--- a/handouts/ho03.tex Tue Oct 03 22:43:03 2017 +0100
+++ b/handouts/ho03.tex Sun Oct 08 23:49:40 2017 +0100
@@ -41,7 +41,7 @@
take any precautions to prevent such attacks. The plot below
shows the percentage of buffer overflow attacks listed in the
US National Vulnerability Database.\footnote{Search for
-``Buffer errors'' at
+``Buffer errors'' in the advanced serach tab at
\url{http://web.nvd.nist.gov/view/vuln/statistics}.}
\begin{center}
@@ -51,9 +51,9 @@
ylabel={\% of total attacks},
ylabel style={yshift=-1em},
enlargelimits=false,
- xtick={1997,2000,2002,...,2016},
+ xtick={1997,1999,2001,...,2017},
xmin=1996.5,
- xmax=2017,
+ xmax=2018,
ymax=21,
ytick={0,5,...,20},
scaled ticks=false,
@@ -76,10 +76,10 @@
(whereby the absolute numbers of attacks grow each year). So you can
see buffer overflow attacks are very relevant today. For example, very
recently (February 2016) a buffer overflow attack was discovered in the glibc
-library:\footnote{See \url{goo.gl/De2mA8}}
+library:\footnote{See \url{http://goo.gl/De2mA8}}
\begin{quote}\it
-``Since 2008, vulnerability has left apps and hardware open to remote
+``Since 2008, a vulnerability has left apps and hardware open to remote
hijacking: Researchers have discovered a potentially catastrophic flaw in
one of the Internet's core building blocks that leaves hundreds or
thousands of apps and hardware devices vulnerable to attacks that can take
@@ -216,7 +216,9 @@
\end{figure}
On the left is the stack before \code{foo} is called; on the
-right is the stack after \code{foo} finishes. The function
+right is the stack after \code{foo} finishes. The before and
+after of the stack looks the same.
+The function
call to \code{foo} in Line 7 (in the C program above) pushes
the arguments onto the stack in reverse order---shown in the
middle. Therefore first 3 then 2 and finally 1. Then it pushes
@@ -265,7 +267,7 @@
\end{tabular}
\end{center}
-\noindent You can see how the function \pcode{foo} stores
+\noindent The code for function \pcode{foo} stores
first the last stack pointer onto the stack and then
calculates the new stack pointer to have enough space for the
two local buffers (Lines 2 - 4). Then it puts the two local
@@ -509,7 +511,7 @@
the shellcode we want to run. But as you can see this is only
47 bytes, which is a very low bar to jump over. Actually there
are optimised versions which only need 24 bytes. More
-formidable is the choice of finding the right address to jump
+formidable is the problem of finding the right address to jump
to. The string is typically of the form
\begin{center}
@@ -532,9 +534,9 @@
seen before), we typically cannot run anything, including a
debugger, on the machine yet we target. And the address is
very specific to the setup of the target machine. One way of
-finding out what the right address is is to try out one by one
+finding out what the right address is is to try out one-by-one
every possible address until we get lucky. With the large
-memories available today, however, the odds are long. And if
+memories available today, however, the odds are long for this. And if
we try out too many possible candidates too quickly, we might
be detected by the system administrator of the target system.
@@ -661,7 +663,7 @@
How can we defend against these attacks? Well, a reflex could
be to blame programmers. Precautions should be taken by them
-so that buffers cannot been overfilled and format strings
+so that buffers cannot be overfilled and format strings
should not be forgotten. This might actually be slightly
simpler to achieve by programmers nowadays since safe versions
of the library functions exist, which always specify the
@@ -748,7 +750,7 @@
A real attacker would be more knowledgeable and not need this
shortcut.
-To work I run my example under an Ubuntu version ``Maverick
+To explain BoAs, I run my examples under an Ubuntu version ``Maverick
Meerkat'' from October 2010 and the gcc 4.4.5. I have not
tried whether newer versions would work as well. I tested all
examples inside a virtual
@@ -765,15 +767,15 @@
\end{tabular}
\end{center}
-\noindent The first two are innocent as they instruct the
+\noindent The first two options are innocent as they instruct the
compiler to include debugging information and also produce
non-optimised code (the latter makes the output of the code a
bit more predictable). The third is important as it switches
off defences like the stack canaries. The fourth again makes
it a bit easier to read the code. The final option makes the
stack executable, thus the example in Figure~\ref{C3} works as
-intended. While this might be considered cheating....since I
-explicitly switched off all defences, I hope I was able convey
+intended. While this might be considered as a complete cheat....since I
+explicitly switched off all defences; I hope I was able convey
the point that this is actually not too far from realistic
scenarios. I have shown you the classic version of the buffer
overflow attacks. Updated and more advanced variants do exist.