MEMORY SAFETY ATTACKS & DEFENSES
Size: px
Start display at page:

Download "MEMORY SAFETY ATTACKS & DEFENSES"

Transcription

1 MEMORY SAFETY ATTACKS & DEFENSES CMSC 414 FEB

2 void safe() { char buf[80]; fgets(buf, 80, stdin); void safer() { char buf[80]; fgets(buf, sizeof(buf), stdin);

3 void safe() { char buf[80]; fgets(buf, 80, stdin); void safer() { char buf[80]; fgets(buf, sizeof(buf), stdin); void vulnerable() { char buf[80]; if(fgets(buf, sizeof(buf), stdin)==null) return; printf(buf);

4 void safe() { char buf[80]; fgets(buf, 80, stdin); void safer() { char buf[80]; fgets(buf, sizeof(buf), stdin); void vulnerable() { char buf[80]; if(fgets(buf, sizeof(buf), stdin)==null) return; printf(buf);

5 FORMAT STRING VULNERABILITIES

6 PRINTF FORMAT STRINGS int i = 10; printf( %d %p\n, i, &i);

7 PRINTF FORMAT STRINGS int i = 10; printf( %d %p\n, i, &i); 0x xffffffff %ebp %eip &fmt 10 &i

8 PRINTF FORMAT STRINGS int i = 10; printf( %d %p\n, i, &i); 0x xffffffff %ebp %eip &fmt 10 &i printf s stack frame

9 PRINTF FORMAT STRINGS int i = 10; printf( %d %p\n, i, &i); 0x xffffffff %ebp %eip &fmt 10 &i printf s stack frame caller s stack frame

10 PRINTF FORMAT STRINGS int i = 10; printf( %d %p\n, i, &i); 0x xffffffff %ebp %eip &fmt 10 &i printf s stack frame caller s stack frame

11 PRINTF FORMAT STRINGS int i = 10; printf( %d %p\n, i, &i); 0x xffffffff %ebp %eip &fmt 10 &i printf s stack frame printf takes variable number of arguments caller s stack frame printf pays no mind to where the stack frame ends It presumes that you called it with (at least) as many arguments as specified in the format string

12 PRINTF FORMAT STRINGS int i = 10; printf( %d %p\n, i, &i); 0x xffffffff %ebp %eip &fmt 10 &i printf s stack frame printf takes variable number of arguments caller s stack frame printf pays no mind to where the stack frame ends It presumes that you called it with (at least) as many arguments as specified in the format string

13 PRINTF FORMAT STRINGS int i = 10; printf( %d %p\n, i, &i); 0x xffffffff %ebp %eip &fmt 10 &i printf s stack frame printf takes variable number of arguments caller s stack frame printf pays no mind to where the stack frame ends It presumes that you called it with (at least) as many arguments as specified in the format string

14 PRINTF FORMAT STRINGS int i = 10; printf( %d %p\n, i, &i); 0x xffffffff %ebp %eip &fmt 10 &i printf s stack frame printf takes variable number of arguments caller s stack frame printf pays no mind to where the stack frame ends It presumes that you called it with (at least) as many arguments as specified in the format string

15 void vulnerable() { char buf[80]; if(fgets(buf, sizeof(buf), stdin)==null) return; printf(buf);

16 void vulnerable() { char buf[80]; if(fgets(buf, sizeof(buf), stdin)==null) return; printf(buf); %d %x"

17 void vulnerable() { char buf[80]; if(fgets(buf, sizeof(buf), stdin)==null) return; printf(buf); %d %x" 0x xffffffff %ebp %eip &fmt caller s stack frame

18 void vulnerable() { char buf[80]; if(fgets(buf, sizeof(buf), stdin)==null) return; printf(buf); %d %x" 0x xffffffff %ebp %eip &fmt caller s stack frame

19 void vulnerable() { char buf[80]; if(fgets(buf, sizeof(buf), stdin)==null) return; printf(buf); %d %x" 0x xffffffff %ebp %eip &fmt caller s stack frame

20 FORMAT STRING VULNERABILITIES

21 FORMAT STRING VULNERABILITIES printf( 100% dml );

22 FORMAT STRING VULNERABILITIES printf( 100% dml ); Prints stack entry 4 byes above saved %eip

23 FORMAT STRING VULNERABILITIES printf( 100% dml ); Prints stack entry 4 byes above saved %eip printf( %s );

24 FORMAT STRING VULNERABILITIES printf( 100% dml ); Prints stack entry 4 byes above saved %eip printf( %s ); Prints bytes pointed to by that stack entry

25 FORMAT STRING VULNERABILITIES printf( 100% dml ); Prints stack entry 4 byes above saved %eip printf( %s ); Prints bytes pointed to by that stack entry printf( %d %d %d %d );

26 FORMAT STRING VULNERABILITIES printf( 100% dml ); Prints stack entry 4 byes above saved %eip printf( %s ); Prints bytes pointed to by that stack entry printf( %d %d %d %d ); Prints a series of stack entries as integers

