Lecture 07 Heap control data. Stephen Checkoway University of Illinois at Chicago
|
|
- Vanessa Richards
- 6 years ago
- Views:
Transcription
1 Lecture 07 Heap control data Stephen Checkoway University of Illinois at Chicago
2 Layout of program memory Heap is managed by malloc - Many different malloc implementations - glibc uses a modified version of Doug Lea s Malloc (dlmalloc) Responsibilities - Requesting pages of memory from the OS - Managing free chunks of memory - Allocating memory for the program Image source:
3 Chunks Basic unit of memory managed by malloc prev_: of the previous chunk in memory : of this chunk - lsb is 1 if the previous chunk is in use (PREV_IN_USE bit) : forward pointer in free list : backward pointer in free list struct malloc_chunk { _t prev_; _t ; struct malloc_chunk *; struct malloc_chunk *; }
4 Free chunks/free lists A chunk can be allocated or free Free chunks are stored in doubly-linked lists using the and pointers prev_ refers to the of the previous chunk adjacent to the current chunk, not the chunk pointed to by the pointer malloc maintains several different free lists for chunks of various s
5 Example (lie, truth shortly) prev_ xx 801 unallocated space
6 Example (lie, truth shortly) prev_ xx 801 unallocated space void *p = malloc(100); prev_ prev_ xx 117 NULL NULL 100-byte user data unallocated space p
7 Example (lie, truth shortly) prev_ xx 801 unallocated space void *p = malloc(100); prev_ prev_ xx 117 NULL NULL 100-byte user data unallocated space p void *q = malloc(300); prev_ prev_ prev_ xx 117 NULL NULL 100-byte user data NULL NULL 300-byte user data p q
8 Freeing chunks When freeing a chunk c, malloc looks at the chunk just before and the chunk just after c to see if they are free The adjacent free chunks are - removed from their free lists - combined with c to form a new, larger chunk c c (or c if neither neighbor were free) is added to a free list Malloc uses the prev_ and fields plus some pointer arithmetic to find the preceding and following chunks Malloc uses the lsb of the fields to determine if the previous chunks are in use or free
9 Optimization and are only used when the chunk is free prev_ is only used when the previous chunk is free (to combine struct malloc_chunk { _t prev_; _t ; struct malloc_chunk *; with the current chunk) Malloc saves space by overlapping these fields with user data } struct malloc_chunk *;
10 Optimization and are only used when the chunk is free prev_ is only used when the previous chunk is free (to combine struct malloc_chunk { _t prev_; _t ; struct malloc_chunk *; with the current chunk) Malloc saves space by overlapping these fields with user data } struct malloc_chunk *; prev_ prev_ xx 117 NULL NULL 100-byte user data unallocated space p
11 Optimization and are only used when the chunk is free prev_ is only used when the previous chunk is free (to combine struct malloc_chunk { _t prev_; _t ; struct malloc_chunk *; with the current chunk) Malloc saves space by overlapping these fields with user data } struct malloc_chunk *; prev_ prev_ xx 117 NULL NULL 100-byte user data unallocated space p byte user data 697 unallocated space p
12 Example (truth but not to scale) 801 unallocated space
13 Example (truth but not to scale) 801 unallocated space void *p = malloc(100);
14 Example (truth but not to scale) 801 unallocated space void *p = malloc(100); byte user data 697 unallocated space p
15 Example (truth but not to scale) 801 unallocated space void *p = malloc(100); byte user data 697 unallocated space p void *q = malloc(300);
16 Example (truth but not to scale) 801 unallocated space void *p = malloc(100); byte user data 697 unallocated space p void *q = malloc(300); byte user data byte user data 393 unallocated space p q
17 Example continued byte user data byte user data 393 unallocated space p q
18 Example continued byte user data byte user data 393 unallocated space p free(p); q
19 Example continued byte user data byte user data 393 unallocated space p free(p); q prev_ 105 u-s byte user data 393 unallocated space q
20 Example continued byte user data byte user data 393 unallocated space p free(p); q prev_ 105 u-s byte user data 393 unallocated space q void *r = malloc(252);
21 Example continued byte user data byte user data 393 unallocated space p free(p); q prev_ 105 u-s byte user data 393 unallocated space q void *r = malloc(252); prev_ 105 u-s byte user data byte user data 137 q r
22 Example continued prev_ 105 u-s byte user data byte user data 137 q r
23 Example continued prev_ 105 u-s byte user data byte user data 137 free(q); q r
