Return-into-libc attack and Defense-bug warning-the black bar safety net

ID MYHACK58:62201561204
Type myhack58
Reporter 佚名
Modified 2015-04-15T00:00:00


This article first analyzes the return-into-libc attack principle, were introduced in different platforms for the traditional return-into-libc attack of the experimental process and results. Then, this paper further introduces and explains the return-oriented programming attacks, this attack can make up for the traditional return-into-libc attack is insufficient, making the attack more flexible and more effective. Finally, the article gives for these methods of attack Defense means. This article can help the reader to understand the return-into-libc attacks, and how in the system to prevent the attack occurred. Foreword Buffer overflow attacks are the most common use of the program defect method of attack, and become a current important security threat. In a variety of security reports, a buffer overflow vulnerability is always one very important part. Buffer overflow attacks very easily be exploited by attackers, because C and C++and other languages and there is no automatic detection of buffer overflow operation, while program developers when writing code is also difficult to always check whether the buffer is likely to overflow. The use of the overflow, the attacker may be desired to write data into the vulnerability of the program memory in any location, and even includes a control program execution flow of critical data such as function call return addresses, so the control program execution process and the implementation of malicious behavior. Buffer overflow is a common attack method is the malicious code shellcode is injected into the program, and use it to address to cover the program itself of the function call return address, so that the return time of the execution of this malicious code instead of the original should be the implementation of the code. In other words, this attack in the implementation normally first of all to the malicious code injected into the target vulnerabilities in the program. However, the program code segment is usually set to non-writable, so the attacker will need to the attack code placed on the stack. So in order to prevent this type of attack, the buffer overflow defense mechanism uses the non-implementation of stack technique, this technique makes on the stack of malicious code is not executed. And in order to avoid this defense mechanism, the buffer overflow and the emergence of a new variant of return-into-libc attacks. return-into-libc, the attacker does not need the stack can be executed, without even the need to inject new code, you can achieve the attack. Therefore, if you want to write a program can run safely, we need to know what is the Return-into-libc attack, it attacks the principles as well as possible Defense ways and means. Data Execution protection policy with return-into-libc attack As the Preface said, in a buffer overflow attack, the attacker will need to exploit the program control flow moves to the attack code. For example, an attacker can overflow the vulnerability of the program buffer zone tamper with the function's return address to point to the already placed malicious code shellcode, so that when the function returns it will jump to the corresponding malicious code to execute. In other words, this attack approach requires first, the malicious code injection to write into the target program, and later jump to and execute this section of code. For the above this kind of attack behavior, first write after the execution, researchers have proposed a Data Execution protection strategy(DEP)to help resist buffer overflow attacks. The security policy can control the program memory access, that is the protection the program memory may be constrained to only be written or to be executed(W XOR X), and can not be the first to write after execution. Currently, this security policy is already in the system has been widely used. Foreword to the non-executable stack is the policy of a special case, i.e., the stack can be written but not performed. Data Execution protection policy although the program runtime memory access provides the security protection to ensure that the memory can only be written to or to be executed and can not be the first to write after execution. But unfortunately, this protection is not completely effective, it is still not resist not to violate W XOR X protection strategy of attack. Return-into-libc attacks do not have simultaneous write and perform patterns of behavior, because it does not need to inject new malicious code, instead of reusing the vulnerability in the program has some function to complete the attack,so the vulnerability of the program to jump to the existing code sequence such as the library function of the code sequence is. The attacker in the attack can still be used the malicious code of the address, such as the libc library in the system function, etc., to cover the program of the function call return address, and passes the re-set parameters make it possible to press the attacker's desired run. This is why the attacker will use the return-into-libc the way, and use the program provided by the library function. This kind of attack way in the realization of the attack, but also avoid the Data Execution protection policy, the attack code is injected and executed for protection. Return-into-libc attack principle Return-into-libc attack can be the vulnerability function returns to the memory space has some dynamic library function. And in order to understand the return-into-libc attacks, where the first given program function call stack frame of the structure. Figure 1. Function call stack frame structure ! Figure 1 shows a typical function call, the stack frame structure, the stack is from high address to low address growth. Whenever a function calls another function to the low address direction onto the stack, and when the function returns to the high address direction to clear the stack. For example, when main() calls func(arg_1,arg_2,arg_3), first all the parameters arg_1,arg_2 and arg_3 into the stack. Figure 1 parameter from right to left in turn is pressed into the stack, this is because the C language function of the transmission parameters is from right to left onto the stack. Then, the call instruction the return address onto the stack, and the execution flow goes to func () it. The return address is a call instruction the next instruction address, this is used to inform the func ()function upon return from main()function which the instruction begins execution. Enter the func function, usually requires the main()function of the stack base pointer ebp is saved to the stack and the current stack pointer esp is saved in ebp as a func the bottom of the stack. Next, the func function will be in the stack for the local variables assigned space. Therefore, the calling function func()when the stack frame structure shown in Figure 1. And when func()execution is complete return when the leave instruction will ebp copy to the esp in the empty local variable in the stack area, and then popped from the stack the old ebp is put back into the ebp register so that ebp restored to the main()function to the bottom of the stack. Then the ret instruction from the stack to obtain the return address, return to the main()function continues to execute. An attacker can use to stack the content in the embodiment of the return-into-libc attacks. This is because the attacker is able to by buffer overflows overwrite return address of a library function's address, and this library function is executed when the parameters are re-written to the stack. So when a function is called when the Get is the attacker a good set of parameter values, and after the end of the return when it will return to the library function instead of main () is. And this library function actually help attackers to execute their malicious behavior. More complex attacks can also be by return-into-libc call chain is a series of library functions of the continuous call to complete. Return-into-libc attack experiment x86 platform attack experiment The author in the Ubuntu x86 system to a return-into-libc attack lab. Experiment by making the vulnerability of the program to jump to a libc library function the system function and execute system(“/bin/sh”)to implement the attack. The experiment mainly relates to a vulnerability in the program and an attack program. The time of the attack, the attack program will first overflow the buffer content is written to the file, whereas the loopholes of the program then the file content is read into the buffer causing it to overflow. Further attacks can be found in the reference resources in the“return-to-libc attack experiment”.

[1] [2] [3] next