Null Pointer Vulnerability Protection Technology-Preliminary

Null Pointer Vulnerability Protection Technology-Preliminary
In the security history, the number of vulnerabilities and attacks caused by null pointers is numerous. However, due to its requirements on the programming capability of the caller, the security has higher requirements for the analysis and protection personnel, therefore, there are not many discussions on Null Pointer vulnerabilities and related technologies in China. Today's "null pointer vulnerability Protection Technology", which is explained by the Green Alliance's threat response security experts. You can learn about the basic knowledge of the Null Pointer Vulnerability and use the Windows 8 memory protection mechanism as an example, practice the Protection Technology for NULL pointer vulnerabilities.
Author: Sun jianpo
Directory 1 Background
2. Null Pointer Vulnerability
3 basics: NULL pointer Verification
3.1 conceptual Verification
3.1.1 empty pointer for Memory Management
3.1.2 wild pointer to knowledge expansion
3.2 source code verification
3.2.1 comparison of pointer usage
3.2.2 comparison of pointer usage
3.3 visual memory Verification
3.4 Null Pointer Vulnerability
1. Background pointers are no stranger to most programmers. The use of pointers in C/C ++ brings convenience to programming, it is also a test of personal programming capabilities. Incorrect pointer usage will directly cause program crashes. if the pointer is incorrectly used in kernel code, the system will crash, the consequences are also quite serious.
Generally, when we use pointers, the error usage is concentrated in three aspects:
A piece of dynamic memory directed by the pointer, after being used, the memory is not released, resulting in Memory leakage, the usage of the wild pointer (floating pointer), after the memory space pointed to by the pointer is released, the memory space pointed to by the pointer has been returned to the operating system. At this time, the pointer becomes a wild pointer, without processing the wild pointer, this pointer may be exploited again, causing a pointer reference error and program crash. Null Pointer refers to a Null Pointer. The incorrect reference to a Null Pointer is usually because the Null Pointer is not judged before the reference, it is also possible to use the NULL pointer as an object and indirectly use the attributes or methods in the object, causing program crash. The error of NULL pointer is commonly used in system, service, and software vulnerabilities.

For the first and second cases, we can use some code audit tools to determine the cause of Memory leakage or the presence of wild pointers before release. For example, common tools such as fority and valgrind promptly discover problems caused by incorrect pointer references.

In the third case, errors caused by Null Pointer references are hard to be identified by code audit tools, because NULL pointer reference generally does not occur when a null pointer is used directly. It is often because the code logic is complicated and the NULL pointer reference location will be far away, and it is not easy to find; and it will not be triggered under normal circumstances, null Pointer Reference is triggered only under specific input conditions. It is more difficult to troubleshoot such errors.

This article will not focus on memory leaks and wild pointers, but analyzes Null Pointer Null pointers through some existing vulnerabilities and instances. The concept and nature of NULL Pointer are combined with static reverse and kernel dynamic debugging technologies to understand the differences in the processing of Null Pointer in win7 32-bit and win8 32-bit systems; which protection mechanisms are added for Null Pointer by Win8 32-bit.

 

This article describes the NULL Pointer step by step from the shortest to the depth, and deeply analyzes the zero-page memory protection mechanism of the win8 system based on static Reverse Analysis and kernel-level dynamic debugging technology, it also involves some kernel debugging techniques. For the concept of NULL Pointer, it is worth reading if you use fuzzy ones, the personnel engaged in security research and learning are also good materials to consolidate, deepen, and expand.

2. Null Pointer vulnerability caused by Null Pointer

First, let's take a look at the system and service vulnerabilities caused by incorrect use of null pointers in recent years:

Microsoft windows kernel 'win32k. sys 'Local Privilege Escalation Vulnerability (CVE-2015-1721) (MS15-061)

This vulnerability affects windows Server 2003 SP2 and R2 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, windows 8, Windows 8.1, Windows Server2012 Gold and R2, windows RT Gold and 8.1. The kernel driver win32k. sys vulnerability can be exploited to increase the permission or cause access denial of service (DoS). The main cause is the error reference of a null pointer.

