diff options
author | Leonard Kugis <leonard@kug.is> | 2020-03-07 01:06:04 +0100 |
---|---|---|
committer | Leonard Kugis <leonard@kug.is> | 2020-03-07 01:06:04 +0100 |
commit | 0bad90edb3a1e432b321832575a00c7a7292530c (patch) | |
tree | b774e80d31b750adb55c8fb31dc69b7104bbea4a | |
parent | 81fad937fe9a9fbc7b492a4b7ab0041d73286a15 (diff) |
IntroSec
Added double free attack scenarios.
-rw-r--r-- | en_GB/Introduction to Information Security/introduction_to_information_security.md | 54 |
1 files changed, 53 insertions, 1 deletions
diff --git a/en_GB/Introduction to Information Security/introduction_to_information_security.md b/en_GB/Introduction to Information Security/introduction_to_information_security.md index fbdd9ad..d1ce4fb 100644 --- a/en_GB/Introduction to Information Security/introduction_to_information_security.md +++ b/en_GB/Introduction to Information Security/introduction_to_information_security.md @@ -383,7 +383,7 @@ The password is `IntroSec`. so it is likely that there is no new correct char. 4. The attacker continues, learning char by char for each processing time increase, until he got the full password. -## Software Security +## Memory management ### Buffers @@ -391,6 +391,16 @@ Logically, values are assigned to variables. In reality, for every variable, a portion of memory on the call stack gets allocated (*buffer*), and the data gets written to that buffer. Data written to the buffer is written upwards from the address allocated to the buffer. +### Allocation (Doug Lea) + +Memory is divided into chunks. These contain the user and control data (e.g. boundary tags (size, previous size)). +Adjacent free chunks are unified to one free chunk automatically. +Free chunks are stored in *bins*, which are connected in a double linked list, and sorted by size (ascending). +When a chunk is freed, `frontlink(...)` searches the *bins* list from lowest to highest size, and places the chunk in the list whenever +the chunk in the next bin is bigger than the chunk itself, and inserts the chunk in the list in that place. +`unlink(...)` does the opposite. It takes the chunk specified, looks up the chunk in the bin list, +and removes it by rearranging pointers of the next and previous bin. + ## Threat scenarios No security issues without threat models! E.g. a password is considered safe without any provided threat model. @@ -479,3 +489,45 @@ and overrides in wrong memory. - Protect return address using *canaries*. Special instructions placed before actually returning to check for correct return address. - Mark potential shellcode memory as non-executable. + +### Double Free + +#### Dependencies + +When `free(...)` is executed, `frontlink(...)` gets executed at some point transparently. +When `frontlink(...)` finds a place in the *bin* list to put the chunk, it sets the next pointer of the previous chunk +and the back pointer of the next chunk to the inserted chunk. +If this chunk gets added another time, *the previous chunk is already the inserted chunk*! +So the next pointer of the previous chunk gets gets linked to the inserted chunk. +*But with the previous chunk being already the inserted chunk, the next pointer of the inserted chunk gets linked to itself.* +Also, the back pointer of the inserted chunk gets linked to the previous chunk. +*But with the previous chunk being already the inserted chunk, the back pointer of the inserted chunk gets linked to itself.* +Invoking a `malloc(...)` (and eventually an `unlink(...)`) now will result in the chunk *not being removed* from the bin list, +due to the looping pointers on itself. + +#### Free-Free-Malloc-Malloc + +1. Prepare memory. These steps are for target and shellcode preparation. The chunks inbetween ensure, that the chunks dont get unified on `free`. +1.1 Allocate top memory chunk. +1.2 Allocate target chunk from top memory chunk. +1.3 Allocate top memory chunk. +1.4 Allocate shellcode chunk. +2. Perform `free` on target chunk twice. +3. Call `malloc` with size of target chunk. We might get the target junk again, *but it won't get removed from the bin list*. +4. Chunk is now writable. Overwrite *back* pointer with attack target address, and *next* pointer with attack target value. +5. Call `malloc` again. `unlink` algorithm will overwrite memory at *back* with *next*. + +#### Free-Malloc-Free + +1. Allocate memory chunk *A*. +2. `free(A)`, hope that the chunk gets unified with the following chunk. +3. Allocate large chunk *B*, hope to get the chunk just freed. +4. Write ghost chunk data to *B* so, that it appears to be a chunk at *A*, and an unallocated adjacent chunk. +5. Call `free(A)` again. `unlink` is applied to ghost chunk. Unifying will overwrite a target address. + +#### Countermeasure: Canary + +Add *canary* to end of chunk, checksumming the chunks control data, signed with secret key. + +1. On allocation, add calculate checksum over chunk control data and add canary. +2. On `free`, recalculate checksum. If they mismatch, throw error. |