Return-to-libc attack: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
Mmernex (talk | contribs)
m (No edit summary)
fixed the instruction link such that it now links to the instruction page instead of the function page
Line 1: Line 1:
{{refimprove|date=April 2009}}
{{refimprove|date=April 2009}}
A '''return-to-libc attack''' is a [[computer security]] attack usually starting with a [[buffer overflow]] in which the [[return statement|return address]] on the [[stack]] is replaced by the address of another [[function (computer science)|instruction]] and an additional portion of the stack is overwritten to provide arguments to this function. This allows attackers to call preexisting functions without the need to inject malicious code into a program.
A '''return-to-libc attack''' is a [[computer security]] attack usually starting with a [[buffer overflow]] in which the [[return statement|return address]] on the [[stack]] is replaced by the address of another [[instruction (computer science)|instruction]] and an additional portion of the stack is overwritten to provide arguments to this function. This allows attackers to call preexisting functions without the need to inject malicious code into a program.


The shared library called "<code>[[libc]]</code>" provides the C runtime on [[UNIX]] style systems. Although the attacker could make the code return anywhere, <code>libc</code> is the most likely target, as it is always linked to the program, and it provides useful calls for an attacker (such as the <code>[[system (C standard library)|system]]()</code> call to execute an arbitrary program, which needs only one argument). This is why the exploit is called "return-to-libc" even when the return address may point to a completely different location.
The shared library called "<code>[[libc]]</code>" provides the C runtime on [[UNIX]] style systems. Although the attacker could make the code return anywhere, <code>libc</code> is the most likely target, as it is always linked to the program, and it provides useful calls for an attacker (such as the <code>[[system (C standard library)|system]]()</code> call to execute an arbitrary program, which needs only one argument). This is why the exploit is called "return-to-libc" even when the return address may point to a completely different location.
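Review bot: the link retarget in the first paragraph is right (a link labelled "instruction" now points at the instruction article rather than the function article), but the sentence is left with a dangling reference: it now reads "the address of another instruction and an additional portion of the stack is overwritten to provide arguments to this function", and "this function" no longer has an antecedent. Suggest keeping the new link and restoring the antecedent, e.g. "the address of another [[instruction (computer science)|instruction]] (usually the entry point of an existing function) ... to provide arguments to that function", which also matches the next sentence's "call preexisting functions".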

Revision as of 21:44, 25 April 2009

A return-to-libc attack is a computer security attack usually starting with a buffer overflow in which the return address on the stack is replaced by the address of another instruction (usually the entry point of an existing function) and an additional portion of the stack is overwritten to provide arguments to that function. This allows attackers to call preexisting functions without the need to inject malicious code into a program.

The shared library called "libc" provides the C runtime on UNIX-style systems. Although the attacker could make the code return anywhere, libc is the most likely target, as it is always linked to the program and it provides calls that are useful to an attacker (such as the system() call, which executes an arbitrary program and needs only one argument). This is why the exploit is called "return-to-libc" even when the return address may point to a completely different location.

Protection from return-to-libc attacks

A non-executable stack can prevent some buffer overflow attacks, but not a return-to-libc attack, because a return-to-libc attack uses only existing executable code. On the other hand, these attacks can only call preexisting functions. Stack-smashing protection can prevent or obstruct exploitation, as it can detect the corruption of the stack and possibly flush out the compromised segment. Address space layout randomization (ASLR) makes this type of attack extremely unlikely to succeed on 64-bit machines, as the memory locations of functions are randomized; however, Shacham et al. show that on 32-bit machines ASLR provides little benefit.
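The following C program is an added example, not part of the Wikipedia article, illustrating the two points above: the overflow mechanism described in the opening paragraph (an unbounded copy that runs past a buffer and reaches the saved return address) and the stack-smashing protection described in this section (a canary placed between the buffer and the return address, checked before the function returns). To keep the demonstration well-defined, the "stack frame" is a struct constructed for this example rather than the real frame, and the canary and return-address values are constructed constants; a real canary is random per process and a real frame layout is chosen by the compiler. The bounded copy shows the fix that removes the overflow in the first place.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 16

/* Simulated stack frame (constructed for this example): a fixed buffer, then
 * the canary that stack-smashing protection places below the saved return
 * address, then the slot a return-to-libc attack overwrites. */
struct frame {
    char     buf[BUF_SIZE];
    uint64_t canary;
    uint64_t saved_ret;
};

/* Constructed values. A real canary is random per process; a real return
 * address points back into the caller. */
#define CANARY_VALUE 0x7f3a19c2d4e5b601ULL
#define RET_VALUE    0x0000000000401136ULL

typedef struct {
    int accepted;        /* 1 if the copy was performed at all */
    int canary_intact;   /* what the function epilogue check would see */
    int ret_overwritten; /* 1 if the saved return address changed */
} copy_result;

static void frame_init(struct frame *f) {
    memset(f->buf, 0, BUF_SIZE);
    f->canary = CANARY_VALUE;
    f->saved_ret = RET_VALUE;
}

static copy_result inspect(const struct frame *f, int accepted) {
    copy_result r;
    r.accepted = accepted;
    r.canary_intact = (f->canary == CANARY_VALUE);
    r.ret_overwritten = (f->saved_ret != RET_VALUE);
    return r;
}

/* The classic bug: a copy that keeps writing past buf into whatever follows
 * it. The write is clamped to the simulated frame so it never touches the
 * process's real stack. */
static copy_result run_unbounded(const unsigned char *input, size_t len) {
    struct frame f;
    frame_init(&f);
    if (len > sizeof f) len = sizeof f;
    memcpy((unsigned char *)&f, input, len);
    return inspect(&f, 1);
}

/* The fix: reject input that does not fit and NUL-terminate what does, so
 * nothing outside buf is ever written. */
static copy_result run_bounded(const unsigned char *input, size_t len) {
    struct frame f;
    frame_init(&f);
    if (len >= BUF_SIZE)
        return inspect(&f, 0);
    memcpy(f.buf, input, len);
    f.buf[len] = '\0';
    return inspect(&f, 1);
}

/* Builds an oversized input of `len` non-zero bytes (capped at the scratch
 * buffer) standing in for an attacker-controlled string. */
static size_t make_input(unsigned char *out, size_t cap, size_t len) {
    if (len > cap) len = cap;
    memset(out, 'A', len);
    return len;
}

/* 1 if the canary check would abort the function before the (possibly
 * overwritten) return address is used. */
int canary_detects(size_t input_len) {
    unsigned char in[64];
    size_t n = make_input(in, sizeof in, input_len);
    copy_result r = run_unbounded(in, n);
    return r.accepted && !r.canary_intact;
}

/* 1 if an unbounded copy of this length reaches the saved return address. */
int return_address_reached(size_t input_len) {
    unsigned char in[64];
    size_t n = make_input(in, sizeof in, input_len);
    return run_unbounded(in, n).ret_overwritten;
}

/* 1 if the bounded copy accepts an input of this length. */
int bounded_accepts(size_t input_len) {
    unsigned char in[64];
    size_t n = make_input(in, sizeof in, input_len);
    return run_bounded(in, n).accepted;
}

int main(void) {
    size_t lens[] = {8, 20, 32};
    for (size_t i = 0; i < 3; i++)
        printf("len %2zu: canary detects=%d, return address reached=%d, bounded accepts=%d\n",
               lens[i], canary_detects(lens[i]), return_address_reached(lens[i]),
               bounded_accepts(lens[i]));
    return 0;
}
```

The frame is 32 bytes (16 of buffer, 8 of canary, 8 of return address), so an input of 20 bytes already clobbers the canary without reaching the return address, which is exactly the case the canary exists for: the corruption is caught at the epilogue check even though the attacker has not yet redirected control. An input of 32 bytes reaches the return-address slot, which is the write a return-to-libc attack needs; with the canary in place it is still detected, and with the bounded copy it never happens.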

References

  • Shacham, Hovav; et al. "On the Effectiveness of Address-Space Randomization" (PDF). Proc. of CCS 2004.
