sen-material: comparison handouts/ho03.tex

equal deleted inserted replaced

-:0697622fb181
+:3d1f65e43065
 very relevant even today since there are many legacy systems
 out there and also many modern embedded systems often do not
 take any precautions to prevent such attacks. The plot below
 shows the percentage of buffer overflow attacks listed in the
 US National Vulnerability Database.\footnote{Search for
-``Buffer errors'' at
+``Buffer errors'' in the advanced serach tab at
 \url{http://web.nvd.nist.gov/view/vuln/statistics}.}
 \begin{center}
 \begin{tikzpicture}
 \begin{axis}[
 xlabel={year},
 ylabel={\% of total attacks},
 ylabel style={yshift=-1em},
 enlargelimits=false,
-xtick={1997,2000,2002,...,2016},
+xtick={1997,1999,2001,...,2017},
 xmin=1996.5,
-xmax=2017,
+xmax=2018,
 ymax=21,
 ytick={0,5,...,20},
 scaled ticks=false,
 axis lines=left,
 width=12cm,
 \noindent This statistics shows that in the last seven years or so the
 number of buffer overflow attacks is around 10\% of all attacks
 (whereby the absolute numbers of attacks grow each year). So you can
 see buffer overflow attacks are very relevant today. For example, very
 recently (February 2016) a buffer overflow attack was discovered in the glibc
-library:\footnote{See \url{goo.gl/De2mA8}}
+library:\footnote{See \url{http://goo.gl/De2mA8}}
 \begin{quote}\it
-``Since 2008, vulnerability has left apps and hardware open to remote
+``Since 2008, a vulnerability has left apps and hardware open to remote
 hijacking: Researchers have discovered a potentially catastrophic flaw in
 one of the Internet's core building blocks that leaves hundreds or
 thousands of apps and hardware devices vulnerable to attacks that can take
 complete control over them.  The vulnerability was introduced in 2008 in
 GNU C Library, a collection of open source code that powers thousands of
 (1,2 and 3). The auxiliary function has two local
 buffer variables {\tt buf}$_1$ and {\tt buf}$_2$.\label{stack}}
 \end{figure}
 On the left is the stack before \code{foo} is called; on the
-right is the stack after \code{foo} finishes. The function
+right is the stack after \code{foo} finishes. The before and
+after of the stack looks the same.
+The function
 call to \code{foo} in Line 7 (in the C program above) pushes
 the arguments onto the stack in reverse order---shown in the
 middle. Therefore first 3 then 2 and finally 1. Then it pushes
 the return address onto the stack where execution should
 resume once \code{foo} has finished. The last stack pointer
 morekeywords={movl,movw},xleftmargin=5mm]
 {../progs/example1b.s}}
 \end{tabular}
 \end{center}
-\noindent You can see how the function \pcode{foo} stores
+\noindent The code for function \pcode{foo} stores
 first the last stack pointer onto the stack and then
 calculates the new stack pointer to have enough space for the
 two local buffers (Lines 2 - 4). Then it puts the two local
 buffers onto the stack and initialises them with the given
 data (Lines 5 to 9). Since there is no real computation going
 will be send to the target computer. This of course requires
 that the buffer we are trying to attack can at least contain
 the shellcode we want to run. But as you can see this is only
 47 bytes, which is a very low bar to jump over. Actually there
 are optimised versions which only need 24 bytes. More
-formidable is the choice of finding the right address to jump
+formidable is the problem of finding the right address to jump
 to. The string is typically of the form
 \begin{center}
 \begin{tikzpicture}[scale=0.6]
 \draw[line width=1mm] (-2, -1) rectangle (2,3);
 rectangle). It has to be precisely the first byte of the
 shellcode. While this is easy with the help of a debugger (as
 seen before), we typically cannot run anything, including a
 debugger, on the machine yet we target. And the address is
 very specific to the setup of the target machine. One way of
-finding out what the right address is is to try out one by one
+finding out what the right address is is to try out one-by-one
 every possible address until we get lucky. With the large
-memories available today, however, the odds are long. And if
+memories available today, however, the odds are long for this. And if
 we try out too many possible candidates too quickly, we might
 be detected by the system administrator of the target system.
 We can improve our odds considerably by making use of a very
 clever trick. Instead of adding the shellcode at the beginning
 \subsubsection*{Caveats and Defences}
 How can we defend against these attacks? Well, a reflex could
 be to blame programmers. Precautions should be taken by them
-so that buffers cannot been overfilled and format strings
+so that buffers cannot be overfilled and format strings
 should not be forgotten. This might actually be slightly
 simpler to achieve by programmers nowadays since safe versions
 of the library functions exist, which always specify the
 precise number of bytes that should be copied. Compilers also
 nowadays provide warnings when format strings are omitted. So
 harder, but not impossible. Indeed, I---as an amateur
 attacker---had to explicitly switch off these defences.
 A real attacker would be more knowledgeable and not need this
 shortcut.
-To work I run my example under an Ubuntu version ``Maverick
+To explain BoAs, I run my examples under an Ubuntu version ``Maverick
 Meerkat'' from October 2010 and the gcc 4.4.5. I have not
 tried whether newer versions would work as well. I tested all
 examples inside a virtual
 box\footnote{\url{https://www.virtualbox.org}} insulating my
 main system from any harm. When compiling the programs I
 & \pcode{-mpreferred-stack-boundary=2}\\
 & \pcode{-z execstack}
 \end{tabular}
 \end{center}
-\noindent The first two are innocent as they instruct the
+\noindent The first two options are innocent as they instruct the
 compiler to include debugging information and also produce
 non-optimised code (the latter makes the output of the code a
 bit more predictable). The third is important as it switches
 off defences like the stack canaries. The fourth again makes
 it a bit easier to read the code. The final option makes the
 stack executable, thus the example in Figure~\ref{C3} works as
-intended. While this might be considered cheating....since I
+intended. While this might be considered as a complete cheat....since I
-explicitly switched off all defences, I hope I was able convey
+explicitly switched off all defences; I hope I was able convey
 the point that this is actually not too far from realistic
 scenarios. I have shown you the classic version of the buffer
 overflow attacks. Updated and more advanced variants do exist.
 With the standard defences switched on, you might want to

changeset 546	3d1f65e43065
parent 516	0fbfb0a86fa8