Php null pointer reference Restriction Bypass Vulnerability (CVE-2015-3411)

PHP has a security vulnerability. Due to the lack of Null Byte check for paths or function path parameters in multiple extensions of the program, remote attackers can exploit the vulnerability to bypass access restrictions of the target file system, access any file.

0rg NULL pointer reference Access Denied Vulnerability (CVE-2008-0153)

X. Org is an official reference implementation for the X Window System operated by the X. Org Foundation and is an open-source free software. LibXfont is an X Font Processing library for servers and utilities. X. bitmap/bdfread for versions earlier than Org libXfont 1.4.9 and earlier than 1.5.x. the 'bdfreadcharacters 'function in the c file has a security vulnerability. This vulnerability is caused by a program failure to correctly process character bitmaps that cannot be read. Remote attackers can exploit this vulnerability to execute arbitrary code by exploiting a specially crafted BDF font file to cause DoS (empty pointer reverse reference and crash.

Paragma TelnetServer NULL pointer reference Denial of Service Vulnerability (BID-27143)

Pragma TelnetServer is a remote access and control Telnet server. The Pragma TelnetServer has a vulnerability in processing protocol data. Remote attackers may exploit this vulnerability to make the server unavailable. The telnetserverserver server starts a telnetd.exe process for each inbound connection. a null pointer reference exists in the process of handling the telopt pragma logon telnet Option (No. 138), resulting in Process Termination. Although terminating a single process does not affect other processes, terminating some processes will result in a denial of access to the server.

OpenSSL SSLv2 Client NULL pointer reference Denial of Service Vulnerability (CVE-2006-4343)

OpenSSL is an open-source SSL implementation that implements high-strength encryption for network communication. It is widely used in various network applications. OpenSSL protocol implementation has problems in processing connection requests. Remote attackers may exploit this vulnerability to cause Server Denial of Service. The get_server_hello () function of the SSLv2 Client does not correctly check the NULL pointer. If the affected client using OpenSSL creates a SSLv2 connection to a malicious server, it will crash.

Linux Kernel NULL pointer indirectly references Local Denial of Service Vulnerability (CVE-2014-2678)

In Linux kernel 3.14, net/rds/iw. the rds_iw_laddr_check function in c has a local denial of service vulnerability. The local user calls the RDS socket on the system without RDS transmission through the blind system, this vulnerability can cause indirect NULL pointer reference and system crash.

Isc bind named Denial-of-Service Vulnerability (CVE-2015-5477)

In isc bind versions earlier than 9.9.7-P2 and earlier than 9.10.2-P3, named has a security vulnerability. Remote attackers can use TKEY to query and exploit this vulnerability to cause denial of service (REQUIRE assertion failure and program exit, pointer not initialized ).

There are many other such vulnerabilities. From the vulnerabilities given, the Null Pointer Vulnerability is mainly a Denial of Service Access Vulnerability. The Null Pointer Error reference will naturally lead to program errors, and serious vulnerabilities will crash, this causes Denial of Service Access.

3 basics: NULL pointer Verification

 

This vulnerability is caused by a null pointer error reference. Its principle is very simple: the NULL pointer is incorrectly referenced, leading to illegal access to the memory address.

 

So what is the Null Pointer Vulnerability? When using pointers in computer programming, there are two important concepts: NULL pointers and wild pointers. So the Null Pointer Vulnerability we mentioned above is what we call a null pointer during programming? To find out this problem, you must first know what are the null pointers and the wild pointers in the programming field, and find out what is a null pointer vulnerability.

3.1 conceptual Verification

If char p is used, p is a pointer variable that does not point to any memory space. If p = 0; p = 0L; p = "; p = 3-3; p = 0*5; after any value assignment operation (for C, it can also be p = (void) 0;), p becomes a null pointer, the system ensures that the NULL pointer does not point to any actual object or function. Conversely, the address of any object or function cannot be a null pointer. (For example, void 0 is a null pointer. Of course, in addition to the above assignment methods, you can also use p = NULL; To make p a NULL pointer. In many systems, # define NULL (void) 0.

