CS241 Computer Organization Spring Buffer Overflow

Size: px

Start display at page:

Download "CS241 Computer Organization Spring Buffer Overflow"

Brendan Nash
5 years ago
Views:

1 CS241 Computer Organization Spring 2015 Buffer Overflow

2 Outline! Linking & Loading, continued! Buffer Overflow Read: CSAPP2: section 3.12: out-of-bounds memory references & buffer overflow K&R: Chapter 5, section 5.11 C Traps & Pitfalls (course website, on-line references) Quiz today on IA32 (HW4) Quiz Tuesday, April 7th on run-time stack (HW5) Lab#3 BufferLab goes live tomorrow HW#7 due today HW#6 due: Tuesday, April 7th

3 Linker Symbols Global symbols Symbols defined by module m that can be referenced by other modules. E.g.: non-static C functions and non-static global variables. External symbols Global symbols that are referenced by module m but defined by some other module. Local symbols Symbols that are defined and referenced exclusively by module m. E.g.: C functions and variables defined with the static attribute. Local linker symbols are not local program variables

4 Resolving Symbols Global External Local int buf[2] = {1, 2}; extern int buf[]; int main() { swap(); return 0; } External main.c Linker knows nothing of temp static int *bufp0 = &buf[0]; static int *bufp1; void swap() { int temp; } bufp1 = &buf[1]; temp = *bufp0; *bufp0 = *bufp1; *bufp1 = temp; Global swap.c

5 Relocating Code and Data Relocatable Object Files Executable Object File System code System data.text.data 0 Headers System code main.o main().text main() swap().text int buf[2]={1,2}.data More system code swap.o swap() int *bufp0=&buf[0] int *bufp1.text.data.bss System data int buf[2]={1,2} int *bufp0=&buf[0] Uninitialized data.symtab.debug.data.bss

6 Relocation Info (main) main.c int buf[2] = {1,2}; int main() { swap(); return 0; } main.o <main>: 0: 55 push %ebp 1: 89 e5 mov %esp,%ebp 3: 83 ec 08 sub $0x8,%esp 6: e8 fc ff ff ff call 7 <main+0x7> 7: R_386_PC32 swap b: 31 c0 xor %eax,%eax d: 89 ec mov %ebp,%esp f: 5d pop %ebp 10: c3 ret Disassembly of section.data: <buf>: 0: Source: objdump

7 Relocation Info (swap,.text) swap.c extern int buf[]; static int *bufp0 = &buf[0]; static int *bufp1; void swap() { int temp; } bufp1 = &buf[1]; temp = *bufp0; *bufp0 = *bufp1; *bufp1 = temp; swap.o Disassembly of section.text: <swap>: 0: 55 push %ebp 1: 8b mov 0x0,%edx 3: R_386_32 bufp0 7: a mov 0x4,%eax 8: R_386_32 buf c: 89 e5 mov %esp,%ebp e: c movl $0x4,0x0 15: : R_386_32 bufp1 14: R_386_32 buf 18: 89 ec mov %ebp,%esp 1a: 8b 0a mov (%edx),%ecx 1c: mov %eax,(%edx) 1e: a mov 0x0,%eax 1f: R_386_32 bufp1 23: mov %ecx,(%eax) 25: 5d pop %ebp 26: c3 ret

8 Relocation Info (swap,.data) swap.c extern int buf[]; static int *bufp0 = &buf[0]; static int *bufp1; void swap() { int temp; Disassembly of section.data: <bufp0>: 0: : R_386_32 buf } bufp1 = &buf[1]; temp = *bufp0; *bufp0 = *bufp1; *bufp1 = temp;

9 Executable After Relocation (.text) b4 <main>: 80483b4: 55 push %ebp 80483b5: 89 e5 mov %esp,%ebp 80483b7: 83 ec 08 sub $0x8,%esp 80483ba: e call 80483c8 <swap> 80483bf: 31 c0 xor %eax,%eax 80483c1: 89 ec mov %ebp,%esp 80483c3: 5d pop %ebp 80483c4: c3 ret c8 <swap>: 80483c8: 55 push %ebp 80483c9: 8b 15 5c mov 0x804945c,%edx 80483cf: a mov 0x ,%eax 80483d4: 89 e5 mov %esp,%ebp 80483d6: c movl $0x ,0x dd: e0: 89 ec mov %ebp,%esp 80483e2: 8b 0a mov (%edx),%ecx 80483e4: mov %eax,(%edx) 80483e6: a mov 0x ,%eax 80483eb: mov %ecx,(%eax) 80483ed: 5d pop %ebp 80483ee: c3 ret

