Intrusion Detection and Malware Analysis
|
|
- Jeffrey Wilcox
- 5 years ago
- Views:
Transcription
1 Intrusion Detection and Malware Analysis Host Based Attacks Pavel Laskov Wilhelm Schickard Institute for Computer Science
2 Software security threats Modification of program code viruses and self-replicating code OS and API hooking Control flow hijacking integer overflow stack overflow heap overflow format string vulnerabilities heap spraying Code and data injection script injection (e.g. XSS) SQL injection
3 Stack overflow: a motivating example #include <stdio.h> #define SIZE 10 main() { int matrix[size*size]; int total_size = SIZE*SIZE; int* row_ind[size]; for (int i = 0; i <= total_size; i++) matrix[i] = i; for (int i = 0; i <= SIZE; i++) row_ind[i] = &matrix[i*size]; for (int i = 0; i <= SIZE; i++) printf("a[%d] = %d\n", i, *row_ind[i]); }
4 Process memory organization Process memory is partitioned into segments:.text - program code.data - initialized static data.bss - uninitialized static data heap - dynamically allocated memory stack - program call stack Each memory segment has appropriate permissions. Access operations violating these permissions cause the segmentation fault error. Higher memory addresses stack unused memory heap bss data text Lower memory addresses
5 Contiguous memory (buffer) allocation C/C++ static: int x[20] declaration outside any function; allocated in the.data segment automatic: int x[20] declaraiton inside some function; allocated on the stack dynamic: int *x = new int[20]; must be followed by delete to avoid memory leaks; allocated on the heap Java dynamic: int x = new int[20]; gets allocated in on the heap; automatic deallocation by garbage collector
6 Stack organization Stack is composed of frames Each frame comprises functions arguments return address frame pointer: the address of the start of the previous frame local variables Frames are pushed on the stack during function invocation and popped back after the return Previous frame Function arguments Return address Frame pointer Local variables Unused stack space Stack frame
7 Overwriting the return address A local buffer is allocated bottom-up, i.e. it starts at lower and ends at higher stack locations. Without proper bound checking a buffer content can overspill into adjacent upper stack area. By controlling buffer content, an attacker can overwrite the return address with an arbitrary value and hijack the execution flow. Previous frame Function arguments Return address Frame pointer Local variables Unused stack space Stack frame
8 Buffer overflow resume A well established exploitation technique. Requires knowledge of stack location. Can be prevented by stack protection mechanisms or address space layout randomization.
9 Heap overflow: a motivating example /* Log a message to syslog splitting the message into parts */ static void do_syslog( int pri, char * msg ) {... for ( p=msg, count=0; count < strlen(msg)/maxsysloglen + 1; count++ ) { if ( strlen(p) > MAXSYSLOGLEN ) { /* Break up the line into what will fit on one syslog(3) line * Try to break on a word boundary if possible. */ for ( tmp = p + MAXSYSLOGLEN; tmp > p && *tmp!= ' '; tmp-- ) ; if ( tmp <= p ) tmp = p + MAXSYSLOGLEN; /* NULL terminate line, but save the char to restore later */ save = *tmp; [2] *tmp = '\0'; SYSLOG( pri, "%8.8s : %s", user_name, p ); /* restore saved character */ [3] *tmp = save; /* Eliminate leading whitespace */ [1] for ( p = tmp; *p!= ' '; p++ ) ; }... }}
10 Security issues and challenges The loop [1] does not check for the termination symbol \0. The pointer tmp can run beyond the buffer boundary.
11 Security issues and challenges The loop [1] does not check for the termination symbol \0. The pointer tmp can run beyond the buffer boundary. The pointer tmp is used for writing in [2]. Can corrupt memory beyond the buffer boundary...
12 Security issues and challenges The loop [1] does not check for the termination symbol \0. The pointer tmp can run beyond the buffer boundary. The pointer tmp is used for writing in [2]. Can corrupt memory beyond the buffer boundary......but is only allowed to write the value \0
13 Security issues and challenges The loop [1] does not check for the termination symbol \0. The pointer tmp can run beyond the buffer boundary. The pointer tmp is used for writing in [2]. Can corrupt memory beyond the buffer boundary......but is only allowed to write the value \0 The value of *tmp is restored in [3]. Only the call to syslog can do any damage.
14 Security issues and challenges The loop [1] does not check for the termination symbol \0. The pointer tmp can run beyond the buffer boundary. The pointer tmp is used for writing in [2]. Can corrupt memory beyond the buffer boundary......but is only allowed to write the value \0 The value of *tmp is restored in [3]. Only the call to syslog can do any damage. Does this suffice for an exploit?
