The document discusses buffer overflows, a common security vulnerability, and reviews various defense-in-depth techniques such as stack canaries and Address Space Layout Randomization (ASLR). It examines the effectiveness of these defenses against attacks and their potential to be bypassed. The author emphasizes the importance of a mixed approach to strengthen security against evolving attacker methods.

1. Overflowing Attack Potential
Scoring Defence-in-Depth
Defence-in-
Javier Tallón Guerri
11ICCC - Turkey

2. 2

3. 3

4. 4

5. 1.Buffer overflows, a bit of background
2.Reviewing and bypassing defence-in-
depth techniques
3.Impact in the CC
4.What to do?
5

6. 1.Buffer overflows, a bit of background
2.Reviewing and bypassing defence-in-
depth techniques
3.Impact in the CC
4.What to do?
6

7. 1. Buffer overflows, a bit of background
You know... The classic stack overflow….
#include <string.h>
void foo (char *bar) {
char c[12];
strcpy(c, bar); // no bounds checking...
}
int main (int argc, char **argv) {
foo(argv[1]);
}
7

8. 1. Buffer overflows, a bit of background
8

9. 1. Buffer overflows, a bit of background
9

10. 1. Buffer overflows, a bit of background
10

11. 1. Buffer overflows, a bit of background
There are also heap and integer
overflows….
11

12. 1. Buffer overflows, a bit of background
Could lead to arbitrary code execution
12

13. 1. Buffer overflows, a bit of background
Those were the old days…
Very few problems for the attacker:
Null bytes
Shellcode size and other constraints
Shellcode development 13

14. 1.Buffer overflows, a bit of background
2.Reviewing defence-in-depth techniques
3.Impact in the CC
4.What to do?
14

15. 2. Reviewing defence-in-depth techniques
Stack canaries
approach:
The compiler
place a value
before the return
address when a
function is called
and check that the
value has not
changed when the
function finalize.
15

16. 2. Reviewing defence-in-depth techniques
Bypassing stack canaries:
Implementation can be not correct
It can be a statistical problem
16

17. 2. Reviewing defence-in-depth techniques
Bypassing stack canaries:
Windows: SEH overwriting
Protected by SafeSEH and so on…
Unix: Other (more complex)
techniques…
17

18. 2. Reviewing defence-in-depth techniques
Non-eXecutable Stack approach:
Code is code and data is data
Widely deployed (every computer since
2001 allows this)
18

19. 2. Reviewing defence-in-depth techniques
Bypassing Non-eXecutable Stack:
Save the payload in the heap
Return into libc attacks
19

20. 2. Reviewing defence-in-depth techniques
64bits hardware resolves the
problem:
In 64 bits computers, arguments
are loaded from registers, not from
the stack.
Return into libc attack is not
possible
20

21. 2. Reviewing defence-in-depth techniques
64bits hardware resolves the
problem:
Borrowed Code Chunks or
Return Oriented Programming
21

22. 2. Reviewing defence-in-depth techniques
22

23. 2. Reviewing defence-in-depth techniques
ASLR (Address Space Layout
Randomization) approach:
The code is loaded in different
memory regions each time
23

24. 2. Reviewing defence-in-depth techniques
Bypassing ASLR:
It could be an statistical question
24

25. 2. Reviewing defence-in-depth techniques
Bypassing ASLR:
Maybe not all the libraries are
randomly loaded
25

26. 2. Reviewing defence-in-depth techniques
Mixed approach:
Standalone use of these techniques
is not very useful
Technique Technique Better
A B results
26

27. 2. Reviewing defence-in-depth techniques
Non-eXecutable Stack + ASLR:
Make very difficult the return
attacks.
27

28. 2. Reviewing defence-in-depth techniques
NX
Stack
ASLR
Stack
Canaries
Each technique makes successful
exploitation more difficult 28

29. 2. Reviewing defence-in-depth techniques
There are more defence-in-depth
techniques
Attackers always develop techniques
to bypass the new countermeasures
29

30. 2. Reviewing defence-in-depth techniques
30

31. 2. Reviewing defence-in-depth techniques
31

32. 1.Buffer overflows, a bit of background
2.Reviewing defence-in-depth techniques
3.Impact in the CC
4.What to do?
32

33. 3. Impact in the CC
Overflow detected!
Unique
characteristics
Unique exploit path
Base attack
potential
33

34. 3. Impact in the CC
Buffer Base Defence in
Overflow Attack Depth
Detected Potential Modifiers
Base
Attack
Potential
Real
Attack
Potential
Defence
in Depth
Modifiers
34

35. 3. Impact in the CC
Defence in depth technique Attack potential factor
Stack Canaries (Windows) x 1.2
Stack Canaries + SafeSEH (Windows) x 1.3
Non-eXecutable Stack x 1.35
ASLR x 1.50
Stack Canaries (Unix) x 1.52
NX Stack + ASLR x 1.54
NX Stack + ASLR + Stack Canaries (Windows) x 1.62
NX Stack + ASLR + Stack Canaries + SafeSEH (Windows) x 1.66
NX Stack + ASLR + Stack Canaries (Unix) x 1.68
… …
35

36. 1.Buffer overflows, a bit of background
2.Reviewing defence-in-depth techniques
3.Impact in the CC
4.What to do?
36

37. 4. What to do?
37

38. 4. What to do?
38

39. 4. What to do?
39

40. 4. What to do?
Whenever it is possible
Through compiler
Through Operating System
40

41. 4. What to do?
41

42. Thanks for your attention!
attention!
Javier Tallón
Epoche & Espri, S.L.
Avda. de la Vega, 1
28108, Alcobendas,
Madrid, Spain.
eval@epoche.es
42