Basic Buffer Overflows

Size: px
Start display at page:

Download "Basic Buffer Overflows"

Transcription

1 Operating Systems Security Basic Buffer Overflows (Stack Smashing) Computer Security & OS lab. Cho, Seong-je ( 조성제 ) Fall, 2018 sjcho at dankook.ac.kr

2 Chapter 10 Buffer Overflow 2

3 Contents Virtual Memory Layout under Linux Stack structure of OS Stack Overflows Buffer Overflow Basics Stack Buffer Overflows Shellcode - 3 -

4 Learning Objectives After studying this chapter, you should be able to: Define what a buffer overflow is Describe how a stack buffer overflow works in detail Define shellcode and describe its use in a buffer overflow attack Hands-on experience on Buffer overflows Buffer overflow vulnerability lab with LoB - 4 -

5 Basic Buffer Overflow boolean rootpriv = false; char name[8]; cin >> name; When the program reads the name Smith S m i t h false char name[8] rootpriv source: Teaching Buffer Overflow, Ken Williams, NC A&T State University -5-

6 Basic Buffer Overflow boolean rootpriv = false; char name[8]; cin >> name; When the program reads the name Armstrong A r m s t r o n g char name[8] rootpriv -6-

7 The Problem void foo(char *s) { int num = 0x123456; char buf[10]; strcpy(buf,s); printf( buf is %s\n,s); } foo( thisstringistoolongforfoo ); Is it possible? buf[10] = 9 ; buf[15] = A ; What happened to num? Where is buf[10] located in memory space? (text, data, heap, stack)? Where are local variables? What happen when a function is called in C? Assume the address of buf[0] is 1500 on Intel x86. The address of buf[5] =? The address of buf[9] =? The address of buf[10] =? -7-

8 Background knowledge to understand buffer overflow? Understanding C functions and the stack. Process memory layout, Stack frame, Some familiarity with machine code Know how system calls are made The system() function, and exec() system call To make shellcode Attacker needs to know which CPU and OS used on the target machine: Our examples are for x86 running Linux or Windows Details vary slightly between CPUs and OSs: Little endian vs. big endian (x86 vs. Motorola) Stack Frame structure (Unix vs. Windows) Stack growth direction -8-

9 Programs and Processes Figure 10.4 Program Loading into Process Memory 9

10 Layout of the Virtual Space of a Process The layout of the virtual space of a process in Linux The stack is used whenever a function call is made -10-

11 Linux Process Memory Layout -11-

12 Layout of Stack Stack grows from high-end address to low-end address But, buffer grows from low-end address to high-end address Return Address- When a function returns, the instructions pointed by it will be executed; Stack Frame pointer(esp)- is used to reference to local variables and function parameters. int cal (int a, int b) { int c; c = a + b; return c; } int main () { int d; d = cal(1, 2); printf("%d\n", d); return; } ebp esp b (2) a (1) ret addr(0x ) previous ebp c Stack high-end address Low-end address -12-

13 The Stack Frame On the x86 architecture the stack grows downwards Stack is divided into individual stack frames Each function call (call instruction) sets up a new stack frame on top of the stack Function arguments Return address Upon function return (i.e., a ret instruction is issued), control transfers to the code pointed to by the return address (i.e., control transfers back to the caller of the function) Saved Base Pointer Base pointer of the calling function Variables/arguments are accessed via an offset to the base pointer Local variables -13-

14 Stack Review Consider the function void thefunc( float &dog, int cat ){ char cow[4]; gets (cow); } that is called by the main program main(){ int oak = 5; float pine = 7.0; float *birch = &pine; } thefunc( birch, oak ); : 14

15 Stack for Call push oak push birch push return address push frame pointer Allocate space for local variable, cow[4] 5 (value of oak) address of pine return address Addr of last frame cow[4] thefunc( birch, oak ); source: Teaching Buffer Overflow, Ken Williams, NC A&T State University 15

16 Overflowing Local Variables On an Intel processor (and many others) the stack is extended to lower addresses If you address beyond a local variable, you will overwrite the return address. 5 (value of oak) address of pine return address Addr of last frame cow[4] 16

17 Hacking the Stack If a program does not properly check array bounds, it may be possible to give the program specially crafted input that overwrites the return address with a binary value. 5 (value of oak) address of pine return address Addr of last frame cow[4] cow[8] to cow[11] are the return address 17

18 Hacking the Stack If a program does not properly check array bounds, it may be possible to give the program specially crafted input that overwrites the return address with a binary value. 5 (value of oak) address of pine return addr=? Frame ptr = wxyz cow[4]= abcd The return address can be changed to the address of a function in the program. Function parameters can also be put on the stack 18