10 Executable After Relocation (.data) Disassembly of section.data: <buf>: : c <bufp0>: c:

11 Strong and Weak Symbols Program symbols are either strong or weak Strong: procedures and initialized globals Weak: uninitialized globals p1.c p2.c strong int foo=5; int foo; weak strong p1() { } p2() { } strong

12 Linker s Symbol Rules Rule 1: Multiple strong symbols are not allowed Each item can be defined only once Otherwise: Linker error Rule 2: Given a strong symbol and multiple weak symbol, choose the strong symbol References to the weak symbol resolve to the strong symbol Rule 3: If there are multiple weak symbols, pick an arbitrary one Can override this with gcc fno-common

13 Linker Puzzles int x; p1() {} p1() {} Link time error: two strong symbols (p1) int x; p1() {} int x; p2() {} References to x will refer to the same uninitialized int. Is this what you really want? int x; int y; p1() {} double x; p2() {} Writes to x in p2 might overwrite y! Evil! int x=7; int y=5; p1() {} double x; p2() {} Writes to x in p2 will overwrite y! Nasty! int x=7; p1() {} int x; p2() {} References to x will refer to the same initialized variable. Nightmare scenario: two identical weak structs, compiled by different compilers with different alignment rules.

14 Global Variables Avoid if you can Otherwise Use static if you can Initialize if you define a global variable Use extern if you use external global variable

15 Packaging Commonly Used Functions How to package functions commonly used by programmers? Math, I/O, memory management, string manipulation, etc. Awkward, given the linker framework so far: Option 1: Put all functions into a single source file Programmers link big object file into their programs Space and time inefficient Option 2: Put each function in a separate source file Programmers explicitly link appropriate binaries into their programs More efficient, but burdensome on the programmer

16 Solution: Static Libraries Static libraries (.a archive files) Concatenate related relocatable object files into a single file with an index (called an archive). Enhance linker so that it tries to resolve unresolved external references by looking for the symbols in one or more archives. If an archive member file resolves reference, link into executable.

17 Creating Static Libraries atoi.c printf.c random.c Translator Translator... Translator atoi.o printf.o random.o Archiver (ar) unix> ar rs libc.a \ atoi.o printf.o random.o libc.a C standard library Archiver allows incremental updates Recompile function that changes and replace.o file in archive.

18 Commonly Used Libraries libc.a (the C standard library) 8 MB archive of 900 object files. I/O, memory allocation, signal handling, string handling, data and time, random numbers, integer math libm.a (the C math library) 1 MB archive of 226 object files. floating point math (sin, cos, tan, log, exp, sqrt, ) % ar -t /usr/lib/libc.a sort fork.o fprintf.o fpu_control.o fputc.o freopen.o fscanf.o fseek.o fstab.o % ar -t /usr/lib/libm.a sort e_acos.o e_acosf.o e_acosh.o e_acoshf.o e_acoshl.o e_acosl.o e_asin.o e_asinf.o e_asinl.o

19 Linking with Static Libraries addvec.o multvec.o main2.c vector.h Archiver (ar) Translators (cpp, cc1, as) libvector.a libc.a Static libraries Relocatable object files main2.o addvec.o printf.o and any other modules called by printf.o Linker (ld) p2 Fully linked executable object file

20 Using Static Libraries Linker s algorithm for resolving external references: Scan.o files and.a files in the command line order. During the scan, keep a list of the current unresolved references. As each new.o or.a file, obj, is encountered, try to resolve each unresolved reference in the list against the symbols defined in obj. If any entries in the unresolved list at end of scan, then error. Problem: Command line order matters! Moral: put libraries at the end of the command line. unix> gcc -L. libtest.o -lmine unix> gcc -L. -lmine libtest.o libtest.o: In function `main': libtest.o(.text+0x4): undefined reference to `libfun'

21 Loading Executable Object Files Executable Object File ELF header Program header table (required for executables).init section.text section.rodata section.data section 0 0xc x Kernel virtual memory User stack (created at runtime) Memory-mapped region for shared libraries Memory invisible to user code %esp (stack pointer).bss section.symtab.debug.line.strtab Section header table (required for relocatables) 0x Run-time heap (created by malloc) Read/write segment (.data,.bss) Read-only segment (.init,.text,.rodata) Unused brk Loaded from the executable file

23 Internet Worm and IM War November, 1988 Internet Worm attacks thousands of Internet hosts. How did it happen?

24 Internet Worm and IM War November, 1988 Internet Worm attacks thousands of Internet hosts. How did it happen? July, 1999 Microsoft launches MSN Messenger (instant messaging system). Messenger clients can access popular AOL Instant Messaging Service (AIM) servers AIM MSN MSN AIM AIM

25 Internet Worm and IM War (cont.) August 1999 Mysteriously, Messenger clients can no longer access AIM servers. Microsoft and AOL begin the IM war: AOL changes server to disallow Messenger clients Microsoft makes changes to clients to defeat AOL changes. At least 13 such skirmishes. How did it happen? The Internet Worm and AOL/Microsoft War were both based on stack buffer overflow exploits! many Unix functions do not check argument sizes. allows target buffers to overflow.

