[HGI-News] HGI-Seminar 19.12.2005

Newsletter of the Horst Görtz Institute hgi-news at lists.ruhr-uni-bochum.de
Sun Dec 11 22:36:22 CET 2005


========================================================================

                               Thomas Dullien
                          Ruhr-Universität Bochum


                   Monday, 19.12.2005, 13:15, IC 4/30


                   Attacks on uninitialized local variables


Abstract:
Buffer overflows have been abused in order to compromise software systems
for the better part of the last 25 years. In recent years, many restricted
solutions to curb their negative effect (stack canaries, frontlink/backlink
verification for heap implementations, reordering of local variables) have
been proposed and implemented in most popular compilers and operating
systems. What is commonly overlooked is that the 'general' problem is the
ability of attackers to trigger behaviour that is 'undefined' by the ANSI
C99 standard, not the (relatively small) subclass of 'buffer overflow'.
Other 'undefined' situations can be abused to compromise software systems.

This presentation focuses on access to uninitialized local variables.
A common programming mistake is a situation where, under some exceptional
conditions, a local variable is not initialized prior to its first use. As
local variables are usually allocated on the stack, the memory thus used
is not zeroed and may contain values 'left over' from other parts of the
program. Most discussions of this topic imply that these values cannot be
controlled by an attacker in a meaningful manner, and thus that use of
uninitialized variables means no security risk beyond a denial of service
(e.g. application crash). This talk proposes methods with which an attacker
can determine the set of functions in a program that access the same memory
range that will later on be re-used by the faulty function. By constructing
several specialized graphs from the disassembly of a program, it is possible
to determine the set of functions that might be used to control the
'uninitialized' values.

A direct application in which this method was used to compromise a
commercial VPN solution will be discussed, too.
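The programming mistake the abstract describes, as an added illustration that is not part of the announcement or of the talk: a parser whose exceptional path (a truncated header) skips the assignment of its locals, shown next to a version that initializes every local and rejects the exceptional input before any use. The two-byte-length message format, the function names and the MAX_PAYLOAD limit are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_PAYLOAD 64   /* assumed limit for this constructed format */

/*
 * Constructed message format (assumption, not from the talk): a two-byte
 * big-endian length followed by that many payload bytes. Both parsers copy
 * the payload into a caller-supplied buffer and return the copied length,
 * or -1 on error.
 */

/* The pattern from the abstract: on the exceptional path (fewer than two
 * header bytes) neither `len` nor `copy` is ever assigned, so the final
 * memcpy reads whatever an earlier call left in this region of the stack.
 * A large stale `len` crashes the process; a small one leaks stale stack
 * bytes into `out`. Reading an uninitialized local is undefined behaviour
 * in C99, so this function is shown for comparison only and is not called
 * anywhere in this file. */
int parse_message_unsafe(const unsigned char *msg, size_t n,
                         unsigned char *out)
{
    size_t len;                      /* not initialized */
    unsigned char copy[MAX_PAYLOAD]; /* not initialized */

    if (n >= 2) {
        len = ((size_t)msg[0] << 8) | msg[1];
        if (len > MAX_PAYLOAD || len > n - 2)
            return -1;
        memcpy(copy, msg + 2, len);
    }
    /* n < 2: `len` and `copy` still hold leftover stack contents */
    memcpy(out, copy, len);
    return (int)len;
}

/* Hardened version: every local is initialized at its declaration and the
 * exceptional condition is handled explicitly before any use, so no path
 * can observe memory left over from another function. */
int parse_message_safe(const unsigned char *msg, size_t n,
                       unsigned char *out)
{
    size_t len = 0;
    unsigned char copy[MAX_PAYLOAD] = {0};

    if (msg == NULL || out == NULL || n < 2)
        return -1;                   /* truncated header: reject */
    len = ((size_t)msg[0] << 8) | msg[1];
    if (len > MAX_PAYLOAD || len > n - 2)
        return -1;                   /* length field does not fit */
    memcpy(copy, msg + 2, len);
    memcpy(out, copy, len);
    return (int)len;
}

int main(void)
{
    /* constructed input: length 3, payload "abc" */
    const unsigned char msg[] = { 0x00, 0x03, 'a', 'b', 'c' };
    unsigned char out[MAX_PAYLOAD];

    printf("well-formed message: %d bytes copied\n",
           parse_message_safe(msg, sizeof msg, out));
    printf("truncated header:    %d (rejected)\n",
           parse_message_safe(msg, 1, out));
    return 0;
}
```

The defender's checks for this class of bug are compile-time and run-time instrumentation rather than manual review alone: gcc's `-Wall` includes `-Wuninitialized` (and, with optimization enabled, `-Wmaybe-uninitialized`), clang's MemorySanitizer (`-fsanitize=memory`) reports the uninitialized read in the unsafe variant at the `memcpy` call, and Valgrind's memcheck flags the use of the stale `len` when it reaches a conditional or a system call.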


========================================================================

Organisation:
Prof. Dr. Roberto Avanzi
Faculty for Mathematics
Ruhr-University Bochum
44780 Bochum, Germany

URL:   http://www.cits.rub.de
          http://www.rub.de/hgi


_______________________________________________
HGI-News mailing list

Information at:
http://lists.ruhr-uni-bochum.de/mailman/listinfo/hgi-news