Lecture 008

Memory Layout

Stack: run-time. 8MB limit Heap: malloc() Data: global, static variable, string constant Text: Code, Libraries

• Note: because we don't need all 64 bits, memory address has 4 useless 0s

Buffer Overflow

Buffer Overflow Example

Result

• 

• 

• 

• 

• 

Avoid Buffer Overflow

Using a Good Library

• use fgets instead of gets

• use strncpy instead of strcpy

• don't use scanf with %s (or use %ns)

Salt(Add) with Random Allocated Stack Space On Higher Address

• It shifts the stack space so that it is hard for hacker to know what exactly the return address should be.

• Can be overcome with padding of nop in exploit code

System-Level Protection

x86-64 marked stack as non-executable by default (seg-fault)

Stack Canaries

Compiler-added canaries (used by default)

Return-Oriented Programming

Why We Use it:

• works with non-executable stack

• works with stack randomization

• return-oriented does not overcome canaries

Gadgets: sequence of code ending with ret(0xc3)

• the location of library is fixed

• libraries are executable

xxd a.out | grep c3

Union

• since they share memory space, we can access them like this