Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

Transcription

1 This time We will begin our 1st section: Software Security By investigating Buffer overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals

2 Software security Security is a form of dependability Does the code do what it should To this end, we follow the software lifecycle Distinguishing factor: an active, malicious attacker Attack model The developer is trusted But the attacker can provide any inputs - Malformed strings - Malformed packets - etc. What harm could an attacker possibly cause?

3 screensaver --prompt= Don t unlock plz Don't unlock plz Locked by dml press ctrl-c to logout

4 screensaver --prompt= Don t unlock pretty plz Don't unlock pretty plz Locked by dml press ctrl-c to logout

5 screensaver --prompt= Don t unlock plz \ Don't unlock plz Locked by dml press ctrl-c to logout

6 screensaver prompt= Under maintenance;\ Do not interrupt \ Under maintenance; Do not interrupt Locked by dml press ctrl-c to logout

7 We re going to focus on C C is still very popular

8 We re going to focus on C Many mission critical systems are written in C Most kernels & OS utilities fingerd X windows server Many high-performance servers Microsoft IIS Microsoft SQL server Many embedded systems Mars rover But the techniques apply more broadly Wiibrew: Twilight Hack exploits buffer overflow when saving the name of Link s horse, Epona

9 We re going to focus on C The harm can be substantial Morris worm Propagated across machines (too aggressively, thanks to a bug) One way it propagated was a buffer overflow attack against a vulnerable version of fingerd on VAXes Sent a special string to the finger daemon, which caused it to execute code that created a new worm copy Didn t check OS: caused Suns running BSD to crash End result: $10-100M in damages, probation, community service

10 We re going to focus on C The harm can be substantial Morris worm Propagated across machines (too aggressively, thanks to a bug) One way it propagated was a buffer overflow attack against a vulnerable version of fingerd on VAXes Sent a special string to the finger daemon, which caused it to execute code that created a new worm copy Didn t check OS: caused Suns running BSD to crash End result: $10-100M in damages, probation, community service Robert Morris is now a professor at MIT

11 We re going to focus on C The harm can be substantial CodeRed Exploited an overflow in the MS-IIS server 300,000 machines infected in 14 hours

12 We re going to focus on C The harm can be substantial CodeRed Exploited an overflow in the MS-IIS server 300,000 machines infected in 14 hours

13 We re going to focus on C The harm can be substantial SQL Slammer Exploited an overflow in the MS-SQL server 75,000 machines infected in 10 minutes

14

15

16 GHOST: glibc vulnerability introduced in 2000, only just announced two days ago

17 Buffer overflows are prevalent 24 Percent of all vulnerabilities

18 Buffer overflows are prevalent 900 Total number of buffer overflow vulnerabilities

19 This class

20 This class E-voting

21 Later This class Later E-voting Later

22 Our goals Understand how these attacks work, and how to defend against them These require knowledge about: The compiler The OS The architecture Analyzing security requires a whole-systems view

23 Memory layout

24 Refresher How is program data laid out in memory? What does the stack look like? What effect does calling (and returning from) a function have on memory? We are focusing on the Linux process model Similar to other operating systems

25 All programs are stored in memory 4G 0

26 All programs are stored in memory 4G 0xffffffff 0 0x

27 All programs are stored in memory 4G 0xffffffff The process s view of memory is that it owns all of it 0 0x

28 All programs are stored in memory 4G 0xffffffff The process s view of memory is that it owns all of it In reality, these are virtual addresses; the OS/CPU map them to physical addresses 0 0x

29 The instructions themselves are in memory 4G 0xffffffff Text 0 0x

30 The instructions themselves are in memory 4G 0xffffffff Text 0x4c2 sub $0x224,%esp 0x4c1 push %ecx 0x4bf mov %esp, 0x4be push 0 0x

31 Data s location depends on how it s created 4G 0xffffffff Text 0 0x

32 Data s location depends on how it s created 4G 0xffffffff Init d data static const int y=10; Text 0 0x

33 Data s location depends on how it s created 4G 0xffffffff Uninit d data static int x; Init d data static const int y=10; Text 0 0x

34 Data s location depends on how it s created 4G 0xffffffff Known at compile time 0 Uninit d data static int x; Init d data Text static const int y=10; 0x

35 Data s location depends on how it s created 4G cmdline & env 0xffffffff Known at compile time Uninit d data static int x; Init d data Text static const int y=10; 0 0x

36 Data s location depends on how it s created Set when process starts 4G cmdline & env 0xffffffff Known at compile time Uninit d data static int x; Init d data Text static const int y=10; 0 0x

37 Data s location depends on how it s created Set when process starts 4G cmdline & env Stack 0xffffffff int f() { int x; Known at compile time Uninit d data static int x; Init d data Text static const int y=10; 0 0x

