
Difference between revisions of "DEP"

From NetSec
(Magic Numbers and ASLR)
 
(4 intermediate revisions by 2 users not shown)
Line 1: Line 1:
<b>D</b>ata <b>E</b>xecution <b>P</b>revention.
+
<b>D</b>ata <b>E</b>xecution <b>P</b>revention is a hardware-layer feature provided by modern [[instruction set architecture]]s.  On Intel CPU's, this is called the '''NX bit''', and on AMD CPU's, this is called the '''XD bit'''.  These bits provide the [[assembly]] instructions '''jno''' and '''jo''', ''jump if no overflow'' and ''jump if overflow'', respectively.
  
 +
 +
 +
 +
 +
 +
 +
 +
 +
<includeonly>
 
Microsoft's Windows XP SP2 Operating System was Microsoft's first real attempt at data execution prevention. While the attempt was in fact a feeble one, it laid the ground work for later innovations, for example [[ASLR]], or [[ASLR|Address Space Layout Randomization]] employed by Microsoft's Windows Vista Operating System.
 
Microsoft's Windows XP SP2 Operating System was Microsoft's first real attempt at data execution prevention. While the attempt was in fact a feeble one, it laid the ground work for later innovations, for example [[ASLR]], or [[ASLR|Address Space Layout Randomization]] employed by Microsoft's Windows Vista Operating System.
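Review bot: The added `+` line at the top of this hunk gets the mechanism wrong: jno and jo are conditional branches on the arithmetic overflow flag (OF) and have nothing to do with execute protection, and the vendor names are swapped (Intel brands the bit XD, Execute Disable; AMD brands it NX, No-Execute; both are the same bit in the page-table entry). Suggest replacing the last sentence with something like: "Both names refer to a per-page bit in the page tables; an instruction fetch from a page with the bit set raises a fault, so data on the stack or heap cannot be run as code."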
  
Line 23: Line 32:
  
 
==Magic Numbers and ASLR==
 
==Magic Numbers and ASLR==
I'm sure that this list will be constantly updated and/or rewritten as versions and the years go by. This is the simple DEP bypass for Windows XP SP2. As mentioned before, Windows Vista employs something called [[ASLR|Address Space Layout Randomization]]. To bypass this runtime data execution prevention, one must overwrite what is called the SEH frame, or the Structured Exception Handler frame. This frame is located near the bottom of the stack and is used to define whether the [[applications|application]] uses windows' exception handler or if the application has its own exception handler. Generally speaking, exploitation is much more successful when the attacker writes his or her own exception handler for the vulnerable application. An overwritten exception handler allows for what is called a "magic number attack", or an attack where the attacker no longer needs to know the location of his [[shellcode]], in stead the attacker uses the exception handler to find out the location and jump to it during the exception handling execution cycle, not only bypassing data execution prevention but also making his or her exploitation cross-version compatible as no absolute pointers are needed for this type of exploitation.
+
I'm sure that this list will be constantly updated and/or rewritten as versions and the years go by. This is the simple DEP bypass for Windows XP SP2. As mentioned before, Windows Vista employs something called [[ASLR|Address Space Layout Randomization]]. To bypass this runtime data execution prevention, one must overwrite what is called the SEH frame, or the Structured Exception Handler frame. This frame is located near the bottom of the stack and is used to define whether the [[application]] uses windows' exception handler or if the application has its own exception handler. Generally speaking, exploitation is much more successful when the attacker writes his or her own exception handler for the vulnerable application. An overwritten exception handler allows for what is called a "magic number attack", or an attack where the attacker no longer needs to know the location of his [[shellcode]], in stead the attacker uses the exception handler to find out the location and jump to it during the exception handling execution cycle, not only bypassing data execution prevention but also making his or her exploitation cross-version compatible as no absolute pointers are needed for this type of exploitation.
  
 
[[Category:Buffer Overflows]]
 
[[Category:Buffer Overflows]]
 +
 +
{{countermeasures}}
 +
</includeonly>
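Review bot: The "Magic Numbers and ASLR" paragraph overclaims what overwriting the SEH handler achieves: it removes the need for an absolute address to the payload (the ASLR side of the heading), but on its own it does not make a data page executable, so calling it a bypass of "runtime data execution prevention" is not supported by the paragraph's own description. Suggest rewording to say it defeats address dependence, and adding that SafeSEH and SEHOP, which Microsoft introduced specifically against handler overwrites, are the countermeasures to mention under {{countermeasures}}. Minor: "in stead" should be "instead".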

Latest revision as of 04:40, 19 November 2012

Data Execution Prevention is a hardware-layer feature provided by modern instruction set architectures. On Intel CPUs, this is called the NX bit, and on AMD CPUs, this is called the XD bit. These bits provide the assembly instructions jno and jo, jump if no overflow and jump if overflow, respectively.
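As an added example, not code from the NetSec wiki, here is a small Linux program that checks whether the NX/XD protection described above is actually enforced on the host: it forks a child that places a single `ret` instruction in a read/write page and calls it, expecting a SIGSEGV, and optionally repeats with the page re-marked read/execute to show that only an explicit permission change lets the bytes run. It assumes Linux on x86 or AArch64; the function and outcome names are my own.

```c
#define _DEFAULT_SOURCE
#include <signal.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20  /* Linux value, in case the headers hide the macro */
#endif

/* Outcomes reported by the probing child (assumed names, not from the wiki). */
enum { PROBE_EXECUTED = 0, PROBE_MPROTECT_FAILED = 2, PROBE_FAULTED = 3, PROBE_ERROR = 4 };

/* A lone "ret" instruction for the host CPU: the only bytes the data page will hold. */
#if defined(__x86_64__) || defined(__i386__)
static const unsigned char RET_STUB[] = { 0xC3 };
#elif defined(__aarch64__)
static const unsigned char RET_STUB[] = { 0xC0, 0x03, 0x5F, 0xD6 };  /* ret (little-endian) */
#else
#error "this demo only knows the ret encoding for x86 and AArch64"
#endif

/* Fork a child that writes RET_STUB into a fresh read/write page and calls it.
 * With DEP/NX enforced the call faults (SIGSEGV): the page has no PROT_EXEC.
 * When make_executable is nonzero the child first flips the page to read/execute,
 * which is the only sanctioned way for code placed in that page to run. */
int probe_data_page_execution(int make_executable) {
    pid_t pid = fork();
    if (pid < 0) return PROBE_ERROR;
    if (pid == 0) {
        size_t psz = (size_t)sysconf(_SC_PAGESIZE);
        void *page = mmap(NULL, psz, PROT_READ | PROT_WRITE,
                          MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
        if (page == MAP_FAILED) _exit(PROBE_ERROR);
        memcpy(page, RET_STUB, sizeof RET_STUB);
        __builtin___clear_cache((char *)page, (char *)page + sizeof RET_STUB);
        if (make_executable && mprotect(page, psz, PROT_READ | PROT_EXEC) != 0)
            _exit(PROBE_MPROTECT_FAILED);
        void (*stub)(void);
        memcpy(&stub, &page, sizeof stub);  /* object -> function pointer, no cast warning */
        stub();                             /* faults right here when the page is data-only */
        _exit(PROBE_EXECUTED);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return PROBE_ERROR;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGSEGV) return PROBE_FAULTED;
    return WIFEXITED(status) ? WEXITSTATUS(status) : PROBE_ERROR;
}
```

PROBE_FAULTED for the read/write page is what a correctly configured host produces; PROBE_EXECUTED there would mean DEP is not in force for this process.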