|
|
|
Modern Operating Systems by Herbert Bos and Andrew S. Tanenb...
Modern_Operating_Systems_by_Herbert_Bos_and_Andrew_S._Tanenbaum_4th_Ed.pdf
Showing 675 out of 1137
Modern Operating Systems by Herbert Bos and Andrew...
Modern_Operating_Systems_by_Herbert_Bos_and_Andrew_S._Tanenbaum_4th_Ed.pdf-M ODERN O PERATING S YSTEMS
Modern Operating Systems by Herbert...
Modern_Operating_Systems_by_Herbert_Bos_and_Andrew_S._Tanenbaum_4th_Ed.pdf-M ODERN O PERATING S YSTEMS
Page 675
644
SECURITY
CHAP. 9
Let us suppose the system uses stack canaries. How could we possibly change
the return address? The trick is that when the attacker overflows buffer
B
, he does
not try to hit the return address immediately. Instead, he modifies the variable
len
that is located just above it on the stack. In line 9,
len
serves as an offset that deter-
mines where the contents of buffer
B
will be written. The programmer’s idea was
to skip only the date string, but since the attacker controls
len
, he may use it to skip
the canary and overwrite the return address.
Moreover, buffer overflows are not limited to the return address. Any function
pointer that is reachable via an overflow is fair game. A function pointer is just like
a regular pointer, except that it points to a function instead of data. For instance, C
and C++ allow a programmer to declare a variable
f
as a pointer to a function that
takes a string argument and returns no result, as follows:
void (*f)(char*);
The syntax is perhaps a bit arcane, but it is really just another variable declaration.
Since function
A
of the previous example matches the above signature, we can now
write ‘‘
f=A
’’ and use
f
instead of
A
in our program. It is beyond this book to go
into function pointers in great detail, but rest assured that function pointers are
quite common in operating systems. Now suppose the attacker manages to over-
write a function pointer. As soon as the program calls the function using the func-
tion pointer, it would really call the code injected by the attacker. For the exploit to
work, the function pointer need not even be on the stack. Function pointers on the
heap are just as useful. As long as the attacker can change the value of a function
pointer or a return address to the buffer that contains the attacker’s code, he is able
to change the program’s flow of control.
Data Execution Prevention
Perhaps by now you may exclaim: ‘‘Wait a minute! The real cause of the prob-
lem is not that the attacker is able to overwrite function pointers and return ad-
dresses, but the fact that he can inject
code
and have it executed. Why not make it
impossible to execute bytes on the heap and the stack?’’ If so, you had an epiphany.
However, we will see shortly that epiphanies do not always stop buffer overflow at-
tacks. Still, the idea is pretty good.
Code injection attacks
will no longer work if
the bytes provided by the attacker cannot be executed as legitimate code.
Modern CPUs have a feature that is popularly referred to as the
NX bit
, which
stands for ‘‘No-eXecute.’’ It is extremely useful to distinguish between data seg-
ments (heap, stack, and global variables) and the text segment (which contains the
code). Specifically, many modern operating systems try to ensure that data seg-
ments are writable, but are not executable, and the text segment is executable, but
not writable. This policy is known on OpenBSD as
WˆX
(pronounced as ‘‘W
Exclusive-OR X’’) or ‘‘W XOR X’’). It signifies that memory is either writable or
executable, but not both. Mac OS X, Linux, and Windows have similar protection
Ace your assessments! Get Better Grades
Browse thousands of Study Materials & Solutions from your Favorite Schools
Concordia University
Concordia_University
School:
Operating_Systems
Course:
Great resource for chem class. Had all the past labs and assignments
Leland P.
Santa Clara University
Introducing Study Plan
Using AI Tools to Help you understand and remember your course concepts better and faster than any other resource.
Find the best videos to learn every concept in that course from Youtube and Tiktok without searching.
Save All Relavent Videos & Materials and access anytime and anywhere
Prepare Smart and Guarantee better grades
Know more
Students also viewed documents
lab 18.docx
lab_18.docx
Course
Course
3
Module5QuizSTA2023.d...
Module5QuizSTA2023.docx.docx
Course
Course
10
Week 7 Test Math302....
Week_7_Test_Math302.docx.docx
Course
Course
30
Chapter 1 Assigment ...
Chapter_1_Assigment_Questions.docx.docx
Course
Course
5
Week 4 tests.docx.do...
Week_4_tests.docx.docx
Course
Course
23
Week 6 tests.docx.do...
Week_6_tests.docx.docx
Course
Course
106