27 FORMAT STRING VULNERABILITIES printf( 100% dml ); Prints stack entry 4 byes above saved %eip printf( %s ); Prints bytes pointed to by that stack entry printf( %d %d %d %d ); Prints a series of stack entries as integers printf( %08x %08x %08x %08x );

28 FORMAT STRING VULNERABILITIES printf( 100% dml ); Prints stack entry 4 byes above saved %eip printf( %s ); Prints bytes pointed to by that stack entry printf( %d %d %d %d ); Prints a series of stack entries as integers printf( %08x %08x %08x %08x ); Same, but nicely formatted hex

29 FORMAT STRING VULNERABILITIES printf( 100% dml ); Prints stack entry 4 byes above saved %eip printf( %s ); Prints bytes pointed to by that stack entry printf( %d %d %d %d ); Prints a series of stack entries as integers printf( %08x %08x %08x %08x ); Same, but nicely formatted hex printf( 100% no way! )

30 FORMAT STRING VULNERABILITIES printf( 100% dml ); Prints stack entry 4 byes above saved %eip printf( %s ); Prints bytes pointed to by that stack entry printf( %d %d %d %d ); Prints a series of stack entries as integers printf( %08x %08x %08x %08x ); Same, but nicely formatted hex printf( 100% no way! ) WRITES the number 3 to address pointed to by stack entry

31 FORMAT STRING PREVALENCE % of vulnerabilities that involve format string bugs

32 WHAT S WRONG WITH THIS CODE? #define BUF_SIZE 16 char buf[buf_size]; void vulnerable() { int len = read_int_from_network(); char *p = read_string_from_network(); if(len > BUF_SIZE) { printf( Too large\n ); return; memcpy(buf, p, len);

33 WHAT S WRONG WITH THIS CODE? #define BUF_SIZE 16 char buf[buf_size]; void vulnerable() { int len = read_int_from_network(); char *p = read_string_from_network(); if(len > BUF_SIZE) { printf( Too large\n ); return; memcpy(buf, p, len); void *memcpy(void *dest, const void *src, size_t n);

34 WHAT S WRONG WITH THIS CODE? #define BUF_SIZE 16 char buf[buf_size]; void vulnerable() { int len = read_int_from_network(); char *p = read_string_from_network(); if(len > BUF_SIZE) { printf( Too large\n ); return; memcpy(buf, p, len); void *memcpy(void *dest, const void *src, size_t n); typedef unsigned int size_t;

35 WHAT S WRONG WITH THIS CODE? #define BUF_SIZE 16 char buf[buf_size]; void vulnerable() { Negative int len = read_int_from_network(); char *p = read_string_from_network(); if(len > BUF_SIZE) { printf( Too large\n ); return; memcpy(buf, p, len); void *memcpy(void *dest, const void *src, size_t n); typedef unsigned int size_t;

36 WHAT S WRONG WITH THIS CODE? #define BUF_SIZE 16 char buf[buf_size]; void vulnerable() { Negative int len = read_int_from_network(); char *p = read_string_from_network(); Ok if(len > BUF_SIZE) { printf( Too large\n ); return; memcpy(buf, p, len); void *memcpy(void *dest, const void *src, size_t n); typedef unsigned int size_t;

37 WHAT S WRONG WITH THIS CODE? #define BUF_SIZE 16 char buf[buf_size]; void vulnerable() { Negative int len = read_int_from_network(); char *p = read_string_from_network(); Ok if(len > BUF_SIZE) { printf( Too large\n ); return; memcpy(buf, p, len); Implicit cast to unsigned void *memcpy(void *dest, const void *src, size_t n); typedef unsigned int size_t;

38 INTEGER OVERFLOW VULNERABILITIES

39 WHAT S WRONG WITH THIS CODE? void vulnerable() { size_t len; char *buf; len = read_int_from_network(); buf = malloc(len + 5); read(fd, buf, len);...

40 WHAT S WRONG WITH THIS CODE? void vulnerable() { size_t len; char *buf; HUGE len = read_int_from_network(); buf = malloc(len + 5); read(fd, buf, len);...

41 WHAT S WRONG WITH THIS CODE? void vulnerable() { size_t len; char *buf; HUGE len = read_int_from_network(); buf = malloc(len + 5); read(fd, buf, len);... Wrap-around

42 WHAT S WRONG WITH THIS CODE? void vulnerable() { size_t len; char *buf; HUGE len = read_int_from_network(); buf = malloc(len + 5); read(fd, buf, len);... Wrap-around Takeaway: You have to know the semantics of your programming language to avoid these errors

43 INTEGER OVERFLOW PREVALENCE % of vulnerabilities that involve integer overflows

Similar documents

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask This time We will continue Buffer overflows By looking at Overflow Defenses and other memory safety vulnerabilities Everything you ve always wanted to know about gdb but were too afraid to ask Overflow

More information

Required reading: StackGuard: Simple Stack Smash Protection for GCC

Required reading: StackGuard: Simple Stack Smash Protection for GCC Continuing with Software Security Writing & testing for Secure Code Required reading: StackGuard: Simple Stack Smash Protection for GCC Optional reading: Basic Integer Overflows Exploiting Format String