38 Data s location depends on how it s created Set when process starts 4G cmdline & env Stack 0xffffffff int f() { int x; Heap malloc(sizeof(long)); Known at compile time Uninit d data static int x; Init d data Text static const int y=10; 0 0x

39 Data s location depends on how it s created 4G Set when process starts Runtime cmdline & env Stack Heap 0xffffffff int f() { int x; malloc(sizeof(long)); Known at compile time Uninit d data static int x; Init d data Text static const int y=10; 0 0x

40 We are going to focus on runtime attacks Stack and heap grow in opposite directions 0x xffffffff Heap Stack

41 We are going to focus on runtime attacks Stack and heap grow in opposite directions Compiler provides instructions that adjusts the size of the stack at runtime 0x xffffffff Heap Stack

42 We are going to focus on runtime attacks Stack and heap grow in opposite directions Compiler provides instructions that adjusts the size of the stack at runtime 0x xffffffff Heap Stack Stack pointer

43 We are going to focus on runtime attacks Stack and heap grow in opposite directions Compiler provides instructions that adjusts the size of the stack at runtime 0x xffffffff Heap Stack Stack pointer push 1 push 2 push 3

44 We are going to focus on runtime attacks Stack and heap grow in opposite directions Compiler provides instructions that adjusts the size of the stack at runtime 0x xffffffff Heap Stack Stack pointer push 1 push 2 push 3

45 We are going to focus on runtime attacks Stack and heap grow in opposite directions Compiler provides instructions that adjusts the size of the stack at runtime 0x xffffffff Heap Stack Stack pointer push 1 push 2 push 3

46 We are going to focus on runtime attacks Stack and heap grow in opposite directions Compiler provides instructions that adjusts the size of the stack at runtime 0x xffffffff Heap 1 Stack Stack pointer push 1 push 2 push 3

47 We are going to focus on runtime attacks Stack and heap grow in opposite directions Compiler provides instructions that adjusts the size of the stack at runtime 0x xffffffff Heap 1 Stack Stack pointer push 1 push 2 push 3

48 We are going to focus on runtime attacks Stack and heap grow in opposite directions Compiler provides instructions that adjusts the size of the stack at runtime 0x xffffffff Heap 2 1 Stack Stack pointer push 1 push 2 push 3

49 We are going to focus on runtime attacks Stack and heap grow in opposite directions Compiler provides instructions that adjusts the size of the stack at runtime 0x xffffffff Heap 2 1 Stack Stack pointer push 1 push 2 push 3

50 We are going to focus on runtime attacks Stack and heap grow in opposite directions Compiler provides instructions that adjusts the size of the stack at runtime 0x xffffffff Heap Stack Stack pointer push 1 push 2 push 3

51 We are going to focus on runtime attacks Stack and heap grow in opposite directions Compiler provides instructions that adjusts the size of the stack at runtime 0x xffffffff Heap Stack Stack pointer push 1 push 2 push 3 return

52 We are going to focus on runtime attacks Stack and heap grow in opposite directions Compiler provides instructions that adjusts the size of the stack at runtime 0x xffffffff Heap Stack Stack pointer push 1 push 2 push 3 return

53 We are going to focus on runtime attacks Stack and heap grow in opposite directions Compiler provides instructions that adjusts the size of the stack at runtime 0x xffffffff Heap Stack { apportioned by the OS; managed in-process by malloc Stack pointer push 1 push 2 push 3 return

54 We are going to focus on runtime attacks Stack and heap grow in opposite directions Compiler provides instructions that adjusts the size of the stack at runtime 0x xffffffff Heap Stack { apportioned by the OS; managed in-process by malloc Stack pointer push 1 push 2 push 3 return Focusing on the stack for now

55 Stack layout when calling functions What do we do when we call a function? What data need to be stored? Where do they go? How do we return from a function? What data need to be restored? Where do they come from? Code examples

56 Stack layout when calling functions void func(char *arg1, int arg2, int arg3) { char loc1[4] int loc2; int loc3; } 0x xffffffff caller s data

57 Stack layout when calling functions void func(char *arg1, int arg2, int arg3) { char loc1[4] int loc2; int loc3; } 0x xffffffff arg1 arg2 arg3 caller s data Arguments pushed in reverse order of code

58 Stack layout when calling functions void func(char *arg1, int arg2, int arg3) { char loc1[4] int loc2; int loc3; } 0x xffffffff loc2 loc1 arg1 arg2 arg3 caller s data Local variables pushed in the same order as they appear in the code Arguments pushed in reverse order of code

59 Stack layout when calling functions void func(char *arg1, int arg2, int arg3) { char loc1[4] int loc2; int loc3; } 0x xffffffff loc2 loc1?????? arg1 arg2 arg3 caller s data Local variables pushed in the same order as they appear in the code Arguments pushed in reverse order of code

