====== ASCII-Armored Addresses ======

The previous chapter about [[.stdlib|dangerous standard library functions]] revealed that many buffer overflows are caused by the incorrect handling of ASCII strings. To limit this attack vector, Red Hat provided a patch(([[https://people.redhat.com/mingo/exec-shield/|exec-shield]])) for the Linux kernel that places executable code at low memory addresses. Because all executable addresses then contain a ''0''-byte and string functions like [[c:lib:string:strcpy|strcpy()]] stop at this termination character, the patch prevents the successful use of these addresses in string functions. Since it uses this property of ASCII strings as a protection mechanism, the protected memory area was named the "ASCII-armor area"(([[https://www.akkadia.org/drepper/nonselsec.pdf|Security Enhancements in Red Hat Enterprise Linux (beside SELinux)]])).

Due to the rise of [[.aslr|ASLR]] and [[.nx|NX]], this patch is commonly considered obsolete. However, a similar concept applies to [[..exploitation:amd64|AMD64 systems]]. Only the lowest 48 bits are used for virtual addressing. According to the AMD64 standard, the remaining 16 bits are required to have the same value as the 48th bit(([[https://support.amd.com/TechDocs/24593.pdf|AMD64 Architecture Programmer’s Manual Volume 2: System Programming]])). In cases where the 48th bit is 0, the two highest bytes of the address have a value of 0 and protect against ASCII-based attacks.
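The following C program is an added example, not part of the original page. It checks whether an address is in canonical AMD64 form and counts how many of its little-endian bytes a ''strcpy()'' transfers before stopping at the first ''0''-byte. The function names are hypothetical and the sample addresses are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Canonical AMD64 address: bits 63..48 equal bit 47 (the "48th bit"). */
int is_canonical(uint64_t addr)
{
    uint64_t high = addr >> 47;   /* bit 47 plus the 16 bits above it */
    return high == 0 || high == 0x1FFFF;
}

/* Count the bytes of an address (little-endian, width 4 or 8) that a
 * strcpy() transfers before it stops at the first 0-byte. */
size_t bytes_copied_by_strcpy(uint64_t addr, size_t width)
{
    char src[9], dst[9];
    size_t i;

    if (width > 8)
        width = 8;
    for (i = 0; i < width; i++)
        src[i] = (char)((addr >> (8 * i)) & 0xff);
    src[width] = '\0';            /* terminator after the last byte */
    strcpy(dst, src);
    return strlen(dst);
}

int main(void)
{
    /* Constructed sample addresses, not taken from a real process. */
    const struct { uint64_t addr; size_t width; } s[] = {
        { 0x0011e0b0ULL,         4 },  /* 32-bit ASCII-armor area    */
        { 0x00007ffff7a52390ULL, 8 },  /* AMD64, 48th bit is 0       */
        { 0xffffffff81234567ULL, 8 },  /* AMD64, 48th bit is 1       */
    };
    size_t i;

    for (i = 0; i < sizeof s / sizeof s[0]; i++)
        printf("0x%016llx canonical=%d copied=%zu/%zu\n",
               (unsigned long long)s[i].addr, is_canonical(s[i].addr),
               bytes_copied_by_strcpy(s[i].addr, s[i].width), s[i].width);
    return 0;
}
```

Only the first two samples are cut short by the copy. The third has the 48th bit set, so its upper bytes are ''0xff'' and the property described above does not apply.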