More information

Software Security: Buffer Overflow Attacks

Software Security: Buffer Overflow Attacks CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,

More information

Overflows, Injection, & Memory Safety

Overflows, Injection, & Memory Safety Overflows, Injection, & Memory Safety 1 Announcements... Computer Science 161 Fall 2018 Project 1 is now live! Due Friday September 14th Start it early: The add/drop deadline got reduced to September 12th

More information

Software Security: Misc and Principles

Software Security: Misc and Principles CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Misc and Principles Spring 2015 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 15: Software Security II Department of Computer Science and Engineering University at Buffalo 1 Software Vulnerabilities Buffer overflow vulnerabilities account

More information

Software Security: Buffer Overflow Defenses and Miscellaneous

Software Security: Buffer Overflow Defenses and Miscellaneous CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses and Miscellaneous Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter

More information

Memory safety, continued

Memory safety, continued Memory safety, continued With material from Mike Hicks and Dave Levin http://images.myhardhatstickers.com/img/lg/h/everybody-safety-hard-hat-label-hh-0115.gif Today s agenda gdb tutorial Other memory exploits

More information

Software Security: Buffer Overflow Attacks and Beyond

Software Security: Buffer Overflow Attacks and Beyond CSE 484 / CSE M 584 (Autumn 2011) Software Security: Buffer Overflow Attacks and Beyond Daniel Halperin Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov,

More information

Software Security: Miscellaneous

Software Security: Miscellaneous CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Miscellaneous Fall 2016 Adam (Ada) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin,

More information

Software Security; Common Implementation Flaws

Software Security; Common Implementation Flaws CS 334 Computer Security Fall 2008 Prof. Szajda Software Security; Common Implementation Flaws The purpose of the next few lectures is to teach you about software security. Even if we ve got the perfect

More information

CS 161 Computer Security

CS 161 Computer Security Paxson Spring 2017 CS 161 Computer Security 1/24 Memory safety Attacks and Defenses In the first few lectures we will be looking at software security problems associated with the software implementation.

More information

Memory Corruption Vulnerabilities, Part II

Memory Corruption Vulnerabilities, Part II Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Integer Overflow Vulnerabilities * slides adapted from those by Seacord 3 Integer Overflows

More information

Software Security: Buffer Overflow Attacks and Beyond

Software Security: Buffer Overflow Attacks and Beyond CSE 484 (Winter 2011) Software Security: Buffer Overflow Attacks and Beyond Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many

More information

So$ware Security (II): Buffer- overflow Defenses

So$ware Security (II): Buffer- overflow Defenses Computer Security Course. Dawn Song So$ware Security (II): Buffer- overflow Defenses Dawn Song 1 PrevenBng hijacking afacks Fix bugs: Audit so$ware Automated tools: Coverity, Prefast/Prefix, ForBfy Rewrite

More information

CYSE 411/AIT681 Secure Software Engineering Topic #10. Secure Coding: Integer Security

CYSE 411/AIT681 Secure Software Engineering Topic #10. Secure Coding: Integer Security CYSE 411/AIT681 Secure Software Engineering Topic #10. Secure Coding: Integer Security Instructor: Dr. Kun Sun 1 This lecture: [Seacord]: Chapter 5 Readings 2 Secure Coding String management Pointer Subterfuge

More information

2/9/18. Readings. CYSE 411/AIT681 Secure Software Engineering. Introductory Example. Secure Coding. Vulnerability. Introductory Example.

2/9/18. Readings. CYSE 411/AIT681 Secure Software Engineering. Introductory Example. Secure Coding. Vulnerability. Introductory Example. This lecture: [Seacord]: Chapter 5 Readings CYSE 411/AIT681 Secure Software Engineering Topic #10. Secure Coding: Integer Security Instructor: Dr. Kun Sun 1 2 String management Pointer Subterfuge Secure

More information

2/9/18. CYSE 411/AIT681 Secure Software Engineering. Readings. Secure Coding. This lecture: String management Pointer Subterfuge

2/9/18. CYSE 411/AIT681 Secure Software Engineering. Readings. Secure Coding. This lecture: String management Pointer Subterfuge CYSE 411/AIT681 Secure Software Engineering Topic #10. Secure Coding: Integer Security Instructor: Dr. Kun Sun 1 This lecture: [Seacord]: Chapter 5 Readings 2 String management Pointer Subterfuge Secure

More information

Page 1. Goals for Today. Buffer Overrun Vulnerabilities. Simple Example. More Serious Exploit Example. Modified Example

Page 1. Goals for Today. Buffer Overrun Vulnerabilities. Simple Example. More Serious Exploit Example. Modified Example CS 194-1 (CS 161) Computer Security Lecture 13 Software security; Common implementation flaws; Principles October 16, 2006 Prof. Anthony D. Joseph http://cs161.org/ Goals for Today Next 3 lectures are

More information

CSCI-243 Exam 1 Review February 22, 2015 Presented by the RIT Computer Science Community