3.1.1 empty pointer for Memory Management

Where does the NULL pointer point to the memory? The standard does not specify the location in the memory where the Null Pointer Points to, that is, the specific address value used (0x0 address or a specific address) indicates that the NULL pointer depends on the system implementation. Our common null pointers generally point to the 0 address, that is, the empty pointer is represented by all 0 internally (zeronull pointer, null pointer ).

For NULL, which can represent NULL pointers, is there any other value to represent NULL pointers? In the windows core programming chapter of the fifth edition of windows Memory Structure, Table 13-1 mentions the partition for NULL pointer allocation, which ranges from 0x00000000 to 0x0000FFFF. This space is idle, and there is no corresponding physical memory for the idle space. Therefore, any read/write operations will cause exceptions for this space.

We can see that there are as many regions as 0x10000 for NULL pointer allocation. Why is the allocation of such a large space? When defining NULL, only the value 0x00000000 is used. In table 13-1, the partition allocated by the NULL pointer contains 0x00000000-0x0000FFFF, which is a waste of space; this is related to the distribution granularity of the operating system address space. The default distribution granularity of windows X86 is 64 KB. To achieve alignment, the space address needs to be allocated from 0x00010000, therefore, the range of the NULL pointer is so large.

3.1.2 wild pointer to knowledge expansion

"Wild Pointer" is also called "floating Pointer". It is not a NULL pointer, but a pointer to "junk" memory.

There are three main causes of "wild pointer:

1) pointer variables are not initialized. When a pointer variable is created, it does not automatically become a NULL pointer. Its default value is random, which means it is random. Therefore, the pointer variable should be initialized at the same time when it is created, either set the pointer to NULL or set it to direct to the legal memory. For example, char * p = NULL; char * str = (char *) malloc (100 );

2) After the pointer p is free or deleted, It is not set to NULL, which makes people mistakenly think p is a valid pointer.

Free and delete only release the memory indicated by the pointer, but they do not kill the pointer itself. After free, the address remains unchanged (non-NULL), but the memory corresponding to the address becomes junk memory, and p becomes the "wild Pointer ". If p is not set to NULL at this time, it is mistaken that p is a valid pointer. If the program is long, we sometimes cannot remember whether the memory referred to by p has been released. Before using p, the statement if (p! = NULL. Unfortunately, the if statement does not prevent errors at this time, because even if p is not a NULL pointer, it does not point to a valid memory block.

 

After the memory is released with free or delete, the pointer should be set to NULL to prevent "wild pointer ". The memory is released, which does not mean that the pointer will die or become a NULL pointer.

3) pointer operations go beyond the scope of variables. For example, do not return a pointer or reference pointing to the stack memory, because the function in the stack will be released at the end of the function, which is difficult to prevent. The example program is as follows:

In addition, if the program defines a pointer, it must immediately point it to a space we set or set it to NULL. If this is not done, the content in this pointer is unpredictable, that is, it does not know which space it points to in the memory (that is, the wild pointer). It may point to a blank memory area, it may point to protected areas, or even to critical system memory, maybe we may accidentally operate the pointer later, which may cause system disorder and crash. Therefore, you must set a space to point the pointer to it, or set the pointer to NULL.

3.2 source code verification

Next we will take a look at the NULL pointer and the consequences of using the NULL pointer in two small experiment examples.

