CSE 127 Lecture 6: L6 10/11/18
Document Summary
Notes:

- If the attacker doesn't know where in memory their shellcode is stored, it's hard to make the processor jump there.
- Mitigation: add a random offset to the stack base. Assumption: it is hard for attackers to guess the location of their shellcode on the stack.
- Weaknesses: an information leak reveals where things are in the stack; a longer NOP sled ("sled all the way to my shellcode") tolerates an inexact guess.
- ASLR extends the concept to other sections of process memory. Requires compiler, linker, and loader support! (quite expensive)
- Heap spraying: allocate jillions of copies of the shellcode (with big NOP sleds) and then jump blindly into the heap.
- Stopping malicious code injection doesn't stop malicious code from being executed!
- Integer overflow: because of the fixed width, it is possible to overflow or wrap the maximum expressible number for the type used. E.g. -1 passed where an unsigned value is expected is treated as all 1's, so a super large malloc().

Code fragment from the lecture (integer overflow in length arithmetic):

    void *concatbytes(void *buf1, unsigned int len1, char *buf2, unsigned int len2)
    /* ... inside the body, after the allocation: */
    if (buf == NULL) return NULL;
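The following is an added example, not code from the lecture. It assumes the body of concatbytes() that the notes only imply (allocate len1 + len2 bytes, then copy both inputs) and a 32-bit unsigned int; wrapped_total(), checked_add_u32() and concatbytes_safe() are names chosen here. It shows the wrapped sum that turns a huge length into a tiny malloc(), and the overflow-checked version that rejects such lengths before allocating.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The length arithmetic the lecture's concatbytes() performs (assumed body:
 * malloc(len1 + len2) followed by two memcpy calls). With 32-bit unsigned
 * lengths the sum silently wraps modulo 2^32, so a large len1 or len2 can
 * yield a tiny allocation while the copies still use the full lengths:
 * a heap overflow. */
unsigned int wrapped_total(unsigned int len1, unsigned int len2)
{
    return len1 + len2;             /* wraps, no error reported */
}

/* Overflow-checked addition: returns 1 and stores the sum if it fits in an
 * unsigned int, 0 if len1 + len2 would exceed UINT_MAX. */
int checked_add_u32(unsigned int len1, unsigned int len2, unsigned int *out)
{
    if (len1 > UINT_MAX - len2)
        return 0;
    *out = len1 + len2;
    return 1;
}

/* Hardened concatbytes (assumed name): refuses lengths whose sum does not
 * fit, so the allocation size and the copy sizes always agree.
 * The caller still has to pass lengths that match the source buffers;
 * the caller frees the result. */
void *concatbytes_safe(const void *buf1, unsigned int len1,
                       const void *buf2, unsigned int len2)
{
    unsigned int total;
    if (buf1 == NULL || buf2 == NULL)
        return NULL;
    if (!checked_add_u32(len1, len2, &total))
        return NULL;                /* sum would have wrapped: reject */
    char *buf = malloc(total ? total : 1);
    if (buf == NULL)
        return NULL;
    memcpy(buf, buf1, len1);
    memcpy(buf + len1, buf2, len2);
    return buf;
}

int main(void)
{
    /* constructed sample inputs */
    const char a[] = "hello ", b[] = "world";

    unsigned int w = wrapped_total(0xFFFFFFF0u, 0x20u);
    printf("0xFFFFFFF0 + 0x20 wraps to 0x%x: malloc() would get %u bytes\n", w, w);

    char *s = concatbytes_safe(a, 6, b, 6);      /* 6 includes b's NUL */
    printf("safe concat: %s\n", s ? s : "(null)");
    free(s);

    /* -1 converted to unsigned int is UINT_MAX; adding 1 would wrap to 0 */
    void *r = concatbytes_safe(a, (unsigned int)-1, b, 1);
    printf("overflowing lengths rejected: %s\n", r == NULL ? "yes" : "no");
    return 0;
}
```

The check `len1 > UINT_MAX - len2` cannot itself overflow, which is why it is written that way rather than testing `len1 + len2 < len1` after the fact; modern compilers also offer `__builtin_add_overflow()` for the same purpose.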