Defenses and Privilege escalation

Ungraded Quiz

• explain how a stack canary works
• why does ASLR make it harder to run a simple stack-based buffer overflow attack?
• explain a simple example of how privilege escalation can work

Key Concepts

Buffer overflow defenses

• make stack and heap non-executable
  • flag specified address ranges as non-executable
  • Windows allows you to turn on Data Execution Prevention
  • details on how DEP works
• stack canary
  • inserted into stack to detect code injection
  • can also use a heap canary
• run-time bounds checking
  • instrumented by compiler
• memory layout randomization (ASLR)
  • makes it more difficult for an attacker to predict where code is loaded when a buffer is overflowed
• type-safe languages
  • see NIST safer languages
  • type safety in Rust
• safe C libraries
• static analysis tools — tools that analyze your code and warn you

Adoption Barriers

• no governing body
• backwards compatibility
• incomplete solutions

Privilege escalation

• may be able to break into a low-privilege account first, then need to try to gain higher privileges
  • from a fixed program to a shell
  • from a sandbox to a complete system
  • from non-root to root
  • from root to kernel
• see simple example, page 175
• some ports are privileged, so the programs given access to those ports are targets for an attacker
• follow best practices! don’t use root accounts, don’t put untested programs on privileged ports
• privilege escalation CVEs

Extra Reading

• Return-Oriented Programming: Systems, Languages, and Applications
• tutorial on return-oriented programming
• Practical Timing Side Channel Attacks against Kernel Space ASLR
• Position-Independent Code Reuse: On the Effectiveness of ASLR in the Absence of Information Disclosure