3.2.1 comparison of pointer usage

In this example, we want to verify the status of pointer variables before and after initialization. It is a piece of code:

The code is simple. It only verifies the space in which pointer variables Direct values separately. Value to be printed in the Code:

Value of the address pointer variable before initialization the value of the address pointer variable after Initialization

After compilation, run the program three times to view the running results:

According to the three running results:

The address of each printed pointer variable is different because the address of the P pointer variable is changing every time the program runs. In the same print, the pointer variable remains unchanged before initialization and after initialization. Because the pointer variable is also a variable, the variable can be changed in its life cycle, but the address does not change. In each print, the pointer variable value changes before initialization. The value of the pointer variable itself also points to a memory address. Before initialization, the variable does not point to any memory address. Therefore, the value of this variable is a random value (that is, a random memory address ). In each print, the pointer variable value does not change after initialization. After the pointer variable is initialized, P = 0. Therefore, the pointer variable initialized in the memory points to the location where the memory address is 0x00000000. In each print, the pointer variable value after initialization does not change.

3.2.2 comparison of pointer usage

The source code is as follows:

 

The Code has no complex logic. I just want to verify the condition of the wild pointer before P = NULL and the pointer after P = NULL after the pointer variable is released. The printed content is as follows:

Pointer Variable P-start address and value pointer Variable P-address and value pointer Variable P after memory space allocation address and value pointer Variable P after memory space release address and value pointer Variable P after P = NULL address and value

Is the result of running after compilation:

A. the pointer variable is declared until the end of the program. The address of the pointer variable has not changed to 0x35f778. B. when defining a pointer variable, its value is 0x00000000 c. after applying for a new memory, the pointer variable value is 0x6e7a78 d. after the memory is released, P becomes a wild pointer, but the value of P is still the requested memory address 0x6e7a78, but the P pointer cannot be used at this time. E. If P = NULL, p points to the address 0x00000000 again.

It can be seen that after we release the pointer variable, the pointer variable will become a wild pointer. If we reference this pointer at this time, illegal access will occur. Therefore, we need to release the pointer variable and point it to null.

3.3 visual memory Verification

In order to view the changes of pointer variables in the memory more intuitively, we will look at the changes of pointer variables throughout the use process with the dynamic debugging technology. The following is a piece of program code:

Here, we use the OD dynamic debugger to check the call to the printf function:

A. the first print statement

PHP

printf("p address :%p, value :%08x\n", &p, p);

Memory before calling printf:

We can see that the pointer Variable P value is EAX = [EBP-4], P address ECX = EBP-4, at this time the register value:

The value after printf is called is exactly the two values.

B. The second print statement printf ("p intialized address: % p, value: % 08x \ n", & p, p); memory before calling printf:

 

We can see that the value of the pointer Variable P is EDX = [EBP-4], the address of p eax = EBP-4, the register value at this time:

The value after printf is called is exactly the two values:

C. The third print statement printf ("p free address: % p, value: % 08x \ n", & p, p); memory before calling printf:

We can see that the pointer Variable P value is EAX = [EBP-4], P address ECX = EBP-4, at this time the register value:

The value after printf is called is exactly the two values:

D. Print the fourth statement printf ("p ultimate address: % p, value: % 08x \ n", & p, p); memory usage before calling printf:

We can see that the value of the pointer Variable P is EDX = [EBP-4], the address of p eax = EBP-4, the register value at this time:

The value after printf is called is exactly the two values:

 

 

3.4 concept Summary-Null Pointer Vulnerability

We have explained and verified what is a null pointer and a wild pointer.

In programming, a NULL pointer is a NULL pointer, that is, a pointer to zero page memory is called a NULL pointer. For Uninitialized pointers, releasing the memory does not set the pointer to NULL or pointing the pointer out of the range is called a wild pointer. So in the second section of the List of the Null Pointer Vulnerability and unenumerated NULL pointer vulnerability is not because of reference to the zero page memory caused by it (such as CVE-2014-2678 )? In fact, some vulnerabilities are caused by reference of Uninitialized pointers or reference of pointers out of the range. Such vulnerabilities should be said to be caused by incorrect reference of wild pointers. For example, the latest BIND Vulnerability (CVE-2015-5477 ):

However, we have never heard of any vulnerability named as a wild pointer, but more of it is a null pointer vulnerability. That is to say, the vulnerabilities caused by null pointers or wild pointers in the computer security field are all called null pointers.