|
|
|
Modern Operating Systems by Herbert Bos and Andrew S. Tanenb...
Modern_Operating_Systems_by_Herbert_Bos_and_Andrew_S._Tanenbaum_4th_Ed.pdf
Showing 679-680 out of 1137
Modern Operating Systems by Herbert Bos and Andrew...
Modern_Operating_Systems_by_Herbert_Bos_and_Andrew_S._Tanenbaum_4th_Ed.pdf-M ODERN O PERATING S YSTEMS
Modern Operating Systems by Herbert...
Modern_Operating_Systems_by_Herbert_Bos_and_Andrew_S._Tanenbaum_4th_Ed.pdf-M ODERN O PERATING S YSTEMS
Page 679
648
SECURITY
CHAP. 9
A more important attack against ASLR is formed by memory disclosures. In
this case, the attacker uses one vulnerability not to take control of the program di-
rectly, but rather to leak information abour the memory layout, which he can then
use to exploit a second vulnerability. As a trivial example, consider the following
code:
01. void C( ) {
02.
int index;
03.
int prime [16] = { 1,2,3,5,7,11,13,17,19,23,29,31,37,41,43,47 };
04.
printf ("Which prime number between would you like to see?");
05.
index = read
user
input ( );
06.
printf ("Prime number %d is: %d\n", index, prime[index]);
07. }
The code contains a call to
read
user
input
, which is not part of the standard C li-
brary. We simply assume that it exists and returns an integer that the user types on
the command line. We also assume that it does not contain any errors. Even so, for
this code it is very easy to leak information. All we need to do is provide an index
that is greater than 15, or less than 0. As the program does not check the index, it
will happily return the value of any integer in memory.
The address of one function is often sufficient for a successful attack. The rea-
son is that even though the position at which a library is loaded may be ran-
domized, the relative offset for each individual function from this position is gener-
ally fixed. Phrased differently: if you know one function, you know them all. Even
if this is not the case, with just one code address, it is often easy to find many oth-
ers, as shown by Snow et al. (2013).
Noncontrol-Flow Diverting Attacks
So far, we have considered attacks on the control flow of a program: modifying
function pointers and return addresses. The goal was always to make the program
execute new functionality, even if that functionality was recycled from code al-
ready present in the binary.
However, this is not the only possibility. The data itself
can be an interesting target for the attacker also, as in the following snippet of
pseudocode:
01. void A( ) {
02.
int authorized;
03.
char name [128];
04.
authorized = check
credentials (...);
/* the attacker is not authorized, so returns 0 */
05.
printf ("What is your name?\n");
06.
gets (name);
07.
if (authorized != 0) {
08.
printf ("Welcome %s, here is all our secret data\n", name)
09.
/* ... show secret data ... */
Page 680
SEC. 9.7
EXPLOITING SOFTWARE
649
10.
} else
11.
printf ("Sorry %s, but you are not authorized.\n");
12.
}
13. }
The code is meant to do an authorization check. Only users with the right cre-
dentials are allowed to see the top secret data. The function
check
credentials
is
not a function from the C library, but we assume that it exists somewhere in the
program and does not contain any errors. Now suppose the attacker types in 129
characters. As in the previous case, the buffer will overflow, but it will not modify
the return address. Instead, the attacker has modified the value of the
authorized
variable, giving it a value that is not 0.
The program does not crash and does not
execute any attacker code, but it leaks the secret information to an unauthorized
user.
Buffer Overflows—The Not So Final Word
Buffer overflows are some of the oldest and most important memory corrup-
tion techniques that are used by attackers. Despite more than a quarter century of
incidents, and a a plethora of defenses (we have only treated the most important
ones), it seems impossible to get rid of them (Van der Veen, 2012). For all this
time, a substantial fraction of all security problems are due to this flaw, which is
difficult to fix because there are so many existing C programs around that do not
check for buffer overflow.
The arms race is nowhere near complete. All around the world, researchers are
investigating new defenses. Some of these defenses are aimed at binaries, others
consists of security extension to C and C++ compilers. It is important to emphasize
that attackers are also improving their exploitation techniques. In this section, we
have tried to given an overview of some of the more important techniques, but
there are many variations of the same idea. The one thing we are fairly certain of is
that in the next edition of this book, this section will still be relevant (and probably
longer).
9.7.2 Format String Attacks
The next attack is also a memory-corruption attack, but of a very different
nature. Some programmers do not like typing, even though they are excellent typ-
ists. Why name a variable
reference
count
when
rc
obviously means the same
thing and saves 13 keystrokes on every occurrence? This dislike of typing can
sometimes lead to catastrophic system failures as described below.
Consider the following fragment from a C program that prints the traditional C
greeting at the start of a program:
Ace your assessments! Get Better Grades
Browse thousands of Study Materials & Solutions from your Favorite Schools
Concordia University
Concordia_University
School:
Operating_Systems
Course:
Great resource for chem class. Had all the past labs and assignments
Leland P.
Santa Clara University
Introducing Study Plan
Using AI Tools to Help you understand and remember your course concepts better and faster than any other resource.
Find the best videos to learn every concept in that course from Youtube and Tiktok without searching.
Save All Relavent Videos & Materials and access anytime and anywhere
Prepare Smart and Guarantee better grades
Know more
Students also viewed documents
lab 18.docx
lab_18.docx
Course
Course
3
Module5QuizSTA2023.d...
Module5QuizSTA2023.docx.docx
Course
Course
10
Week 7 Test Math302....
Week_7_Test_Math302.docx.docx
Course
Course
30
Chapter 1 Assigment ...
Chapter_1_Assigment_Questions.docx.docx
Course
Course
5
Week 4 tests.docx.do...
Week_4_tests.docx.docx
Course
Course
23
Week 6 tests.docx.do...
Week_6_tests.docx.docx
Course
Course
106
