Help
Options
Didn't know it?
click below
click below
Knew it?
click below
click below
Don't Know
Remaining cards (0)
Know
retry
shuffle
restart
0:00
Embed Code - If you would like this activity on your web page, copy the script below and paste it into your web page.
Normal Size Small Size show me how
Normal Size Small Size show me how
CYB2200-L6
Heap Buffer Overflow
| Question | Answer |
|---|---|
| Buffer Overflow | is a software bug in which data copied to a location in memory exceeds the size of the reserved destination area. When an overflow is triggered, the excess data overwrites the adjacent memory locations |
| what is the main reason for buffer overflows to happen | Programmers forget to check the size of the data copy. |
| types of overflows | stack overflows, heap overflows, global and static data overflows |
| Stack overflows | buffer overflows in which the target buffer is located on the runtime program stack |
| heap overflows | overflows happened in the heap |
| Global and static data overflows | the target memory is not on stack and heap. |
| WHAT CAN STACK OVERFLOW OVERWRITE? | ● Local variables ● Saved ebp (previous frame pointer) ● Return address ● Function arguments ● Previous stack frames |
| overflow counter measurers | staying within bounds and avoid using unsafe functions |
| how do you stay within bounds | Check lengths before writing • Confirm that array subscripts are within limits • Double-check boundary condition code for off-by-one errors • Limit input to the number of acceptable characters • Limit programs’ privileges to reduce potential harm |
| what are the unsafe C functions | strcpy (char *dest, const char *src) strcat (char *dest, const char *src) gets (char *s) scanf ( const char *format, ... ) printf (conts char *format, ... ) |
| how to prevent buffer overflow attacks | Code analyzers (static code analyzer) can analyze source code to identify many overflow vulnerabilities. • Black box testing • Runtime checking • Mark stack as non-executable • Stack canary (stack cookie). • Address space layout randomization (ASLR) |
| Address space layout randomization (ASLR) | Arranging the positions of key data areas randomly in a process’ address space |
| what is the heap | is a pool of memory used for dynamic allocations at runtime |
| what is used for dynamic allocations in c | malloc(), free() |
| what is used for dynamic allocations in cpp | new, delete operators |
| malloc() | grabs memory on the heap |
| free() | releases memory on the heap |
| new operators | grabs memory on the heap |
| delete operators | releases memory on the heap |
| chunk | Every memory allocation a program makes (eg. calling malloc) is internally represented by a so called "chunk |
| chunk composition | consists of metadata and the memory returned to the program |
| An allocated chuck | in use |
| A free chuck | not in use |
| Free chucks are saved in | a doubly linked list |
| how many lists are there of free chunks | There are multiple lists of free chunks |
| Previous Chunk Size | Size of previous chunk (used if the chunk is free) |
| Chunk Size | Size of the entire chunk including overhead |
| Data | your newly allocated memory (ptr returned by malloc) |
| heap flags (Flags) | the lower 3 bits of the chunk size field are used for flag bits. |
| 0x01 PREV_INUSE | set when previous chunk is in use |
| 0x02 IS_MMAPPED | set if chunk was obtained with mmap() |
| 0x04 NON_MAIN_ARENA | set if chunk belongs to a thread arena |
| A freed chunk also (besides flags?) uses the | fd and bk fields |
| what are the fd and bk fields used for | for doubly linked list |
| fd | Forward Pointer |
| bk | Backwards Pointer |
| fd forward pointer | A pointer to the next freed chunk |
| bk backwards pointer | A pointer to the previous freed chunk |
| when are heap flags used | when heap is in use |
| when are fd and bk used | when heap is not in use |
| in use | allocated |
| not in use | free |
| Free chucks are stored in a | doubly linked list |
| Assuming no memory chunks have been freed, new memory allocations are always stored | after the last allocated chunk |
| If there are previously-freed chunks of memory during chunk allocation what happens 1st step | The heap manager will first search for a free chunk that has the same size or a bit larger to service the request. if there is one, use that freed chunk for the new allocation. |
| If there are previously-freed chunks of memory during chunk allocation what happens 2nd step | Otherwise, if there is available space at the top of the heap, the heap manager will allocate a new chunk out of that available space and use that |
| If there are previously-freed chunks of memory during chunk allocation what happens 3rd step | Otherwise, the heap manager will ask the kernel to add new memory to the end of the heap, and then allocates a new chunk from this newly allocated space |
| If there are previously-freed chunks of memory during chunk allocation what happens 4th step | If all these strategies fail, the allocation can’t be serviced, and malloc returns NULL |
| what happens when a heap gets overflowed | Metadata (header data) and list pointers can be overflowed, giving attackers the opportunity to disrupt the management of heap blocks. |
| in a heap overflow attackers may set | The attackers may set the list pointers in the corrupted chunk to locations useful to an attacker. |
| What you need to do in your program (to prevent heap overflows?) | Input validation. |
Created by:
user-1830624
Popular Computers sets