SECURE PROGRAMMING Chapter 3 Pointer Subterfuge

Overview
• Introduction
• Data Locations
• Function Pointers
• Modifying the IP
• Global Offset Table
• The .dtors Section
• Virtual Pointers
• atexit() and on_exit()
• longjmp()/setjmp()
• Exception Handling: Structured, System default
• Mitigation Strategies: Stack Canaries, W^X, Encoding/decoding pointers
• Summary
Introduction
Pointer subterfuge == modifying pointer values. C has pointers to objects and pointers to functions; C++ also defines a pointer-to-member type. All of them can be modified to run arbitrary code. First, examine the relationship between data declaration and storage.
Data Locations
Overwriting a pointer with a buffer overflow is:
• Limited by upper bound
• Limited by lower bound
• Limited by Hi
• Limited by Lo
• Limited by special marker (usually null)
Conditions:
• Buffer and pointer must be in the same segment
• Pointer must be in the direction of the overflow
• Buffer not adequately bounded
Data Locations
Data allocation on Unix: data and BSS segment (example 3.1, page 123). Windows is similar.
Global Offset Table
Windows and Linux use a similar mechanism for linking and transferring control to library functions. The Windows solution is safe; the Linux solution is exploitable. The default binary format on Linux is the Executable and Linking Format (ELF), developed by Unix System Labs as part of the application binary interface. It includes a “Global Offset Table” (GOT).
Global Offset Table (GOT)
Holds the absolute addresses of library functions, so program text is still position independent and can still be shared. Initially each entry points to the run-time linker. The address of the GOT, and of each GOT entry, is fixed in the executable and obtainable with the objdump --dynamic-reloc <fname> command (undocumented!!).
Global Offset Table (GOT)
The Windows portable executable (PE) file format is similar to ELF: an array of data structures, one per imported DLL, mapping name → array of function pointers (Import Address Table, IAT). Once the module is loaded (at load time), IAT entries are write protected.
The .dtors Section
__attribute__ for functions: constructor (called before main) or destructor (called after main exits). Examine with: objdump -s -j .dtors <fname>
Virtual Pointers (pp 132/133, not used yet)
atexit() and on_exit() (See code, manual pages)
longjmp() pp 135, 136
Exception Handling
Windows has three types:
• Vectored exception handling
• Structured exception handling (try/catch)
• System defaults
Unix has three:
• Vectored exception handling
• Structured exception handling (try/catch)
• System defaults (see man signal, man sigprocmask)
Structured Exception Handling: Windows guarantees, see page 138.
System Default Exception Handling: interrupt vector. Windows encodes pointer addresses, making it difficult for crackers.
Mitigation Strategies
Eliminate the vulnerabilities:
• Stack canaries
• W ^ X
• Encode/decode function pointers (pp 140-141)
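An added example, not taken from the slides or the textbook, of the encode/decode-pointer mitigation in the spirit of Windows EncodePointer/DecodePointer: a stored function pointer is XORed with a per-process secret and rotated, and decoded only at the call site, so a stray write can no longer steer the call to a chosen address. The secret derivation, rotation amount, handler names and dispatch table are assumptions of the example.

```c
#include <stdint.h>
#include <time.h>

typedef int (*handler_t)(int);

/* Process-wide secret that masks every stored function pointer. */
static uintptr_t ptr_secret;
/* Assumption: a production build seeds this from a CSPRNG at start-up; the
 * example mixes time and a global's address only so it runs stand-alone. */
static uintptr_t get_secret(void) {
    if (ptr_secret == 0) {
        uintptr_t s = (uintptr_t)time(NULL) * 0x9E3779B97F4A7C15ULL;
        s ^= (uintptr_t)&ptr_secret;
        s ^= (uintptr_t)0x5bd1e995UL << 16;
        ptr_secret = s ? s : (uintptr_t)0x13579BDF; /* never a zero mask */
    }
    return ptr_secret;
}

#define PTR_BITS (sizeof(uintptr_t) * 8)
#define ROT 13u
static uintptr_t rotl(uintptr_t v, unsigned n) { return (v << n) | (v >> (PTR_BITS - n)); }
static uintptr_t rotr(uintptr_t v, unsigned n) { return (v >> n) | (v << (PTR_BITS - n)); }

/* Encode before storing: XOR with the secret, then rotate, so an attacker who
 * can overwrite the stored word cannot make it decode to a chosen address. */
uintptr_t encode_fptr(handler_t f) { return rotl((uintptr_t)f ^ get_secret(), ROT); }
/* Decode only at the point of call; a corrupted word yields a garbage address. */
handler_t decode_fptr(uintptr_t e) { return (handler_t)(rotr(e, ROT) ^ get_secret()); }

/* Constructed callbacks standing in for atexit() handlers or vtable entries. */
static int double_it(int x) { return 2 * x; }
static int negate(int x) { return -x; }

/* Dispatch table holding encoded pointers only. */
uintptr_t handler_table[2];

void register_handlers(void) {
    handler_table[0] = encode_fptr(double_it);
    handler_table[1] = encode_fptr(negate);
}

int dispatch(int slot, int arg) { return decode_fptr(handler_table[slot])(arg); }

/* Integrity check a defender can run before dereferencing: does the stored
 * word still decode to one of the handlers we registered? */
int handler_intact(int slot) {
    handler_t f = decode_fptr(handler_table[slot]);
    return f == double_it || f == negate;
}
```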