19 Stack Buffer Overflow A buffer overflow occurs when too much data is put into the buffer; C language and its derivatives(c++) offer many ways to put more data than anticipated into a buffer; gets( ), strcpy( ), strcat( ), sprintf( ), scanf( ) Stack smashing attacks = Stack overflow = Stack overrun Does buffer overflow mean stack overflow at all times? -19-

20 Example Int bof() { char buffer[8]; // an 8 bytes buffer which is in the stack strcpy(buffer, AAAAAAAAAAAAAAAAAAA ); // copy 20 bytes into buffer // this will cause to the content of ret to be overwritten; // namely, the return address will be 0x (AAAA) return 1; } int main () { bof(); // call bof printf( end\n ); // will never be executed; return 1; } EBP &buffer[0] ESP AAAA AAAA (RET->printf()) AAAA (previous EBP) AAAA AAAA source: Attacks using stack buffer overflow, Boxuan Gu, Ohio-state University -20-

21 Another example of Buffer Overflow Find a input to print out Success [Stack]#./bo2 `perl -e 'print "A"x22'` [Stack]#./bo2 `perl -e 'print "A"x24'` [Stack]#./bo2 `perl -e 'print "A"x28'` [Stack]#./bo2 `perl -e 'print "A"x32'` Segmentation fault (core dumped) Little endian Big endian /* bo2.c */ #include <stdio.h> #include <string.h> int main(int argc, char * argv[]) { int locvar = 20; char buf[22]; } strcpy(buf, argv[1]); if (locvar == 0x ) printf( Success\n ); return 0; [Stack]#./bo2 `perl -e 'print "A"x22, "\x08\x01\x02\x05"'` [Stack]#./bo2 `perl -e 'print "A"x24, "\x08\x01\x02\x05"'` [Stack]#./bo2 `perl -e 'print "A"x24, "\x05\x02\x01\x08"'` Success -21-

22 Buffer Overflow (Stack Overflow) 1) Inject (malicious) code 2) Manipulate code pointer (return address) /* vuln1.c */ #include <unistd.h> void Func(char *argv) { char buff[4]; printf("some input: "); strcpy(buff, argv); puts(buff); } int main(int argc, char *argv[ ]) { Func (argv[1]); return 0; } $ vuln1 `perl e print A x8, \x74\x85\x96\xbf ` -22-

23 Basic Idea of the Attack using stack buffer overflow Bottom of Stack Intent Arbitrary code execution Spawn a shell or infect with worm/virus DoS Attack Code (= Malicious code) Cause software to crash E.g., TCP sync flooding Steps RET addr 1) Inject malicious code into the virtual space of a process; Buffer grows Local variable (buffer) Stack grows 2) Overflow RET addr 3) Redirect control flow to the malicious code. 4) Execute attack code -23-

24 Malicious Code = Attack code = Shellcode A long input to a short buffer might also contain binary machine language. The return address can be overwritten to cause the program to jump to the newly loaded machine language when it returns. Shellcode Shellcode is defined as a set of instructions which is injected and then is executed by an exploited program; Shellcode is used to directly manipulate registers and the function of a program; Most of shellcodes use system call to do malicious behaviors; System calls is a set of functions which allow you to access operating system-specific functions such as getting input, producing output, exiting a process; -24-

25 Shellcode code supplied by attacker often saved in buffer being overflowed traditionally transferred control to a user command-line interpreter (shell) machine code specific to processor and operating system traditionally needed good assembly language skills to create more recently a number of sites and tools have been developed that automate this process Metasploit Project provides useful information to people who perform penetration testing, IDS signature development, and exploit research 25

26 Example UNIX Shellcode 26

27 Stack Smashing Malicious input via local variables (argv[]) Malicious input contains shellcode, pattern bytes, and a new return address After completing a function, return is resulted in execution of shellcode -27-

28 Code Injection Attacks with Stack smashing obtain a shell by injecting shellcode Main problems No bounds-checking functions: strcpy(), strcat(), sprintf(), strlen(), memcpy(), etc A code is writable and executable in stack -28-

29 Another Attack Scenario of Buffer Overflow Typical Attack Scenario: Users enter data into a Web form Web form is sent to server Server writes data to buffer, without checking length of input data Data overflows from buffer Sometimes, overflow can enable an attack Web form attack could be carried out by anyone with an Internet connection -29-

30 Summary of Buffer Overflows -30-

31 General Idea Target of Buffer Overflow Attacks Subvert the usual execution flow of a program by redirecting it to a injected (malicious) code The attack consists of 1 2 injecting new (malicious) code into some writable memory area, and changing a code pointer (usually the return address) in such a way that it points to the injected malicious code. Code Injection Code can be injected by overflowing a local buffer allocated on the stack The target of the injected code is usually to launch a shell to the adversary Therefore the injected code is often referred to as shellcode -31-

