Safety and Security beyond coding standards (1/3)


In this article we will take a deep dive into buffer overflow and stack overflow attacks and the ways to mitigate them.

Let’s take a look at the simple example code below.

Sample Code - Buffer Overflow - Attack

Is there anything wrong with the above code? Yes, it is prone to a buffer overflow attack: instead of typing a password of length less than or equal to 20, one can simply key in a dummy password made of the same character repeated 40 times, and the user gets through the password check by exploiting the buffer overflow vulnerability.

Let's write the same code as follows.

Revised Code - Stack Overflow Attack

Is there anything wrong with the above code? Now, even though the attacker cannot get past the password check logic, the attacker can cause even bigger damage by overwriting the return address with the address of a spurious routine of his own.


As is evident from the above diagram, by inputting more than 20 characters the attacker can eventually replace the return address; this is known as a stack smashing attack.

One of the ways to mitigate the stack smashing attack as well as the buffer overflow attack is to use a stack guard canary, as illustrated in the figure below.


Different types of Canaries

Terminator canaries

Most buffer overflow attacks are based on certain string operations which end at string terminators. A terminator canary contains NULL (0x00), CR (0x0d), LF (0x0a), and EOF (0xff), four characters that should terminate most string operations, rendering the overflow attempt harmless. This prevents attacks using strcpy() and other methods that return upon copying a null character; the undesirable result is that the canary value is known. This type of protection can be bypassed by an attacker overwriting the canary with its known values and the return address with a specially crafted value, resulting in code execution. This can happen when non-string functions are used to copy buffers and both the buffer contents and the length of the buffer are attacker controlled.

Random canaries

A random canary is chosen at random at the time the program execs. With this method, the attacker cannot learn the canary value prior to the program start by searching the executable image. The random value needs to be generated using the TPM / HSM module built into the microcontroller. This randomness is sufficient to prevent most prediction attempts. If there is an information leak flaw in the application which can be used to read the canary value, this kind of protection can be bypassed.

Random XOR canaries

Random XOR canaries are random canaries that are XOR-scrambled using all or part of the control data (frame pointer, return address, etc.). In this way, once either the canary or the control data is clobbered, the canary value is wrong and the check results in immediate program termination.


Code with Stack Canary


In no_return_foo(), a soft reset shall be carried out with the reason for the reset (cyber attack) stored in Data Flash. In the subsequent articles we will take a detailed look at some of the other types of attacks and the ways to mitigate them.
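The stack canary code above is shown as an image, so here is an added example (not the article's own code) that models the canary mechanism in C: a simulated frame holding the 20-byte password buffer, a random XOR canary derived from the return address, and the epilogue check that would hand control to a handler like no_return_foo(). The seed and return address are constructed constants standing in for the TPM / HSM-generated value and the real saved return address.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 20

/* Simulated stack frame: the canary sits between the local buffer and
 * the saved control data, exactly where a stack guard places it. */
struct frame {
    char      buf[BUF_LEN];
    uint32_t  canary;   /* random XOR canary */
    uintptr_t ret;      /* saved return address (control data) */
};

/* Random XOR canary: random seed scrambled with the return address. */
static uint32_t make_canary(uint32_t seed, uintptr_t ret)
{
    return seed ^ (uint32_t)(ret & 0xffffffffu);
}

static void frame_init(struct frame *f, uint32_t seed, uintptr_t ret)
{
    memset(f->buf, 0, BUF_LEN);
    f->ret = ret;
    f->canary = make_canary(seed, ret);
}

/* Unbounded copy as in the article's first sample; modelled as a byte copy
 * into the frame object so the spill into canary/ret is observable. */
static void unsafe_copy(struct frame *f, const char *in, size_t len)
{
    if (len > sizeof *f) len = sizeof *f;   /* keep the simulation in bounds */
    memcpy((unsigned char *)f, in, len);
}

/* Bounded copy: never writes past the buffer. */
static void safe_copy(struct frame *f, const char *in, size_t len)
{
    if (len > BUF_LEN - 1) len = BUF_LEN - 1;
    memcpy(f->buf, in, len);
    f->buf[len] = '\0';
}

/* Epilogue check: 1 if canary and control data are intact, else 0. */
static int frame_check(const struct frame *f, uint32_t seed)
{
    return f->canary == make_canary(seed, f->ret);
}

/* Feeds input_len copies of 'A' (constructed input); returns frame_check(). */
static int run(size_t input_len, int use_safe_copy, uint32_t seed)
{
    char input[64];
    struct frame f;
    memset(input, 'A', sizeof input);
    frame_init(&f, seed, (uintptr_t)0x08004000u);  /* constructed address */
    if (use_safe_copy) safe_copy(&f, input, input_len);
    else unsafe_copy(&f, input, input_len);
    return frame_check(&f, seed);   /* 0 here is where no_return_foo() fires */
}
```

With the unbounded copy, a 20-character input leaves the frame intact while a 40-character input trips the check; the bounded copy passes in both cases.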

One of the key questions that needs to be answered is whether the popular auto coder(s) which we typically use for converting a model into code generate functions with inbuilt protection against stack / buffer overflow attacks.

If not, it's time to rethink our auto coding strategies; maybe there should be an option to mark some systems in the model as security critical, and the code for those should give more preference to security mechanisms rather than memory and execution time optimization!


More articles by Koustubh Tilak
