22C3 - 2.2

22nd Chaos Communication Congress
Private Investigations

Sebastian Krahmer
Day 1
Room Saal 2
Start time 17:00
Duration 01:00
ID 802
Event type Lecture
Track Hacking
Language German

The Hammer: x86-64 and Circumventing the NX Bit

In addition to the page-protection bits already available on x86, the x86-64 architecture offers a new bit that allows pages to be marked as non-executable. This is meant to prevent, or at least hinder, the well-known buffer overflow exploits. This talk shows how it can be done anyway.

In recent years many security-relevant programs have suffered from buffer overflow vulnerabilities, and a large share of intrusions, if not most of them, happen through buffer overflow exploits. Historically, x86 CPUs suffered from the fact that a data page could not be readable without also being executable: if the read bit was set, the page was executable too. That was fundamental for the common buffer overflow exploit to work, since the so-called shellcode is actually data delivered to the program. If this data were placed in a readable but non-executable page, it could still overflow internal buffers, but it would not be possible to get it to execute. Since such a mechanism was needed, the PaX kernel patch introduced a workaround for this r-means-x problem [7]. Today's CPUs (AMD64 as well as newer x86 CPUs), however, offer a solution in-house: they enforce the missing execute bit even if a page is readable, unlike earlier x86 CPUs. From the exploiting perspective this completely destroys the common buffer overflow technique, since the attacker is no longer able to get execution to his shellcode. Why return-into-libc also fails is explained in the next sections.
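As an added example, not part of the talk or its materials, the following C program checks from inside a running Linux process whether the NX protection described above is actually in effect for its own data pages: it maps a fresh read/write page and probes its own stack, then reads the permission flags of the mapping containing each address from /proc/self/maps. A readable page that also carries the x flag is the legacy r-means-x situation; a "rw-p" mapping is what NX enforcement looks like. The parsing of /proc/self/maps is Linux-specific; the function names are this example's own.

```c
/* Added example (not from the talk): verify that a process's data pages
 * are readable but not executable, i.e. that NX is enforced for it.
 * Linux-specific: reads the permission column of /proc/self/maps. */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Copy the permission string (e.g. "rw-p") of the mapping that contains
 * addr into out. Returns 0 on success, -1 if the mapping was not found
 * or /proc/self/maps could not be read. */
int mapping_perms_of(const void *addr, char *out, size_t n) {
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f) return -1;
    char line[512];
    int rc = -1;
    uintptr_t a = (uintptr_t)addr;
    while (fgets(line, sizeof line, f)) {
        unsigned long start, end;
        char perms[8];
        /* line format: start-end perms offset dev inode [path] */
        if (sscanf(line, "%lx-%lx %7s", &start, &end, perms) != 3) continue;
        if (a >= start && a < end) {
            snprintf(out, n, "%s", perms);
            rc = 0;
            break;
        }
    }
    fclose(f);
    return rc;
}

/* 1 if the mapping containing addr has the x flag, 0 if not, -1 on error. */
int is_executable(const void *addr) {
    char perms[8];
    if (mapping_perms_of(addr, perms, sizeof perms) != 0) return -1;
    return strchr(perms, 'x') != NULL;
}

/* A fresh anonymous read/write page: with NX enforced it is readable
 * but must not be executable. Returns 1 if it is, 0 if not, -1 on error. */
int rw_page_is_executable(void) {
    long pg = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, (size_t)pg, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    int r = is_executable(p);
    munmap(p, (size_t)pg);
    return r;
}

/* The stack is where a classic overflow places its payload; probe the
 * mapping that holds one of our own locals. */
int stack_is_executable(void) {
    volatile char probe = 0;
    return is_executable((const void *)&probe);
}

int main(void) {
    printf("rw page executable: %d\n", rw_page_is_executable());
    printf("stack executable:   %d\n", stack_is_executable());
    return 0;
}
```

On a current x86-64 Linux system both checks report 0. The stack result depends on how the binary was linked: GCC's default PT_GNU_STACK header requests a non-executable stack, while linking with `-z execstack` (or a binary lacking the header altogether) gives an executable stack, which is the condition the classic exploits in the text rely on.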