60 Accessing variables void func(char *arg1, int arg2, int arg3) { char loc1[4] int loc2; int loc3; loc2++; } 0x xffffffff loc2 loc1?????? arg1 arg2 arg3 caller s data

61 Accessing variables void func(char *arg1, int arg2, int arg3) { char loc1[4] int loc2; int loc3; loc2++; Q: Where is (this) loc2? } 0x xffffffff loc2 loc1?????? arg1 arg2 arg3 caller s data

62 Accessing variables void func(char *arg1, int arg2, int arg3) { char loc1[4] int loc2; int loc3; loc2++; Q: Where is (this) loc2? } 0x xffffffff loc2 loc1?????? arg1 arg2 arg3 caller s data 0xbffff323

63 Accessing variables void func(char *arg1, int arg2, int arg3) { char loc1[4] int loc2; int loc3; loc2++; Q: Where is (this) loc2? } 0x xffffffff loc2 loc1?????? arg1 arg2 arg3 caller s data 0xbffff323 Undecidable at compile time

64 Accessing variables void func(char *arg1, int arg2, int arg3) { char loc1[4] int loc2; int loc3; loc2++; Q: Where is (this) loc2? } 0x xffffffff loc2 loc1?????? arg1 arg2 arg3 caller s data 0xbffff323 Undecidable at compile time - I don t know where loc2 is,

65 Accessing variables void func(char *arg1, int arg2, int arg3) { char loc1[4] int loc2; int loc3; loc2++; Q: Where is (this) loc2? } 0x xffffffff loc2 loc1?????? arg1 arg2 arg3 caller s data 0xbffff323 Undecidable at compile time - I don t know where loc2 is, - and I don t know how many args

66 Accessing variables void func(char *arg1, int arg2, int arg3) { char loc1[4] int loc2; int loc3; loc2++; Q: Where is (this) loc2? } 0x xffffffff loc2 loc1?????? arg1 arg2 arg3 caller s data 0xbffff323 Undecidable at compile time - I don t know where loc2 is, - and I don t know how many args - but loc2 is always 8B before??? s

67 Accessing variables void func(char *arg1, int arg2, int arg3) { char loc1[4] int loc2; int loc3; loc2++; Q: Where is (this) loc2? } 0x xffffffff loc2 loc1?????? arg1 arg2 arg3 caller s data - I don t know where loc2 is, - and I don t know how many args - but loc2 is always 8B before??? s

68 Accessing variables void func(char *arg1, int arg2, int arg3) { char loc1[4] int loc2; int loc3; loc2++; Q: Where is (this) loc2? } 0x xffffffff loc2 loc1?????? arg1 arg2 arg3 caller s data Stack frame for this call to func - I don t know where loc2 is, - and I don t know how many args - but loc2 is always 8B before??? s

69 Accessing variables void func(char *arg1, int arg2, int arg3) { char loc1[4] int loc2; int loc3; loc2++; Q: Where is (this) loc2? } 0x xffffffff loc2 loc1?????? arg1 arg2 arg3 caller s data Frame pointer Stack frame for this call to func - I don t know where loc2 is, - and I don t know how many args - but loc2 is always 8B before??? s

70 Accessing variables void func(char *arg1, int arg2, int arg3) { char loc1[4] int loc2; int loc3; loc2++; Q: Where is (this) loc2? A: -8() } 0x xffffffff loc2 loc1?????? arg1 arg2 arg3 caller s data Frame pointer Stack frame for this call to func - I don t know where loc2 is, - and I don t know how many args - but loc2 is always 8B before??? s

71 Notation A memory address () The value at memory address (like dereferencing a pointer)

72 Notation A memory address () The value at memory address (like dereferencing a pointer) x xffffffff

73 Notation 0xbfff03b8 A memory address () The value at memory address (like dereferencing a pointer) x xffffffff

74 Notation 0xbfff03b8 A memory address () The value at memory address (like dereferencing a pointer) 0xbfff03b8 x xffffffff

75 Notation 0xbfff03b8 A memory address 0xbfff0720 () The value at memory address (like dereferencing a pointer) x xbfff03b8 0xbfff0720 0xffffffff

76 Notation 0xbfff03b8 A memory address 0xbfff0720 () The value at memory address (like dereferencing a pointer) pushl x xbfff03b8 0xbfff0720 0xffffffff

77 Notation 0xbfff03b8 A memory address 0xbfff0720 () The value at memory address (like dereferencing a pointer) pushl %esp 0xbfff03b8 x xbfff0720 0xffffffff

78 Notation 0xbfff03b8 A memory address 0xbfff0720 () The value at memory address (like dereferencing a pointer) pushl %esp 0xbfff03b8 x xbfff0720 0xffffffff