15 dlmalloc dlmalloc internals Memory layout Memory layout: heap is divided into contiguous chunks of memory Heap is divided into contiguous chunks of memory. No no two two free free chunks chunks can may be be adjacent. physically adjacent Heap low addresses high addresses U U F U F U U Wilderness U... used chunk F... free chunk Wilderness... topmost free chunk Control Wilderness structures: chunk A special boundary tag preceeds each chunk. only chunk that may be increased (with system call sbrk) Getting treated extra as memory: bigger than all other chunks The largest unused chunk ( wilderness ) can be extended by a system call to sbrk() (if physical space is available). Internet Security 2
16 Maintenance of free chunks The total of 128 doubly-linked linked lists of free chunks (bins) are maintained. The first 62 lists store chunks of fixed length (16 to 512 bytes, aligned by 8 byte). The remaining 66 lists contain chunks of variable length within a certain ranges, computed according to a pre-defined schema. Entries are sorted by size in decreasing order in each list. Ties are resolved by age (FIFO). Pointers to the front and the back of each list are available.
17 The boundary tag definition #define INTERNAL_SIZE_T size_t struct malloc_chunk { INTERNAL_SIZE_T prev_size; /* size of the prev. chunk */ INTERNAL_SIZE_T size; /* size of this chunk */ struct malloc_chunk * fd; /* forward pointer */ struct malloc_chunk * bk; /* backward pointer */ }; Each field is 4 bytes long. The 3 least significant bit of the size (unused due to 8 byte alignment) are used to store two special flags: PREV_INUSE: previous chunk is used. IS_MMAPED: chunk is allocated using mmap.
18 Chunk layout Used chunk Unused chunk chunk prev_size chunk prev_size mem size fd size fd bk user_data bk unused nextchunk prev_size nextchunk prev_size
19 Allocation algorithm 1. Identify the appropriate chunk list. exact match for small chunks (less than 512 bytes) range match for large chunks 2. Traverse the chunk list from back to front until a large enough chunk is found. 3. If no appropriate chunks are found, continue with the list of next largest chunks. 4. If all else fails, carve-out a chunk from the Wilderness. Notes: Whenever a larger than requested chunk is found, it is trimmed to the requested size, and the remainder is put back into an appropriate chunk list. When an element is removed from a list, the fd and bk pointers are updated.
20 The unlink macro and its aftermath #define unlink( P, BK, FD ) { \ BK = P->bk; \ FD = P->fd; \ FD->bk = BK; \ BK->fd = FD; \ }
21 The unlink macro and its aftermath #define unlink( P, BK, FD ) { \ BK = P->bk; \ FD = P->fd; \ FD->bk = BK; \ BK->fd = FD; \ } Let s look at the special case...
22 The unlink macro and its aftermath #define unlink( P, BK, FD ) { \ BK = P->bk; \ FD = P->fd; \ FD->bk = BK; \ BK->fd = FD; \ } Let s look at the special case... P->fd = &free - 12 P->bk = &shellcode
23 The unlink macro and its aftermath #define unlink( P, BK, FD ) { \ BK = P->bk; \ FD = P->fd; \ FD->bk = BK; \ BK->fd = FD; \ } Let s look at the special case... P->fd = &free - 12 P->bk = &shellcode And the result is...
24 The unlink macro and its aftermath #define unlink( P, BK, FD ) { \ BK = P->bk; \ FD = P->fd; \ FD->bk = BK; \ BK->fd = FD; \ } Let s look at the special case... P->fd = &free - 12 P->bk = &shellcode And the result is... FD->bk = (P->fd)->bk = *((&free - 12) + 12) = &free := := BK = P->bk = &shellcode (!)
25 The heart of the hack How can we use this if we are only allowed to write \0?
26 The heart of the hack How can we use this if we are only allowed to write \0? By carefully chosing the input parameters to sudo, force such a constellation of memory chunks that the bk field of the chunk immediately following msg chunk contains the address ending with 2020.
27 The heart of the hack How can we use this if we are only allowed to write \0? By carefully chosing the input parameters to sudo, force such a constellation of memory chunks that the bk field of the chunk immediately following msg chunk contains the address ending with Line [2] of do_syslog() overruns the buffer (since [1] does not check for \0 ), overwrites the 20 byte with 00 and hence corrupts the border tag.
28 The heart of the hack How can we use this if we are only allowed to write \0? By carefully chosing the input parameters to sudo, force such a constellation of memory chunks that the bk field of the chunk immediately following msg chunk contains the address ending with Line [2] of do_syslog() overruns the buffer (since [1] does not check for \0 ), overwrites the 20 byte with 00 and hence corrupts the border tag. The new address points in the middle of another buffer controlled by the attacker.