24 Example continued prev_ 105 u-s byte user data byte user data 137 free(q); q r prev_ 409 unallocated space byte user data 137 r
25 Example continued prev_ 105 u-s byte user data byte user data 137 free(q); q r prev_ 409 unallocated space byte user data 137 r free(r);
26 Example continued prev_ 105 u-s byte user data byte user data 137 free(q); q r prev_ 409 unallocated space byte user data 137 r free(r); 801 unallocated space
27 Removing chunks from free lists Chunks are removed using the unlink macro P is the chunk to unlink BK and FD are temporaries #define unlink(p, BK, FD) \ BK = P->; \ FD = P->; \ FD-> = BK; \ BK-> = FD; P
28 Removing chunks from free lists Chunks are removed using the unlink macro P is the chunk to unlink BK and FD are temporaries #define unlink(p, BK, FD) \ BK = P->; \ FD = P->; \ FD-> = BK; \ BK-> = FD; BK P
29 Removing chunks from free lists Chunks are removed using the unlink macro P is the chunk to unlink BK and FD are temporaries #define unlink(p, BK, FD) \ BK = P->; \ FD = P->; \ FD-> = BK; \ BK-> = FD; BK P FD
30 Removing chunks from free lists Chunks are removed using the unlink macro P is the chunk to unlink BK and FD are temporaries #define unlink(p, BK, FD) \ BK = P->; \ FD = P->; \ FD-> = BK; \ BK-> = FD; BK P FD
31 Removing chunks from free lists Chunks are removed using the unlink macro P is the chunk to unlink BK and FD are temporaries #define unlink(p, BK, FD) \ BK = P->; \ FD = P->; \ FD-> = BK; \ BK-> = FD; BK P FD
32 Overwriting heap metadata The chunk metadata is inline (meaning the user data and the metadata are side-by-side) We can modify the metadata with a buffer overflow on the heap Consider char *x = malloc(100); void *y = malloc(100); strcpy(x, attacker_controlled); free(y); x y We can overflow x and overwrite y s metadata
33 Attacking malloc x y When free(y) is called, it will examine x s chunk to see if it is free. If x s chunk is free, then unlink will be called on it to remove it from its free list We can carefully structure the attacker-controlled data to - convince free that x s chunk is free (how do we do this?) - convince the unlink macro to overwrite a saved instruction pointer on the stack by setting x s chunk s and pointers - inject shellcode When the function returns, our shellcode runs!
34 Attacking malloc prev_ x y 1. Change y s chunk s from 105 to 104 (clears the PREV_IN_USE bit); y s chunk s prev_ and x s chunk s and are now used
35 Attacking malloc prev_ x y 1. Change y s chunk s from 105 to 104 (clears the PREV_IN_USE bit); y s chunk s prev_ and x s chunk s and are now used 2. Set y s chunk s prev_ to 104 so free looks back 104 bytes to find the start of the chunk to unlink
36 Attacking malloc prev_ P x y 1. Change y s chunk s from 105 to 104 (clears the PREV_IN_USE bit); y s chunk s prev_ and x s chunk s and are now used 2. Set y s chunk s prev_ to 104 so free looks back 104 bytes to find the start of the chunk to unlink 3. P in the unlink macro is x s chunk, so its and pointers need to be valid
37 Attacking malloc prev_ P x seip-12 y 1. Change y s chunk s from 105 to 104 (clears the PREV_IN_USE bit); y s chunk s prev_ and x s chunk s and are now used 2. Set y s chunk s prev_ to 104 so free looks back 104 bytes to find the start of the chunk to unlink 3. P in the unlink macro is x s chunk, so its and pointers need to be valid 4. Point P-> to saved eip (seip) - 12
38 Attacking malloc prev_ 105 jmp shellcode P x seip-12 y 1. Change y s chunk s from 105 to 104 (clears the PREV_IN_USE bit); y s chunk s prev_ and x s chunk s and are now used 2. Set y s chunk s prev_ to 104 so free looks back 104 bytes to find the start of the chunk to unlink 3. P in the unlink macro is x s chunk, so its and pointers need to be valid 4. Point P-> to saved eip (seip) Point P-> to a short jump to shellcode
39 Unlinking P (zooming in on P) p_sz 105 jmp shellcode P x Stack y saved eip saved ebp #define unlink(p, BK, FD) \ BK = P->; \ FD = P->; \ FD-> = BK; \ BK-> = FD;
40 Unlinking P (zooming in on P) p_sz 105 jmp shellcode P x BK Stack y saved eip saved ebp #define unlink(p, BK, FD) \ BK = P->; \ FD = P->; \ FD-> = BK; \ BK-> = FD;
41 Unlinking P (zooming in on P) p_sz 105 jmp shellcode P x BK Stack y saved eip saved ebp #define unlink(p, BK, FD) \ BK = P->; \ FD = P->; \ FD-> = BK; \ FD BK-> = FD;
42 Unlinking P (zooming in on P) p_sz 105 jmp shellcode P x BK Stack y saved eip saved ebp #define unlink(p, BK, FD) \ BK = P->; \ FD = P->; \ FD-> = BK; \ FD BK-> = FD;
43 Unlinking P (zooming in on P) p_sz 105 jmp shellcode P x BK Stack y saved eip saved ebp #define unlink(p, BK, FD) \ BK = P->; \ FD = P->; \ FD-> = BK; \ FD BK-> = FD;
44
