Discussion:
Does klee support for function return address
高凤娟
2014-09-09 07:13:56 UTC
Permalink
Hi,
Is there any function that gives us the distance between the buffer and the return address?
Anyone can help me?
Many thanks in advance.
-------------------------------
Richel Gao
Daniel Liew
2014-09-09 08:56:48 UTC
Permalink
Post by 高凤娟
Hi,
Is there any function that gives us the distance between the buffer and the
return address?
Your question is much too vague to be answerable (i.e. what "buffer"
are you talking about and what is it?). If you reformulate the
question in a clearer manner someone might answer it.
高凤娟
2014-09-10 01:56:19 UTC
Permalink
Hi,
Is there any function that gives us the distance between the buffer and the
return address?I'm trying to detect buffer overflow.In order to make sure the buffer overflow detected is a dangerous one,I want to know if the overflowed string overlap the return address.For example,//////////////////////////.....(other code)char a[2];char b[6];klee_make_symbolic(b)strcpy(a,b);////////////////////////I want to know the distance between a[1] and the return address.Sorry for my poor english...Anyone can help me?
Many thanks in advance.
-------------------------------
Richel Gao
Jonathan Neuschäfer
2014-09-10 13:34:07 UTC
Permalink
Post by 高凤娟
Hi,
Is there any function that gives us the distance between the buffer and the
return address?I'm trying to detect buffer overflow.In order to make sure the buffer overflow detected is a dangerous one,I want to know if the overflowed string overlap the return address.For example,//////////////////////////.....(other code)char a[2];char b[6];klee_make_symbolic(b)strcpy(a,b);////////////////////////I want to know the distance between a[1] and the return address.Sorry for my poor english...Anyone can help me?
Many thanks in advance.
-------------------------------
Richel Gao
I am not very familiar with KLEE, but the distance of a stack variable
to the return address depends on the compiler, the CPU architecture and
maybe the operating system. Furthermore, today's compilers may use stack
canaries[1] to make exploitation harder in case the return address is
overwritten.

If you've found a buffer overflow and want to know if it will be able to
overwrite the return address you should probably disassemble the
compiled program (or ask the compiler to give you the intermediate
assembler code), and then check this yourself. A debugger may also help.

If you've found a bunch of buffer overflows and are thinking about which
of them you will fix, please fix all of them.


Hope that helps,
Jonathan Neuschäfer

[1] https://en.wikipedia.org/wiki/Buffer_overflow_protection
Paul Marinescu
2014-09-10 14:12:54 UTC
Permalink
No, there is no such function.
This paper http://security.ece.cmu.edu/aeg/aeg-current.pdf discusses the problem in detail.

Paul
Post by Jonathan Neuschäfer
Post by 高凤娟
Hi,
Is there any function that gives us the distance between the buffer and the
return address?I'm trying to detect buffer overflow.In order to make sure the buffer overflow detected is a dangerous one,I want to know if the overflowed string overlap the return address.For example,//////////////////////////.....(other code)char a[2];char b[6];klee_make_symbolic(b)strcpy(a,b);////////////////////////I want to know the distance between a[1] and the return address.Sorry for my poor english...Anyone can help me?
Many thanks in advance.
-------------------------------
Richel Gao
I am not very familiar with KLEE, but the distance of a stack variable
to the return address depends on the compiler, the CPU architecture and
maybe the operating system. Furthermore, today's compilers may use stack
canaries[1] to make exploitation harder in case the return address is
overwritten.
If you've found a buffer overflow and want to know if it will be able to
overwrite the return address you should probably disassemble the
compiled program (or ask the compiler to give you the intermediate
assembler code), and then check this yourself. A debugger may also help.
If you've found a bunch of buffer overflows and are thinking about which
of them you will fix, please fix all of them.
Hope that helps,
Jonathan NeuschÀfer
[1] https://en.wikipedia.org/wiki/Buffer_overflow_protection
_______________________________________________
klee-dev mailing list
https://mailman.ic.ac.uk/mailman/listinfo/klee-dev
高凤娟
2014-09-11 07:15:48 UTC
Permalink
Thank you very much,you help me a lot.

At 2014-09-10 10:12:54, "Paul Marinescu" <***@imperial.ac.uk> wrote:

No, there is no such function.
This paper http://security.ece.cmu.edu/aeg/aeg-current.pdf discusses the problem in detail.


Paul


On 10 Sep 2014, at 14:34, Jonathan NeuschÀfer <***@gmx.net> wrote:

On Wed, Sep 10, 2014 at 09:56:19AM +0800, 高净嚟 wrote:
Hi,
Is there any function that gives us the distance between the buffer and the
return address?I'm trying to detect buffer overflow.In order to make sure the buffer overflow detected is a dangerous one,I want to know if the overflowed string overlap the return address.For example,//////////////////////////.....(other code)char a[2];char b[6];klee_make_symbolic(b)strcpy(a,b);////////////////////////I want to know the distance between a[1] and the return address.Sorry for my poor english...Anyone can help me?
Many thanks in advance.
-------------------------------
Richel Gao

I am not very familiar with KLEE, but the distance of a stack variable
to the return address depends on the compiler, the CPU architecture and
maybe the operating system. Furthermore, today's compilers may use stack
canaries[1] to make exploitation harder in case the return address is
overwritten.

If you've found a buffer overflow and want to know if it will be able to
overwrite the return address you should probably disassemble the
compiled program (or ask the compiler to give you the intermediate
assembler code), and then check this yourself. A debugger may also help.

If you've found a bunch of buffer overflows and are thinking about which
of them you will fix, please fix all of them.


Hope that helps,
Jonathan NeuschÀfer

[1] https://en.wikipedia.org/wiki/Buffer_overflow_protection

Loading...