CSCI-243 Exam 1 Review February 22, 2015 Presented by the RIT Computer Science Community CSCI-243 Exam 1 Review February 22, 2015 Presented by the RIT Computer Science Community http://csc.cs.rit.edu History and Evolution of Programming Languages 1. Explain the relationship between machine

More information

Software Security: Buffer Overflow Attacks and Beyond

Software Security: Buffer Overflow Attacks and Beyond CSE 484 / CSE M 584 (Winter 2013) Software Security: Buffer Overflow Attacks and Beyond Tadayoshi Kohno Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, John Manferdelli, John Mitchell, Vitaly Shmatikov,

More information

UMSSIA LECTURE I: SOFTWARE SECURITY

UMSSIA LECTURE I: SOFTWARE SECURITY UMSSIA LECTURE I: SOFTWARE SECURITY THINKING LIKE AN ADVERSARY SECURITY ASSESSMENT Confidentiality? Availability? Dependability? Security by Obscurity: a system that is only secure if the adversary doesn

More information

Detecting and exploiting integer overflows

Detecting and exploiting integer overflows Detecting and exploiting integer overflows Guillaume TOURON Laboratoire Verimag, Ensimag - Grenoble INP Marie-Laure Potet, Laurent Mounier 20/05/11 1 / 18 Context Binary representation Integers misinterpretation

More information

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES BUFFER OVERFLOW DEFENSES & COUNTERMEASURES CMSC 414 FEB 01 2018 RECALL OUR CHALLENGES How can we make these even more difficult? Putting code into the memory (no zeroes) Finding the return address (guess

More information

ECE 264 Exam 2. 6:30-7:30PM, March 9, You must sign here. Otherwise you will receive a 1-point penalty.

ECE 264 Exam 2. 6:30-7:30PM, March 9, You must sign here. Otherwise you will receive a 1-point penalty. ECE 264 Exam 2 6:30-7:30PM, March 9, 2011 I certify that I will not receive nor provide aid to any other student for this exam. Signature: You must sign here. Otherwise you will receive a 1-point penalty.

More information

Programming refresher and intro to C programming

Programming refresher and intro to C programming Applied mechatronics Programming refresher and intro to C programming Sven Gestegård Robertz sven.robertz@cs.lth.se Department of Computer Science, Lund University 2018 Outline 1 C programming intro 2

More information

Static Vulnerability Analysis

Static Vulnerability Analysis Static Vulnerability Analysis Static Vulnerability Detection helps in finding vulnerabilities in code that can be extracted by malicious input. There are different static analysis tools for different kinds

More information

CS 161: Computer Security

CS 161: Computer Security CS 161: Computer Security http://inst.eecs.berkeley.edu/~cs161/ January 16, 2017 ROOM FIRE CODE Prof. Raluca Ada Popa And a team of a talented TAs Head TAs: Keyhan and Won and talented readers Jianan Lu

More information

Jared DeMott Crucial Security, Inc. Black Hat Special thanks to ISE for smoking me with this test once upon an interview

Jared DeMott Crucial Security, Inc. Black Hat Special thanks to ISE for smoking me with this test once upon an interview Jared DeMott Crucial Security, Inc. Black Hat 2008 Special thanks to ISE for smoking me with this test once upon an interview Why? To make software better, or to hack software How? With automated tools

More information

Computer Programming: Skills & Concepts (CP) Strings

Computer Programming: Skills & Concepts (CP) Strings CP 14 slide 1 Tuesday 31 October 2017 Computer Programming: Skills & Concepts (CP) Strings Ajitha Rajan Tuesday 31 October 2017 Last lecture Input handling char CP 14 slide 2 Tuesday 31 October 2017 Today

More information

CS Programming In C

CS Programming In C CS 24000 - Programming In C Week Seven: More on memory operations, and structures. Union, function pointer, and bit operations Zhiyuan Li Department of Computer Science Purdue University, USA 2 Academic

More information

A brief introduction to C programming for Java programmers

A brief introduction to C programming for Java programmers A brief introduction to C programming for Java programmers Sven Gestegård Robertz September 2017 There are many similarities between Java and C. The syntax in Java is basically

More information

Brave New 64-Bit World. An MWR InfoSecurity Whitepaper. 2 nd June Page 1 of 12 MWR InfoSecurity Brave New 64-Bit World

Brave New 64-Bit World. An MWR InfoSecurity Whitepaper. 2 nd June Page 1 of 12 MWR InfoSecurity Brave New 64-Bit World Brave New 64-Bit World An MWR InfoSecurity Whitepaper 2 nd June 2010 2010-06-02 Page 1 of 12 Abstract Abstract Memory requirements on server and desktop systems have risen considerably over the past few

More information

Final Exam, Spring 2012 Date: May 14th, 2012

Final Exam, Spring 2012 Date: May 14th, 2012 Full Name: Final Exam, Spring 2012 Date: May 14th, 2012 Instructions: This final exam takes 1 hour and 30 minutes. Read through all the problemsandcompletetheeasy ones first. This exam is OPEN BOOK. You