79 Notation 0xbfff03b8 A memory address 0xbfff0720 () The value at memory address (like dereferencing a pointer) pushl %esp 0xbfff03b8 x xbfff0720 0xffffffff

80 Notation 0xbfff03b8 A memory address 0xbfff0720 () The value at memory address (like dereferencing a pointer) pushl x %esp 0xbfff03b8 0xbfff03b8 0xbfff0720 0xffffffff

81 Notation 0xbfff03b8 A memory address 0xbfff0720 () The value at memory address (like dereferencing a pointer) pushl movl %esp /* = %esp */ x %esp 0xbfff03b8 0xbfff03b8 0xbfff0720 0xffffffff

82 Notation 0xbfff03b8 A memory address 0xbfff0720 () The value at memory address (like dereferencing a pointer) pushl movl %esp /* = %esp */ x %esp 0xbfff03b8 0xbfff03b8 0xbfff0720 0xffffffff

83 Notation 0xbfff03b8 A memory address 0xbfff0720 () The value at memory address (like dereferencing a pointer) pushl movl %esp /* = %esp */ 0xbfff0200 %esp 0xbfff03b8 x xbfff03b8 0xbfff0720 0xffffffff

84 Notation 0xbfff03b8 0xbfff0200 A memory address 0xbfff0720 () The value at memory address (like dereferencing a pointer) pushl movl %esp /* = %esp */ 0xbfff0200 x %esp 0xbfff03b8 0xbfff03b8 0xbfff0720 0xffffffff

85 Notation 0xbfff03b8 0xbfff0200 A memory address 0xbfff0720 0xbfff03b8 () The value at memory address (like dereferencing a pointer) pushl movl %esp /* = %esp */ 0xbfff0200 x %esp 0xbfff03b8 0xbfff03b8 0xbfff0720 0xffffffff

86 Returning from functions int main() { func( Hey, 10, -3); } 0x xffffffff loc2 loc1?????? arg1 arg2 arg3 caller s data Stack frame for this call to func

87 Returning from functions int main() { func( Hey, 10, -3); } 0x xffffffff loc2 loc1?????? arg1 arg2 arg3 caller s data Stack frame for this call to func

88 Returning from functions int main() { func( Hey, 10, -3); } 0x xffffffff loc2 loc1?????? arg1 arg2 arg3 caller s data Stack frame for this call to func

89 Returning from functions int main() { func( Hey, 10, -3); } Q: How do we restore? 0x xffffffff loc2 loc1?????? arg1 arg2 arg3 caller s data Stack frame for this call to func

90 Returning from functions int main() { func( Hey, 10, -3); } Q: How do we restore? 0x xffffffff??? arg1 arg2 arg3 caller s data Stack frame for this call to func

91 Returning from functions int main() { func( Hey, 10, -3); } Q: How do we restore? 0x %esp 0xffffffff??? arg1 arg2 arg3 caller s data Stack frame for this call to func

92 Returning from functions int main() { func( Hey, 10, -3); } Q: How do we restore? 0x %esp 0xffffffff??? arg1 arg2 arg3 caller s data 1. Push before locals Stack frame for this call to func

93 Returning from functions int main() { func( Hey, 10, -3); } Q: How do we restore? 0x %esp 0xffffffff??? arg1 arg2 arg3 caller s data 1. Push before locals 2. Set to current %esp Stack frame for this call to func

94 Returning from functions int main() { func( Hey, 10, -3); } Q: How do we restore? 0x %esp 0xffffffff??? arg1 arg2 arg3 caller s data 1. Push before locals 2. Set to current %esp Stack frame for this call to func 3. Set to() at return

95 Returning from functions int main() { func( Hey, 10, -3); } 0x xffffffff loc2 loc1??? arg1 arg2 arg3 caller s data Stack frame for this call to func

96 Returning from functions int main() { func( Hey, 10, -3); } Q: How do we resume here? 0x xffffffff loc2 loc1??? arg1 arg2 arg3 caller s data Stack frame for this call to func

97 The instructions themselves are in memory 4G 0xffffffff Text 0x4a7 mov $0x0,%eax 0x4a2 call <func> 0x49b movl $0x804..,(%esp) 0x493 movl $0xa,0x4(%esp) 0 0x

98 The instructions themselves are in memory 4G 0xffffffff Text 0x4a7 mov $0x0,%eax 0x4a2 call <func> 0x49b movl $0x804..,(%esp) 0x493 movl $0xa,0x4(%esp) %eip 0 0x

99 The instructions themselves are in memory 4G 0xffffffff Text 0x4a7 mov $0x0,%eax 0x4a2 call <func> 0x49b movl $0x804..,(%esp) 0x493 movl $0xa,0x4(%esp) %eip 0 0x