29 The heart of the hack How can we use this if we are only allowed to write \0? By carefully chosing the input parameters to sudo, force such a constellation of memory chunks that the bk field of the chunk immediately following msg chunk contains the address ending with Line [2] of do_syslog() overruns the buffer (since [1] does not check for \0 ), overwrites the 20 byte with 00 and hence corrupts the border tag. The new address points in the middle of another buffer controlled by the attacker. That buffer contains addresses on the stack, where an attacker placed a fake boundary tag with malicious fd and bk fields.
30 What happens next? The chunk following msg gets allocated in a call to syslog() (crucial: another buffer arrangement magic!). The corrupted bk pointer gets copied by the unlink macro and remains in the control structures. During the next invocation of syslog(), the same allocation is requested, but with a fully fake boundary tag stored on the stack. The unlink macro overwrites a pointer to the free() function. The chunk gets deallocated by calling free().
31 Heap overflow resume Extremely subtle: a precise knowledge of and control over memory allocation in a program is required. difficult for remote exploitation Memory allocation mechanisms vary across platforms and operating systems. poor portability Applications supporting script languages allow an attacker to easily influence heap layout e.g., by writing scripts that perform (seemingly stupid ) memory allocations and deallocations. a dramatic increase in exploit reliability
32 Take-home message Software insecurity stems from attacker s ability to modify system resources criticial for program execution. One of the key sources for software insecurity is failed validation of user input. The latter is easier said than done.
Introduction to Computer Security Software Security. Pavel Laskov Wilhelm Schickard Institute for Computer Science
Introduction to Computer Security Software Security Pavel Laskov Wilhelm Schickard Institute for Computer Science Software security threats Modification of program code viruses and self-replicating code
More informationSecure Software Programming and Vulnerability Analysis
Secure Software Programming and Vulnerability Analysis Christopher Kruegel chris@auto.tuwien.ac.at http://www.auto.tuwien.ac.at/~chris Heap Buffer Overflows and Format String Vulnerabilities Secure Software
More information==Phrack Inc.== Volume 0x0b, Issue 0x39, Phile #0x08 of 0x12. --=[ Disclaimer ]= //
==Phrack Inc.== Volume 0x0b, Issue 0x39, Phile #0x08 of 0x12 --=[ Disclaimer ]=-----------------------------------------------------// In this issue of Phrack, there are two similar articles about malloc
More informationLecture 07 Heap control data. Stephen Checkoway University of Illinois at Chicago
Lecture 07 Heap control data Stephen Checkoway University of Illinois at Chicago Layout of program memory Heap is managed by malloc - Many different malloc implementations - glibc uses a modified version
More informationHeap Off by 1 Overflow Illustrated. Eric Conrad October 2007
Heap Off by 1 Overflow Illustrated Eric Conrad October 2007 1 The Attack Older CVS versions are vulnerable to an Off by 1 attack, where an attacker may insert one additional character into the heap CVS
More informationmalloc() is often used to allocate chunk of memory dynamically from the heap region. Each chunk contains a header and free space (the buffer in which
Heap Overflow malloc() is often used to allocate chunk of memory dynamically from the heap region. Each chunk contains a header and free space (the buffer in which data are placed). The header contains
More informationSecure Coding in C and C++ Dynamic Memory Management Lecture 5 Jan 29, 2013
Secure Coding in C and C++ Dynamic Memory Management Lecture 5 Jan 29, 2013 Acknowledgement: These slides are based on author Seacord s original presentation Issues Dynamic Memory Management Common Dynamic
More informationSecure Coding in C and C++
Secure Coding in C and C++ Dynamic Memory Management Lecture 5 Sept 21, 2017 Acknowledgement: These slides are based on author Seacord s original presentation Issues Dynamic Memory Management Common Dynamic
More informationCSE 509: Computer Security
CSE 509: Computer Security Date: 2.16.2009 BUFFER OVERFLOWS: input data Server running a daemon Attacker Code The attacker sends data to the daemon process running at the server side and could thus trigger
More informationBuffer Overflows Defending against arbitrary code insertion and execution
www.harmonysecurity.com info@harmonysecurity.com Buffer Overflows Defending against arbitrary code insertion and execution By Stephen Fewer Contents 1 Introduction 2 1.1 Where does the problem lie? 2 1.1.1
More informationBeyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus(MSR) and Brandon Baker (MS) Buffer Overflows and How they Occur Buffer is a contiguous segment of memory of a fixed
More informationDnmaloc: a more secure memory allocator
Dnmaloc: a more secure memory allocator 28 September 2005 Yves Younan, Wouter Joosen, Frank Piessens and Hans Van den Eynden DistriNet, Department of Computer Science Katholieke Universiteit Leuven Belgium
More informationCSCI-UA /2. Computer Systems Organization Lecture 19: Dynamic Memory Allocation: Basics
Slides adapted (and slightly modified) from: Clark Barrett Jinyang Li Randy Bryant Dave O Hallaron CSCI-UA.0201-001/2 Computer Systems Organization Lecture 19: Dynamic Memory Allocation: Basics Mohamed
More informationModule: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 Programming Why do we write programs? Function What functions do we enable via our programs?