More information

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts This time We will begin our 1st section: Software Security By investigating Buffer overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Software security

More information

C strings. (Reek, Ch. 9) 1 CS 3090: Safety Critical Programming in C

C strings. (Reek, Ch. 9) 1 CS 3090: Safety Critical Programming in C C strings (Reek, Ch. 9) 1 Review of strings Sequence of zero or more characters, terminated by NUL (literally, the integer value 0) NUL terminates a string, but isn t part of it important for strlen()

More information

Fundamentals of Computer Security

Fundamentals of Computer Security Fundamentals of Computer Security Spring 2015 Radu Sion Software Errors Buffer Overflow TOCTTOU 2005-15 Portions copyright by Bogdan Carbunar and Wikipedia. Used with permission Why Security Vulnerabilities?

More information

Lecture 4 September Required reading materials for this class

Lecture 4 September Required reading materials for this class EECS 261: Computer Security Fall 2007 Lecture 4 September 6 Lecturer: David Wagner Scribe: DK Moon 4.1 Required reading materials for this class Beyond Stack Smashing: Recent Advances in Exploiting Buffer

More information

System Security Class Notes 09/23/2013

System Security Class Notes 09/23/2013 System Security Class Notes 09/23/2013 1 Format String Exploits a Format String bugs The printf family consists of functions with variable arguments i printf (char* format, ) ii sprint (char* dest, char*

More information

BUFFER OVERFLOW. Jo, Heeseung

BUFFER OVERFLOW. Jo, Heeseung BUFFER OVERFLOW Jo, Heeseung IA-32/LINUX MEMORY LAYOUT Heap Runtime stack (8MB limit) Dynamically allocated storage When call malloc(), calloc(), new() DLLs (shared libraries) Data Text Dynamically linked

More information

Buffer Overflow. Jo, Heeseung

Buffer Overflow. Jo, Heeseung Buffer Overflow Jo, Heeseung IA-32/Linux Memory Layout Heap Runtime stack (8MB limit) Dynamically allocated storage When call malloc(), calloc(), new() DLLs (shared libraries) Data Text Dynamically linked

More information

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University Buffer Overflow Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu IA-32/Linux Memory Layout Runtime stack (8MB limit) Heap Dynamically allocated storage

More information

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM x86-64 Linux Memory Layout 0x00007fffffffffff not drawn to scale Stack... Caller

More information

Security Lab. Episode 6: Format String Vulnerabilities. Jan Nordholz, Matthias Petschick, Julian Vetter

Security Lab. Episode 6: Format String Vulnerabilities. Jan Nordholz, Matthias Petschick, Julian Vetter Security Lab Episode 6: Format String Vulnerabilities Jan Nordholz, Matthias Petschick, Julian Vetter Prof. Jean-Pierre Seifert Security in Telecommunications TU Berlin SoSe 2015 jan, matthias, julian

More information

Program Security and Vulnerabilities Class 2

Program Security and Vulnerabilities Class 2 Program Security and Vulnerabilities Class 2 CEN-5079: 28.August.2017 1 Secure Programs Programs Operating System Device Drivers Network Software (TCP stack, web servers ) Database Management Systems Integrity

More information

Integer overflows. Integer overflow types. Signed vs unsigned integers. Casting between different size integer types. Arithmetic wraparound

Integer overflows. Integer overflow types. Signed vs unsigned integers. Casting between different size integer types. Arithmetic wraparound Integer overflows Integer overflow types Signed vs unsigned integers Casting between different size integer types Arithmetic wraparound Pointer arithmetics Why is it bad? How to detect and prevent integer

More information

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics. Lecture 6B Machine-Level Programming V: Miscellaneous Topics Topics Linux Memory Layout Understanding Pointers Buffer Overflow Upper 2 hex digits of address Red Hat v. 6.2 ~1920MB memory limit FF C0 Used

More information

Buffer overflow prevention, and other attacks

Buffer overflow prevention, and other attacks Buffer prevention, and other attacks Comp Sci 3600 Security Outline 1 2 Two approaches to buffer defense Aim to harden programs to resist attacks in new programs Run time Aim to detect and abort attacks

More information

CS 261 Fall Mike Lam, Professor. Structs and I/O

CS 261 Fall Mike Lam, Professor. Structs and I/O CS 261 Fall 2018 Mike Lam, Professor Structs and I/O Typedefs A typedef is a way to create a new type name Basically a synonym for another type Useful for shortening long types or providing more meaningful

More information

C: Pointers, Arrays, and strings. Department of Computer Science College of Engineering Boise State University. August 25, /36

C: Pointers, Arrays, and strings. Department of Computer Science College of Engineering Boise State University. August 25, /36 Department of Computer Science College of Engineering Boise State University August 25, 2017 1/36 Pointers and Arrays A pointer is a variable that stores the address of another variable. Pointers are similar

