Dies ist eine alte Version des Dokuments!


ASCII-Armored Addresses

The previous chapter about dangerous standard library functions revealed that many buffer overflows are caused by the incorrect handling of ASCII strings. Limiting this attack vector, Red Hat provided a patch1) for the Linux kernel that places executable code in low memory addresses. With all executable addresses containing a 0-byte and string functions like strcpy() stopping at this termination character, the patch prevents the successful usage of these addresses in string functions. Using this property of ASCII strings as protection mechanism, this protected memory area was named „ASCII-armor area“2).

Due to the rise of ASLR and NX this patch is commonly considered obsolete. However, a similar concept applies when considering x64 systems. Only the lowest 48 bits are used for virtual addressing. According to the x64 standard, the remaining 16 bits are required to have the same value as the 48th bit3). In cases where the 48th bit is 0, the two highest bytes of the address have a value of 0 and protect against ASCII-based attacks.