26 String Library Code Implementation of Unix function gets() /* Get string from stdin */ char *gets(char *dest) { int c = getchar(); char *p = dest; while (c!= EOF && c!= '\n') { *p++ = c; c = getchar(); } *p = '\0'; return dest; } No way to specify limit on number of characters to read Similar problems with other Unix functions strcpy: Copies string of arbitrary length scanf, fscanf, sscanf, when given %s conversion specification

27 Vulnerable Buffer Code /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ gets(buf); puts(buf); } int main() { printf("type a string:"); echo(); return 0; } unix>./bufdemo Type a string: unix>./bufdemo Type a string: Segmentation Fault unix>./bufdemo Type a string: abc Segmentation Fault

28 Buffer Overflow Disassembly f0 <echo>: 80484f0: 55 push %ebp 80484f1: 89 e5 mov %esp,%ebp 80484f3: 53 push %ebx 80484f4: 8d 5d f8 lea 0xfffffff8(%ebp),%ebx 80484f7: 83 ec 14 sub $0x14,%esp 80484fa: 89 1c 24 mov %ebx,(%esp) 80484fd: e8 ae ff ff ff call 80484b0 <gets> : 89 1c 24 mov %ebx,(%esp) : e8 8a fe ff ff call a: 83 c4 14 add $0x14,%esp d: 5b pop %ebx e: c9 leave f: c3 ret 80485f2: e8 f9 fe ff ff call 80484f0 <echo> 80485f7: 8b 5d fc mov 0xfffffffc(%ebp),%ebx 80485fa: c9 leave 80485fb: 31 c0 xor %eax,%eax 80485fd: c3 ret

29 Buffer Overflow Stack Before call to gets Stack Frame for main Return Address Saved %ebp [3] [2] [1] [0] buf %ebp /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ gets(buf); puts(buf); } Stack Frame for echo echo: pushl %ebp movl %esp, %ebp pushl %ebx leal -8(%ebp),%ebx subl $20, %esp movl %ebx, (%esp) call gets... # Save %ebp on stack # Save %ebx # Compute buf as %ebp-8 # Allocate stack space # Push buf on stack # Call gets

30 Buffer Overflow Stack Example Before call to gets Stack Frame for main Carnegie Mellon unix> gdb bufdemo (gdb) break echo Breakpoint 1 at 0x (gdb) run Breakpoint 1, 0x in echo () (gdb) print /x $ebp $1 = 0xffffc638 (gdb) print /x *(unsigned *)$ebp $2 = 0xffffc658 (gdb) print /x *((unsigned *)$ebp + 1) $3 = 0x80485f7 Before call to gets Stack Frame 0xffffc658 for main Return Address Saved %ebp f7 ff ff c6 58 0xffffc638 [3] [2] [1] [0] Stack Frame for echo buf xx xx xx xx buf Stack Frame for echo 80485f2: call 80484f0 <echo> 80485f7: mov 0xfffffffc(%ebp),%ebx # Return Point

31 Buffer Overflow Example #1 Before call to gets Input Stack Frame for main 0xffffc658 Stack Frame for main 0xffffc f7 ff ff c6 58 xx xx xx xx buf Stack Frame for echo 0xffffc f7 ff ff c6 58 0xffffc buf Stack Frame for echo Overflow buf, but no problem

32 Buffer Overflow Example #2 Before call to gets Input Stack Frame for main 0xffffc658 Stack Frame for main 0xffffc f7 ff ff c6 58 xx xx xx xx buf Stack Frame for echo 0xffffc f7 ff ff c6 00 0xffffc buf Stack Frame for echo Base pointer corrupted a: 83 c4 14 add $0x14,%esp # deallocate space d: 5b pop %ebx # restore %ebx e: c9 leave # movl %ebp, %esp; popl %ebp f: c3 ret # Return