More informationISA564 SECURITY LAB. Code Injection Attacks
ISA564 SECURITY LAB Code Injection Attacks Outline Anatomy of Code-Injection Attacks Lab 3: Buffer Overflow Anatomy of Code-Injection Attacks Background About 60% of CERT/CC advisories deal with unauthorized
More informationDynamic Memory Management! Goals of this Lecture!
Dynamic Memory Management!!! 1 Goals of this Lecture! Help you learn about:! Dynamic memory management techniques! Garbage collection by the run-time system (Java)! Manual deallocation by the programmer
More informationInside ptmalloc2. Peng Xu Sep 14, 2013
Inside ptmalloc2 Peng Xu peng.p.xu@ericsson.com Sep 14, 2013 Part I basic concept and data structure Memory Translation process memory layout kernel space command line and environment variables stack heap
More informationLecture 4 September Required reading materials for this class
EECS 261: Computer Security Fall 2007 Lecture 4 September 6 Lecturer: David Wagner Scribe: DK Moon 4.1 Required reading materials for this class Beyond Stack Smashing: Recent Advances in Exploiting Buffer
More informationModule: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 1 Programming Why do we write programs? Function What functions do we enable via our programs?
More informationModule: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 Programming Why do we write programs? Function What functions do we enable via our programs?
More information2/9/18. Secure Coding. CYSE 411/AIT681 Secure Software Engineering. Agenda. Dynamic Memory Interface. Dynamic Memory Interface
Secure Coding CYSE 411/AIT681 Secure Software Engineering Topic #9. Secure Coding: Dynamic Memory Instructor: Dr. Kun Sun String management Pointer Subterfuge Dynamic memory management Integer security
More informationDynamic Memory Management
Dynamic Memory Management 1 Goals of this Lecture Help you learn about: Dynamic memory management techniques Garbage collection by the run-time system (Java) Manual deallocation by the programmer (C, C++)
More informationAgenda. Dynamic Memory Management. Robert C. Seacord. Secure Coding in C and C++
Dynamic Memory Management Secure Coding in C and C++ Robert C. Seacord CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 The CERT Coordination
More informationPrinceton University. Computer Science 217: Introduction to Programming Systems. Dynamic Memory Management
Princeton University Computer Science 217: Introduction to Programming Systems Dynamic Memory Management 1 Agenda The need for DMM DMM using the heap section DMMgr 1: Minimal implementation DMMgr 2: Pad
More informationMemory Corruption 2. Advanced Internet Security
Memory Corruption 2 Advanced Internet Security Adrian Dabrowski, Georg Merzdovnik, Aljosha Judmayer, Johanna Ullrich, Markus Kammerstätter, Stefan Riegler, Christian Kudera 1 News from the Lab 75 solved
More informationRun-time Environments - 3
Run-time Environments - 3 Y.N. Srikant Computer Science and Automation Indian Institute of Science Bangalore 560 012 NPTEL Course on Principles of Compiler Design Outline of the Lecture n What is run-time
More informationOther array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned
Other array problems CSci 5271 Introduction to Computer Security Day 4: Low-level attacks Stephen McCamant University of Minnesota, Computer Science & Engineering Missing/wrong bounds check One unsigned
More informationImproving memory management security for C and C++
Improving memory management security for C and C++ Yves Younan, Wouter Joosen, Frank Piessens, Hans Van den Eynden DistriNet, Katholieke Universiteit Leuven, Belgium Abstract Memory managers are an important
More informationMemory Allocator Security
Memory Allocator Security Yves Younan, Wouter Joosen, Frank Piessens and Hans Van den Eynden DistriNet, Department of Computer Science Katholieke Universiteit Leuven Belgium Yves.Younan@cs.kuleuven.ac.be
More informationCSE / / 60567: Computer Security. Software Security 4
CSE 40567 / 44567 / 60567: Computer Security Software Security 4 91 Homework #5 Due: Tonight at 11:59PM Eastern Time (ND) / Pacific Time (SV) See Assignments Page on the course website for details 92 Notes
More informationCSE 127 Computer Security
CSE 127 Computer Security Stefan Savage, Spring 2018, Lecture 6 Low Level Software Security IV: Heap Corruption Memory management in C The C programming language uses explicit memory management Data is
More informationLecture 8 Dynamic Memory Allocation
