buffer overflow cont.?


Post by Sam111 »

OK, I have been reading about the compiler security /GS switch:
http://msdn.microsoft.com/library/aa290051.aspx <- (if you are interested, this is an excellent description of how it works)

I get how it works; it basically uses 4 extra bytes on the stack for a cookie.
If the cookie is changed (i.e. overwritten by a buffer overflow), then the security exception method is called, which displays an error message, etc., and cancels the program before the buffer overflow exploit can occur.

But what I am concerned about is: what happens if you just overflowed the security exception method with your shellcode?
Then, when the cookie is detected as corrupt by the XOR, the jump to the report/security functions would start the execution of the shellcode, thus getting around the whole security thing?

The only thing I can think of to make it completely safe (i.e. 100% buffer-overflow secure) is to put the security/report handling functions in a section that is read-only and execute-only, but not writeable, if that is possible.

If not, then this security checking only makes it more difficult, but not impossible, for overflows to still be exploited.
Also, this security /GS thing takes up more of the stack and makes your code bigger, and slower in some cases if you're not careful about knowing which functions to use it with. (And if you know this, then chances are you could just fix the damn code in the first place.)

Also, correct me if I am wrong: this security checking /GS feature is only good for detecting/stopping stack-based overflows.
It can't stop heap or other types of non-stack overflows.
Re: buffer overflow cont.?

Post by Combuster »

The idea of calling that handler is that it doesn't depend on anything that's on the stack already. Since the executable portion cannot be written, transfer to that function will always work.
"Certainly avoid yourself. He is a newbie and might not realize it. You'll hate his code deeply a few years down the road." - Sortie
[ My OS ] [ VDisk/SFS ]
Re: buffer overflow cont.?

Post by Sam111 »

OK, I see now.

Anyway, this only protects against stack-based overflows, not any others... like heap, or bss, etc. overflows?
Is there any protection for the other segments (heap, bss, etc.)?

Also, Microsoft provides programming tools like dumpbin and editbin.
When I am on Linux using the GNU tools (gcc, ld, objdump, etc.),
is there anything that allows me to do the equivalent of editbin?
objdump is equivalent to dumpbin;
what is equivalent to editbin for the GNU suite?

editbin is cool because it lets you change the stack size and heap size, as well as section attributes like read/write, execute, or shared, etc., without having to recompile the code with the stack-size/heap-size options, etc.
Re: buffer overflow cont.?

Post by pcmattman »

Heap overflows are often detected by unmapping the page directly following an allocation. Whilst this significantly increases memory use, you will always get a fault as soon as an overflow occurs, which allows you to determine exactly what is causing an overflow.

If the overhead of that method is too much for you, you can add values to the header and footer of each allocation and verify them when freeing the block. However, all this does is tell you that a heap overflow has occurred at some point - you can't find out what wrote there or when.

As for the BSS/data section - try defensive programming instead of depending on the operating system to handle your mistakes ;). Seriously though, most of the stuff in data and bss sections is of a static size. If you do overflow, you'll trash the contents of another variable - you can't trash anything important such as code or kernel hooks, as they're read-only.
Re: buffer overflow cont.?

Post by Sam111 »

OK, got you on this.
Also, Microsoft provides programming tools like dumpbin and editbin.
When I am on Linux using the GNU tools (gcc, ld, objdump, etc.),
is there anything that allows me to do the equivalent of editbin?
objdump is equivalent to dumpbin;
what is equivalent to editbin for the GNU suite?

editbin is cool because it lets you change the stack size and heap size, as well as section attributes like read/write, execute, or shared, etc., without having to recompile the code with the stack-size/heap-size options, etc.
Does anybody know how you can get the capability of editbin under Linux with gcc, ld, etc.?
Re: buffer overflow cont.?

Post by ucosty »

Sam111 wrote: OK, got you on this.
Also, Microsoft provides programming tools like dumpbin and editbin.
When I am on Linux using the GNU tools (gcc, ld, objdump, etc.),
is there anything that allows me to do the equivalent of editbin?
objdump is equivalent to dumpbin;
what is equivalent to editbin for the GNU suite?

editbin is cool because it lets you change the stack size and heap size, as well as section attributes like read/write, execute, or shared, etc., without having to recompile the code with the stack-size/heap-size options, etc.
Does anybody know how you can get the capability of editbin under Linux with gcc, ld, etc.?

Take a look at objcopy.
The cake is a lie | rackbits.com