33 Buffer Overflow Example #3 Before call to gets Stack Frame for main 0xffffc658 Input ABC Stack Frame for main 0xffffc f7 ff ff c6 58 xx xx xx xx buf Stack Frame for echo 0xffffc xffffc buf Stack Frame for echo Return address corrupted 80485f2: call 80484f0 <echo> 80485f7: mov 0xfffffffc(%ebp),%ebx # Return Point

34 Malicious Use of Buffer Overflow Stack after call to gets() void foo(){ bar();... } return address A B foo stack frame int bar() { char buf[64]; gets(buf);... return...; } data written by gets() B pad exploit code bar stack frame Input string contains byte representation of executable code Overwrite return address with address of buffer When bar() executes ret, will jump to exploit code

35 Exploits Based on Buffer Overflows Buffer overflow bugs allow remote machines to execute arbitrary code on victim machines Internet worm Early versions of the finger server (fingerd) used gets() to read the argument sent by the client: finger Worm attacked fingerd server by sending phony argument: finger exploit-code padding new-returnaddress exploit code: executed a root shell on the victim machine with a direct TCP connection to the attacker.

36 Exploits Based on Buffer Overflows Buffer overflow bugs allow remote machines to execute arbitrary code on victim machines IM War AOL exploited existing buffer overflow bug in AIM clients exploit code: returned 4-byte signature (the bytes at some location in the AIM client) to server. When Microsoft changed code to match signature, AOL changed signature location.

37 Date: Wed, 11 Aug :30: (PDT) From: Phil Bucking Subject: AOL exploiting buffer overrun bug in their own software! To: Mr. Smith, I am writing you because I have discovered something that I think you might find interesting because you are an Internet security expert with experience in this area. I have also tried to contact AOL but received no response. I am a developer who has been working on a revolutionary new instant messaging client that should be released later this year.... It appears that the AIM client has a buffer overrun bug. By itself this might not be the end of the world, as MS surely has had its share. But AOL is now *exploiting their own buffer overrun bug* to help in its efforts to block MS Instant Messenger.... Since you have significant credibility with the press I hope that you can use this information to help inform people that behind AOL's friendly exterior they are nefariously compromising peoples' security. Sincerely, Phil Bucking Founder, Bucking Consulting philbucking@yahoo.com It was later determined that this originated from within Microsoft!

38 Code Red Worm History June 18, Microsoft announces buffer overflow vulnerability in IIS Internet server July 19, over 250,000 machines infected by new virus in 9 hours White house must change its IP address. Pentagon shut down public WWW servers for day When We Set Up CS:APP Web Site Received strings of form GET /default.ida? NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN...NNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN %u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9 090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003 %u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" "-" "-"

Code Red Exploit Code Starts 100 threads running Spread self Generate random IP addresses & send attack string Between 1st & 19th of month Attack www.

39 Code Red Exploit Code Starts 100 threads running Spread self Generate random IP addresses & send attack string Between 1st & 19th of month Attack Send 98,304 packets; sleep for 4-1/2 hours; repeat Denial of service attack Between 21st & 27th of month Deface server s home page After waiting 2 hours

40 Code Red Effects Later Version Even More Malicious Code Red II As of April, 2002, over 18,000 machines infected Still spreading Paved Way for NIMDA Variety of propagation methods One was to exploit vulnerabilities left behind by Code Red II ASIDE (security flaws start at home).rhosts used by Internet Worm Attachments used by MyDoom (1 in 6 s Monday morning!)

41 Avoiding Overflow Vulnerability /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ fgets(buf, 4, stdin); puts(buf); } Use library routines that limit string lengths fgets instead of gets strncpy instead of strcpy Don t use scanf with %s conversion specification Use fgets to read the string Or use %ns where n is a suitable integer

42 System-Level Protections Randomized stack offsets At start of program, allocate random amount of space on stack Makes it difficult for hacker to predict beginning of inserted code Nonexecutable code segments In traditional x86, can mark region of memory as either read-only or writeable Can execute anything readable Add explicit execute permission unix> gdb bufdemo (gdb) break echo (gdb) run (gdb) print /x $ebp $1 = 0xffffc638 (gdb) run (gdb) print /x $ebp $2 = 0xffffbb08 (gdb) run (gdb) print /x $ebp $3 = 0xffffc6a8

43 Worms and Viruses Worm: A program that Can run by itself Can propagate a fully working version of itself to other computers Virus: Code that Add itself to other programs Cannot run independently Both are (usually) designed to spread among computers and to wreak havoc

Sungkyunkwan University

Sungkyunkwan University November, 1988 Internet Worm attacks thousands of Internet hosts. How did it happen? November, 1988 Internet Worm attacks thousands of Internet hosts. How did it happen? July, 1999 Microsoft launches MSN