping of DLLs, stack, heap (randomness).
A prevention technique against hardcoded-address-based attacks. How do we pass ASLR?
We take advantage of so-called heap spraying (suggested reading!)

3. ASLR and DEP bypassing - usage of heap spraying; the exploit jumps to
existing DEP-disable code, and the payload is executed.

If you have any doubts, please feel free to contact me at:
sapheal<at>hack<dot>pl.


Hope I helped,


Michal Bucko

sapheal.hack.pl
HACKPL Security Labs
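The /GS cookie check described in point 1 of the reply above, modelled as an added C example (this is not Microsoft's implementation and not code from either poster); the frame layout, the fixed cookie value and the helper names are assumptions made so the check can be run deterministically:

```c
/* Userland model of a /GS-style stack cookie (canary) check.
 * Constructed for illustration: the frame is a struct rather than a real
 * compiler-generated frame, and the cookie is fixed so results are
 * reproducible. Real /GS uses a per-process random cookie value. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define BUF_SIZE 16
static const uint32_t COOKIE = 0xAABBCCDDu;   /* constructed value */

/* Model of one frame: the local buffer, then the cookie sitting between
 * the locals and the saved frame pointer/return address, as /GS lays it out. */
typedef struct {
    unsigned char buf[BUF_SIZE];
    uint32_t cookie;
    uint32_t saved_return;   /* stands in for the saved return address */
} frame_t;

/* Copies `len` input bytes into the frame's buffer the way an unchecked
 * strcpy/memcpy would; bounded by the whole frame only so the model stays
 * well-defined. Returns 1 if the cookie is intact (epilogue check passes),
 * 0 if it was overwritten (/GS would raise a security error instead of
 * returning to a corrupted address). */
int gs_model_copy(const unsigned char *input, size_t len)
{
    frame_t f;
    memset(&f, 0, sizeof f);
    f.cookie = COOKIE;
    f.saved_return = 0x41414141u;
    if (len > sizeof f) len = sizeof f;
    memcpy(&f, input, len);      /* a contiguous overflow spills from buf into cookie */
    return f.cookie == COOKIE;   /* the check /GS emits in the function epilogue */
}

/* Helper: constructed input of `len` 'A' bytes fed through the model. */
int gs_model_run(size_t len)
{
    unsigned char input[sizeof(frame_t)];
    memset(input, 'A', sizeof input);
    if (len > sizeof input) len = sizeof input;
    return gs_model_copy(input, len);
}

int main(void)
{
    printf("16 bytes (fits): cookie intact = %d\n", gs_model_run(16));
    printf("17 bytes (overflow by one): cookie intact = %d\n", gs_model_run(17));
    printf("24 bytes (reaches saved return): cookie intact = %d\n", gs_model_run(24));
    return 0;
}
```

Note that the check only fires when the overwrite runs through the cookie; this is the limitation the reply points at when it says /GS protects arrays only.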