32 Summary Buffer overflows Application reserves adjacent memory locations (buffer) to store arguments to a function, or variable values. Attacker gives an argument too long to fit in the buffer. The application copies the whole argument, overflowing the buffer and overwriting memory space. If the conditions are just right this will enable to attacker to gain control over the program flow and execute arbitrary code, with the same privileges of the original application. Particularly problematic when present in system libraries and other code that runs with high execution privileges. LoB (Lord of Buffer overflows) -32-

33 Buffer Overflow Attacks One of control hijacking attacks Control hijacking attacks Attacker s goal: Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control flow Examples: Buffer overflow, Integer overflows, Format string attacks, Code injection Injected code, shellcode Code-reuse attacks Existing code, Ret2Libc, Return Oriented Programming (ROP), Related Linux commands strings, size, file, objdump, gdb, ls l, chmod, find, -33-

Stack Overflow COMP620

Stack Overflow COMP620 Stack Overflow COMP620 There are two kinds of people in America today: those who have experienced a foreign cyber attack and know it, and those who have experienced a foreign cyber attack and don t know

More information

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include injection of malicious code Reasons for runtime attacks

More information

Lecture 08 Control-flow Hijacking Defenses

Lecture 08 Control-flow Hijacking Defenses Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides adapted from Miller, Bailey, and Brumley Control Flow Hijack: Always control + computation

More information

Defense against Code-injection, and Code-reuse Attack

Defense against Code-injection, and Code-reuse Attack Operating Systems Security Defense against Code-injection, and Code-reuse Attack Computer Security & OS lab. Cho, Seong-je ( 조성제 ) sjcho at dankook.ac.kr Fall, 2018 Contents Buffer Overflows: Stack Smashing,

More information

Buffer Overflows Defending against arbitrary code insertion and execution

Buffer Overflows Defending against arbitrary code insertion and execution www.harmonysecurity.com info@harmonysecurity.com Buffer Overflows Defending against arbitrary code insertion and execution By Stephen Fewer Contents 1 Introduction 2 1.1 Where does the problem lie? 2 1.1.1

More information

CMPSC 497 Buffer Overflow Vulnerabilities

CMPSC 497 Buffer Overflow Vulnerabilities Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Buffer Overflow

More information

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS) Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus(MSR) and Brandon Baker (MS) Buffer Overflows and How they Occur Buffer is a contiguous segment of memory of a fixed

More information

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013 CS 645: Lecture 3 Software Vulnerabilities Rachel Greenstadt July 3, 2013 Project 1: Software exploits Individual project - done in virtual machine environment This assignment is hard. Don t leave it until

More information

Secure Software Development: Theory and Practice

Secure Software Development: Theory and Practice Secure Software Development: Theory and Practice Suman Jana MW 2:40-3:55pm 415 Schapiro [SCEP] *Some slides are borrowed from Dan Boneh and John Mitchell Software Security is a major problem! Why writing

More information

Buffer overflow background

Buffer overflow background and heap buffer background Comp Sci 3600 Security Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Address Space and heap buffer

More information

Control Hijacking Attacks

Control Hijacking Attacks Control Hijacking Attacks Alexandros Kapravelos kapravelos@ncsu.edu (Derived from slides from Chris Kruegel) Attacker s mindset Take control of the victim s machine Hijack the execution flow of a running

More information

buffer overflow exploitation

buffer overflow exploitation buffer overflow exploitation Samuele Andreoli, Nicolò Fornari, Giuseppe Vitto May 11, 2016 University of Trento Introduction 1 introduction A Buffer Overflow is an anomaly where a program, while writing

More information

20: Exploits and Containment

20: Exploits and Containment 20: Exploits and Containment Mark Handley Andrea Bittau What is an exploit? Programs contain bugs. These bugs could have security implications (vulnerabilities) An exploit is a tool which exploits a vulnerability

More information

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP CSC 591 Systems Attacks and Defenses Return-into-libc & ROP Alexandros Kapravelos akaprav@ncsu.edu NOEXEC (W^X) 0xFFFFFF Stack Heap BSS Data 0x000000 Code RW RX Deployment Linux (via PaX patches) OpenBSD

More information

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks 2 ARM stands for Advanced RISC Machine Application area: Embedded systems Mobile phones, smartphones (Apple iphone, Google Android), music players, tablets, and some netbooks Advantage: Low power consumption

