secure programming chapter 3 pointer subterfuge

Post on 15-Jan-2016


DESCRIPTION

SECURE PROGRAMMING Chapter 3 Pointer Subterfuge. Exception Handling Structured System default Mitigation Strategies Stack Canaries W^X Encoding/decoding pointers Summary. Overview. Introduction Data Locations Function Pointers Modifying the IP Global Offset Table - PowerPoint PPT Presentation

TRANSCRIPT

SECURE PROGRAMMING

Chapter 3

Pointer Subterfuge

Overview

● Introduction
● Data Locations
● Function Pointers
● Modifying the IP
● Global Offset Table
● The .dtors Section
● Virtual Pointers
● atexit() and on_exit()
● longjmp()/setjmp()
● Exception Handling
● Structured
● System default
● Mitigation Strategies
● Stack Canaries
● W^X
● Encoding/decoding pointers
● Summary

Introduction

Pointer subterfuge == modifying pointer values

Pointers to objects vs pointers to functions

C++ also defines pointer to member type

All can be modified to run arbitrary code.

First examine relationship data declaration/storage

Data Locations

Overwriting a pointer with a buffer overflow:

➢ Limited by upper bound
➢ Limited by lower bound
➢ Limited by Hi
➢ Limited by Lo
➢ Limited by special marker (usually null)

Conditions:

Buffer and pointer must be in same segment.

Pointer must be in direction of overflow

Buffer not adequately bounded

Data Locations

Data allocation:

Unix: data and BSS segment (example 3.1, page 123)

Windows is similar


Function Pointers

Object Pointers

Modifying the Instruction Pointer


Global Offset Table

Windows and Linux use a similar mechanism for linking and transferring control to library functions.

Windows solution is safe.

Linux solution is exploitable.

Default binary format on Linux is called Executable and Linking Format (ELF), developed by Unix System Labs as part of the application binary interface.

Includes a “Global Offset Table” (GOT)

Global Offset Table (GOT)

Holds absolute addresses of library functions

program text is still position independent

program text can still be shared

Initially each entry points to the Run-Time Linker.

Address of GOT is fixed.

Address of GOT entry is fixed in the executable.

Obtainable through the objdump --dynamic-reloc xx command. (undocumented!!)

Global Offset Table (GOT)

Windows portable executable (PE) file format is similar to ELF:

Array of data structures for each imported DLL

Name → array of function pointers (Import Address Table, IAT)

Once module is loaded (at load time), IAT entries are write protected.

The .dtors Section

__attribute__ for functions (like constructor (called before main) or destructor (called after main exits))

Examine with:

objdump -s -j .dtors <fname>

Virtual Pointers

(pp 132/133, not used yet)

atexit() and on_exit()

(See code, manual pages)

longjmp()

pp 135, 136

Exception Handling

Windows has three types:

Vectored exception handling

Structured exception handling (try/catch)

System defaults

Unix has three:

Vectored exception handling

Structured exception handling (try/catch)

System defaults (see man signal, man sigprocmask)

Structured Exception Handling

Windows guarantees on page 138

System Default Exception Handling

Interrupt vector: Windows encodes pointer addresses, making it difficult for crackers.

Mitigation Strategies

Eliminate the vulnerabilities:

Stack canaries

W ^ X

Encode/decode function pointers (pp 140-141)
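Added example, not from the slides, of the encode/decode pointer mitigation in C (the secret value, the struct layout and the function names are assumptions): a callback slot holds an XOR-encoded pointer, in the style of Windows EncodePointer/DecodePointer, so an overwrite with a raw address does not decode to the address that was written.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef void (*handler_fn)(const char *);

/* Per-process secret. A real program draws it from a CSPRNG at startup;
 * this constructed constant only keeps the example deterministic. */
static uintptr_t pointer_secret = (uintptr_t)0x5a3c9e17u;

/* Encode a function pointer before storing it in writable memory. */
static handler_fn encode_ptr(handler_fn fn) {
    return (handler_fn)((uintptr_t)fn ^ pointer_secret);
}
/* Decode only at the call site; never keep the decoded value in memory. */
static handler_fn decode_ptr(handler_fn enc) {
    return (handler_fn)((uintptr_t)enc ^ pointer_secret);
}

static void greet(const char *who) { printf("hello %s\n", who); }

/* A record whose callback slot sits right after a buffer, the layout
 * the chapter's overflow conditions describe. */
struct dispatch {
    char name[16];
    handler_fn enc_handler;  /* always holds the encoded pointer */
};
static void dispatch_init(struct dispatch *d, const char *name, handler_fn fn) {
    strncpy(d->name, name, sizeof d->name - 1);
    d->name[sizeof d->name - 1] = '\0';
    d->enc_handler = encode_ptr(fn);
}
static void dispatch_call(const struct dispatch *d) {
    decode_ptr(d->enc_handler)(d->name);
}

/* Encoded value differs from the raw pointer, and decoding restores it. */
static int roundtrip_ok(void) {
    handler_fn enc = encode_ptr(greet);
    return enc != greet && decode_ptr(enc) == greet;
}
/* A slot overwritten with a raw address decodes to some other address, so
 * the writer does not get the target they wrote. */
static int raw_overwrite_misses_target(void) {
    struct dispatch d;
    dispatch_init(&d, "alice", greet);
    dispatch_call(&d);      /* legitimate path still works */
    d.enc_handler = greet;  /* slot now holds a raw, unencoded address */
    return decode_ptr(d.enc_handler) != greet;
}
```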

Summary
