20s-2550: L22 Exploits

Materials

You can use the L22 slides (pdf) to take notes.

L22 annotated slides (pdf) from lecture have my drawings.

Please see piazza@439 for a link to the recorded video.

Summary

The main topic is the structure of a buffer overflow attack.

  1. First, understand how functions are called in a program. Stack, function arguments, return address.

  2. What happens when a function inadvertently overwrites the return address? Crash! Why? Be able to explain this at the level of the page table faults that may result.

  3. This implementation flaw (over-writing a variable stored on the stack) can lead to a security attack. Namely, an attacker can feed in a value that overwrites the return address to an address of their choosing. This address can point to shellcode; shellcode is essentially a small snippet of code that runs /bin/sh and provides a shell to the attacker which can be used to start other programs, and generally take control of the subject’s account.

  4. These attacks are fragile and require all the addresses and code to exactly match up. Techniques like NOP sleds can make these attacks more likely to succeed.

  5. Counter-measures include W^X (not NX as written in the slides), ASLR, and stack canaries. However, more advanced techniques like return-oriented programming (ROP) can defeat many of these measures.

  6. Networks allow computers to send messages to each other. Popular network protocols include TCP, UDP, and ICMP. Network protocols do not have built-in authentication, which allows for many types of network attacks.

  7. A popular class of attacks is to deplete a victim’s resources by mounting an “amplification attack.” The attacker can send a small amount of network traffic that gets amplified into a huge amount of traffic directed at the victim.

  8. Other attacks are meant to consume a victim’s limited memory, etc.

  9. A standard defense to this type of attack is a network firewall. There are stateful and stateless firewalls (what are the differences, when does one suffice over the other?)
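
Items 2, 3 and 5 above, as an added example that is not from the lecture or its slides: a simulated stack frame in C showing how an over-long copy reaches the saved return address, how a stack canary catches it in the function epilogue, and how a bounds check removes the flaw. The frame layout, canary value, return address and function names are all constructed for illustration; the code only writes inside its own struct and never touches the real stack.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated frame (constructed layout, not a real ABI frame): the local
   buffer sits below the canary, which sits below the saved return address. */
struct frame { unsigned char buf[16]; uint64_t canary; uint64_t ret_addr; };

#define CANARY_VALUE 0x00c0ffee0a0dff00ULL /* constructed; real ones are random */
#define ORIG_RET     0x0000000000401136ULL /* constructed return address */

enum outcome { RETURNED_OK, RET_CORRUPTED, CANARY_TRIPPED };

/* Models an unchecked strcpy-style copy: writes n bytes starting at buf.
   Clamped to the simulated frame so the demo itself never leaves it. */
static void unchecked_copy(struct frame *f, const unsigned char *src, size_t n) {
    size_t room = sizeof *f - offsetof(struct frame, buf);
    memcpy((unsigned char *)f + offsetof(struct frame, buf), src, n < room ? n : room);
}

/* The fix for the implementation flaw: reject input larger than the buffer. */
static int bounded_copy(struct frame *f, const unsigned char *src, size_t n) {
    if (n > sizeof f->buf) return -1;
    memcpy(f->buf, src, n);
    return 0;
}

/* Function epilogue: a canary build checks the canary before using ret_addr.
   Without it, a corrupted ret_addr such as 0x4141414141414141 is not a mapped
   address, so returning to it faults and the process crashes. */
static enum outcome epilogue(const struct frame *f, int use_canary) {
    if (use_canary && f->canary != CANARY_VALUE) return CANARY_TRIPPED;
    return f->ret_addr == ORIG_RET ? RETURNED_OK : RET_CORRUPTED;
}

enum outcome call_with_input(size_t n, int use_canary, int bounded) {
    struct frame f = { {0}, CANARY_VALUE, ORIG_RET };
    unsigned char input[64];
    memset(input, 'A', sizeof input);           /* constructed input */
    if (n > sizeof input) n = sizeof input;
    if (!bounded) unchecked_copy(&f, input, n);
    else if (bounded_copy(&f, input, n) != 0) return RETURNED_OK; /* rejected, frame intact */
    return epilogue(&f, use_canary);
}

int main(void) {
    printf("fits=%d overflow=%d canary=%d bounded=%d\n", call_with_input(8, 0, 0),
           call_with_input(32, 0, 0), call_with_input(32, 1, 0), call_with_input(32, 1, 1));
    return 0;
}
```

A 20-byte input is worth trying as well: it damages the canary without reaching the return address, so the unprotected build returns normally while the canary build still aborts.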