Do canaries prevent return-into-libc and return-oriented programming attacks?


Question


I am trying to understand if/how return-into-libc and return-oriented programming exploits are possible if a canary is being used.
A canary would be placed on the stack in between the return value and the buffer to be overflowed, and would need to be overwritten in order to change the return value to the location of a library function or computation. Canaries have been around since 1997 (StackGuard) and ROP is a technique first introduced in 2007 (Shacham).


Does a canary make these types of attacks impossible?

Answer


Does a canary make these types of attacks impossible?


No, it doesn't. It makes it more difficult to perform return-to-libc or ROP but it is definitely no silver bullet against such attacks.


First of all, stack canaries only protect against return address smashing through buffer overflows. But there are other ways to corrupt memory: indirect pointer overwrite or format string vulnerabilities to name two.


Second, stack canaries may be bypassed by overwriting them with the original value. I'm not saying this is easy on modern implementations but it certainly isn't impossible.


Third, although the attacks are called return-to-libc and Return Oriented Programming, who says we need return instructions to carry out those attacks? These attacks can be initiated by corrupting any memory location from which the processor will load an address to jump to. The most common example is a function pointer. But we could also overwrite the GOT or longjmp buffers. (As a side note, it has been shown that ROP can be performed without using any return instructions!)


The fourth reason is not a weakness of stack canaries in se but one of most implementations. Stack canaries are normally only placed in functions that have a stack based character buffer with a size of at least 8. Those implementations will therefore not detect overflows in other buffers. This exploit used an overflow in an integer array so it could not be detected by stack canaries.
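A small C model of what the epilogue canary check can and cannot observe, added here as an illustration and not code from the question or the answer. The frame layout, the canary value and the bogus return value are constructed; case 1 is the contiguous buffer overrun the canary catches, case 2 is the answer's first point (a write that reaches the return slot without crossing the canary).

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model of a protected frame in memory order: local buffer lowest, canary
 * directly above it, saved return address above that. A contiguous overrun
 * of buf reaches the canary first; that ordering is all the check relies on. */
typedef struct {
    char buf[16];
    uint64_t canary;
    uint64_t return_address;
} frame_t;
/* Constructed stand-ins; a real canary is random per process. */
#define CANARY_VALUE  0x7e3a91c4d2f65b00ULL
#define SAVED_RETURN  0x0000555555551234ULL
typedef struct { int canary_intact; int return_intact; } outcome_t;

static void frame_init(frame_t *f) {
    memset(f->buf, 0, sizeof f->buf);
    f->canary = CANARY_VALUE;
    f->return_address = SAVED_RETURN;
}

/* Epilogue check: a changed canary means __stack_chk_fail and abort. The
 * return-address field is reported only so the model can show what it missed. */
static outcome_t frame_epilogue(const frame_t *f) {
    outcome_t o = { f->canary == CANARY_VALUE, f->return_address == SAVED_RETURN };
    return o;
}

/* Case 1: unbounded copy of n bytes into the 16-byte buffer, the defect the
 * canary exists to catch (byte pointer keeps the overrun inside one object). */
outcome_t overrun_buffer(size_t n) {
    frame_t f;
    unsigned char payload[sizeof f];
    frame_init(&f);
    if (n > sizeof f) n = sizeof f;
    memset(payload, 'A', sizeof payload);
    memcpy((unsigned char *)&f + offsetof(frame_t, buf), payload, n);
    return frame_epilogue(&f);
}

/* Case 2: a write that never goes through buf (the answer's indirect pointer
 * overwrite) changes the return slot; the canary is intact, the check passes. */
outcome_t corrupt_return_slot(void) {
    frame_t f;
    frame_init(&f);
    f.return_address = 0x4141414141414141ULL;   /* constructed bogus value */
    return frame_epilogue(&f);
}
```

On real compilers the placement heuristic from the fourth point is a flag choice: GCC's -fstack-protector applies the 8-byte char-array rule, while -fstack-protector-strong widens it to any local array or address-taken local and -fstack-protector-all to every function.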