100 The instructions themselves are in memory 4G 0xffffffff Text 0x4a7 mov $0x0,%eax 0x4a2 call <func> 0x49b movl $0x804..,(%esp) 0x493 movl $0xa,0x4(%esp) %eip 0 0x

101 The instructions themselves are in memory 4G 0xffffffff 0x5bf mov %esp, 0x5be push Text 0x4a7 mov $0x0,%eax 0x4a2 call <func> 0x49b movl $0x804..,(%esp) 0x493 movl $0xa,0x4(%esp) %eip 0 0x

102 The instructions themselves are in memory 4G 0xffffffff 0x5bf mov %esp, 0x5be push %eip Text 0x4a7 mov $0x0,%eax 0x4a2 call <func> 0x49b movl $0x804..,(%esp) 0x493 movl $0xa,0x4(%esp) 0 0x

103 The instructions themselves are in memory 4G 0xffffffff 0x5bf mov %esp, 0x5be push %eip Text 0x4a7 mov $0x0,%eax 0x4a2 call <func> 0x49b movl $0x804..,(%esp) 0x493 movl $0xa,0x4(%esp) 0 0x

104 The instructions themselves are in memory 4G 0xffffffff 0x5bf mov %esp, 0x5be push Text 0x4a7 mov $0x0,%eax 0x4a2 call <func> 0x49b movl $0x804..,(%esp) 0x493 movl $0xa,0x4(%esp) %eip 0 0x

105 Returning from functions int main() { func( Hey, 10, -3); } Q: How do we resume here? 0x xffffffff loc2 loc1??? arg1 arg2 arg3 caller s data Stack frame for this call to func

106 Returning from functions int main() { func( Hey, 10, -3); } Q: How do we resume here? 0x xffffffff loc2 loc1??? arg1 arg2 arg3 caller s data Stack frame for this call to func Push next %eip before call

107 Returning from functions int main() { func( Hey, 10, -3); } Q: How do we resume here? 0x xffffffff loc2 loc1 %eip??? arg1 arg2 arg3 caller s data Stack frame for this call to func Push next %eip before call

108 Returning from functions int main() { func( Hey, 10, -3); } Q: How do we resume here? 0x xffffffff loc2 loc1 %eip??? arg1 arg2 arg3 caller s data Stack frame for this call to func Set %eip to 4() at return Push next %eip before call

109 Stack and functions: Summary

110 Stack and functions: Summary Calling function: 1.Push arguments onto the stack (in reverse) 2.Push the return address, i.e., the address of the instruction you want run after control returns to you: %eip+something 3.Jump to the function s address

111 Stack and functions: Summary Calling function: 1.Push arguments onto the stack (in reverse) 2.Push the return address, i.e., the address of the instruction you want run after control returns to you: %eip+something 3.Jump to the function s address Called function: 4.Push the old frame pointer onto the stack: 5.Set frame pointer to where the end of the stack is right now: %esp 6.Push local variables onto the stack; access them as offsets from

112 Stack and functions: Summary Calling function: 1.Push arguments onto the stack (in reverse) 2.Push the return address, i.e., the address of the instruction you want run after control returns to you: %eip+something 3.Jump to the function s address Called function: 4.Push the old frame pointer onto the stack: 5.Set frame pointer to where the end of the stack is right now: %esp 6.Push local variables onto the stack; access them as offsets from Returning function: 7.Reset the previous stack frame: = () 8.Jump back to return address: %eip = 4()

113 Buffer overflows

114 Buffer overflows from 10,000 ft Buffer = Contiguous set of a given data type Common in C - All strings are buffers of char s Overflow = Put more into the buffer than it can hold Where does the extra data go? Well now that you re experts in memory layouts

115 A buffer overflow example void func(char *arg1) { char buffer[4]; strcpy(buffer, arg1); } int main() { char *mystr = AuthMe! ; func(mystr); }

116 A buffer overflow example void func(char *arg1) { char buffer[4]; strcpy(buffer, arg1); } int main() { char *mystr = AuthMe! ; func(mystr); }

117 A buffer overflow example void func(char *arg1) { char buffer[4]; strcpy(buffer, arg1); } int main() { char *mystr = AuthMe! ; func(mystr); } &arg1

118 A buffer overflow example void func(char *arg1) { char buffer[4]; strcpy(buffer, arg1); } int main() { char *mystr = AuthMe! ; func(mystr); } %eip &arg1

119 A buffer overflow example void func(char *arg1) { char buffer[4]; strcpy(buffer, arg1); } int main() { char *mystr = AuthMe! ; func(mystr); } %eip &arg1

120 A buffer overflow example void func(char *arg1) { char buffer[4]; strcpy(buffer, arg1); } int main() { char *mystr = AuthMe! ; func(mystr); } %eip &arg1 buffer

