a bit more on mitigations and the workarounds for those

This commit is contained in:
Ward Wouts 2023-03-13 15:36:58 +01:00
parent 7da89e8fbb
commit da757910c8


@ -384,13 +384,13 @@ template: inverse
]
.right-column[
- Stack canaries<br>
Place a value before the return address and check if it's been changed before returning from a function. (Good explainer here: https://www.sans.org/blog/stack-canaries-gingerly-sidestepping-the-cage/)
Place a value before the return address and check if it's been changed before returning from a function. Good explainer here: https://www.sans.org/blog/stack-canaries-gingerly-sidestepping-the-cage/
- Nonexecutable stack<br>
W^X (write or execute) won't execute code on the stack (but will still follow return addresses).
W^X (write or execute) won't execute code on the stack, but will still follow return addresses. This is why ROP (return oriented programming) was invented. And later JOP (jump oriented programming).
- Randomization<br>
Change function and stack addresses around so whenever a program is executed the locations are different.
Change function and stack addresses around so whenever a program is executed the locations are different. (On 32-bit linux only 12-bits are used for this randomization though. Which gives 4096 options, leading to a success onnce every 2048 attempts on average.)
All these can be worked around given the right conditions. They just make things annoying, euh, harder.
All these can be worked around given the right conditions. They just make things annoying, euh, harder. Better is to not have buffers with these issues in the first place.
]
---
template: inverse
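Review bot: the new randomization line has a typo ("onnce") and its arithmetic does not follow from its own numbers: if the layout is re-randomized on every execution, each attempt is an independent 1-in-4096 trial, so the expected number of attempts is 4096, not 2048 (2048 would only hold if a fixed target were enumerated without repeats). Suggest "leading to success after about 4096 attempts on average" and a citation for where the 12-bit figure comes from, since the slide states it as fact. Minor, on the non-executable stack line: W^X is normally read as "write XOR execute" (a page is writable or executable, never both), which is more precise than "write or execute" and explains why attackers fell back to reusing existing code with ROP/JOP.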