More information

Exercise 6: Buffer Overflow and return-into-libc Attacks

Exercise 6: Buffer Overflow and return-into-libc Attacks Technische Universität Darmstadt Fachbereich Informatik System Security Lab Prof. Dr.-Ing. Ahmad-Reza Sadeghi M.Sc. David Gens Exercise 6: Buffer Overflow and return-into-libc Attacks Course Secure, Trusted

More information

Buffer Overflow Vulnerability

Buffer Overflow Vulnerability Buffer Overflow Vulnerability 1 Buffer Overflow Vulnerability Copyright c 2006 2014 Wenliang Du, Syracuse University. The development of this document is/was funded by three grants from the US National

More information

(Early) Memory Corruption Attacks

(Early) Memory Corruption Attacks (Early) Memory Corruption Attacks CS-576 Systems Security Instructor: Georgios Portokalidis Fall 2018 Fall 2018 Stevens Institute of Technology 1 Memory Corruption Memory corruption occurs in a computer

More information

18-600: Recitation #4 Exploits

18-600: Recitation #4 Exploits 18-600: Recitation #4 Exploits 20th September 2016 Agenda More x86-64 assembly Buffer Overflow Attack Return Oriented Programming Attack 3 Recap: x86-64: Register Conventions Arguments passed in registers:

More information

Lecture 4 September Required reading materials for this class

Lecture 4 September Required reading materials for this class EECS 261: Computer Security Fall 2007 Lecture 4 September 6 Lecturer: David Wagner Scribe: DK Moon 4.1 Required reading materials for this class Beyond Stack Smashing: Recent Advances in Exploiting Buffer

More information

Control Flow Hijacking Attacks. Prof. Dr. Michael Backes

Control Flow Hijacking Attacks. Prof. Dr. Michael Backes Control Flow Hijacking Attacks Prof. Dr. Michael Backes Control Flow Hijacking malicious.pdf Contains bug in PDF parser Control of viewer can be hijacked Control Flow Hijacking Principles Normal Control

More information

Program Security and Vulnerabilities Class 2

Program Security and Vulnerabilities Class 2 Program Security and Vulnerabilities Class 2 CEN-5079: 28.August.2017 1 Secure Programs Programs Operating System Device Drivers Network Software (TCP stack, web servers ) Database Management Systems Integrity

More information

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows Betriebssysteme und Sicherheit Sicherheit Buffer Overflows Software Vulnerabilities Implementation error Input validation Attacker-supplied input can lead to Corruption Code execution... Even remote exploitation

More information

Buffer Overflow and Protection Technology. Department of Computer Science,

Buffer Overflow and Protection Technology. Department of Computer Science, Buffer Overflow and Protection Technology Department of Computer Science, Lorenzo Cavallaro Andrea Lanzi Table of Contents Introduction

More information

Secure Systems Engineering

Secure Systems Engineering Secure Systems Engineering Chester Rebeiro Indian Institute of Technology Madras Flaws that would allow an attacker access the OS flaw Bugs in the OS The Human factor Chester Rebeiro, IITM 2 Program Bugs

More information

Università Ca Foscari Venezia

Università Ca Foscari Venezia Stack Overflow Security 1 2018-19 Università Ca Foscari Venezia www.dais.unive.it/~focardi secgroup.dais.unive.it Introduction Buffer overflow is due to careless programming in unsafe languages like C

More information

Buffer Overflow Vulnerability Lab Due: September 06, 2018, Thursday (Noon) Submit your lab report through to

Buffer Overflow Vulnerability Lab Due: September 06, 2018, Thursday (Noon) Submit your lab report through  to CPSC 8810 Fall 2018 Lab 1 1 Buffer Overflow Vulnerability Lab Due: September 06, 2018, Thursday (Noon) Submit your lab report through email to lcheng2@clemson.edu Copyright c 2006-2014 Wenliang Du, Syracuse

More information

One-Slide Summary. Lecture Outline. Language Security

One-Slide Summary. Lecture Outline. Language Security Language Security Or: bringing a knife to a gun fight #1 One-Slide Summary A language s design principles and features have a strong influence on the security of programs written in that language. C s

More information

Fundamentals of Computer Security

Fundamentals of Computer Security Fundamentals of Computer Security Spring 2015 Radu Sion Software Errors Buffer Overflow TOCTTOU 2005-15 Portions copyright by Bogdan Carbunar and Wikipedia. Used with permission Why Security Vulnerabilities?