More information

Topics in Software Security Vulnerability

Topics in Software Security Vulnerability Topics in Software Security Vulnerability Software vulnerability What are software vulnerabilities? Types of vulnerabilities E.g., Buffer Overflows How to find these vulnerabilities and prevent them? Classes

More information

Secure C Coding...yeah right. Andrew Zonenberg Alex Radocea

Secure C Coding...yeah right. Andrew Zonenberg Alex Radocea Secure C Coding...yeah right Andrew Zonenberg Alex Radocea Agenda Some Quick Review Data Representation Pointer Arithmetic Memory Management Basic C Vulnerabilities Memory Corruption Ignoring Return values

More information

Final Exam. Fall Semester 2016 KAIST EE209 Programming Structures for Electrical Engineering. Name: Student ID:

Final Exam. Fall Semester 2016 KAIST EE209 Programming Structures for Electrical Engineering. Name: Student ID: Fall Semester 2016 KAIST EE209 Programming Structures for Electrical Engineering Final Exam Name: This exam is open book and notes. Read the questions carefully and focus your answers on what has been

More information

Software Security: Buffer Overflow Defenses

Software Security: Buffer Overflow Defenses CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,

More information

Buffer overflow risks have been known for over 30 years. Is it still a problem? Try searching at to see.

Buffer overflow risks have been known for over 30 years. Is it still a problem? Try searching at to see. Memory corruption recap Other memory corruption errors Secure Programming Lecture 5: Memory Corruption III (Countermeasures) David Aspinall, Informatics @ Edinburgh 1st February 2018 Buffer overflow is

More information

Systems I. Machine-Level Programming V: Procedures

Systems I. Machine-Level Programming V: Procedures Systems I Machine-Level Programming V: Procedures Topics abstraction and implementation IA32 stack discipline Procedural Memory Usage void swap(int *xp, int *yp) int t0 = *xp; int t1 = *yp; *xp = t1; *yp

More information

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS) Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus(MSR) and Brandon Baker (MS) Buffer Overflows and How they Occur Buffer is a contiguous segment of memory of a fixed

More information

Systems Programming and Computer Architecture ( )

Systems Programming and Computer Architecture ( ) Systems Group Department of Computer Science ETH Zürich Systems Programming and Computer Architecture (252-0061-00) Timothy Roscoe Herbstsemester 2016 1 3: Integers in C Computer Architecture and Systems

More information

U23 - Binary Exploitation

U23 - Binary Exploitation U23 - Binary Exploitation Stratum Auhuur robbje@aachen.ccc.de November 21, 2016 Context OS: Linux Context OS: Linux CPU: x86 (32 bit) Context OS: Linux CPU: x86 (32 bit) Address Space Layout Randomization:

More information

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

Introduction to Computer Systems , fall th Lecture, Sep. 28 th Introduction to Computer Systems 15 213, fall 2009 9 th Lecture, Sep. 28 th Instructors: Majd Sakr and Khaled Harras Last Time: Structures struct rec { int i; int a[3]; int *p; }; Memory Layout i a p 0

More information

Computer Systems CEN591(502) Fall 2011

Computer Systems CEN591(502) Fall 2011 Computer Systems CEN591(502) Fall 2011 Sandeep K. S. Gupta Arizona State University 4 th lecture Data representation in computer systems (Slides adapted from CSAPP book) Announcements Programming assignment

More information

Module: Safe Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Safe Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security CSE543 - Introduction to Computer and Network Security Module: Safe Programming Professor Trent Jaeger 1 1 Avoiding Vulnerabilities How do we write programs to avoid mistakes that lead to vulnerabilities?

More information

Buffer Overflows. Buffer Overflow. Many of the following slides are based on those from

Buffer Overflows. Buffer Overflow. Many of the following slides are based on those from s Many of the following slides are based on those from 1 Complete Powerpoint Lecture Notes for Computer Systems: A Programmer's Perspective (CS:APP) Randal E. Bryant and David R. O'Hallaron http://csapp.cs.cmu.edu/public/lectures.html

More information

414-S17 (Shankar) Exam 1 PRACTICE PROBLEMS SOLUTIONS Page 1/7

414-S17 (Shankar) Exam 1 PRACTICE PROBLEMS SOLUTIONS Page 1/7 1-S17 (Shankar) Exam 1 PRACTICE PROBLEMS SOLUTIONS Page 1/7 1. Short answers: must be less than 30 words. In an exam, we will use a format with much shorter answers (eg, multiple-choice). What is difference

More information

Secure Programming Lecture 5: Memory Corruption III (Countermeasures)

Secure Programming Lecture 5: Memory Corruption III (Countermeasures) Secure Programming Lecture 5: Memory Corruption III (Countermeasures) David Aspinall, Informatics @ Edinburgh 1st February 2018 Memory corruption recap Buffer overflow is still one of the most common vulnerabilities

More information

5.Coding for 64-Bit Programs

5.Coding for 64-Bit Programs Chapter 5 5.Coding for 64-Bit Programs This chapter provides information about ways to write/update your code so that you can take advantage of the Silicon Graphics implementation of the IRIX 64-bit operating