Heap Off by 1 Overflow Illustrated. Eric Conrad October 2007
Heap Off by 1 Overflow Illustrated Eric Conrad October 2007 1 The Attack Older CVS versions are vulnerable to an Off by 1 attack, where an attacker may insert one additional character into the heap CVS
More informationIntrusion Detection and Malware Analysis
Intrusion Detection and Malware Analysis Host Based Attacks Pavel Laskov Wilhelm Schickard Institute for Computer Science Software security threats Modification of program code viruses and self-replicating
More informationSecure Coding in C and C++ Dynamic Memory Management Lecture 5 Jan 29, 2013
Secure Coding in C and C++ Dynamic Memory Management Lecture 5 Jan 29, 2013 Acknowledgement: These slides are based on author Seacord s original presentation Issues Dynamic Memory Management Common Dynamic
More informationSecure Coding in C and C++
Secure Coding in C and C++ Dynamic Memory Management Lecture 5 Sept 21, 2017 Acknowledgement: These slides are based on author Seacord s original presentation Issues Dynamic Memory Management Common Dynamic
More informationCSE 127 Computer Security
CSE 127 Computer Security Stefan Savage, Spring 2018, Lecture 6 Low Level Software Security IV: Heap Corruption Memory management in C The C programming language uses explicit memory management Data is
More informationSecure Software Programming and Vulnerability Analysis
Secure Software Programming and Vulnerability Analysis Christopher Kruegel chris@auto.tuwien.ac.at http://www.auto.tuwien.ac.at/~chris Heap Buffer Overflows and Format String Vulnerabilities Secure Software
More informationmalloc() is often used to allocate chunk of memory dynamically from the heap region. Each chunk contains a header and free space (the buffer in which
Heap Overflow malloc() is often used to allocate chunk of memory dynamically from the heap region. Each chunk contains a header and free space (the buffer in which data are placed). The header contains
More informationCSE 509: Computer Security
CSE 509: Computer Security Date: 2.16.2009 BUFFER OVERFLOWS: input data Server running a daemon Attacker Code The attacker sends data to the daemon process running at the server side and could thus trigger
More information2/9/18. Secure Coding. CYSE 411/AIT681 Secure Software Engineering. Agenda. Dynamic Memory Interface. Dynamic Memory Interface
Secure Coding CYSE 411/AIT681 Secure Software Engineering Topic #9. Secure Coding: Dynamic Memory Instructor: Dr. Kun Sun String management Pointer Subterfuge Dynamic memory management Integer security
More informationDnmaloc: a more secure memory allocator
Dnmaloc: a more secure memory allocator 28 September 2005 Yves Younan, Wouter Joosen, Frank Piessens and Hans Van den Eynden DistriNet, Department of Computer Science Katholieke Universiteit Leuven Belgium
More informationMemory Allocator Security
Memory Allocator Security Yves Younan, Wouter Joosen, Frank Piessens and Hans Van den Eynden DistriNet, Department of Computer Science Katholieke Universiteit Leuven Belgium Yves.Younan@cs.kuleuven.ac.be
More informationAgenda. Dynamic Memory Management. Robert C. Seacord. Secure Coding in C and C++
Dynamic Memory Management Secure Coding in C and C++ Robert C. Seacord CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh, PA 15213-3890 The CERT Coordination
More informationCSE / / 60567: Computer Security. Software Security 4
CSE 40567 / 44567 / 60567: Computer Security Software Security 4 91 Homework #5 Due: Tonight at 11:59PM Eastern Time (ND) / Pacific Time (SV) See Assignments Page on the course website for details 92 Notes
More informationENEE 457: Computer Systems Security. Lecture 16 Buffer Overflow Attacks
ENEE 457: Computer Systems Security Lecture 16 Buffer Overflow Attacks Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland, College Park Buffer overflow
More informationBeyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus(MSR) and Brandon Baker (MS) Buffer Overflows and How they Occur Buffer is a contiguous segment of memory of a fixed
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Homework 1 Due: Wednesday, February 9, at 9:59pm Instructions. Submit your solution by Wednesday, February 9, at 9:59pm, in the drop box labelled CS161 in 283
More informationDynamic Memory Allocation. Zhaoguo Wang
Dynamic Memory Allocation Zhaoguo Wang Why dynamic memory allocation? Do not know the size until the program runs (at runtime). #define MAXN 15213 int array[maxn]; int main(void) { int i, n; scanf("%d",
More informationProcess Layout, Function Calls, and the Heap