More information

Project 1 Notes and Demo

Project 1 Notes and Demo Project 1 Notes and Demo Overview You ll be given the source code for 7 short buggy programs (target[1-7].c). These programs will be installed with setuid root Your job is to write exploits (sploit[1-7].c)

More information

United States Naval Academy Electrical and Computer Engineering Department EC310-6 Week Midterm Spring AY2017

United States Naval Academy Electrical and Computer Engineering Department EC310-6 Week Midterm Spring AY2017 United States Naval Academy Electrical and Computer Engineering Department EC310-6 Week Midterm Spring AY2017 1. Do a page check: you should have 8 pages including this cover sheet. 2. You have 50 minutes

More information

18-600: Recitation #4 Exploits (Attack Lab)

18-600: Recitation #4 Exploits (Attack Lab) 18-600: Recitation #4 Exploits (Attack Lab) September 19th, 2017 Announcements Some students have triggered the bomb multiple times Use breakpoints for explode_bomb() Attack lab will be released on Sep.

More information

Architecture-level Security Vulnerabilities

Architecture-level Security Vulnerabilities Architecture-level Security Vulnerabilities Björn Döbel Outline How stacks work Smashing the stack for fun and profit Preventing stack smashing attacks Circumventing stack smashing prevention The Battlefield:

More information

CS 161 Computer Security

CS 161 Computer Security Paxson Spring 2017 CS 161 Computer Security Discussion 2 Question 1 Software Vulnerabilities (15 min) For the following code, assume an attacker can control the value of basket passed into eval basket.

More information

Is stack overflow still a problem?

Is stack overflow still a problem? Morris Worm (1998) Code Red (2001) Secure Programming Lecture 4: Memory Corruption II (Stack Overflows) David Aspinall, Informatics @ Edinburgh 31st January 2017 Memory corruption Buffer overflow remains

More information

Advanced Buffer Overflow

Advanced Buffer Overflow Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2016/2017 Department of Electrical and Electronic Engineering

More information

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated CNIT 127: Exploit Development Ch 1: Before you begin Updated 1-14-16 Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend, such as Denial

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 14: Software Security Department of Computer Science and Engineering University at Buffalo 1 Software Security Exploiting software vulnerabilities is paramount

More information

Offensive Security My First Buffer Overflow: Tutorial

Offensive Security My First Buffer Overflow: Tutorial Offensive Security My First Buffer Overflow: Tutorial César Bernardini University of Trento cesar.bernardini@unitn.it October 12, 2015 2 Cesar Bernardini Postdoctoral Fellow at UNITN PhD Student at INRIA-LORIA

More information

Buffer Overflow Attack

Buffer Overflow Attack Chapter 4 This is a sample chapter in the book titled "Computer Security: A Hands-on Approach" authored by Wenliang Du. Buffer Overflow Attack From Morris worm in 1988, Code Red worm in 2001, SQL Slammer

More information

ISA 564, Laboratory I: Buffer Overflows

ISA 564, Laboratory I: Buffer Overflows ISA 564, Laboratory I: Buffer Overflows Lab Submission Instructions To complete the lab, you need to submit the compressed files (either tar or zip) using the GMU Blackboard system. Please make sure that

More information

Stack-Based Buffer Overflow Explained. Marc Koser. East Carolina University. ICTN 4040: Enterprise Information Security

Stack-Based Buffer Overflow Explained. Marc Koser. East Carolina University. ICTN 4040: Enterprise Information Security Running Head: BUFFER OVERFLOW 1 Stack-Based Buffer Overflow Explained Marc Koser East Carolina University ICTN 4040: Enterprise Information Security Instructor: Dr. Philip Lunsford 03-17-2015 Prepared

More information

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2 CIS 551 / TCOM 401 Computer and Network Security Spring 2007 Lecture 2 Announcements First project is on the web Due: Feb. 1st at midnight Form groups of 2 or 3 people If you need help finding a group,

More information

ISA564 SECURITY LAB. Code Injection Attacks

ISA564 SECURITY LAB. Code Injection Attacks ISA564 SECURITY LAB Code Injection Attacks Outline Anatomy of Code-Injection Attacks Lab 3: Buffer Overflow Anatomy of Code-Injection Attacks Background About 60% of CERT/CC advisories deal with unauthorized

More information

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics. Lecture 6B Machine-Level Programming V: Miscellaneous Topics Topics Linux Memory Layout Understanding Pointers Buffer Overflow Upper 2 hex digits of address Red Hat v. 6.2 ~1920MB memory limit FF C0 Used

More information

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows) Secure Programming Lecture 3: Memory Corruption I (Stack Overflows) David Aspinall, Informatics @ Edinburgh 24th January 2017 Outline Roadmap Memory corruption vulnerabilities Instant Languages and Runtimes

More information

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software. Outline Morris Worm (1998) Infamous attacks Secure Programming Lecture 4: Memory Corruption II (Stack Overflows) David Aspinall, Informatics @ Edinburgh 23rd January 2014 Recap Simple overflow exploit