Lecture 8 Dynamic Memory Allocation CS240 1 Memory Computer programs manipulate an abstraction of the computer s memory subsystem Memory: on the hardware side 3 @ http://computer.howstuffworks.com/computer-memory.htm/printable
More informationECE 598 Advanced Operating Systems Lecture 12
ECE 598 Advanced Operating Systems Lecture 12 Vince Weaver http://web.eece.maine.edu/~vweaver vincent.weaver@maine.edu 1 March 2018 Announcements Next homework will be due after break. Midterm next Thursday
More informationBuffer overflow background
and heap buffer background Comp Sci 3600 Security Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Address Space and heap buffer
More informationDynamic Memory Allocation
Dynamic Memory Allocation CS61, Lecture 11 Prof. Stephen Chong October 6, 2011 Announcements 1/2 Reminder: No section on Monday Monday sections have been rescheduled See website for details Please attend
More informationLecture 1: Buffer Overflows
CS5431 Computer Security Practicum Spring 2017 January 27, 2017 1 Conficker Lecture 1: Buffer Overflows Instructor: Eleanor Birrell In November 2008, a new piece of malware was observed in the wild. This
More informationCSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018
CSCE 548 Building Secure Software Buffer Overflow Professor Lisa Luo Spring 2018 Previous Class Virus vs. Worm vs. Trojan & Drive-by download Botnet & Rootkit Malware detection Scanner Polymorphic malware
More informationMemory Corruption 101 From Primitives to Exploit
Memory Corruption 101 From Primitives to Exploit Created by Nick Walker @ MWR Infosecurity / @tel0seh What is it? A result of Undefined Behaviour Undefined Behaviour A result of executing computer code
More informationMemory management. Johan Montelius KTH
Memory management Johan Montelius KTH 2017 1 / 22 C program # include int global = 42; int main ( int argc, char * argv []) { if( argc < 2) return -1; int n = atoi ( argv [1]); int on_stack
More informationRun-time Environments -Part 3
Run-time Environments -Part 3 Y.N. Srikant Computer Science and Automation Indian Institute of Science Bangalore 560 012 NPTEL Course on Compiler Design Outline of the Lecture Part 3 What is run-time support?
More informationPrinceton University Computer Science 217: Introduction to Programming Systems. Dynamic Memory Management
Princeton University Computer Science 217: Introduction to Programming Systems Dynamic Memory Management 1 Goals of this Lecture Help you learn about: The need for dynamic* memory mgmt (DMM) Implementing
More informationCSC 591 Systems Attacks and Defenses Stack Canaries & ASLR
CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR Alexandros Kapravelos akaprav@ncsu.edu How can we prevent a buffer overflow? Check bounds Programmer Language Stack canaries [...more ] Buffer
More informationHomework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08
Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08 For your solutions you should submit a hard copy; either hand written pages stapled together or a print out of a typeset document
More informationC and C++: vulnerabilities, exploits and countermeasures
C and C++: vulnerabilities, exploits and countermeasures Yves Younan DistriNet, Department of Computer Science Katholieke Universiteit Leuven Belgium Yves.Younan@cs.kuleuven.ac.be Introduction C/C++ programs:
More informationIn Java we have the keyword null, which is the value of an uninitialized reference type
+ More on Pointers + Null pointers In Java we have the keyword null, which is the value of an uninitialized reference type In C we sometimes use NULL, but its just a macro for the integer 0 Pointers are
More informationDynamic Memory Management
Dynamic Memory Management Professor Jennifer Rexford http://www.cs.princeton.edu/~jrex 1 Goals of Today s Lecture Dynamic memory management o Garbage collection by the run-time system (Java) o Manual deallocation
More informationLast week. Data on the stack is allocated automatically when we do a function call, and removed when we return
Last week Data can be allocated on the stack or on the heap (aka dynamic memory) Data on the stack is allocated automatically when we do a function call, and removed when we return f() {... int table[len];...
More informationCode with red border means vulnerable code. Code with green border means corrected code. This program asks the user for a password with the function
1 Code with red border means vulnerable code. Code with green border means corrected code. This program asks the user for a password with the function IsPasswordOK(), and compares it with the correct password.
