Memory Corruption

General considerations

Abandon C and C++!

Statistics

Technical

Memory management and function calling

More in depth

  • Slides and textbook chapter from Computer Security at Berkeley (CS161). Discusses format string and integer conversion vulnerabilities.
  • Slides on memory corruption from Software Security at Radboud University (prof. Erik Poll). Discusses format string and integer conversion vulnerabilities (as well as many subtle C bugs).
  • A short video explaining how to write an exploit for a toy application: a C program (compiled and run without any mitigation) where a password is read with gets(). By overflowing the password variable, the execution flow bypasses the password check (stack smashing, code reuse; no shellcode is injected). It gives an idea of how to determine the correct address values to write over the return address on the stack. Running this toy example requires disabling the stack canary.
  • Handout Slides on Security from Cambridge University (2020-2021). Much material on various topics, including memory safety vulnerabilities examples and mitigations.
  • An Introduction to Exploit Reliability A big consideration when you're writing exploits professionally is exploit reliability: a measure of an exploit's failure rate. If your exploit is 100% reliable, you know it's always going to succeed. If it's 90% reliable, then your exploit will fail in one in ten cases, and so on. Take a look at the CISA KEV database or the CISA/FBI most exploited CVEs list -- most of the issues listed are not memory corruption vulnerabilities. Instead, we commonly see logic issues like command injection, path traversal, and deserialization bugs, all of which typically have extremely high exploit reliability.

Some fundamental papers

Mitigations

  • Slides and textbook chapter from Computer Security at Berkeley (CS161). Discusses mitigations and corresponding circumventions (slightly) more in depth than in our lectures (heavily based on these slides, though).
  • Slides on memory corruption from Software Security at Radboud University (prof. Erik Poll). The final part of the slides mentions many more defenses than those in our lectures. Not in depth, but broad enough coverage to get an idea of the landscape.
  • Use compiler flags for stack protection in GCC and Clang. This article discusses the major stack protection mechanisms in the GNU Compiler Collection (GCC) and Clang, typical attack scenarios, and the compiler's attempts to prevent attacks.

Software security

  • The Cyber Security Body Of Knowledge has several high-level documents on many topics in Cybersecurity. Those on "Software Security" and on "Secure Software Lifecycle" may be interesting.
  • The Software Security course at Radboud University (prof. Erik Poll) has a lot of very interesting material.

Appendix - Reverse engineering

This topic is out of scope. These links may be useful for getting an idea of how to analyze the internals and memory layout of an existing program or device.

  • A curated list of reverse engineering resources
  • How to Use Ghidra to Reverse Engineer Malware There are numerous tools freely available to cybersecurity professionals to assist in analyzing malware. Ghidra was first released a couple of years ago and has proved to be relatively popular due to it being a free tool that can be used to disassemble malware.
  • IDA disassembler. Many tutorials are available online.
  • I Hacked into my Son's Baby Monitor, for Safety Nice video, part of a longer playlist devoted to reverse engineering.
  • Frida Dynamic code instrumentation toolkit. It lets you inject snippets of JavaScript or your own library into native apps on Windows, macOS, GNU/Linux, iOS, watchOS, tvOS, Android, FreeBSD, and QNX. Frida also provides you with some simple tools built on top of the Frida API. These can be used as-is, tweaked to your needs, or serve as examples of how to use the API.