STACK COOKIES CSC 444 Josh Stroschein



Stack Cookies
• Buffers allocated on the stack
• Can be overrun by a buffer overflow
• To stop these overflows, cookies have been introduced
• Also known as:
  • Canary
  • Stack Guard

Stack Cookies – How do they work?



Microsoft
• A string buffer is defined as an array whose element size is one or two bytes, and where the size of the whole array is at least five bytes, or, any buffer allocated with _alloca.
• Cookie is a static value at runtime
  • 4 bytes (DWORD)
  • Stored in the .data section when the module loads
• XORed with the current value of EBP
• That value is placed on the stack:


Microsoft
• When the function returns
  • XOR with the current value of EBP
  • Compare the value in ECX to the random cookie value
  • If they are equal, continue
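To make the prologue and epilogue on the two Microsoft slides concrete, here is an added C example (not from the slides) that models the cookie scheme on an explicit struct standing in for the stack frame, so it runs without touching the real stack. The loader cookie value, the EBP value, the buffer size and all function names are constructed for this demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: the /GS cookie scheme from the slides, modelled on an
 * explicit struct instead of the real stack frame so the demo has no
 * undefined behaviour. All names and values here are constructed. */

/* Module-wide cookie, fixed for the lifetime of the process once the
 * module has loaded (the slides' ".data section" value). */
static uint32_t g_security_cookie = 0;

void init_security_cookie(uint32_t value_from_loader) {
    g_security_cookie = value_from_loader;
}

/* Value the prologue writes at EBP-4: cookie XOR current EBP. */
uint32_t cookie_for_frame(uint32_t ebp) {
    return g_security_cookie ^ ebp;
}

/* Simulated frame in the slide's order: buffer at the lowest address,
 * cookie directly above it, then the saved EBP and return address.
 * Writing past the end of buf walks upward into cookie first. */
struct frame {
    char     buf[16];     /* the slide's buffer (size constructed here) */
    uint32_t cookie;      /* EBP-4 on the slide */
    uint32_t saved_ebp;
    uint32_t ret_addr;
};

/* Prologue: save EBP, place cookie XOR EBP on the stack. */
static void frame_enter(struct frame *f, uint32_t ebp) {
    f->saved_ebp = ebp;
    f->ret_addr  = 0x00401000u;          /* constructed return address */
    f->cookie    = cookie_for_frame(ebp);
}

/* Epilogue (__security_check_cookie): XOR the stored value with EBP
 * again and compare with the module cookie. 1 = intact, 0 = tampered. */
static int frame_check(const struct frame *f, uint32_t ebp) {
    return (f->cookie ^ ebp) == g_security_cookie;
}

/* The "function body": copies len bytes into buf with no bounds check.
 * The copy is clamped to the frame so the demo itself stays defined;
 * anything beyond buf overwrites cookie, saved_ebp and ret_addr exactly
 * as a real overrun would. Returns the epilogue check result. */
int run_frame(const char *input, size_t len, uint32_t ebp) {
    struct frame f;
    memset(&f, 0, sizeof f);
    frame_enter(&f, ebp);
    if (len > sizeof f) len = sizeof f;
    memcpy(&f, input, len);              /* buf is at offset 0 */
    return frame_check(&f, ebp);
}

/* Convenience: an unchecked write of n bytes of 'A' into the frame. */
int overflow_demo(size_t n) {
    char input[sizeof(struct frame)];
    memset(input, 'A', sizeof input);
    return run_frame(input, n, 0x0019FF70u); /* constructed EBP */
}

int main(void) {
    init_security_cookie(0xBB40E64Eu);       /* constructed loader value */
    printf("cookie on stack: 0x%08X\n", cookie_for_frame(0x0019FF70u));
    printf("16-byte write : %s\n", overflow_demo(16) ? "intact" : "TAMPERED");
    printf("20-byte write : %s\n", overflow_demo(20) ? "intact" : "TAMPERED");
    return 0;
}
```

A write that fills the buffer exactly leaves the cookie alone and passes the check; a write of even one byte more changes the stored value, and XORing it with EBP no longer yields the module cookie, which is the condition the epilogue compare catches before the corrupted return address is ever used.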

Another Example


Checking the value



Stack Cookie
PROLOG:
  push ebp
  mov ebp, esp

HIGHER addresses
  Args…
  RETURN ADDY (EIP)
  OLD EBP
  EBP - 4    Cookie
  …
  EBP - 18h  Buffer
  EBP - 1Ch  Local
LOWER addresses

Variable Reordering



GCC
• -fstack-protector
  • Emit extra code to check for buffer overflows, such as stack smashing attacks. This is done by adding a guard variable to functions with vulnerable objects. This includes functions that call alloca, and functions with buffers larger than 8 bytes. The guards are initialized when a function is entered and then checked when the function exits. If a guard check fails, an error message is printed and the program exits.
• -fstack-protector-all
  • Like -fstack-protector except that all functions are protected.
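The Variable Reordering slides and the GCC slide together describe two things: a guard variable checked at function exit, and the compiler moving character arrays next to that guard. The added C example below (not from the slides or from GCC) compares a frame laid out in declaration order with a reordered one, using structs in place of real frames so nothing undefined happens. It reports a failed guard check as a return code where GCC would print an error and exit. The guard value, buffer size, field names and the 8-byte threshold helper are constructed from the slide text.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example (not from the slides): two simulated frames, one in
 * declaration order and one with the buffer moved next to the guard the
 * way GCC's variable reordering does, to show what the reordering buys.
 * Guard value, sizes and names are constructed for the demo. */

#define GUARD_VALUE 0x0A3F5C11u   /* constructed guard */
enum { BUF_SIZE = 8 };

/* Declaration order kept: the scalar local sits between the buffer and
 * the guard, so a short overrun reaches it without touching the guard. */
struct naive_frame {
    char     buf[BUF_SIZE];
    uint32_t authorized;          /* above buf, below the guard */
    uint32_t guard;
};

/* Reordered: char array directly below the guard, scalar below the array. */
struct reordered_frame {
    uint32_t authorized;
    char     buf[BUF_SIZE];
    uint32_t guard;
};

enum outcome {
    OUTCOME_OK = 0,                /* nothing changed */
    OUTCOME_DETECTED = 1,          /* guard changed: exit check fails */
    OUTCOME_SILENT_CORRUPTION = 2  /* a local changed, guard still intact */
};

/* What the function would see at its exit check. */
static enum outcome judge(uint32_t authorized, uint32_t guard) {
    if (guard != GUARD_VALUE) return OUTCOME_DETECTED;
    if (authorized != 0)      return OUTCOME_SILENT_CORRUPTION;
    return OUTCOME_OK;
}

/* Unchecked write of n bytes of 'A' starting at buf. The write goes
 * through an unsigned char pointer over the whole struct and is clamped
 * to it, so the demo itself stays defined behaviour. */
enum outcome naive_overflow(size_t n) {
    struct naive_frame f = { {0}, 0, GUARD_VALUE };
    if (n > sizeof f) n = sizeof f;
    memset((unsigned char *)&f, 'A', n);   /* buf is at offset 0 */
    return judge(f.authorized, f.guard);
}

enum outcome reordered_overflow(size_t n) {
    struct reordered_frame f = { 0, {0}, GUARD_VALUE };
    size_t off  = offsetof(struct reordered_frame, buf);
    size_t room = sizeof f - off;
    if (n > room) n = room;
    memset((unsigned char *)&f + off, 'A', n); /* overrun goes up into guard */
    return judge(f.authorized, f.guard);
}

/* -fstack-protector's selection rule as stated on the slide: functions
 * that call alloca, or that have a buffer larger than 8 bytes, get a guard. */
int needs_stack_protector(size_t largest_buffer_bytes, int calls_alloca) {
    return calls_alloca || largest_buffer_bytes > 8;
}

static const char *outcome_name(enum outcome o) {
    return o == OUTCOME_OK ? "ok"
         : o == OUTCOME_DETECTED ? "detected"
         : "silent corruption";
}

int main(void) {
    for (size_t n = 8; n <= 16; n += 4)
        printf("%2zu bytes: naive=%-17s reordered=%s\n", n,
               outcome_name(naive_overflow(n)),
               outcome_name(reordered_overflow(n)));
    return 0;
}
```

With the declaration-order layout, an overrun of 9 to 12 bytes rewrites `authorized` while the guard stays intact, so the function would act on the corrupted value and the exit check would still pass. With the reordered layout the same overrun hits the guard immediately and nothing else in the frame changes, which is the property the reordering exists to give.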


References
• http://en.wikipedia.org/wiki/Buffer_overflow_protection
• Microsoft stack guard
  • https://msdn.microsoft.com/en-us/library/8dbf701c(VS.80).aspx
• https://gcc.gnu.org/onlinedocs/gcc-4.4.2/gcc/Optimize-Options.html