121 A buffer overflow example void func(char *arg1) { char buffer[4]; strcpy(buffer, arg1); } int main() { char *mystr = AuthMe! ; func(mystr); } A u t h %eip &arg1 buffer

122 A buffer overflow example void func(char *arg1) { char buffer[4]; strcpy(buffer, arg1); } int main() { char *mystr = AuthMe! ; func(mystr); } M e! \0 00 A 00 u 00 t 00 h 4d %eip &arg1 buffer

123 A buffer overflow example void func(char *arg1) { char buffer[4]; strcpy(buffer, arg1); } int main() { char *mystr = AuthMe! ; func(mystr); } Upon return, sets to 0x d M e! \0 00 A 00 u 00 t 00 h 4d %eip &arg1 buffer

124 A buffer overflow example void func(char *arg1) { char buffer[4]; strcpy(buffer, arg1); } int main() { char *mystr = AuthMe! ; func(mystr); } Upon return, sets to 0x d M e! \0 00 A 00 u 00 t 00 h 4d %eip &arg1 buffer SEGFAULT (0x )

125 A buffer overflow example void func(char *arg1) { int authenticated = 0; char buffer[4]; strcpy(buffer, arg1); if(authenticated) { } int main() { char *mystr = AuthMe! ; func(mystr); }

126 A buffer overflow example void func(char *arg1) { int authenticated = 0; char buffer[4]; strcpy(buffer, arg1); if(authenticated) { } int main() { char *mystr = AuthMe! ; func(mystr); }

127 A buffer overflow example void func(char *arg1) { int authenticated = 0; char buffer[4]; strcpy(buffer, arg1); if(authenticated) { } int main() { char *mystr = AuthMe! ; func(mystr); } &arg1

128 A buffer overflow example void func(char *arg1) { int authenticated = 0; char buffer[4]; strcpy(buffer, arg1); if(authenticated) { } int main() { char *mystr = AuthMe! ; func(mystr); } %eip &arg1

129 A buffer overflow example void func(char *arg1) { int authenticated = 0; char buffer[4]; strcpy(buffer, arg1); if(authenticated) { } int main() { char *mystr = AuthMe! ; func(mystr); } %eip &arg1

130 A buffer overflow example void func(char *arg1) { int authenticated = 0; char buffer[4]; strcpy(buffer, arg1); if(authenticated) { } int main() { char *mystr = AuthMe! ; func(mystr); } %eip &arg1 authenticated

131 A buffer overflow example void func(char *arg1) { int authenticated = 0; char buffer[4]; strcpy(buffer, arg1); if(authenticated) { } int main() { char *mystr = AuthMe! ; func(mystr); } %eip &arg1 buffer authenticated

132 A buffer overflow example void func(char *arg1) { int authenticated = 0; char buffer[4]; strcpy(buffer, arg1); if(authenticated) { } int main() { char *mystr = AuthMe! ; func(mystr); } 00 A 00 u 00 t 00 h %eip &arg1 buffer authenticated

133 A buffer overflow example void func(char *arg1) { int authenticated = 0; char buffer[4]; strcpy(buffer, arg1); if(authenticated) { } int main() { char *mystr = AuthMe! ; func(mystr); } M e! \0 00 A 00 u 00 t 00 h 4d %eip &arg1 buffer authenticated

134 A buffer overflow example void func(char *arg1) { int authenticated = 0; char buffer[4]; strcpy(buffer, arg1); if(authenticated) { } int main() { char *mystr = AuthMe! ; func(mystr); } Code still runs; user now authenticated M e! \0 00 A 00 u 00 t 00 h 4d %eip &arg1 buffer authenticated

135 void vulnerable() { char buf[80]; gets(buf); }

136 void vulnerable() { char buf[80]; gets(buf); } void still_vulnerable() { char *buf = malloc(80); gets(buf); }

137 void safe() { char buf[80]; fgets(buf, 64, stdin); }

138 void safe() { char buf[80]; fgets(buf, 64, stdin); } void safer() { char buf[80]; fgets(buf, sizeof(buf), stdin); }

139

140 User-supplied strings In these examples, we were providing our own strings But they come from users in myriad aways Text input Packets Environment variables File input

141 What s the worst that could happen? void func(char *arg1) { char buffer[4]; strcpy(buffer, arg1); } %eip &mystr buffer

142 What s the worst that could happen? void func(char *arg1) { char buffer[4]; strcpy(buffer, arg1); } %eip &mystr buffer strcpy will let you write as much as you want (til a \0 )

143 What s the worst that could happen? void func(char *arg1) { char buffer[4]; strcpy(buffer, arg1); } All ours! %eip &mystr buffer strcpy will let you write as much as you want (til a \0 )

144 What s the worst that could happen? void func(char *arg1) { char buffer[4]; strcpy(buffer, arg1); } All ours! %eip &mystr buffer strcpy will let you write as much as you want (til a \0 ) What could you write to memory to wreak havoc?

