Informative Information for the Uninformed
Spoofed Return Address for CheckRevision Calls

Due to how the x86 architecture works, it is trivially easy to spoof the return address pointer for a procedure call. All that one must do is push the spoofed return address on the stack, and then immediately execute a direct jump to the target procedure (as opposed to a standard call). As a result, it is fairly trivial to bypass this protection mechanism at run-time. One need only search for a 'ret' opcode in the code space of the Battle.snp module in memory, and use the technique described previously to simply "bounce" the call off of Battle.snp via the use of a spoofed return address. To the Lockdown module, the call will appear to originate from the context of Battle.snp, but in reality the call will immediately return from Battle.snp to the real caller in the untrusted process. To counter this, the following could be attempted:
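As an added example (not part of the original page, and not one of the countermeasures the page goes on to list), the C below shows the kind of caller-provenance check a protected routine can apply to the return address it finds on the stack. A return address produced by a genuine call is preceded by a call instruction whose target is the protected routine; a return address that merely points at a stray 'ret' inside a trusted module is not. The code buffer, the offsets, the routine name and the helper names are all constructed for illustration and are not Battle.snp or Lockdown internals; addresses are modelled as 32-bit offsets into a byte array so the check runs on any host.

```c
/*
 * Added example: decode the bytes immediately before a return address to
 * decide whether a direct call to the protected routine produced it.
 * All data here is constructed; nothing is read from a live process.
 */
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <stdio.h>

/* What the bytes before a return address decode to. */
typedef enum {
    CALL_NONE,          /* no call instruction ends at ret_addr */
    CALL_DIRECT_OK,     /* E8 rel32 whose target is the protected routine */
    CALL_DIRECT_OTHER,  /* E8 rel32 targeting something else */
    CALL_INDIRECT       /* FF /2 call: target cannot be resolved statically */
} call_kind;

/* Decode the instruction that ends at ret_addr (offsets into code[]). */
static call_kind classify_return_address(const uint8_t *code, size_t code_len,
                                         uint32_t ret_addr, uint32_t callee)
{
    /* 5-byte direct call: E8 <rel32>; target = ret_addr + rel32 (mod 2^32). */
    if (ret_addr >= 5 && ret_addr <= code_len && code[ret_addr - 5] == 0xE8) {
        uint32_t rel = (uint32_t)code[ret_addr - 4]
                     | (uint32_t)code[ret_addr - 3] << 8
                     | (uint32_t)code[ret_addr - 2] << 16
                     | (uint32_t)code[ret_addr - 1] << 24;   /* little-endian */
        uint32_t target = ret_addr + rel;                    /* wraps as on x86 */
        return target == callee ? CALL_DIRECT_OK : CALL_DIRECT_OTHER;
    }
    /* 6-byte indirect call through memory: FF 15 <disp32>. */
    if (ret_addr >= 6 && ret_addr <= code_len &&
        code[ret_addr - 6] == 0xFF && code[ret_addr - 5] == 0x15)
        return CALL_INDIRECT;
    /* 2-byte indirect call through a register: FF D0..D7. */
    if (ret_addr >= 2 && ret_addr <= code_len &&
        code[ret_addr - 2] == 0xFF && (code[ret_addr - 1] & 0xF8) == 0xD0)
        return CALL_INDIRECT;
    return CALL_NONE;
}

#define TEXT_LEN 48u
#define PROTECTED_ROUTINE 0x00u   /* constructed address of the checked routine */

/* Constructed "text section": a protected routine, one genuine caller,
 * one call to an unrelated target, and a stray ret of the kind a spoofed
 * return address would point at. */
static const uint8_t sample_text[TEXT_LEN] = {
    [0x00] = 0xC3,                                   /* protected routine: ret */
    [0x10] = 0xE8, [0x11] = 0xEB, [0x12] = 0xFF,
    [0x13] = 0xFF, [0x14] = 0xFF,                    /* call 0x00; return addr 0x15 */
    [0x15] = 0x90, [0x16] = 0x90, [0x17] = 0x90,     /* nop padding */
    [0x18] = 0xE8, [0x19] = 0x13, [0x1A] = 0x00,
    [0x1B] = 0x00, [0x1C] = 0x00,                    /* call 0x30; return addr 0x1D */
    [0x1D] = 0x90, [0x1E] = 0x90, [0x1F] = 0x90,     /* nop padding */
    [0x20] = 0xC3,                                   /* stray ret, no call before it */
};

static call_kind classify_sample(uint32_t ret_addr)
{
    return classify_return_address(sample_text, TEXT_LEN, ret_addr, PROTECTED_ROUTINE);
}

/* Policy: accept only a direct call that targets the protected routine. */
static bool caller_is_plausible(uint32_t ret_addr)
{
    return classify_sample(ret_addr) == CALL_DIRECT_OK;
}

int main(void)
{
    const uint32_t cases[] = { 0x15, 0x1D, 0x20 };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("return address 0x%02X: kind=%d plausible=%s\n",
               cases[i], (int)classify_sample(cases[i]),
               caller_is_plausible(cases[i]) ? "yes" : "no");
    return 0;
}
```

The check is a heuristic rather than a proof of provenance: an indirect call (FF /2) can only be judged by resolving the pointer it reads at run time, and any such decision must be made on a copy of the bytes taken under the same trust assumptions as the rest of the integrity check.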