More information

COMP 2355 Introduction to Systems Programming

COMP 2355 Introduction to Systems Programming COMP 2355 Introduction to Systems Programming Christian Grothoff christian@grothoff.org http://grothoff.org/christian/ 1 Pointers Pointers denote addresses in memory In C types, the * represents the use

More information

Project 1 Buffer Overflow

Project 1 Buffer Overflow Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Project 1 Buffer Overflow

More information

CSC 252: Computer Organization Spring 2018: Lecture 9

CSC 252: Computer Organization Spring 2018: Lecture 9 CSC 252: Computer Organization Spring 2018: Lecture 9 Instructor: Yuhao Zhu Department of Computer Science University of Rochester Action Items: Assignment 2 is due tomorrow, midnight Assignment 3 is out

More information

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows Betriebssysteme und Sicherheit Sicherheit Buffer Overflows Software Vulnerabilities Implementation error Input validation Attacker-supplied input can lead to Corruption Code execution... Even remote exploitation

More information

5) Attacker causes damage Different to gaining control. For example, the attacker might quit after gaining control.

5) Attacker causes damage Different to gaining control. For example, the attacker might quit after gaining control. Feb 23, 2009 CSE, 409/509 Mitigation of Bugs, Life of an exploit 1) Bug inserted into code 2) Bug passes testing 3) Attacker triggers bug 4) The Attacker gains control of the program 5) Attacker causes

More information

Lecture 8 Dynamic Memory Allocation

Lecture 8 Dynamic Memory Allocation Lecture 8 Dynamic Memory Allocation CS240 1 Memory Computer programs manipulate an abstraction of the computer s memory subsystem Memory: on the hardware side 3 @ http://computer.howstuffworks.com/computer-memory.htm/printable

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 14: Software Security Department of Computer Science and Engineering University at Buffalo 1 Software Security Exploiting software vulnerabilities is paramount

More information

Secure Software Programming and Vulnerability Analysis

Secure Software Programming and Vulnerability Analysis Secure Software Programming and Vulnerability Analysis Christopher Kruegel chris@auto.tuwien.ac.at http://www.auto.tuwien.ac.at/~chris Heap Buffer Overflows and Format String Vulnerabilities Secure Software

More information

11 'e' 'x' 'e' 'm' 'p' 'l' 'i' 'f' 'i' 'e' 'd' bool equal(const unsigned char pstr[], const char *cstr) {

11 'e' 'x' 'e' 'm' 'p' 'l' 'i' 'f' 'i' 'e' 'd' bool equal(const unsigned char pstr[], const char *cstr) { This document contains the questions and solutions to the CS107 midterm given in Spring 2016 by instructors Julie Zelenski and Michael Chang. This was an 80-minute exam. Midterm questions Problem 1: C-strings

More information

3/7/2018. Sometimes, Knowing Which Thing is Enough. ECE 220: Computer Systems & Programming. Often Want to Group Data Together Conceptually

3/7/2018. Sometimes, Knowing Which Thing is Enough. ECE 220: Computer Systems & Programming. Often Want to Group Data Together Conceptually University of Illinois at Urbana-Champaign Dept. of Electrical and Computer Engineering ECE 220: Computer Systems & Programming Structured Data in C Sometimes, Knowing Which Thing is Enough In MP6, we

More information

a) Write the signed (two s complement) binary number in decimal: b) Write the unsigned binary number in hexadecimal:

a) Write the signed (two s complement) binary number in decimal: b) Write the unsigned binary number in hexadecimal: CS107 Autumn 2018 CS107 Midterm Practice Problems Cynthia Lee Problem 1: Integer Representation There is a small amount of scratch space between problems for you to write your work, but it is not necessary

More information

Memory Corruption Vulnerabilities, Part I

Memory Corruption Vulnerabilities, Part I Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Some Terminology Software error A programming mistake that make the software not meet its

More information

CSE / / 60567: Computer Security. Software Security 4

CSE / / 60567: Computer Security. Software Security 4 CSE 40567 / 44567 / 60567: Computer Security Software Security 4 91 Homework #5 Due: Tonight at 11:59PM Eastern Time (ND) / Pacific Time (SV) See Assignments Page on the course website for details 92 Notes

More information

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.858 Fall 2010 Quiz I All problems are open-ended questions. In order to receive credit you must answer

More information

Automatically Fixing C Buffer Overflows Using Program Transformations

Automatically Fixing C Buffer Overflows Using Program Transformations Automatically Fixing C Buffer Overflows Using Program Transformations Alex Shaw Auburn University Auburn, AL, USA ajs0031@auburn.edu Dusten Doggett Auburn University Auburn, AL, USA djd0001@auburn.edu

More information

Tutorial 1: C-Language

Tutorial 1: C-Language Tutorial 1: C-Language Problem 1: Data Type What are the ranges of the following data types? int 32 bits 2 31..2 31-1 OR -2147483648..2147483647 (0..4294967295 if unsiged) in some machines int is same

