Position Independent Code: more secure?

ka3r

Position Independent Code: more secure?

Post by ka3r »

Hi,
my OS uses the virtual addresses from 0x10000000 to 0xD0000000 (3 GB) to map the user applications.
As far as I know, Windows and Linux load code at a fixed location (0x401000 in Win and 0x80000000 in Linux, I think), but I may map the program at any location if it was linked as PIC.
Now the question: the buffer overflow exploit needs to know the ESP address in order to write the malicious code in the stack, but if the ESP address is variable, this attack will fail. Am I wrong?

For example, if I start an editor, the code can be located at 0x607B0000 and the stack at 0x607A000; the second time the code may be located at 0x15FF0000 and the stack at 0x15FE0000.

Thanks
Anton

RE: Position Independent Code: more secure?

Post by Anton »

PIC was invented for other goals, but if you see the possibility to use it for security reasons, then I guess you can, but you should know that there is no perfectly secure system.
Now concerning the buffer overflow attack:
1) After the computer restarts, the text editor's code, stack and data will be placed at the same locations, since the machine is in the same state (unless you install or uninstall something).
2) I am sure that this attack can be made with a variable ESP, using the same PIC technology.
Anton.
ka3r

RE: Position Independent Code: more secure?

Post by ka3r »

I know OSes aren't 100% secure.
I don't want to describe my entire VMM since it is very large, but the way it is designed causes the program load address to be _pseudo_-random. If the FIRST program loaded is the text editor, the address will be the same, but otherwise it depends on the programs loaded before it.

I read something about the buffer overflow denial of service, and I know it uses the ESP stack to overwrite the return address of the code.
tom1000000

RE: Position Independent Code: more secure?

Post by tom1000000 »

Hi,

I think your idea about PIC code being more secure is wrong.

Just say you allocate 8 bytes on the stack for a string. The stack will have:

EIP             (ret address 4 bytes)
String          (8 bytes)
      <---- ESP points here

It doesn't matter what the ESP value is, if you write 12 bytes to the string, you will modify the return address.

I am no expert so if any hackers have a better answer please let us know.
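The point made in the post above, that the overflow reaches the return address by a fixed byte offset from the buffer and not by an absolute stack address, can be shown in well-defined C by modelling the frame as a byte array. This is an added example, not code from the thread; the frame layout (8-byte string buffer, 4-byte saved return address directly above it), the sentinel return address 0x08048ABC and the inputs are all constructed for the demonstration. It also shows the fix a defender wants: a length check before the copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the frame from the post above: an 8-byte string
 * buffer with the 4-byte saved return address directly above it.
 * A plain byte array is used so the overflow stays well-defined C. */
#define STRING_SIZE 8u
#define RET_OFFSET  STRING_SIZE
#define FRAME_SIZE  (STRING_SIZE + 4u)

/* Constructed sentinel standing in for the legitimate return address. */
#define ORIGINAL_RET 0x08048ABCu

/* Zero the buffer and install the sentinel return address. */
static void frame_init(unsigned char *frame) {
    uint32_t ret = ORIGINAL_RET;
    memset(frame, 0, FRAME_SIZE);
    memcpy(frame + RET_OFFSET, &ret, sizeof ret);
}

/* Read back whatever currently sits in the return-address slot. */
static uint32_t frame_ret(const unsigned char *frame) {
    uint32_t ret;
    memcpy(&ret, frame + RET_OFFSET, sizeof ret);
    return ret;
}

/* The defect: copies strlen(input) bytes into the 8-byte buffer with no
 * check. The clamp to FRAME_SIZE only keeps this model in bounds; on a
 * real stack nothing stops the write. */
static void copy_unchecked(unsigned char *frame, const char *input) {
    size_t n = strlen(input);
    if (n > FRAME_SIZE) n = FRAME_SIZE;
    memcpy(frame, input, n);
}

/* The fix: compare the length against the buffer before copying.
 * Returns 0 on success, -1 when the input (plus NUL) does not fit. */
static int copy_bounded(unsigned char *frame, const char *input) {
    size_t n = strlen(input);
    if (n + 1 > STRING_SIZE) return -1;
    memcpy(frame, input, n + 1);
    return 0;
}

/* Saved return address after an unchecked copy of `input`. */
uint32_t ret_after_unchecked(const char *input) {
    unsigned char frame[FRAME_SIZE];
    frame_init(frame);
    copy_unchecked(frame, input);
    return frame_ret(frame);
}

/* Saved return address after a bounded copy; *status gets the copy's result. */
uint32_t ret_after_bounded(const char *input, int *status) {
    unsigned char frame[FRAME_SIZE];
    frame_init(frame);
    *status = copy_bounded(frame, input);
    return frame_ret(frame);
}

int main(void) {
    /* Constructed inputs: 7 bytes fits, 12 bytes reaches the return address. */
    const char *fits = "abcdefg";
    const char *overflows = "AAAAAAAABBBB";
    int status;

    printf("unchecked, 7 bytes : ret = 0x%08x\n", ret_after_unchecked(fits));
    printf("unchecked, 12 bytes: ret = 0x%08x\n", ret_after_unchecked(overflows));
    printf("bounded,   12 bytes: ret = 0x%08x (status %d)\n",
           ret_after_bounded(overflows, &status), status);
    return 0;
}
```

Nothing in the model depends on where `frame` lives: the 12-byte input lands on the return slot whether the array is at one address or another, which is exactly why a variable ESP alone does not stop the overwrite. What a randomised layout does change is the attacker's ability to know what value to put in that slot, which is the separate point raised later in the thread.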
ka3r

RE: Position Independent Code: more secure?

Post by ka3r »

Yes, you are right.
But what does the hacker do? The hacker wants to have root access to the system, and if the system is running with root privileges, the hacker can inject malicious code in the stack, so he has to modify the EIP on the stack:

Stack:
  EIP
  Variables
  Malicious code

Since EIP is an _ABSOLUTE_ address, and the ESP is variable, the code address is pseudo-random.

Causing a segmentation fault by overwriting the EIP with random data is not very useful :-)