Process Layout, Function Calls, and the Heap CS 6 Spring 20 Prof. Vern Paxson TAs: Devdatta Akhawe, Mobin Javed, Matthias Vallentin January 9, 20 / 5 2 / 5 Outline Process Layout Function Calls The Heap
More informationHomework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08
Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08 For your solutions you should submit a hard copy; either hand written pages stapled together or a print out of a typeset document
More informationLecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller
Lecture 10 Return-oriented programming Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller ROP Overview Idea: We forge shellcode out of existing application
More informationLecture 09 Code reuse attacks. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017
Lecture 09 Code reuse attacks Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Last time No good reason for stack/heap/static data to be executable No good reason for code to be writable
More informationBuffer Overflow and Format String Overflow Vulnerabilities
Syracuse University SURFACE Electrical Engineering and Computer Science College of Engineering and Computer Science 2002 Buffer Overflow and Format String Overflow Vulnerabilities Kyung-suk Lhee Syracuse
More informationModule: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 Programming Why do we write programs? Function What functions do we enable via our programs?
More informationLecture 4 September Required reading materials for this class
EECS 261: Computer Security Fall 2007 Lecture 4 September 6 Lecturer: David Wagner Scribe: DK Moon 4.1 Required reading materials for this class Beyond Stack Smashing: Recent Advances in Exploiting Buffer
More informationModule: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 Programming Why do we write programs? Function What functions do we enable via our programs?
More informationBetriebssysteme und Sicherheit Sicherheit. Buffer Overflows
Betriebssysteme und Sicherheit Sicherheit Buffer Overflows Software Vulnerabilities Implementation error Input validation Attacker-supplied input can lead to Corruption Code execution... Even remote exploitation
More informationC and C++: vulnerabilities, exploits and countermeasures
C and C++: vulnerabilities, exploits and countermeasures Yves Younan DistriNet, Department of Computer Science Katholieke Universiteit Leuven Belgium Yves.Younan@cs.kuleuven.ac.be Introduction C/C++ programs:
More informationBuffer Overflows Defending against arbitrary code insertion and execution
www.harmonysecurity.com info@harmonysecurity.com Buffer Overflows Defending against arbitrary code insertion and execution By Stephen Fewer Contents 1 Introduction 2 1.1 Where does the problem lie? 2 1.1.1
More informationImproving memory management security for C and C++
Improving memory management security for C and C++ Yves Younan, Wouter Joosen, Frank Piessens, Hans Van den Eynden DistriNet, Katholieke Universiteit Leuven, Belgium Abstract Memory managers are an important
More information2
1 2 3 4 5 6 7 $ sed -n 22,27p glibc/malloc/malloc.c This is a version (aka ptmalloc2) of malloc/free/realloc written by Doug Lea and adapted to multiple threads/arenas by Wolfram Gloger. There have been
More informationIn Java we have the keyword null, which is the value of an uninitialized reference type
+ More on Pointers + Null pointers In Java we have the keyword null, which is the value of an uninitialized reference type In C we sometimes use NULL, but its just a macro for the integer 0 Pointers are
More informationCountermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)
Countermeasures in Modern Operating Systems Yves Younan, Vulnerability Research Team (VRT) Introduction Programs in C/C++: memory error vulnerabilities Countermeasures (mitigations): make exploitation
More informationDynamic Memory Allocation
Dynamic Memory Allocation CS61, Lecture 11 Prof. Stephen Chong October 6, 2011 Announcements 1/2 Reminder: No section on Monday Monday sections have been rescheduled See website for details Please attend
More informationLecture 1: Buffer Overflows
CS5431 Computer Security Practicum Spring 2017 January 27, 2017 1 Conficker Lecture 1: Buffer Overflows Instructor: Eleanor Birrell In November 2008, a new piece of malware was observed in the wild. This
More informationMemory Corruption 101 From Primitives to Exploit
Memory Corruption 101 From Primitives to Exploit Created by Nick Walker @ MWR Infosecurity / @tel0seh What is it? A result of Undefined Behaviour Undefined Behaviour A result of executing computer code
More informationLecture 08 Control-flow Hijacking Defenses
Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides adapted from Miller, Bailey, and Brumley Control Flow Hijack: Always control + computation
More informationCSE509 System Security
CSE509 System Security Software Security Nick Nikiforakis nick@cs.stonybrook.edu Things we are going to discuss Basic x86 assembly instructions Stack workings GDB syntax Overflows Stack Heap Shellcode
More informationMemory Corruption 2. Advanced Internet Security
Memory Corruption 2 Advanced Internet Security Adrian Dabrowski, Georg Merzdovnik, Aljosha Judmayer, Johanna Ullrich, Markus Kammerstätter, Stefan Riegler, Christian Kudera 1 News from the Lab 75 solved
More informationECE 598 Advanced Operating Systems Lecture 12
ECE 598 Advanced Operating Systems Lecture 12 Vince Weaver http://web.eece.maine.edu/~vweaver vincent.weaver@maine.edu 1 March 2018 Announcements Next homework will be due after break. Midterm next Thursday
More informationCSC 405 Computer Security Stack Canaries & ASLR
CSC 405 Computer Security Stack Canaries & ASLR Alexandros Kapravelos akaprav@ncsu.edu How can we prevent a buffer overflow? Check bounds Programmer Language Stack canaries [...more ] Buffer overflow defenses
More informationShellcode Analysis. Chapter 19
Shellcode Analysis Chapter 19 What is Shellcode Shellcode a payload of raw executable code, attackers use this code to obtain interactive shell access. A binary chunk of data Can be generally referred
More informationSecure Programming Lecture 4: Memory Corruption II (Stack & Heap Overflows)
Secure Programming Lecture 4: Memory Corruption II (Stack & Heap Overflows) David Aspinall, Informatics @ Edinburgh 25th January 2018 Memory corruption Buffer overflow is a common vulnerability. Simple
More informationMemory Corruption Vulnerabilities, Part II
Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Integer Overflow Vulnerabilities * slides adapted from those by Seacord 3 Integer Overflows
More informationModule: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 1 Programming Why do we write programs? Function What functions do we enable via our programs?
More informationMalloc Lab & Midterm Solutions. Recitation 11: Tuesday: 11/08/2016
Malloc Lab & Midterm Solutions Recitation 11: Tuesday: 11/08/2016 Malloc 2 Important Notes about Malloc Lab Malloc lab has been updated from previous years Supports a full 64 bit address space rather than
More informationSYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14
SYSTEM CALL IMPLEMENTATION CS124 Operating Systems Fall 2017-2018, Lecture 14 2 User Processes and System Calls Previously stated that user applications interact with the kernel via system calls Typically
More informationAnnouncements. assign0 due tonight. Labs start this week. No late submissions. Very helpful for assign1
Announcements assign due tonight No late submissions Labs start this week Very helpful for assign1 Goals for Today Pointer operators Allocating memory in the heap malloc and free Arrays and pointer arithmetic
More informationMore Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows)
More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester Rebeiro Indian Institute of Technology Madras Buffer Overreads 2 Buffer Overread Example 3 Buffer Overread
More informationComputer Systems Lecture 9
Computer Systems Lecture 9 CPU Registers in x86 CPU status flags EFLAG: The Flag register holds the CPU status flags The status flags are separate bits in EFLAG where information on important conditions
More informationIAGO ATTACKS: WHY THE SYSTEM CALL API IS A BAD UNTRUSTED RPC INTERFACE
IAGO ATTACKS: WHY THE SYSTEM CALL API IS A BAD UNTRUSTED RPC INTERFACE Stephen Checkoway and Hovav Shacham March 19, 2013 1 1 A vulnerable program #include int main() { void *p = malloc(100);
More informationSecure Programming Lecture 4: Memory Corruption II (Stack & Heap Overflows)
Secure Programming Lecture 4: Memory Corruption II (Stack & Heap Overflows) David Aspinall, Informatics @ Edinburgh 28th January 2019 Memory corruption Buffer overflow is a common vulnerability. Simple
More informationCMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING
CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING LECTURE 16, SPRING 2013 TOPICS TODAY Project 6 Perils & Pitfalls of Memory Allocation C Function Call Conventions in Assembly Language PERILS
More informationputting m bytes into a buffer of size n, for m>n corrupts the surrounding memory check size of data before/when writing
Secure Programming Lecture 4: Memory Corruption II (Stack & Heap Overflows) David Aspinall, Informatics @ Edinburgh 25th January 2018 Memory corruption Buffer overflow is a common vulnerability Simple