145 Code injection

146 High-level idea void func(char *arg1) { char buffer[4]; sprintf(buffer, arg1); } %eip &arg buffer

147 High-level idea void func(char *arg1) { char buffer[4]; sprintf(buffer, arg1); } %eip &arg Haxx0r c0d3 buffer (1) Load my own code into memory

148 High-level idea void func(char *arg1) { char buffer[4]; sprintf(buffer, arg1); } %eip Text %eip &arg buffer Haxx0r c0d3 (1) Load my own code into memory (2) Somehow get %eip to point to it

149 High-level idea void func(char *arg1) { char buffer[4]; sprintf(buffer, arg1); } %eip Text %eip &arg buffer Haxx0r c0d3 (1) Load my own code into memory (2) Somehow get %eip to point to it

150 High-level idea void func(char *arg1) { char buffer[4]; sprintf(buffer, arg1); } %eip Text %eip &arg buffer Haxx0r c0d3 (1) Load my own code into memory (2) Somehow get %eip to point to it

151 This is nontrivial Pulling off this attack requires getting a few things really right (and some things sorta right) Think about what is tricky about the attack The key to defending it will be to make the hard parts really hard

152 Challenge 1 Loading code into memory It must be the machine code instructions (i.e., already compiled and ready to run) We have to be careful in how we construct it: It can t contain any all-zero bytes - Otherwise, sprintf / gets / scanf / will stop copying - How could you write assembly to never contain a full zero byte? It can t make use of the loader (we re injecting) It can t use the stack (we re going to smash it)

153 What kind of code would we want to run? Goal: full-purpose shell The code to launch a shell is called shell code It is nontrivial to it in a way that works as injected code - No zeroes, can t use the stack, no loader dependence There are many out there - And competitions to see who can write the smallest Goal: privilege escalation Ideally, they go from guest (or non-user) to root

154 Shellcode #include <stdio.h> int main( ) { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); }

155 Shellcode #include <stdio.h> int main( ) { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } Assembly xorl %eax, %eax pushl %eax pushl $0x68732f2f pushl $0x6e69622f movl %esp,%ebx pushl %eax

156 Shellcode #include <stdio.h> int main( ) { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } Assembly xorl %eax, %eax pushl %eax pushl $0x68732f2f pushl $0x6e69622f movl %esp,%ebx pushl %eax

157 Shellcode #include <stdio.h> int main( ) { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } Assembly xorl %eax, %eax pushl %eax pushl $0x68732f2f pushl $0x6e69622f movl %esp,%ebx pushl %eax \x31\xc0 \x50 \x68 //sh \x68 /bin \x89\xe3 \x50 Machine code

158 Shellcode #include <stdio.h> int main( ) { char *name[2]; name[0] = /bin/sh ; name[1] = NULL; execve(name[0], name, NULL); } Assembly xorl %eax, %eax pushl %eax pushl $0x68732f2f pushl $0x6e69622f movl %esp,%ebx pushl %eax \x31\xc0 \x50 \x68 //sh \x68 /bin \x89\xe3 \x50 Machine code (Part of) your input

159 Privilege escalation Permissions later, but for now Recall that each file has: Permissions: read / write / execute For each of: owner / group / everyone else Consider a service like passwd Owned by root (and needs to do root-y things) But you want any user to be able to run it

160 Effective userid Userid = the user who ran the process Effective userid = what is used to determine what access the process has Consider passwd: getuid() will return you (real userid) seteuid(0) to set the effective userid to root - It s allowed to because root is the owner What is the potential attack?

161 Effective userid Userid = the user who ran the process Effective userid = what is used to determine what access the process has Consider passwd: getuid() will return you (real userid) seteuid(0) to set the effective userid to root - It s allowed to because root is the owner What is the potential attack? If you can get a root-owned process to run setuid(0)/seteuid(0), then you get root permissions

162 Challenge 2 Getting our injected code to run We can t insert a jump into my code instruction We have to use whatever code is already running %eip &arg \x0f \x3c \x2f buffer Thoughts?

163 Challenge 2 Getting our injected code to run We can t insert a jump into my code instruction We have to use whatever code is already running %eip Text %eip &arg \x0f \x3c \x2f buffer Thoughts?

164 Challenge 2 Getting our injected code to run We can t insert a jump into my code instruction We have to use whatever code is already running %eip Text %eip &arg \x0f \x3c \x2f buffer Thoughts?

165 Challenge 2 Getting our injected code to run We can t insert a jump into my code instruction We have to use whatever code is already running %eip Text %eip &arg \x0f \x3c \x2f buffer Thoughts?