More informationProcess s Address Space. Dynamic Memory. Backing the Heap. Dynamic memory allocation 3/29/2013. When a process starts the heap is empty
/9/01 Process s Address Space Dynamic Memory 0x7fffffff Stack Data (Heap) Data (Heap) 0 Text (Code) Backing the Heap When a process starts the heap is empty The process is responsible for requesting memory
More informationIntroduction to Computer Systems , fall th Lecture, Sep. 28 th
Introduction to Computer Systems 15 213, fall 2009 9 th Lecture, Sep. 28 th Instructors: Majd Sakr and Khaled Harras Last Time: Structures struct rec { int i; int a[3]; int *p; }; Memory Layout i a p 0
More informationOutline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction
Outline CSci 5271 Introduction to Computer Security Day 3: Low-level vulnerabilities Stephen McCamant University of Minnesota, Computer Science & Engineering Race conditions Classic races: files in /tmp
More informationRun-time Environments
Run-time Environments Status We have so far covered the front-end phases Lexical analysis Parsing Semantic analysis Next come the back-end phases Code generation Optimization Register allocation Instruction
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 2 Question 1 Software Vulnerabilities (15 min) For the following code, assume an attacker can control the value of basket passed into eval basket.
More informationOptimizing Dynamic Memory Management
Optimizing Dynamic Memory Management 1 Goals of this Lecture Help you learn about: Details of K&R heap mgr Heap mgr optimizations related to Assignment #5 Faster free() via doubly-linked list, redundant
More informationRun-time Environments
Run-time Environments Status We have so far covered the front-end phases Lexical analysis Parsing Semantic analysis Next come the back-end phases Code generation Optimization Register allocation Instruction
More informationECE 598 Advanced Operating Systems Lecture 10
ECE 598 Advanced Operating Systems Lecture 10 Vince Weaver http://www.eece.maine.edu/~vweaver vincent.weaver@maine.edu 17 February 2015 Announcements Homework #1 and #2 grades, HW#3 Coming soon 1 Various
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 1 January 26, 2011 Question 1 Buffer Overflow Mitigations Buffer overflow mitigations generally fall into two categories: (i) eliminating the cause
More informationCSC 405 Computer Security Stack Canaries & ASLR
CSC 405 Computer Security Stack Canaries & ASLR Alexandros Kapravelos akaprav@ncsu.edu How can we prevent a buffer overflow? Check bounds Programmer Language Stack canaries [...more ] Buffer overflow defenses
More informationProcess Layout, Function Calls, and the Heap
Process Layout, Function Calls, and the Heap CS 6 Spring 20 Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed, Matthias Vallentin January 9, 20 / 5 2 / 5 Outline Process Layout Function Calls The Heap
More informationBuffer overflow prevention, and other attacks
Buffer prevention, and other attacks Comp Sci 3600 Security Outline 1 2 Two approaches to buffer defense Aim to harden programs to resist attacks in new programs Run time Aim to detect and abort attacks
More informationDynamic Memory Allocation
Dynamic Memory Allocation CS61, Lecture 10 Prof. Stephen Chong October 4, 2011 Announcements 1/2 Assignment 4: Malloc Will be released today May work in groups of one or two Please go to website and enter
More informationIs Exploitation Over? Bypassing Memory Protections in Windows 7
Is Exploitation Over? Bypassing Memory Protections in Windows 7 Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Published research into reliable exploitation techniques: Heap
More informationCpt S 122 Data Structures. Data Structures
Cpt S 122 Data Structures Data Structures Nirmalya Roy School of Electrical Engineering and Computer Science Washington State University Topics Introduction Self Referential Structures Dynamic Memory Allocation
More informationBypassing Browser Memory Protections
Bypassing Browser Memory Protections Network Security Instructor: Dr. Shishir Nagaraja September 10, 2011. 1 Introduction to the topic A number of memory protection mechanisms like GS, SafeSEH, DEP and
More information20: Exploits and Containment
20: Exploits and Containment Mark Handley Andrea Bittau What is an exploit? Programs contain bugs. These bugs could have security implications (vulnerabilities) An exploit is a tool which exploits a vulnerability
More informationFastbin_dup into stack exploitation
