A Comparison of Buffer Overflow Prevention Implementations and Weaknesses

Blackhat and Defcon 2004 conference materials
Richard Johnson ([email protected])
Peter Silberman ([email protected])


Paper
Presentation Slides
Attack Vector Test Platform

Vulnerability Matrix Test Results for Linux
-------------------------------------------

A plus symbol (+) indicates that the software successfully protected against the specified
exploitation vector; a minus symbol (-) indicates that it did not.



ProPolice SSP Stack Protection
------------------------------

Buffer overflow on stack all the way to the target
+       Target: Parameter function pointer
-       Target: Parameter longjmp buffer
+       Target: Return address
+       Target: Old base pointer (Not Supported by Win32)
+       Target: Function pointer
+       Target: Longjmp buffer

Buffer overflow on heap/BSS all the way to the target
-       Target: Function pointer
-       Target: Longjmp buffer (Not Supported by Win32)

Buffer overflow of pointer on stack and then pointing to target
+       Target: Parameter function pointer
+       Target: Parameter longjmp buffer (Not Supported by Win32)
+       Target: Return address
+       Target: Old base pointer (Not Supported by Win32)
+       Target: Function pointer
+       Target: Longjmp buffer (Not Supported by Win32)

Buffer overflow of pointer on heap/BSS and then pointing to target
-       Target: Return address
+       Target: Old base pointer (Not Supported by Win32)
-       Target: Function pointer (Not Supported by Win32)
-       Target: Longjmp buffer (Not Supported by Win32)



StackShield
-----------

Buffer overflow on stack all the way to the target
-       Target: Parameter function pointer
-       Target: Parameter longjmp buffer
+       Target: Return address
+       Target: Old base pointer (Not Supported by Win32)
-       Target: Function pointer
-       Target: Longjmp buffer

Buffer overflow on heap/BSS all the way to the target
-       Target: Function pointer
-       Target: Longjmp buffer (Not Supported by Win32)

Buffer overflow of pointer on stack and then pointing to target
-       Target: Parameter function pointer
-       Target: Parameter longjmp buffer (Not Supported by Win32)
+       Target: Return address
+       Target: Old base pointer (Not Supported by Win32)
-       Target: Function pointer
-       Target: Longjmp buffer (Not Supported by Win32)

Buffer overflow of pointer on heap/BSS and then pointing to target
+       Target: Return address
+       Target: Old base pointer (Not Supported by Win32)
-       Target: Function pointer (Not Supported by Win32)
-       Target: Longjmp buffer (Not Supported by Win32)



StackGuard
----------

Buffer overflow on stack all the way to the target
-       Target: Parameter function pointer
-       Target: Parameter longjmp buffer
+       Target: Return address
+       Target: Old base pointer (Not Supported by Win32)
-       Target: Function pointer
-       Target: Longjmp buffer

Buffer overflow on heap/BSS all the way to the target
-       Target: Function pointer
-       Target: Longjmp buffer (Not Supported by Win32)

Buffer overflow of pointer on stack and then pointing to target
-       Target: Parameter function pointer
-       Target: Parameter longjmp buffer (Not Supported by Win32)
-       Target: Return address
+       Target: Old base pointer (Not Supported by Win32)
-       Target: Function pointer
-       Target: Longjmp buffer (Not Supported by Win32)

Buffer overflow of pointer on heap/BSS and then pointing to target
-       Target: Return address
+       Target: Old base pointer (Not Supported by Win32)
-       Target: Function pointer (Not Supported by Win32)
-       Target: Longjmp buffer (Not Supported by Win32)



Linux 2.4.26-grsec w/ SEGMEXEC
------------------------------

Buffer overflow on stack all the way to the target
+       Target: Parameter function pointer
+       Target: Parameter longjmp buffer
+       Target: Return address
+       Target: Old base pointer (Not Supported by Win32)
+       Target: Function pointer
+       Target: Longjmp buffer

Buffer overflow on heap/BSS all the way to the target
+       Target: Function pointer
+       Target: Longjmp buffer (Not Supported by Win32)

Buffer overflow of pointer on stack and then pointing to target
+       Target: Parameter function pointer
+       Target: Parameter longjmp buffer (Not Supported by Win32)
+       Target: Return address
+       Target: Old base pointer (Not Supported by Win32)
+       Target: Function pointer
+       Target: Longjmp buffer (Not Supported by Win32)

Buffer overflow of pointer on heap/BSS and then pointing to target
+       Target: Return address
+       Target: Old base pointer (Not Supported by Win32)
+       Target: Function pointer (Not Supported by Win32)
+       Target: Longjmp buffer (Not Supported by Win32)