Question


Describe why a stack canary would not be useful against a heap overflow attack.


Solutions

Expert Solution

  • An information disclosure flaw in a different part of the program could disclose the global __stack_chk_guard value. This would allow an attacker to write the correct canary value and overwrite the function return address.

  • Not all buffer overflows are on the stack. StackGuard cannot prevent heap-based buffer overflows.

  • While StackGuard effectively prevents most stack buffer overflows, some out-of-bounds write bugs can allow the attacker to write to the stack frame after the canary, without overwriting the canary value itself.

  • If a function has multiple local data structures and pointers to functions, these are allocated on the stack as well, before the canary value. If there is a buffer overflow in any one of these structures, the attacker can use this to overwrite adjacent buffers/pointers which could result in arbitrary code execution. This really depends on the arrangement of data on the stack.

  • On some architectures, multi-threaded programs store the reference canary __stack_chk_guard in Thread Local Storage, which is located a few KB after the end of the thread's stack. In these circumstances, a sufficiently large overflow can overwrite both canary and __stack_chk_guard to the same value, causing the detection to incorrectly fail.

  • Lastly, for network applications which fork() child processes, there are techniques for brute forcing canary values. This only works in some limited cases though.
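
The heap case from the second bullet, as an added example that is not part of the original answer: an unbounded copy into a heap-allocated record changes an adjacent field while the calling function's stack frame, canary included, is never written, so the function returns normally. The `session` struct, its field names and the function names are hypothetical, and the input is constructed.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Constructed record: the buffer and a security-relevant field share one heap chunk. */
struct session {
    char name[16];
    int  is_admin;
};

/* Vulnerable: copies len bytes with no bound. Every write lands inside the heap
 * allocation, so the canary in the caller's stack frame is never touched and
 * the stack protector has nothing to detect. */
static void set_name_unchecked(struct session *s, const unsigned char *src, size_t len)
{
    unsigned char *dst = (unsigned char *)s + offsetof(struct session, name);
    for (size_t i = 0; i < len; i++)
        dst[i] = src[i];
}

/* Hardened: reject input that does not fit in name, including the terminator. */
static int set_name_checked(struct session *s, const unsigned char *src, size_t len)
{
    if (len >= sizeof s->name)
        return -1;
    memcpy(s->name, src, len);
    s->name[len] = '\0';
    return 0;
}

/* Returns is_admin after an oversized write through the chosen setter.
 * The local array gives this frame a canary under -fstack-protector. */
int admin_flag_after_write(int use_checked)
{
    unsigned char input[sizeof(struct session)];
    memset(input, 'A', sizeof input);           /* constructed oversized input */
    struct session *s = calloc(1, sizeof *s);   /* is_admin starts at 0 */
    if (!s)
        return -1;
    if (use_checked)
        (void)set_name_checked(s, input, sizeof input);
    else
        set_name_unchecked(s, input, sizeof input);
    int flag = s->is_admin;
    free(s);
    return flag;
}
```

The length check is what stops the corruption here; heap-aware tooling such as AddressSanitizer covers out-of-bounds heap writes that a stack canary cannot see.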

