Worksheet 07: Software Security II

Worksheets are self-guided activities that reinforce lectures. They are not graded for accuracy, only for completion. Worksheets are due by the start of the next lecture via Blackboard link as a single PDF document. Be sure to properly label each question.

1. In which segment of program memory stores the instructions of the program?

   Reveal Solution

   The text segment

2. Explain why we refer to the stack as “growing down” and the heap as “growing up?”

   Reveal Solution

   The stack memory resides at a higher address space, so the bottom of the stack is a lower address space. By “growing down”, you add to the stack by subtracting from the stack point into unallocated memory with a lower address.

   The heap grows upward for similar reasons, but reversed. The heap is stored at a lower address space, and the base pointer defines the top of the heap. To allocate more space you add to the base pointer, moving into higher addressed, unallocated memory.

3. In a stack frame, what is the purpose of the stack pointer and the frame pointer?

   Reveal Solution

   The stack pointer describes the bottom of the stack frame, lower addresses. Subtracting from it allocates more space in the stack frame for local variables.

   The frame pointer references the memory location of the calling-function’s, stack frame’s frame pointer, or the old FP. Memory above the frame pointer includes the return address of the function and its argument.

4. What is the instruction pointer (IP)?

   Reveal Solution

   The instruction pointer is a reference to the TEXT segment of code for what is the current instruction/code that is being executed?

5. When a function returns, how is the stack frame de-allocated and control returned to the call function?

   Reveal Solution

   1. The stack pointer (SP) is set to the frame pointer (FP), which de-allocates any local variables
   2. The old frame pointer is “popped” off the stack and set to FP (at this point SP references the return address)
   3. The return address is “popped” off into the instruction pointer (at this point SP references the function arguments)

   Note that function arguments are set by the calling function in its local variables, so at this point the stack frame of the calling function is reconstructed. Additionally, the instruction pointer references the next instruction after the function call.

6. Using the process you described above, explain how a buffer overflow attack could enable arbitrary code execution?

   Reveal Solution

   If an attacker can overwrite beyond the bounds of a buffer, and keep writing up the stack and overwrite the return address, then when the return address is popped off the stack into the instruction pointer, that could be a location of the attackers choosing and code of their choosing.

7. Download the following exercise exploit-me-3 as a zip file and unzip it. You should open that directory in a VSCode environment. If you already have Docker Desktop installed, it should also prompt you to open it in a container. Please do so. If you need some review, refer to problem #12 in Worksheet 2.

   In here you’ll find the source code (minus the flag) for a program that can be exploited using an stack-based buffer overflow. Do so and retrieve the flag. Also describe a way to fix this program.

   Note that the README.md file has additional instructions and hints on how to accomplish this task.

   Reveal Solution

   flag{366-bUFF3r0v3RF10w_r3turn}
   

   In the function parrot(), the strcpy() should check the length of the string properly.

8. What is shell code?

   Reveal Solution

   Shell code is a small piece of binary/instructions that if executed, will open a shell. Technically, shell code doesn’t necessarily have to open a shell – it could do anything really – but historically, that’s been the purpose.

9. What is a NOP sled and how is it used?

   Reveal Solution

   A NOP sled is a series of instructions that don’t do anything meaningful, i.e., a no-operation or NOP. A NOP sled is when you have a long section of such instructions in a row, and then at the end, shell code? This is useful when an attacker may not know the exact location of the shell code, but can have the program jump to a address that’s close. If the attacker lands in the NOP sled, execution will slide to the shell code.

10. How does the mechanism of a heap-based vs. a stack-based overflow differ?

    Reveal Solution

    In a heap-based oveflow attack, the target for gaining control of the program is not the return address. Unlike a stack-based overflow, within the stack-frame, there always exists memory that will be loaded into the instruction pointer (namely the return address). The heap doesn’t store stack frames, but it may still store function pointers that can be overwritten or other memory that might be corrupted.

    The most common example of this is dynamic objects, for example in C++, where the data and the functions that manipulate that data, are stored together. If there’s an overflow in a buffer that enables overwriting a function reference, then once that function is called, the attacker gains control of the program’s execution.

11. Explain a “heap spray” or “spray and pray” based attack?

    Reveal Solution

    This is when the attacker is able to inject large number of copies of shell-code (with a larger nop-sled) into memory, typcially in the heap. As this memory is dynamic, the exact location may not be known, but the attacker does know if they can get execution to jump to some point in the heap, they’ll likely hit a nop-sled and thus execute shell code.

    So the “heap-spray” refers to spraying large amounts nop-sled, shell-code into memory. And the “spray and pray” refers to just praying that you’ll hit it when you jump execution.

12. What is a return-to-libc attack and how does it differ than using shell code?

    Reveal Solution

    A retun-to-libc attack refers to when the attacker gains control of the execution, instead of jumping to prepared shell-code that was also injected, they instead jump to executing an already existing function included with the program, such as those found in libc. The most common of these is system() which can execute aribtrary bash commands, even opening a shell.

13. What are “stack canaries” and how do they prevent stack-based buffer overflows?

    Reveal Solution

    A stack canary is a special field inserted in memory just beneath the return address. The return address is only popped into the instruction pointer if the canary is untouched, i.e., maintains its original value. Note that in a stack-based buffer overflow, the attacker writes up the stack to reach the return address and by doing so, would overwrite the canary. This could be detected, as the canary is “dead” – just like canaries were used in mines to detect gas leaks.

14. Take a look at this OWASP report on format string attacks. How can this vulnerability be used to reveal values on the stack that the attacker?

    Reveal Solution

    In a format string attack, the programmer used a variable for the string to print, like printf(var), rather than a format printf("%s",var). If var could be manipulated by an attacker to contain additional format characters, like %d or %s, then printf() will refer to the location where theirs arguments would normally be on memory to format them. In the case where no additional arguments were given, it will simply format whatever is on the stack above the frame pointer.