Return-to-libc Attack

A "return-to-libc" attack is a computer security attack usually starting with a buffer overflow in which a subroutine return address on a call stack is replaced by an address of a subroutine that is already present in the process' executable memory, bypassing the NX bit feature (if present) and ridding the attacker of the need to inject their own code.

On POSIX-compliant operating systems the C standard library is commonly used to provide a standard runtime environment for programs written in the C programming language. Although the attacker could make the code return anywhere, libc is the most likely target, as it is almost always linked to the program, and it provides useful calls for an attacker (such as the system function used to execute shell commands).

Protection from return-to-libc attacks

A non-executable stack can prevent some buffer overflow exploitation, however it cannot prevent a return-to-libc attack because in the return-to-libc attack only existing executable code is used. On the other hand these attacks can only call preexisting functions. Stack-smashing protection can prevent or obstruct exploitation as it may detect the corruption of the stack and possibly flush out the compromised segment.

"ASCII armoring" is a technique that can be used to obstruct this kind of attack. With ASCII armoring, all the system libraries (e.g. libc) addresses contain a NULL byte (0x00). This is commonly done by placing them in the first 0x01010101 bytes of memory (a few pages more than 16 MB, dubbed the "ASCII armour region"), as every address up to (but not including) this value contains at least one NULL byte. This makes it impossible to emplace code containing those addresses using string manipulation functions such as strcpy. However, this technique does not work if the attacker does have a way to overflow NULL bytes into the stack. If the program is too large to fit in the first 16 MB, protection may be incomplete.[1] This technique is similar to another attack known as return-to-plt where, instead of returning to libc, the attacker uses the Procedure Linkage Table (PLT) functions loaded in the binary (e.g. system@plt, execve@plt, sprintf@plt, strcpy@plt, etc.).[2]

Address space layout randomization (ASLR) makes this type of attack extremely unlikely to succeed on 64-bit machines as the memory locations of functions are random. For 32-bit systems ASLR provides little benefit since there are only 16 bits available for randomization, and they can be defeated by brute force in a matter of minutes.[3]

See also


  1. ^ David A. Wheeler (27 Jan 2004). "Secure programmer: Countering buffer overflows". IBM DeveloperWorks. Archived from the original on 2013-10-18. 
  2. ^ Sickness (13 May 2011). "Linux exploit development part 4 - ASCII armor bypass + return-to-plt" (PDF). 
  3. ^ Shacham, H.; Page, M.; Pfaff, B.; Goh, E. J.; Modadugu, N.; Boneh, D. (October 2004). "On the effectiveness of address-space randomization". Proceedings of the 11th ACM conference on Computer and communications security - CCS '04 (PDF). pp. 298-307. doi:10.1145/1030083.1030124. ISBN 1-58113-961-6. 

External links

  This article uses material from the Wikipedia page available here. It is released under the Creative Commons Attribution-Share-Alike License 3.0.



Connect with defaultLogic
What We've Done
Led Digital Marketing Efforts of Top 500 e-Retailers.
Worked with Top Brands at Leading Agencies.
Successfully Managed Over $50 million in Digital Ad Spend.
Developed Strategies and Processes that Enabled Brands to Grow During an Economic Downturn.
Taught Advanced Internet Marketing Strategies at the graduate level.

Manage research, learning and skills at defaultLogic. Create an account using LinkedIn or facebook to manage and organize your IT knowledge. defaultLogic works like a shopping cart for information -- helping you to save, discuss and share.

  Contact Us