More information

CSE 509: Computer Security

CSE 509: Computer Security CSE 509: Computer Security Date: 2.16.2009 BUFFER OVERFLOWS: input data Server running a daemon Attacker Code The attacker sends data to the daemon process running at the server side and could thus trigger

More information

ECS 153 Discussion Section. April 6, 2015

ECS 153 Discussion Section. April 6, 2015 ECS 153 Discussion Section April 6, 2015 1 What We ll Cover Goal: To discuss buffer overflows in detail Stack- based buffer overflows Smashing the stack : execution from the stack ARC (or return- to- libc)

More information

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

Security and Privacy in Computer Systems. Lecture 5: Application Program Security CS 645 Security and Privacy in Computer Systems Lecture 5: Application Program Security Buffer overflow exploits More effective buffer overflow attacks Preventing buffer overflow attacks Announcement Project

More information

Lecture 09 Code reuse attacks. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017

Lecture 09 Code reuse attacks. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Lecture 09 Code reuse attacks Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Last time No good reason for stack/heap/static data to be executable No good reason for code to be writable

More information

Assignment 4 Buffer Overflows

Assignment 4 Buffer Overflows LEIC/MEIC - IST Alameda LEIC/MEIC/MERC IST Taguspark DEASegInf Network and Computer Security 2012/2013 Assignment 4 Buffer Overflows Goal Exploit buffer overflow vulnerabilities. 1. Introduction Log in

More information

BUFFER OVERFLOW. Jo, Heeseung

BUFFER OVERFLOW. Jo, Heeseung BUFFER OVERFLOW Jo, Heeseung IA-32/LINUX MEMORY LAYOUT Heap Runtime stack (8MB limit) Dynamically allocated storage When call malloc(), calloc(), new() DLLs (shared libraries) Data Text Dynamically linked

More information

Buffer Overflow. Jo, Heeseung

Buffer Overflow. Jo, Heeseung Buffer Overflow Jo, Heeseung IA-32/Linux Memory Layout Heap Runtime stack (8MB limit) Dynamically allocated storage When call malloc(), calloc(), new() DLLs (shared libraries) Data Text Dynamically linked

More information

Architecture-level Security Vulnerabilities. Julian Stecklina

Architecture-level Security Vulnerabilities. Julian Stecklina Architecture-level Security Vulnerabilities Julian Stecklina Outline How stacks work Smashing the stack for fun and profit Preventing stack smashing attacks Circumventing stack smashing prevention The

More information

Language Security. Lecture 40

Language Security. Lecture 40 Language Security Lecture 40 (from notes by G. Necula) Prof. Hilfinger CS 164 Lecture 40 1 Lecture Outline Beyond compilers Looking at other issues in programming language design and tools C Arrays Exploiting

More information

Software Security II: Memory Errors - Attacks & Defenses

Software Security II: Memory Errors - Attacks & Defenses 1 Software Security II: Memory Errors - Attacks & Defenses Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab1 Writeup 3 Buffer overflow Out-of-bound memory writes (mostly sequential) Allow

More information

putting m bytes into a buffer of size n, for m>n corrupts the surrounding memory check size of data before/when writing

putting m bytes into a buffer of size n, for m>n corrupts the surrounding memory check size of data before/when writing Secure Programming Lecture 4: Memory Corruption II (Stack & Heap Overflows) David Aspinall, Informatics @ Edinburgh 28th January 2019 Memory corruption Buffer overflow is a common vulnerability Simple

More information

Lab 2: Buffer Overflows

Lab 2: Buffer Overflows Lab 2: Buffer Overflows Fengwei Zhang Wayne State University Course: Cyber Security Prac@ce 1 Buffer Overflows One of the most common vulnerabili@es in soeware Programming languages commonly associated

More information

Secure Programming Lecture 4: Memory Corruption II (Stack & Heap Overflows)

Secure Programming Lecture 4: Memory Corruption II (Stack & Heap Overflows) Secure Programming Lecture 4: Memory Corruption II (Stack & Heap Overflows) David Aspinall, Informatics @ Edinburgh 28th January 2019 Memory corruption Buffer overflow is a common vulnerability. Simple

More information

Buffer Overflow Attack (AskCypert CLaaS)

Buffer Overflow Attack (AskCypert CLaaS) Buffer Overflow Attack (AskCypert CLaaS) ---------------------- BufferOverflow.c code 1. int main(int arg c, char** argv) 2. { 3. char name[64]; 4. printf( Addr;%p\n, name); 5. strcpy(name, argv[1]); 6.