Fastbin_dup into stack exploitation This tutorial is about the fastbin_dup into stack heap exploitation. First we re going to analyze what is fastbin and how to exploit the heap by double freeing and reallocating
More informationBinding and Storage. COMP 524: Programming Language Concepts Björn B. Brandenburg. The University of North Carolina at Chapel Hill
Binding and Storage Björn B. Brandenburg The University of North Carolina at Chapel Hill Based in part on slides and notes by S. Olivier, A. Block, N. Fisher, F. Hernandez-Campos, and D. Stotts. What s
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Homework 1 Due: Wednesday, February 9, at 9:59pm Instructions. Submit your solution by Wednesday, February 9, at 9:59pm, in the drop box labelled CS161 in 283
More informationDynamic Data Structures (II)
Lecture 23 Dynamic Data Structures (II) CptS 121 Summer 2016 Armen Abnousi Data Structure Data structures are different ways of organizing data in computer We design new data structures to make the programs
More informationBuffer Overflow and Format String Overflow Vulnerabilities
Syracuse University SURFACE Electrical Engineering and Computer Science College of Engineering and Computer Science 2002 Buffer Overflow and Format String Overflow Vulnerabilities Kyung-suk Lhee Syracuse
More informationmmalloc The GNU memory-mapped malloc package Fred Fish Cygnus Support Mike Haertel Free Software Foundation
mmalloc The GNU memory-mapped malloc package Fred Fish Cygnus Support Mike Haertel Free Software Foundation Cygnus Support fnf@cygnus.com MMALLOC, the GNU memory-mapped malloc package, Revision: 1.4 TEXinfo
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 14: Software Security Department of Computer Science and Engineering University at Buffalo 1 Software Security Exploiting software vulnerabilities is paramount
More informationWeek 5, continued. This is CS50. Harvard University. Fall Cheng Gong
This is CS50. Harvard University. Fall 2014. Cheng Gong Table of Contents News... 1 Buffer Overflow... 1 Malloc... 6 Linked Lists... 7 Searching... 13 Inserting... 16 Removing... 19 News Good news everyone!
More information6.172 Performance Engineering of Software Systems Spring Lecture 9. P after. Figure 1: A diagram of the stack (Image by MIT OpenCourseWare.
6.172 Performance Engineering of Software Systems Spring 2009 Lecture 9 MIT OpenCourseWare Dynamic Storage Allocation Stack allocation: LIFO (last-in-first-out) Array and pointer A used unused P before
More informationBasic Buffer Overflows
Operating Systems Security Basic Buffer Overflows (Stack Smashing) Computer Security & OS lab. Cho, Seong-je ( 조성제 ) Fall, 2018 sjcho at dankook.ac.kr Chapter 10 Buffer Overflow 2 Contents Virtual Memory
More informationIAGO ATTACKS: WHY THE SYSTEM CALL API IS A BAD UNTRUSTED RPC INTERFACE
IAGO ATTACKS: WHY THE SYSTEM CALL API IS A BAD UNTRUSTED RPC INTERFACE Stephen Checkoway and Hovav Shacham March 19, 2013 1 1 A vulnerable program #include int main() { void *p = malloc(100);
More information2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks
Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include injection of malicious code Reasons for runtime attacks
More informationCOSC Software Engineering. Lectures 14 and 15: The Heap and Dynamic Memory Allocation
COSC345 2013 Software Engineering Lectures 14 and 15: The Heap and Dynamic Memory Allocation Outline Revision The programmer s view of memory Simple array-based memory allocation C memory allocation routines
More informationECE 2035 Programming HW/SW Systems Fall problems, 5 pages Exam Three 28 November 2012
Instructions: This is a closed book, closed note exam. Calculators are not permitted. If you have a question, raise your hand and I will come to you. Please work the exam in pencil and do not separate
More informationCling: A Memory Allocator to Mitigate Dangling Pointers. Periklis Akritidis
Cling: A Memory Allocator to Mitigate Dangling Pointers Periklis Akritidis --2010 Use-after-free Vulnerabilities Accessing Memory Through Dangling Pointers Techniques : Heap Spraying, Feng Shui Manual
More informationShort Notes of CS201
#includes: Short Notes of CS201 The #include directive instructs the preprocessor to read and include a file into a source code file. The file name is typically enclosed with < and > if the file is a system
More informationCS 33. Storage Allocation. CS33 Intro to Computer Systems XXVII 1 Copyright 2017 Thomas W. Doeppner. All rights reserved.
