# 04 Buffer Overflow Attack NTNU 資安攻防演練 ##### [Back to Note Overview](https://reurl.cc/XXeYaE) ##### [Back to Information Security: A Hands-on Approach](https://hackmd.io/z5PJjK7eTJ29YEhMjyAaCw) <!-- {%hackmd @sophie8909/pink_theme %} --> ###### tags: `攻防演練` `110-1` `CSIE` `選修` `NTNU` <!-- tag順序 [學校] [系 必選] or [學程 學程名(不含學程的 e.g. 大師創業)] [課程] [開課學期]--> ## Overview 1. Memory Layout 2. Memory Layout for a Function Call 3. Stack Buffer Overflow Attack 4. A Little Trick: Spraying the Buffer 5. Countermeasures: ASLR 6. Countermeasures: StackGuard 7. Countermeasures: Others 8. Defeating the Countermeasure in DASH ## Memory Layout ![](https://i.imgur.com/6CiMBCB.png) - **Text Argument**: contains <font color=red> executable instruction </font>. - **Data Segment**: Initialized data segment. - contains the global variables and static variables that are initialized. - **BSS Segment**: Uninitialized data segment, block started by symbol. - we seperate data and bss for the **performance issue** - When loading your program into memory, .bss segment can be skipped. - You can also save the program size since you do not need to store lots of zeros. - **Stack**: the allocation and de-allocation for stack memory is automatically done. - <font color=red> **tempary space** </font> - **Heap**: <font color=blue> dynamic memory allocation </font> - explictly managed by programmers ## Memory Layout for a Function Call - A calling convention is an implementation-level (low-level) scheme for <font color=red> how subroutines receive parameters form their caller and how they return a result</font>. - When the subprogram is done executing it <font color=blue> jumps back to the instruction after the call</font>, and the execution resumes as if nothing had happened. ![](https://i.imgur.com/ex2HuZe.png) - When there are more than one function calling **function (red block)**, how does it know that it would jump to which functions? - **Solution**: - The ESP regidter always contains the address of the element at the top of the stack. - <font color=red style="font-size: 24px"> **Important: Do not use ESP for anything else!** </font> - its value is updated by calls to **push** or **pop**. - So what you should do is <font color=red> **push return address** </font> ### Activation Records - In general, when calling a function, one puts all kinds of useful information on the stack. - The set of useful information is typically called an <font color=red> **activation record** </font> or a <font color=red> **stack frame**</font>. - One very important component of an activation record is <font color=blue> the parameters passed to the function</font>. - Another is the return address, as we've already seen. - To call a function you have to follow these steps: 1. Push the parameters onto the stack. - if there are three parameters, compiler will push 'c' first, 'b' second, and 'a' last. 2. Execute the CALL instruction, which pushes the return address onto the stack. - If you want to **call** a function with two 32-bits parameters. ![](https://i.imgur.com/m0NWFQ8.png) - However, **ESP** will be modified, when calling another variables or functions. - There is another register **EBP** to store the content of **ESP** before it is modified by other operations.