More information

CS 392/681 Lab 6 Experiencing Buffer Overflows and Format String Vulnerabilities

CS 392/681 Lab 6 Experiencing Buffer Overflows and Format String Vulnerabilities CS 392/681 Lab 6 Experiencing Buffer Overflows and Format String Vulnerabilities Given: November 13, 2003 Due: November 20, 2003 1 Motivation Buffer overflows and format string vulnerabilities are widespread

More information

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 1 Programming Why do we write programs? Function What functions do we enable via our programs?

More information

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University Buffer Overflow Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu IA-32/Linux Memory Layout Runtime stack (8MB limit) Heap Dynamically allocated storage

More information

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32. Lab session this afternoon Memory corruption attacks Secure Programming Lecture 6: Memory Corruption IV (Countermeasures) David Aspinall, Informatics @ Edinburgh 2nd February 2016 The first Secure Programming

More information

malloc() is often used to allocate chunk of memory dynamically from the heap region. Each chunk contains a header and free space (the buffer in which

malloc() is often used to allocate chunk of memory dynamically from the heap region. Each chunk contains a header and free space (the buffer in which Heap Overflow malloc() is often used to allocate chunk of memory dynamically from the heap region. Each chunk contains a header and free space (the buffer in which data are placed). The header contains

More information

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

CSc 466/566. Computer Security. 20 : Operating Systems Application Security 1/68 CSc 466/566 Computer Security 20 : Operating Systems Application Security Version: 2014/11/20 13:07:28 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2014 Christian

More information

CS527 Software Security

CS527 Software Security Attack Vectors Purdue University, Spring 2018 Exploitation: Disclaimer This section focuses software exploitation We will discuss both basic and advanced exploitation techniques We assume that the given

More information

ROP It Like It s Hot!

ROP It Like It s Hot! Wednesday, December 3, 14 2014 Red Canari, Inc. All rights reserved. 1 I N F O R M AT I O N S E C U R I T Y ROP It Like It s Hot! A 101 on Buffer Overflows, Return Oriented Programming, & Shell- code Development

More information

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40 Security Workshop HTS LSE Team EPITA 2018 February 3rd, 2016 1 / 40 Introduction What is this talk about? Presentation of some basic memory corruption bugs Presentation of some simple protections Writing

More information

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018 CSCE 548 Building Secure Software Buffer Overflow Professor Lisa Luo Spring 2018 Previous Class Virus vs. Worm vs. Trojan & Drive-by download Botnet & Rootkit Malware detection Scanner Polymorphic malware

More information

Buffer overflows & friends CS642: Computer Security

Buffer overflows & friends CS642: Computer Security Buffer overflows & friends CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu University of Wisconsin CS 642 Homework 1 will be up tonight Low- level

More information

Buffer-Overflow Attacks on the Stack

Buffer-Overflow Attacks on the Stack Computer Systems Buffer-Overflow Attacks on the Stack Introduction A buffer overflow occurs when a program, while writing data to a buffer, overruns the buffer's boundary and overwrites memory in adjacent

More information

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures)

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures) Secure Programming Lecture 6: Memory Corruption IV (Countermeasures) David Aspinall, Informatics @ Edinburgh 2nd February 2016 Outline Announcement Recap Containment and curtailment Tamper detection Memory

More information

Lab 2: Buffer Overflows

Lab 2: Buffer Overflows Department of Computer Science: Cyber Security Practice Lab 2: Buffer Overflows Introduction In this lab, you will learn how buffer overflows and other memory vulnerabilities are used to takeover vulnerable

More information

CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux

CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux CNIT 127: Exploit Development Ch 2: Stack Overflows in Linux Stack-based Buffer Overflows Most popular and best understood exploitation method Aleph One's "Smashing the Stack for Fun and Profit" (1996)

More information

Return Oriented Programming

Return Oriented Programming ROP gadgets Small instruction sequence ending with a ret instruction 0xc3 Gadgets are found in existing, resident code and libraries There exist tools to search for and find gadgets Gadgets are put together

More information

CSE 127 Computer Security

CSE 127 Computer Security CSE 127 Computer Security Stefan Savage, Fall 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on the

More information

Foundations of Network and Computer Security

Foundations of Network and Computer Security Foundations of Network and Computer Security John Black Lecture #20 Nov 4 th 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Quiz #3 Today Need to know what big-endian is Remind me to mention it if I

More information

CSE 127 Computer Security

CSE 127 Computer Security CSE 127 Computer Security Alex Gantman, Spring 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on

More information

CSE / / 60567: Computer Security. Software Security 4

CSE / / 60567: Computer Security. Software Security 4 CSE 40567 / 44567 / 60567: Computer Security Software Security 4 91 Homework #5 Due: Tonight at 11:59PM Eastern Time (ND) / Pacific Time (SV) See Assignments Page on the course website for details 92 Notes