166 Stack and functions: Summary Calling function: 1.Push arguments onto the stack (in reverse) 2.Push the return address, i.e., the address of the instruction you want run after control returns to you: %eip+something 3.Jump to the function s address Called function: 4.Push the old frame pointer onto the stack: 5.Set frame pointer to where the end of the stack is right now: %esp 6.Push local variables onto the stack; access them as offsets from Returning function: 7.Reset the previous stack frame: = () 8.Jump back to return address: %eip = 4()

167 Hijacking the saved %eip %eip Text %eip &arg1 \x0f \x3c \x2f buffer 0xbff

168 Hijacking the saved %eip %eip Text %eip 0xbff &arg1 \x0f \x3c \x2f buffer 0xbff

169 Hijacking the saved %eip %eip Text %eip 0xbff &arg1 \x0f \x3c \x2f buffer 0xbff

170 Hijacking the saved %eip %eip Text %eip 0xbff &arg1 \x0f \x3c \x2f buffer 0xbff But how do we know the address?

171 Hijacking the saved %eip What if we are wrong? %eip Text %eip 0xbff &arg1 \x0f \x3c \x2f buffer 0xbff

172 Hijacking the saved %eip What if we are wrong? %eip Text %eip 0xbff &arg1 0xbdf \x0f \x3c \x2f buffer 0xbff

173 Hijacking the saved %eip What if we are wrong? %eip Text %eip 0xbff &arg1 0xbdf \x0f \x3c \x2f buffer 0xbff

174 Hijacking the saved %eip What if we are wrong? %eip Text %eip 0xbff 0xbdf &arg1 \x0f \x3c \x2f buffer 0xbff This is most likely data, so the CPU will panic (Invalid Instruction)

175 Challenge 3 Finding the return address

176 Challenge 3 Finding the return address If we don t have access to the code, we don t know how far the buffer is from the saved

177 Challenge 3 Finding the return address If we don t have access to the code, we don t know how far the buffer is from the saved One approach: just try a lot of different values!

178 Challenge 3 Finding the return address If we don t have access to the code, we don t know how far the buffer is from the saved One approach: just try a lot of different values! Worst case scenario: it s a 32 (or 64) bit memory space, which means 2 32 (2 64 ) possible answers

179 Challenge 3 Finding the return address If we don t have access to the code, we don t know how far the buffer is from the saved One approach: just try a lot of different values! Worst case scenario: it s a 32 (or 64) bit memory space, which means 2 32 (2 64 ) possible answers But without address randomization: The stack always starts from the same, fixed address The stack will grow, but usually it doesn t grow very deeply (unless the code is heavily recursive)

180 gdb tutorial

181 Improving our chances: nop sleds nop is a single-byte instruction (just moves to the next instruction) %eip Text %eip 0xbff 0xbdf &arg1 \x0f \x3c \x2f buffer 0xbff

182 Improving our chances: nop sleds nop is a single-byte instruction (just moves to the next instruction) %eip Text %eip 0xbff 0xbdf &arg1 nop nop nop \x0f \x3c \x2f buffer 0xbff

183 Improving our chances: nop sleds nop is a single-byte instruction (just moves to the next instruction) %eip Jumping anywhere here will work Text %eip 0xbff 0xbdf &arg1 nop nop nop \x0f \x3c \x2f buffer 0xbff

184 Improving our chances: nop sleds nop is a single-byte instruction (just moves to the next instruction) %eip Jumping anywhere here will work Text %eip 0xbdf xbff &arg1 nop nop nop \x0f \x3c \x2f buffer

185 Improving our chances: nop sleds nop is a single-byte instruction (just moves to the next instruction) %eip Jumping anywhere here will work Text %eip 0xbdf xbff &arg1 nop nop nop \x0f \x3c \x2f buffer Now we improve our chances of guessing by a factor of #nops

186 Putting it all together %eip padding good guess Text %eip 0xbdf &arg xbff nop nop nop buffer nop sled \x0f \x3c \x2f malicious code

187 Putting it all together But it has to be something; we have to start writing wherever the input to gets/etc. begins. %eip padding good guess Text %eip 0xbdf &arg xbff nop nop nop buffer nop sled \x0f \x3c \x2f malicious code

188 Putting it all together But it has to be something; we have to start writing wherever the input to gets/etc. begins. padding good guess %eip Text %eip 0xbdf &arg xbff nop nop nop buffer nop sled \x0f \x3c \x2f malicious code

189 Putting it all together But it has to be something; we have to start writing wherever the input to gets/etc. begins. padding good guess %eip Text %eip 0xbdf &arg xbff nop nop nop buffer nop sled \x0f \x3c \x2f malicious code

190 Next time Continuing with Software Security More attacks, and Defenses Required reading: StackGuard: Simple Stack Smash Protection for GCC