More informationECE 598 Advanced Operating Systems Lecture 10
ECE 598 Advanced Operating Systems Lecture 10 Vince Weaver http://www.eece.maine.edu/~vweaver vincent.weaver@maine.edu 17 February 2015 Announcements Homework #1 and #2 grades, HW#3 Coming soon 1 Various
More informationOptimizing Dynamic Memory Management
Optimizing Dynamic Memory Management 1 Goals of this Lecture Help you learn about: Details of K&R heap mgr Heap mgr optimizations related to Assignment #5 Faster free() via doubly-linked list, redundant
More information2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks
Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include injection of malicious code Reasons for runtime attacks
More informationMemory Allocation. Copyright : University of Illinois CS 241 Staff 1
Memory Allocation Copyright : University of Illinois CS 241 Staff 1 Memory allocation within a process What happens when you declare a variable? Allocating a page for every variable wouldn t be efficient
More informationDigital Forensics Lecture 02 PDF Structure
Digital Forensics Lecture 02 PDF Structure PDF Files Structure Akbar S. Namin Texas Tech University Spring 2017 PDF Format and Structure Tools used Text editor (e.g., vi) ClamAV antivirus (http://www.clamav.net/lang/en/download/
More informationOffensive Security My First Buffer Overflow: Tutorial
Offensive Security My First Buffer Overflow: Tutorial César Bernardini University of Trento cesar.bernardini@unitn.it October 12, 2015 2 Cesar Bernardini Postdoctoral Fellow at UNITN PhD Student at INRIA-LORIA
More informationDynamic Memory Allocation
Dynamic Memory Allocation CS61, Lecture 10 Prof. Stephen Chong October 4, 2011 Announcements 1/2 Assignment 4: Malloc Will be released today May work in groups of one or two Please go to website and enter
More informationLecture 8 Dynamic Memory Allocation
Lecture 8 Dynamic Memory Allocation CS240 1 Memory Computer programs manipulate an abstraction of the computer s memory subsystem Memory: on the hardware side 3 @ http://computer.howstuffworks.com/computer-memory.htm/printable
More informationCSC 1600 Memory Layout for Unix Processes"
CSC 16 Memory Layout for Unix Processes" 1 Lecture Goals" Behind the scenes of running a program" Code, executable, and process" Memory layout for UNIX processes, and relationship to C" : code and constant
More informationputting m bytes into a buffer of size n, for m>n corrupts the surrounding memory check size of data before/when writing
Secure Programming Lecture 4: Memory Corruption II (Stack & Heap Overflows) David Aspinall, Informatics @ Edinburgh 28th January 2019 Memory corruption Buffer overflow is a common vulnerability Simple
More information==Phrack Inc.== Volume 0x0b, Issue 0x39, Phile #0x09 of 0x12
==Phrack Inc.== Volume 0x0b, Issue 0x39, Phile #0x09 of 0x12 =---------------------=[ Once upon a free()... ]=-----------------------= =-----------------------------------------------------------------------=
More information==Phrack Inc.== Volume 0x0b, Issue 0x39, Phile #0x08 of 0x12. --=[ Disclaimer ]= //
==Phrack Inc.== Volume 0x0b, Issue 0x39, Phile #0x08 of 0x12 --=[ Disclaimer ]=-----------------------------------------------------// In this issue of Phrack, there are two similar articles about malloc
More informationBBM 201 DATA STRUCTURES
BBM 201 DATA STRUCTURES Lecture 8: Dynamically Allocated Linked Lists 2017-2018 Fall int x; x = 8; int A[4]; An array is stored as one contiguous block of memory. How can we add a fifth element to the
More informationFunction Call Convention
Function Call Convention Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch Content Intel Architecture Memory Layout
More informationPrinceton University Computer Science 217: Introduction to Programming Systems. Dynamic Memory Management
Princeton University Computer Science 217: Introduction to Programming Systems Dynamic Memory Management 1 Goals of this Lecture Help you learn about: The need for dynamic* memory mgmt (DMM) Implementing
More informationIntroduction to Computer Systems , fall th Lecture, Sep. 28 th
Introduction to Computer Systems 15 213, fall 2009 9 th Lecture, Sep. 28 th Instructors: Majd Sakr and Khaled Harras Last Time: Structures struct rec { int i; int a[3]; int *p; }; Memory Layout i a p 0
More informationOn The Effectiveness of Address-Space Randomization. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004
On The Effectiveness of Address-Space Randomization H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004 Code-Injection Attacks Inject malicious executable code
More informationSecure Programming Lecture 3: Memory Corruption I (Stack Overflows)
Secure Programming Lecture 3: Memory Corruption I (Stack Overflows) David Aspinall, Informatics @ Edinburgh 24th January 2017 Outline Roadmap Memory corruption vulnerabilities Instant Languages and Runtimes
More informationSecure C Coding...yeah right. Andrew Zonenberg Alex Radocea
Secure C Coding...yeah right Andrew Zonenberg Alex Radocea Agenda Some Quick Review Data Representation Pointer Arithmetic Memory Management Basic C Vulnerabilities Memory Corruption Ignoring Return values
More informationWeek 5, continued. This is CS50. Harvard University. Fall Cheng Gong
This is CS50. Harvard University. Fall 2014. Cheng Gong Table of Contents News... 1 Buffer Overflow... 1 Malloc... 6 Linked Lists... 7 Searching... 13 Inserting... 16 Removing... 19 News Good news everyone!
More informationDAY 3. CS3600, Northeastern University. Alan Mislove
C BOOTCAMP DAY 3 CS3600, Northeastern University Slides adapted from Anandha Gopalan s CS132 course at Univ. of Pittsburgh and Pascal Meunier s course at Purdue Memory management 2 Memory management Two
More informationUniversità Ca Foscari Venezia
Stack Overflow Security 1 2018-19 Università Ca Foscari Venezia www.dais.unive.it/~focardi secgroup.dais.unive.it Introduction Buffer overflow is due to careless programming in unsafe languages like C
More informationNon-stack Based Exploitation of Buffer Overrun Vulnerabilities on Windows NT/2000/XP
A NGSSoftware Insight Security Research Publication Non-stack Based Exploitation of Buffer Overrun Vulnerabilities on Windows NT/20/XP David Litchfield (david@ngssoftware.com) 5 th March 22 www.ngssoftware.com
More informationInside ptmalloc2. Peng Xu Sep 14, 2013
Inside ptmalloc2 Peng Xu peng.p.xu@ericsson.com Sep 14, 2013 Part I basic concept and data structure Memory Translation process memory layout kernel space command line and environment variables stack heap
More informationEfficient protection against heap-based buffer overflows without resorting to magic 1
Efficient protection against heap-based buffer overflows without resorting to magic 1 Yves Younan, Wouter Joosen, and Frank Piessens DistriNet, Dept. of Computer Science, Katholieke Universiteit Leuven
More informationFoundations of Network and Computer Security
Foundations of Network and Computer Security John Black Lecture #20 Nov 4 th 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Quiz #3 Today Need to know what big-endian is Remind me to mention it if I
More informationC- based applica-on exploits and countermeasures
C- based applica-on exploits and countermeasures Yves Younan Senior Research Engineer Sourcefire Vulnerability Research Team (VRT) yyounan@sourcefire.com Introduc-on C-based programs: some vulnerabilities
More information20: Exploits and Containment
20: Exploits and Containment Mark Handley Andrea Bittau What is an exploit? Programs contain bugs. These bugs could have security implications (vulnerabilities) An exploit is a tool which exploits a vulnerability
More informationProcess s Address Space. Dynamic Memory. Backing the Heap. Dynamic memory allocation 3/29/2013. When a process starts the heap is empty
/9/01 Process s Address Space Dynamic Memory 0x7fffffff Stack Data (Heap) Data (Heap) 0 Text (Code) Backing the Heap When a process starts the heap is empty The process is responsible for requesting memory
More informationSoftware Security The Dangers of Abstraction
Software Security The Dangers of Abstraction Dieter Gollmann Hamburg University of Technology, Hamburg, Germany diego@tu-harburg.de Abstract. Software insecurity can be explained as a potpourri of hacking
More informationPrinceton University. Computer Science 217: Introduction to Programming Systems. Dynamic Memory Management
Princeton University Computer Science 217: Introduction to Programming Systems Dynamic Memory Management 1 Agenda The need for DMM DMM using the heap section DMMgr 1: Minimal implementation DMMgr 2: Pad
More information(Early) Memory Corruption Attacks
(Early) Memory Corruption Attacks CS-576 Systems Security Instructor: Georgios Portokalidis Fall 2018 Fall 2018 Stevens Institute of Technology 1 Memory Corruption Memory corruption occurs in a computer
More informationVulnerabilities in C/C++ programs Part I
Vulnerabilities in C/C++ programs Part I TDDC90 Software Security Ulf Kargén Department of Computer and Information Science (IDA) Division for Database and Information Techniques (ADIT) Vulnerabilities
More informationCS 33. Storage Allocation. CS33 Intro to Computer Systems XXVII 1 Copyright 2017 Thomas W. Doeppner. All rights reserved.