More information

CSE 127 Computer Security

CSE 127 Computer Security CSE 127 Computer Security Stefan Savage, Spring 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on

More information

Foundations of Network and Computer Security

Foundations of Network and Computer Security Foundations of Network and Computer Security John Black Lecture #19 Nov 2 nd 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Quiz #3 This Thursday Covers material from midterm through today Project #3

More information

Practical Malware Analysis

Practical Malware Analysis Practical Malware Analysis Ch 4: A Crash Course in x86 Disassembly Revised 1-16-7 Basic Techniques Basic static analysis Looks at malware from the outside Basic dynamic analysis Only shows you how the

More information

Advanced Buffer Overflow

Advanced Buffer Overflow Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2017/2018 Department of Electrical and Electronic Engineering

More information

CMSC 414 Computer and Network Security

CMSC 414 Computer and Network Security CMSC 414 Computer and Network Security Buffer Overflows Dr. Michael Marsh August 30, 2017 Trust and Trustworthiness You read: Reflections on Trusting Trust (Ken Thompson), 1984 Smashing the Stack for Fun

More information

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University Buffer Overflow Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu x86-64/linux Memory Layout Stack Runtime stack (8MB limit) Heap Dynamically allocated

More information

HW 8 CS681 & CS392 Computer Security Understanding and Experimenting with Memory Corruption Vulnerabilities DUE 12/18/2005

HW 8 CS681 & CS392 Computer Security Understanding and Experimenting with Memory Corruption Vulnerabilities DUE 12/18/2005 HW 8 CS681 & CS392 Computer Security Understanding and Experimenting with Memory Corruption Vulnerabilities 1 Motivation DUE 12/18/2005 Memory corruption vulnerabilities to change program execution flow

More information

Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include

Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include 2 Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include injection of malicious code Reasons for runtime attacks

More information

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities Secure Programming Lecture 3: Memory Corruption I (introduction) David Aspinall, Informatics @ Edinburgh 24th January 2019 Roadmap: Security in the software lifecycle Security is considered at different

More information

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts This time We will begin our 1st section: Software Security By investigating Buffer overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Software security

More information

Buffer Overflow Attacks

Buffer Overflow Attacks Buffer Overflow Attacks 1. Smashing the Stack 2. Other Buffer Overflow Attacks 3. Work on Preventing Buffer Overflow Attacks Smashing the Stack An Evil Function void func(char* inp){ } char buffer[16];

More information

Sample slides and handout

Sample slides and handout www.securecodingacademy.com Join the Secure Coding Academy group on LinkedIn and stay informed about our courses! [FOOTER] Sample slides and handout 2016 SCADEMY Secure Coding Academy Confidential. These

More information

Selected background on ARM registers, stack layout, and calling convention

Selected background on ARM registers, stack layout, and calling convention Selected background on ARM registers, stack layout, and calling convention ARM Overview ARM stands for Advanced RISC Machine Main application area: Mobile phones, smartphones (Apple iphone, Google Android),

More information

ENEE 457: Computer Systems Security. Lecture 16 Buffer Overflow Attacks

ENEE 457: Computer Systems Security. Lecture 16 Buffer Overflow Attacks ENEE 457: Computer Systems Security Lecture 16 Buffer Overflow Attacks Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland, College Park Buffer overflow

More information

Shellbased Wargaming

Shellbased Wargaming Shellbased Wargaming Abstract Wargaming is a hands-on way to learn about computer security and common programming mistakes. This document is intended for readers new to the subject and who are interested

More information

Hands-on Ethical Hacking: Preventing & Writing Buffer Overflow Exploits

Hands-on Ethical Hacking: Preventing & Writing Buffer Overflow Exploits Hands-on Ethical Hacking: Preventing & Writing Buffer Overflow Exploits OWASP AppSec 2013 Rochester OWASP Chapter Lead Ralph Durkee - Durkee Consulting, Inc. info@rd1.net Hands-on Ethical Hacking: Preventing

More information

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

Introduction to Computer Systems , fall th Lecture, Sep. 28 th Introduction to Computer Systems 15 213, fall 2009 9 th Lecture, Sep. 28 th Instructors: Majd Sakr and Khaled Harras Last Time: Structures struct rec { int i; int a[3]; int *p; }; Memory Layout i a p 0

More information

Buffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

Buffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University Buffer Overflow Jinkyu Jeong (jinkyu@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu SSE2030: Introduction to Computer Systems, Spring 2018, Jinkyu Jeong (jinkyu@skku.edu)

More information

Software Security: Buffer Overflow Defenses

Software Security: Buffer Overflow Defenses CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,

More information