Buffer Overflows. Buffer Overflow. Many of the following slides are based on those from

Size: px

Start display at page:

Download "Buffer Overflows. Buffer Overflow. Many of the following slides are based on those from"

Noel Adams
6 years ago
Views:

1 s Many of the following slides are based on those from 1 Complete Powerpoint Lecture Notes for Computer Systems: A Programmer's Perspective (CS:APP) Randal E. Bryant and David R. O'Hallaron The book is used explicitly in CS 2505 and CS 3214 and as a reference in CS 2506.

2 s What is a buffer overflow? How can it be exploited? How can it be avoided? Through programmer measures Through system measures (and how effective are they?) 2

3 String Library Code Implementation of Unix function gets No way to specify limit on number of characters to read 3 /* Get string from stdin */ char *gets(char *dest) { int c = getc(); char *p = dest; while (c!= EOF && c!= '\n') { *p++ = c; c = getc(); *p = '\0'; return dest;

4 Vulnerable Buffer Code int main() { printf("type a string:"); echo(); return 0; 4 /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ gets(buf); puts(buf);

5 Executions 5 unix>./bufdemo Type a string: unix>./bufdemo Type a string:12345 Segmentation Fault unix>./bufdemo Type a string: Segmentation Fault

6 6 Return Address Saved %ebp [3] [2] [1] [0] buf %ebp /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ gets(buf); puts(buf); echo: pushl %ebp # Save %ebp on stack movl %esp,%ebp subl $20,%esp # Allocate space on stack pushl %ebx # Save %ebx addl $-12,%esp # Allocate space on stack leal -4(%ebp),%ebx # Compute buf as %ebp-4 pushl %ebx # Push buf on stack call gets # Call gets...

7 Example unix> gdb bufdemo 7 (gdb) break echo Breakpoint 1 at 0x (gdb) run Breakpoint 1, 0x in echo () (gdb) print /x *(unsigned *)$ebp $1 = 0xbffff8f8 (gdb) print /x *((unsigned *)$ebp + 1) $3 = 0x804864d Before call to gets Return Address Saved %ebp [3] [2] [1] [0] buf %ebp Return Address 86 4d Saved bf ff %ebp f8 f8 0xbffff8d8 [3] xx [2] xx [1] xx [0] xx buf : call c <echo> d: mov 0xffffffe8(%ebp),%ebx # Return Point

8 Example #1 8 Before Call to gets Input = 123 Return Address Saved %ebp [3] [2] [1] [0] buf %ebp Return Address 86 4d Saved bf ff %ebp f8 f8 0xbffff8d8 [3] 00 [2] 33 [1] 32 [0] 31 buf No Problem

9 Example #2 9 Input = Return Address Saved %ebp [3] [2] [1] [0] buf echo code: %ebp Return Address 86 4d Saved bf ff %ebp xbffff8d8 [3] 34 [2] 33 [1] 32 [0] 31 buf Saved value of %ebp set to 0xbfff0035 Bad news when later attempt to : push %ebx : call 80483e4 <_init+0x50> # gets : mov 0xffffffe8(%ebp),%ebx b: mov %ebp,%esp restore %ebp d: pop %ebp # %ebp gets set to invalid value e: ret

10 Example #3 10 Input = Return Address Saved %ebp [3] [2] [1] [0] buf %ebp Return Address Saved %ebp xbffff8d8 [3] 34 [2] 33 [1] 32 [0] 31 buf Invalid address No longer pointing to desired return point : call c <echo> d: mov 0xffffffe8(%ebp),%ebx # Return Point %ebp and return address corrupted

11 Malicious Use of 11 return address tof void foo(){ bar();... right after call to bar() void bar() { char buf[64];... tof foo stack frame buf[] bar stack frame B = &buf[0]

12 Malicious Use of 12 void foo(){ bar();... void bar() { return char buf[64]; address gets(buf); tob... right after call to gets() buf[] tof foo bar tob dest gets gets()can now write whatever it wants, beginning at buf[0]

13 Malicious Use of 13 void foo(){ bar();... void bar() { return char buf[64]; address gets(buf); tob... right before return from gets() And new pointer that overwrites return address with address of buffer And padding (which overwrites rest of bar() s frame Input string to gets() contains byte representation of executable code buf[] tof tob foo bar dest gets

14 Malicious Use of 14 void foo(){ bar();... right after return to bar() from gets() void bar() { char buf[64]; gets(buf);... to buf[] padding foo buf[] code bar When bar() executes ret, will jump to exploit code

15 Avoiding Overflow Vulnerability 15 /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ fgets(buf, 4, stdin); puts(buf); Use Library Routines that check/limit string lengths fgets instead of gets strncpy/strlcpy instead of strcpy snprintf instead of sprintf Don t use scanf with %s conversion specification Use fgets to read the string

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics. Lecture 6B Machine-Level Programming V: Miscellaneous Topics Topics Linux Memory Layout Understanding Pointers Buffer Overflow Upper 2 hex digits of address Red Hat v. 6.2 ~1920MB memory limit FF C0 Used