More information

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013 CS 645: Lecture 3 Software Vulnerabilities Rachel Greenstadt July 3, 2013 Project 1: Software exploits Individual project - done in virtual machine environment This assignment is hard. Don t leave it until

More information

Computer Systems Programming. Practice Midterm. Name:

Computer Systems Programming. Practice Midterm. Name: Computer Systems Programming Practice Midterm Name: 1. (4 pts) (K&R Ch 1-4) What is the output of the following C code? main() { int i = 6; int j = -35; printf( %d %d\n,i++, ++j); i = i >

More information

Operating Systems CS 217. Provides each process with a virtual machine. Promises each program the illusion of having whole machine to itself

Operating Systems CS 217. Provides each process with a virtual machine. Promises each program the illusion of having whole machine to itself Operating Systems CS 217 Operating System (OS) Provides each process with a virtual machine Promises each program the illusion of having whole machine to itself Process Process Process Process OS Kernel

More information

Lecture 9 Assertions and Error Handling CS240

Lecture 9 Assertions and Error Handling CS240 Lecture 9 Assertions and Error Handling CS240 The C preprocessor The C compiler performs Macro expansion and directive handling Preprocessing directive lines, including file inclusion and conditional compilation,

More information

Exercise Session 2 Systems Programming and Computer Architecture

Exercise Session 2 Systems Programming and Computer Architecture Systems Group Department of Computer Science ETH Zürich Exercise Session 2 Systems Programming and Computer Architecture Herbstsemester 216 Agenda Linux vs. Windows Working with SVN Exercise 1: bitcount()

More information

Administrivia. Introduction to Computer Systems. Pointers, cont. Pointer example, again POINTERS. Project 2 posted, due October 6

Administrivia. Introduction to Computer Systems. Pointers, cont. Pointer example, again POINTERS. Project 2 posted, due October 6 CMSC 313 Introduction to Computer Systems Lecture 8 Pointers, cont. Alan Sussman als@cs.umd.edu Administrivia Project 2 posted, due October 6 public tests s posted Quiz on Wed. in discussion up to pointers

More information

Pointers as Arguments

Pointers as Arguments Introduction as Arguments How it Works called program on start of execution xw = &i xf = &d after excution xw = &i xf = &d caller program i? d? i 3 d.14159 x 3.14159 x 3.14159 R. K. Ghosh (IIT-Kanpur)

More information

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08 Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08 For your solutions you should submit a hard copy; either hand written pages stapled together or a print out of a typeset document

More information

CSE 509: Computer Security

CSE 509: Computer Security CSE 509: Computer Security Date: 2.16.2009 BUFFER OVERFLOWS: input data Server running a daemon Attacker Code The attacker sends data to the daemon process running at the server side and could thus trigger

More information

Biography. Background

Biography. Background From Over ow to Shell An Introduction to low-level exploitation Carl Svensson @ KTH, January 2019 1 / 28 Biography MSc in Computer Science, KTH Head of Security, KRY/LIVI CTF: HackingForSoju E-mail: calle.svensson@zeta-two.com

More information

CS240: Programming in C

CS240: Programming in C CS240: Programming in C Lecture 13 si 14: Unix interface for working with files. Cristina Nita-Rotaru Lecture 13/Fall 2013 1 Working with Files (I/O) File system: specifies how the information is organized

More information

Hacking in C. Pointers. Radboud University, Nijmegen, The Netherlands. Spring 2019

Hacking in C. Pointers. Radboud University, Nijmegen, The Netherlands. Spring 2019 Hacking in C Pointers Radboud University, Nijmegen, The Netherlands Spring 2019 Allocation of multiple variables Consider the program main(){ char x; int i; short s; char y;... } What will the layout of

More information

CSC209H Lecture 4. Dan Zingaro. January 28, 2015

CSC209H Lecture 4. Dan Zingaro. January 28, 2015 CSC209H Lecture 4 Dan Zingaro January 28, 2015 Strings (King Ch 13) String literals are enclosed in double quotes A string literal of n characters is represented as a n+1-character char array C adds a

More information

Introduction to Security

Introduction to Security IS 2150 / TEL 2810 Introduction to Security James Joshi Associate Professor, SIS Lecture 11 Nov 30, 2010 Vulnerability related to Integers. String, Race Conditions 1 Objectives Understand/explain issues

More information

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

CSc 466/566. Computer Security. 20 : Operating Systems Application Security 1/68 CSc 466/566 Computer Security 20 : Operating Systems Application Security Version: 2014/11/20 13:07:28 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2014 Christian

More information

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated CNIT 127: Exploit Development Ch 1: Before you begin Updated 1-14-16 Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend, such as Denial

More information

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction Outline CSci 5271 Introduction to Computer Security Day 3: Low-level vulnerabilities Stephen McCamant University of Minnesota, Computer Science & Engineering Race conditions Classic races: files in /tmp

More information

How Software Executes

How Software Executes How Software Executes CS-576 Systems Security Instructor: Georgios Portokalidis Overview Introduction Anatomy of a program Basic assembly Anatomy of function calls (and returns) Memory Safety Intel x86

More information
2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback