CSC 2045 Week 10 Memory Segments PDF

Document Details


Uploaded by DivineZebra9695

Red Rocks Community College

Tags

computer science memory management buffer overflow programming

Summary

This document discusses memory segments and layouts in computer science. It covers topics such as security and various programming techniques. Specific concepts like buffer overflow are explained in detail.

Full Transcript


CSC 2045 SECURE MEMORY HANDLING: MEMORY SEGMENTS AND LAYOUT, BUFFER OVERFLOW

OBJECTIVES
- Explain the relationship between applications, CPU, and main memory
- Understand how modern computers store both program code and data in memory
- Understand how stack frames relate to program variables
- Write a program that prevents an attacker from writing a single address to any memory location
- Allocate buffer overflows that lead to vulnerability in C++
- Implement an arbitrary memory write in C++

AGENDA: WEEK 10
1. Von Neumann Architecture
2. Low-Level and High-Level Programming Languages
3. Memory Layout / Segments
4. Data Execution Prevention
5. ASLR
6. The Stack & Stack Frames
7. Smashing the Stack
8. Buffer Overflow
9. Stack Canaries

VON NEUMANN ARCHITECTURE
Modern computers are based on the Von Neumann architecture (from 1945).
Key point: memory stores BOTH instructions and data.

MACHINE, LOW-LEVEL, AND HIGH-LEVEL SOFTWARE
(slide figure; no text recovered)

PROGRAM IN MEMORY
The CPU fetches the next instruction from the text section at the address stored in the Program Counter, loads it into the instruction register, the Control Unit decodes it (operands and operation, e.g. x + y), and the instruction is passed to the processor to execute when its turn comes.

MEMORY LAYOUT
(slide figure; no text recovered)

PROGRAM LAYOUT: PROCESS
(slide figure; no text recovered)

DATA EXECUTION PREVENTION (DEP)
Imagine you own a coffee shop, and your shop has doors that are for customers and other doors for deliveries. In order to ensure that only approved products are sold and used in your shop, you require that all deliveries come through the delivery doors. If a delivery person comes through the customer-only door, that is considered suspicious and you decline to accept their delivery. DEP doesn't let deliveries (executable code) come through the customer-only door (areas of memory marked for data only).
Source: What is Data Execution Prevention (DEP)?

ADDRESS SPACE LAYOUT RANDOMIZATION
ASLR: Address Space Layout Randomization. When a program is loaded into memory, ASLR randomly arranges the positions of key data areas, such as the base address of the executable code, libraries, heap, and stack. This randomization makes it difficult for attackers to predict the memory layout, making exploitation harder. By randomizing memory addresses, ASLR makes it more challenging for attackers to exploit vulnerabilities because they can't rely on fixed memory addresses to launch attacks, such as buffer overflow exploits or Return-Oriented Programming (ROP) attacks.

STACK: LIFO (LAST IN, FIRST OUT)
A stack is a sequence of items that can only be inserted or removed from one end (the top or front). It is like a stack of books: the bottom one is only used if all the rest have been taken.
- Items are pushed onto or popped off of the stack
- Function calls go on a call stack
- Don't BREAK the stack!

THE STACK
- The stack space in memory is where space is given for every method call
- The space allocated is called a stack frame or activation record
- Function calls create activation records: local variables / parameters, return address, state (stack pointers, registers, etc.)
- Runtime stacks normally have CPU assistance
- ESP/EBP: registers for the top of the stack and the current function's stack frame
- A "CALL" implicitly pushes the return address onto the stack
- Use PUSH/POP to move data onto/off of the stack

STACK FRAME (DEFINITION)
A stack frame is a memory management technique used in some programming languages for generating and eliminating temporary variables. It is the collection of all information on the stack pertaining to a subprogram call. Stack frames only exist during the runtime process.

USE OF STACK FRAMES WITH SUBROUTINES
(slide figure; no text recovered)

STACK MEMORY
The call stack area manages the data associated with functions. When a function is called, a block of data called an activation record is pushed onto the stack. When we return from that function, that block of data is popped or removed from the stack. Allocating memory on the stack is comparatively fast. Memory allocated on the stack stays in scope as long as it is on the stack; it is destroyed when it is popped off the stack. All memory allocated on the stack is known at compile time. Consequently, this memory can be accessed directly through a variable. Because the stack is relatively small, it is generally not a good idea to do anything that eats up lots of stack space. This includes passing by value or creating local variables of large arrays or other memory-intensive structures.

STACK OVERFLOW
The stack has a limited size, and consequently can only hold a limited amount of information. If the program tries to put too much information on the stack, stack overflow will result. Stack overflow happens when all the memory in the stack has been allocated; in that case, further allocations begin overflowing into other sections of memory. Stack overflow is generally the result of allocating too many variables on the stack and/or making too many nested function calls (where functionA calls functionB, which calls functionC, which calls functionD, etc.). On modern operating systems, overflowing the stack will generally cause your OS to issue an access violation and terminate the program.

SMASHING THE STACK
This is an important class of vulnerability because of its frequency and potential consequences. It occurs when a buffer overflow overwrites data in the memory allocated to the stack. Successful exploits can overwrite the return address on the stack, allowing execution of arbitrary code on the targeted machine.

BUFFER OVERFLOW
Core problem:
- User data and program flow control information are intermingled for the sake of performance
- Low-level languages allow direct access to application memory
- C and C++ are the two most popular languages afflicted
- A buffer overrun occurs when a program allows input to write beyond the end of the allocated buffer
- The effect of a buffer overrun is anything from a crash to the attacker gaining complete control of the application

RUNTIME PROTECTION: STACK CANARIES
Stack canaries, named for their analogy to a canary in a coal mine, are used to detect a stack buffer overflow before execution of malicious code can occur. This method works by placing a small integer, the value of which is randomly chosen at program start, in memory just before the stack return pointer.
Source: Wikipedia: Stack Canaries
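The buffer overrun and stack canary slides above can be shown together in a small, self-contained C program. This is an added example, not part of the course slides: it models one stack frame as a struct (buffer, then canary, then return address, a constructed layout; real compilers choose their own), shows how an unchecked copy of oversized input spills over the canary before it reaches the return address, how the canary check catches it, and the bounded copy that rejects such input in the first place. The canary value and the 0x4000 return address are placeholders.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of one stack frame in the order the slides describe: the local
 * buffer, the canary placed just before the saved control data, and the
 * return address. Constructed layout for illustration only. */
#define BUF_SIZE 16
#define DEMO_CANARY 0x1122334455667788ULL /* fixed here; real canaries are random per run */

typedef struct {
    char     buf[BUF_SIZE];
    uint64_t canary;
    uint64_t ret_addr;
} model_frame;

/* The overrun pattern: copies len bytes into buf with no bounds check, so
 * len > BUF_SIZE spills into the canary and then the return address.
 * Clamped to the struct so this demo never writes outside its own memory. */
static void unchecked_copy(model_frame *f, const char *src, size_t len) {
    if (len > sizeof *f) len = sizeof *f;
    memcpy((unsigned char *)f, src, len);
}

/* The check a canary-protected function runs before it uses ret_addr. */
int canary_intact(const model_frame *f) {
    return f->canary == DEMO_CANARY;
}

/* Hardened copy: rejects input that does not fit together with its
 * terminator instead of writing past the end. 0 = copied, -1 = rejected. */
int bounded_copy(char *dst, size_t dst_size, const char *src, size_t len) {
    if (dst_size == 0 || len >= dst_size) return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Feeds len bytes of constructed input ('A's) through the unchecked copy.
 * Returns 1 if the canary check would catch the overrun, 0 if it stays intact. */
int overrun_detected_by_canary(size_t len) {
    char input[64];
    memset(input, 'A', sizeof input);
    model_frame f = { {0}, DEMO_CANARY, 0x4000 }; /* 0x4000: placeholder return address */
    unchecked_copy(&f, input, len);
    return canary_intact(&f) ? 0 : 1;
}

int main(void) {
    char dst[BUF_SIZE];
    printf("8-byte input:  canary %s\n", overrun_detected_by_canary(8) ? "smashed" : "intact");
    printf("24-byte input: canary %s\n", overrun_detected_by_canary(24) ? "smashed" : "intact");
    printf("bounded_copy of 24 bytes: %d (rejected)\n",
           bounded_copy(dst, sizeof dst, "AAAAAAAAAAAAAAAAAAAAAAAA", 24));
    return 0;
}
```

Any input longer than BUF_SIZE changes at least one canary byte, so the check fails before the corrupted return address could be used; the bounded copy never lets the write happen at all.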