CS 33 Storage Allocation CS33 Intro to Computer Systems XXVII 1 Copyright 2017 Thomas W. Doeppner. All rights reserved. The Unix Address Space stack dynamic bss program break data text CS33 Intro to Computer
More informationCSC 1600 Memory Layout for Unix Processes"
CSC 16 Memory Layout for Unix Processes" 1 Lecture Goals" Behind the scenes of running a program" Code, executable, and process" Memory layout for UNIX processes, and relationship to C" : code and constant
More information(Early) Memory Corruption Attacks
(Early) Memory Corruption Attacks CS-576 Systems Security Instructor: Georgios Portokalidis Fall 2018 Fall 2018 Stevens Institute of Technology 1 Memory Corruption Memory corruption occurs in a computer
More informationLimitations of the stack
The heap hic 1 Limitations of the stack int *table_of(int num, int len) { int table[len+1]; for (int i=0; i
More informationCS201 - Introduction to Programming Glossary By
CS201 - Introduction to Programming Glossary By #include : The #include directive instructs the preprocessor to read and include a file into a source code file. The file name is typically enclosed with
More informationCS61, Fall 2012 Section 2 Notes
CS61, Fall 2012 Section 2 Notes (Week of 9/24-9/28) 0. Get source code for section [optional] 1: Variable Duration 2: Memory Errors Common Errors with memory and pointers Valgrind + GDB Common Memory Errors
More informationSecure Programming Lecture 4: Memory Corruption II (Stack & Heap Overflows)
Secure Programming Lecture 4: Memory Corruption II (Stack & Heap Overflows) David Aspinall, Informatics @ Edinburgh 25th January 2018 Memory corruption Buffer overflow is a common vulnerability. Simple
More informationOffensive Security My First Buffer Overflow: Tutorial
Offensive Security My First Buffer Overflow: Tutorial César Bernardini University of Trento cesar.bernardini@unitn.it October 12, 2015 2 Cesar Bernardini Postdoctoral Fellow at UNITN PhD Student at INRIA-LORIA
More informationProgram Security and Vulnerabilities Class 2
Program Security and Vulnerabilities Class 2 CEN-5079: 28.August.2017 1 Secure Programs Programs Operating System Device Drivers Network Software (TCP stack, web servers ) Database Management Systems Integrity
More informationCS 536 Introduction to Programming Languages and Compilers Charles N. Fischer Lecture 11
CS 536 Introduction to Programming Languages and Compilers Charles N. Fischer Lecture 11 CS 536 Spring 2015 1 Handling Overloaded Declarations Two approaches are popular: 1. Create a single symbol table
More informationECE 2400 Computer Systems Programming, Fall 2018 PA2: List and Vector Data Structures
School of Electrical and Computer Engineering Cornell University revision: 2018-09-25-13-37 1. Introduction The second programming assignment is designed to give you experience working with two important
More informationSecurity Coding Module - Buffer Overflow Data Gone Wild CS1
Security Coding Module - Buffer Overflow Data Gone Wild CS1 Background Summary: Buffer overflow occurs when data is input or written beyond the allocated bounds of an buffer, array, or other object causing
More informationDynamic Memory Allocation: Basic Concepts
Dynamic Memory Allocation: Basic Concepts 15-213: Introduction to Computer Systems 19 th Lecture, March 30, 2017 Instructor: Franz Franchetti & Seth Copen Goldstein 1 Today Basic concepts Implicit free
More informationProgramming and Data Structure Solved. MCQs- Part 2
Programming and Data Structure Solved MCQs- Part 2 Programming and Data Structure Solved MCQs- Part 2 Unsigned integers occupies Two bytes Four bytes One byte Eight byte A weather forecasting computation
More informationLecture Notes on Memory Layout
Lecture Notes on Memory Layout 15-122: Principles of Imperative Computation Frank Pfenning André Platzer Lecture 11 1 Introduction In order to understand how programs work, we can consider the functions,
More informationSecure Programming Lecture 3: Memory Corruption I (Stack Overflows)
Secure Programming Lecture 3: Memory Corruption I (Stack Overflows) David Aspinall, Informatics @ Edinburgh 24th January 2017 Outline Roadmap Memory corruption vulnerabilities Instant Languages and Runtimes
More informationputting m bytes into a buffer of size n, for m>n corrupts the surrounding memory check size of data before/when writing
Secure Programming Lecture 4: Memory Corruption II (Stack & Heap Overflows) David Aspinall, Informatics @ Edinburgh 25th January 2018 Memory corruption Buffer overflow is a common vulnerability Simple
More informationSecure Programming Lecture 4: Memory Corruption II (Stack & Heap Overflows)
Secure Programming Lecture 4: Memory Corruption II (Stack & Heap Overflows) David Aspinall, Informatics @ Edinburgh 28th January 2019 Memory corruption Buffer overflow is a common vulnerability. Simple
More informationMemory corruption vulnerability exposure can be mitigated through memory hardening practices
Memory corruption vulnerability exposure can be mitigated through memory hardening practices OS vendors have a unique opportunity to fight memory corruption vulnerabilities through hardening the memory
More information