- In C, many strings-related functions do not check the bound.
- It may start to overwrite a fixed-sized array.
- A savvy users may put a long input array, overwriting the return address with desired value.
Preventing Such Exploits
- Use better functions.
- Use Canary Values
- Compiler inserts random unique values—canary values—before return address
- If the canary values are modified, crash.
- Address Space Layout Randomization (ASLR)
- Compiler randomize where the stack will start.
- Makes hard to predict the desired return address.
- Prepend as many
nopinstructions as possible before the exploit code
- Yields a higher chance of an exploit.
- Privilege & Access Control Bits
- Mark a specific portion of the stack as non-executable.
Return Oriented Programming
- Use Case: When the stack is marked as non-executable && position randomized.
- Idea: Find useful attack instructions
gadgetsthat already exists
- because they are executable and not randomized in position.