Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
Buffer overflow
(section)
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
===Pointer protection=== Buffer overflows work by manipulating [[Pointer (computer programming)|pointers]], including stored addresses. PointGuard was proposed as a compiler-extension to prevent attackers from reliably manipulating pointers and addresses.<ref>{{cite web|url=http://www.usenix.org/events/sec03/tech/full_papers/cowan/cowan_html/index.html|title=12th USENIX Security Symposium β Technical Paper|website=www.usenix.org|access-date=3 April 2018}}</ref> The approach works by having the compiler add code to automatically XOR-encode pointers before and after they are used. Theoretically, because the attacker does not know what value will be used to encode and decode the pointer, one cannot predict what the pointer will point to if it is overwritten with a new value. PointGuard was never released, but Microsoft implemented a similar approach beginning in [[Windows XP]] SP2 and [[Windows Server 2003]] SP1.<ref>{{cite web|url=http://blogs.msdn.com/michael_howard/archive/2006/01/30/520200.aspx|title=Protecting against Pointer Subterfuge (Kinda!)|website=msdn.com|access-date=3 April 2018|archive-url=https://web.archive.org/web/20100502021754/http://blogs.msdn.com/michael_howard/archive/2006/01/30/520200.aspx|archive-date=2010-05-02|url-status=dead}}</ref> Rather than implement pointer protection as an automatic feature, Microsoft added an API routine that can be called. This allows for better performance (because it is not used all of the time), but places the burden on the programmer to know when its use is necessary. Because XOR is linear, an attacker may be able to manipulate an encoded pointer by overwriting only the lower bytes of an address. This can allow an attack to succeed if the attacker can attempt the exploit multiple times or complete an attack by causing a pointer to point to one of several locations (such as any location within a NOP sled).<ref>{{cite web|url=http://www.usenix.org/publications/login/2005-06/pdfs/alexander0506.pdf |archive-url=https://ghostarchive.org/archive/20221009/http://www.usenix.org/publications/login/2005-06/pdfs/alexander0506.pdf |archive-date=2022-10-09 |url-status=live|title=USENIX - The Advanced Computing Systems Association|website=www.usenix.org|access-date=3 April 2018}}</ref> Microsoft added a random rotation to their encoding scheme to address this weakness to partial overwrites.<ref>{{cite web|url=http://blogs.msdn.com/michael_howard/archive/2006/08/16/702707.aspx|title=Protecting against Pointer Subterfuge (Redux)|website=msdn.com|access-date=3 April 2018|archive-url=https://web.archive.org/web/20091219202748/http://blogs.msdn.com/michael_howard/archive/2006/08/16/702707.aspx|archive-date=2009-12-19|url-status=dead}}</ref>
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)