CS 33 Storage Allocation CS33 Intro to Computer Systems XXVII 1 Copyright 2017 Thomas W. Doeppner. All rights reserved. The Unix Address Space stack dynamic bss program break data text CS33 Intro to Computer
More informationCSC 591 Systems Attacks and Defenses Stack Canaries & ASLR
CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR Alexandros Kapravelos akaprav@ncsu.edu How can we prevent a buffer overflow? Check bounds Programmer Language Stack canaries [...more ] Buffer
More informationJonathan Afek, 1/8/07, BlackHat USA
Dangling Pointer Jonathan Afek, 1/8/07, BlackHat USA 1 Table of Contents What is a Dangling Pointer? Code Injection Object Overwriting Demonstration Remediation Summary Q&A 2 What is a Dangling Pointer?
More informationCNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated
CNIT 127: Exploit Development Ch 14: Protection Mechanisms Updated 3-25-17 Topics Non-Executable Stack W^X (Either Writable or Executable Memory) Stack Data Protection Canaries Ideal Stack Layout AAAS:
More informationYet More Buffer Overflows
Yet More Buffer Overflows 1 Changelog 1 Corrections made in this version not in first posting: 1 April 2017: slide 41: a few more %c s would be needed to skip format string part last time: pointer subterfuge
More informationLinked Lists Structures
Linked Lists Structures 1. Motivation... 2 2. Declaration of a node... 3 2.1. Operations on pointers:... 4 2.2. Disposition of a node... 5 2.3. Singly Linked Lists... 5 3. One-way linked lists... 6 3.1.
More informationStack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta
1 Stack Vulnerabilities CS4379/5375 System Security Assurance Dr. Jaime C. Acosta Part 1 2 3 An Old, yet Still Valid Vulnerability Buffer/Stack Overflow ESP Unknown Data (unused) Unknown Data (unused)
More informationA Heap of Trouble Exploiting the Linux Kernel SLOB Allocator
A Heap of Trouble Exploiting the Linux Kernel SLOB Allocator Dan Rosenberg 1 Who am I? Security consultant and vulnerability researcher at VSR in Boston App/net pentesting, code review, etc. Published
More informationRecitation #11 Malloc Lab. November 7th, 2017
18-600 Recitation #11 Malloc Lab November 7th, 2017 1 2 Important Notes about Malloc Lab Malloc lab has been updated from previous years Supports a full 64 bit address space rather than 32 bit Encourages
More informationModular Synthesis of Heap Exploits
Modular Synthesis of Heap Exploits Dusan Repel Information Security Group Royal Holloway, University of London United Kingdom Johannes Kinder Department of Computer Science Royal Holloway, University of
More informationRoadmap: Security in the software lifecycle. Memory corruption vulnerabilities
Secure Programming Lecture 3: Memory Corruption I (introduction) David Aspinall, Informatics @ Edinburgh 24th January 2019 Roadmap: Security in the software lifecycle Security is considered at different
More informationHowever, in C we can group related variables together into something called a struct.
CIT 593: Intro to Computer Systems Lecture #21 (11/27/12) Structs Unlike Java, C++, and to some extent Python, C is not traditionally considered an objectoriented language. That is, there is no concept
More informationLinked Lists in C and C++
Linked Lists in C and C++ Professor Hugh C. Lauer CS-2303, System Programming Concepts (Slides include materials from The C Programming Language, 2 nd edition, by Kernighan and Ritchie, Absolute C++, by
More informationCSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko
CSE 127: Computer Security Control Flow Hijacking Kirill Levchenko October 17, 2017 Control Flow Hijacking Defenses Avoid unsafe functions Stack canary Separate control stack Address Space Layout Randomization
More information