6118452430 | Buffer overflow | A condition at an interface under which more info can be placed into a buffer or data holding area than the capacity allocated, overwriting other information | 0 | |
6183501318 | Example of a buffer overflow | Stack buffer overflows inserting extra instructions into a command to force an overflow that inserts calls to malware | 1 | |
6183491199 | When are stacks used? | 1. in function/procedure calls. 2. for allocation of memory for local variables. 3. for allocation of memory for parameters. 4. control information (return address) | 2 | |
6183741654 | ShellCode | 1. Creates a shell. It is short. The shellcode must be in machine code so that it can be inserted directly into memory. 2. It must have a return address that is the legitimate return address | 3 | |
6183748999 | When control is transferred to the shellcode, whose privileges are used? | 1. Recall it is running on behalf of the user. 2. The privileges that are used are: the host program's (this is the program that is exploited by the shellcode) system service or OS root privileges. 3. If the program is a system service, the shellcode (and therefore the attacker) will have access to much of the system. 4. Root privileges are like having keys to the kingdom | 4 | |
6183770309 | Return to libc | 1. The return address is overwritten to point to a function in a library. 2. The function can then be executed with parameters of the attacker's choice. 3. For example the attacker can launch a command shell. | 5 | |
6118452431 | Stack buffer overflow/Stack smashing | Occurs when the targeted buffer is located on the stack, usually as a local variable in a function's stack frame | 6 | |
6118452432 | Stack frame | A structure on the stack that stores the return address during a function call. It also stores locations and saves parameters to be passed to the function, and possibly register values too. | 7 | |
6118452433 | Shell code | Code supplied by an attacker and often saved in the buffer being overflowed, so the attacker can transfer execution of the program to the Shell code | 8 | |
6118452434 | Position independent | A generic restriction on the content of shell code: it cannot contain any absolute address referring to itself, because the attacker generally cannot determine in advance exactly where the target buffer will be located in the stack frame of the function in which it is defined. | 9 | |
6118452435 | Restrictions on shell code | 1. It must be position independent 2. It cannot contain any null values | 10 | |
6118452436 | NOP sled | A run of NOP commands with the return address in the middle somewhere, to deal with the inability to precisely determine the starting address to put the hacker's code | 11 | |
6118452437 | No-execute bit | Support from the processor's memory management unit to tag pages of virtual memory as being non-executable | 12 | |
6118452438 | Guard pages | A runtime defense that can be used by placing these between critical regions of memory in the process address space | 13 | |
6118452439 | Return to system call | A variant attack in which the return address is changed to jump to existing code on the system | 14 | |
6118452440 | Heap overflows | Exploiting overflows in buffers located elsewhere in the process address space. One possible target is a buffer located in memory dynamically allocated from the heap. | 15 | |
6183780481 | Heap Overflows | 1. Long lived data gets stored on the heap (like global variables). 2. The heap does not store return addresses. 3. Data can be tables of function pointers. 4. So the attacker can modify a function pointer to point to malware. 5. This is more sophisticated than buffer overflow | 16 | |
6118452441 | Replacement stack frame | A variant of stack overflow, this attack overwrites the buffer and saved frame pointer address. The saved frame pointer value is changed to refer to a location near the top of the overwritten buffer, where a dummy stack frame has been created with a return address pointing to the shellcode lower in the buffer | 17 | |
6183785727 | OpenSSL Heartbleed Vulnerability | 1. The attacker can also read data. 2. Suppose the attacker asks for more data than usual. This may expose sensitive data. 3. An example of this is the vulnerability in the OpenSSL code. 4. ASLR doesn't protect against read-only buffer overflow attacks. 5. Non-executable stack doesn't protect against the Heartbleed vulnerability either | 18 | |
6183878832 | Defense Against Buffer Overflow Attacks | 1. Programming language choice is crucial to prevent buffer overflows. 2. Languages that have the following characteristics can prevent buffer overflows: 3. should be strongly typed 4. should do automatic bounds checks 5. should do automatic memory management | 19 | |
6183897799 | Examples of safe languages | Java and C++ | 20 | |
6183901271 | Drawback of safe languages | reduction of performance and flexibility | 21 | |
6183910318 | Sometimes unsafe languages must be used... what is the defense against buffer overflow attacks? | 1. Check all input; assume all input is evil. 2. Use safer functions that do bounds checking, for example functions that check the length of a string to prevent buffer overflow. 3. Use automatic tools to analyze code for unsafe functions. 4. The tools use known patterns to compare the software to flag potentially vulnerable areas. 5. There can be a number of false negatives with these tools. | 22 | |
6183947788 | Strongly Typed Languages | Help reduce software vulnerabilities 1. Any attempt to pass incompatible data is caught at compile time or generates an error at run time 2. It is impossible to do "pointer arithmetic" to access arbitrary areas of memory. | 23 | |
6183980837 | Weakly typed languages | An array index operation may be allowed even though k is outside the range of the array | 24 | |
6183992153 | Source code analysis tools | Check the source code by running it through the tools. If all you have is a binary file, the tools may not always be helpful | 25 | |
6184003449 | Thwarting Buffer Overflow Attacks | 1. Stack canaries 2. Address Space Layout Randomization (ASLR) 3. Nonexecutable Stack | 26 | |
6184014597 | Stack canaries | A canary value is written into the stack frame, just before the return address. If the canary value is modified, then there is a good possibility the return address has been changed. Thus an overflow is detected. Return to libc can be prevented by usage of stack canaries | 27 | |
6183796698 | National Vulnerability Database | https://web.nvd.nist.gov/view/vuln/search | 28 | |
6183799917 | Key statistics from NVD | 1. Close to 70K vulnerabilities that can be exploited 2. Out of 70K, about 100 vulnerabilities in 3 months range 3. Out of 70K, about 1000 vulnerabilities in 3 years range | 29 |
Chapter 10 Computer Security Principles and Practice (Stallings/Brown) Flashcards