Professional Documents
Culture Documents
Defenses
CS Department
City University of Hong Kong
Double Free:
Can cause memory mgr to write data to specific location
free(ptr);
free(ptr);
printf("Everything is fine.\n");
return 0;
}
3 printf
Guidelines("The magic number is: %d\n", 1911);
The text to be printed is “The magic number is:”, followed by a format
3.1 What is a format string?
parameter ‘%d’, which is replaced with the parameter (1911) in the output.
Therefore the printf
output("The magic number is: %d\n", 1911);
looks like:
The text to be printed isThe magic
“The magic number
number is:
is:”, followed 1911.parameter ‘%d’, which is replaced
by a format
with the parameter (1911) in the output. Therefore the output looks like: The magic number is: 1911. In
addition to %d, there are several other format parameters, each having different meaning. The following
common format parameters
table summarizes these format parameters:
Format String
Adress of c
Value of b
Value of a
Address of
printf()’s internal
pointer
An Information Security Short Course
8
(Summer 2020)
ED Labs – Format String Vulnerability Lab 5
Format String
Adress of c
Value of b
Value of a
Address of
printf()’s internal
pointer
An Information Security Short Course
9
(Summer 2020)
What if there is a miss-match
printf ("a has value %d, b has value %d, c is at
address: %08x\n", a, b);
– Sometimes, the format string is not a constant string, it is generated during the
execution of the program. Therefore, there is no way for the compiler to find the
miss-match in this case.
– The function printf()fetches the arguments from the stack. If the format
string needs 3 arguments, it will fetch 3 data items from the stack. Unless the
stack is marked with a boundary, printf()does not know that it runs out of
the arguments that are provided to it.
void foo(int x) {
int a = 1, b = 2, c = 3;
return 0;
}
An Information Security Short Course
17
(Summer 2020)
Exploit Details
• If we use printf(%s) without specifying a memory address, the target addres
from the stack anyway by the printf() function. The function maintains an in
so it knows the location of the parameters in the stack.
• Observation: the format string is usually located on the stack. If
we can encode
• Observation: the formatthestring
target address
is usually in the
located onformat string,
the stack. If we the
can target
encode th
the address will the
format string, be target
in theaddress
stack.will
In the
be infollowing
the stack. example, the format
In the following example, t
stored in a is
string buffer,
storedwhich
in aisbuffer,
located which
on the stack.
is located on the stack...
int main(int argc, char *argv[])
{
char user_input[100];
... ... /* other variable definitions and statements */
return 0;
}
• If we can force the printf to obtain the address from the format
string (also on the stack), we can control the address.
• If we can force the printf to obtain the address from the format string (also on t
printf("\x10\x01\x48\x08_%x_%x_%x_%x_%s");
control the address. An Information Security Short Course
18
(Summer 2020)
Exploit Details
• Consequence: we use four %x to move the printf()’s pointer towards the
ED Labs – Format String Vulnerability Lab
address that we stored in the format string. Once we reach the destination, we7
abs – Format String Vulnerability Lab
will give %s to printf(), causing it to print out the contents in the7 memory
address 0x10014808. The function printf()will treat the contents as a
Print out the contents at the address 0x10014808 using format-string vlunerability
Printstring,
out the and print
contents at out the string
the address until reaching
0x10014808 the endvlunerability
using format-string of the string (i.e. 0).
user_input [ ]
user_input [ ]
Address of user_input [ ]
Address of user_input [ ]
0x10014808
0x10014808
%s
%x
%x
%x
%x
...
%s
%x
%x
%x
%x
...
Address of user_input [ ]
Address of user_input [ ]
0x10014808
0x10014808
%s
%x
%x
%x
...
%x
%s
%x
%x
%x
%x
...
printf(“%08x.%08x.%08x.%08x.%n”)
An Information Security Short Course
22
(Summer 2020)
Defenses
• Limitations:
– Some apps need executable heap (e.g. JITs).
– Does not defend against `return-to-libc’ exploits
An Information Security Short Course
25
(Summer 2020)
Examples: DEP controls in Windows
stack libc.so
args
ret-addr exec()
sfp printf()
Run-time Defenses
• Solution 1: StackGuard
– Run time tests for stack integrity.
– Embed “canaries” in stack frames and verify their integrity
prior to function return.
Frame 2 Frame 1
top
local canary sfp ret str local canary sfp ret str of
stack
An Information Security Short Course
34
(Summer 2020)
Canary Types
• Random canary:
– Random string chosen at program startup.
– Insert canary string into every stack frame.
– Verify canary before returning from function.
• Exit program if canary changed. Turns potential
exploit into DoS.
– To corrupt, attacker must learn current random
string.
String args
Growth
ret addr Protects pointer args and local
pointers from a buffer overflow
SFP
CANARY
args
String
Growth ret addr
Canary protects ret-addr and
SFP exception handler frame
exception handlers
CANARY
high
next handler buf next handler next handler mem
An Information Security Short Course
41
(Summer 2020)
Evading /GS with exception handlers
• When exception is thrown, dispatcher walks up exception list
until handler is found (else use default handler)
high
ptr to mem
next handler buf next
next handler next handler
attack code
An Information Security Short Course
42
(Summer 2020)
Defense IV: SAFESEH and SEHOP
• /SAFESEH: linker flag
– Linker produces a binary with a table of safe exception handlers
– System will not jump to exception handler not on list
top
sfp ret-addr dest src buf sfp ret-addr of
stack
low high
memory sfp ret-addr dest src buf sfp ret-addr memory