Buffer overflow prevention, and other attacks

Size: px
Start display at page:

Download "Buffer overflow prevention, and other attacks"

Transcription

1 Buffer prevention, and other attacks Comp Sci 3600 Security

2 Outline 1 2

3 Two approaches to buffer defense Aim to harden programs to resist attacks in new programs Run time Aim to detect and abort attacks in existing programs

4 Outline 1 2

5 Prevent or detect buffer s by instrumenting programs when they are compiled. Examples include: choosing a high-level that does not permit buffer s, safe coding standards, safe standard libraries, or including additional code to detect corruption of the

6 Use a modern high-level (python, java, rust, ruby, etc) Not vulnerable to buffer attacks Compiler enforces range checks and permissible operations on variables Disadvantages Additional code must be executed at run time to impose checks Flexibility and safety comes at a cost in resource use Distance from the underlying machine and architecture means that access to some instructions and hardware resources is lost Limits their usefulness in writing code, such as device drivers, that must interact with such resources

7 Examples

8 Safe Coding Techniques C designers placed much more emphasis on space efficiency and performance considerations than on type safety Assumed programmers would exercise due care in writing code Programmers need to inspect the code and rewrite any unsafe coding. An example of this is the OpenBSD project, where programmers have audited the existing code base, including the operating system, standard libraries, and common utilities, and this has resulted in what is widely regarded as one of the safest operating systems in widespread use

9 Classic void copydata ( char u s e r I d ) { char s m a l l B u f f e r [ 1 0 ] ; // s i z e o f 10 s t r c p y ( s m a l l B u f f e r, u s e r I d ) ; } i n t main ( i n t argc, char argv [ ] ) { } // Payload o f 11 char u s e r I d = ; // t h i s s h a l l cause a b u f f e r o v e r l o a d copydata ( u s e r I d ) ;

10 Unsafe functions Range checking with strncopy, strncat, cin.getline, etc is often suggested

11 Classic fix? #i n clude <i o s t r e a m > #i n clude <c s t r i n g > i n t main ( void ) { char s t r D e s t [3]= h i ; char s t r S r c []= Welcome ; char a n o t h e r C s t r i n g []= H e l l o ; } s t r n c p y ( s t r D e s t, s t r S r c, 5 ) ; s t d : : cout << s t r D e s t ; return 0 ; strncopy can cause another too (no NULL check)

12 Unsafe functions Additional checks on buffer size are performed * s are Windows, and strl* are Unix

13 Format Strings Format string buffer s (usually called format string vulnerabilities ) are highly specialized buffer s that can have the same effects as other buffer attacks. Format string vulnerabilities take advantage of the mixture of data and control information in certain functions, such as C/C++ s printf.

14 Format Strings Some format parameters: %x // h e x a d e c i m a l ( u n s i g n e d i n t ) %s // s t r i n g ( ( c o n s t ) ( u n s i g n e d ) char ) %n // number o f b y t e s w r i t t e n so f a r, ( i n t ) %d // d e c i m a l ( i n t ) %u // u n s i g n e d d e c i m a l ( u n s i g n e d i n t ) // Example p r i n t f ( H e l l o :% s \n, a ) ;

15 Format Strings Some format parameters: %x // h e x a d e c i m a l ( u n s i g n e d i n t ) %s // s t r i n g ( ( c o n s t ) ( u n s i g n e d ) char ) %n // number o f b y t e s w r i t t e n so f a r, ( i n t ) %d // d e c i m a l ( i n t ) %u // u n s i g n e d d e c i m a l ( u n s i g n e d i n t ) p r i n t f ( U s e r I n p u t ) ; // V u l n e r a b i l i t y : // Attack : %s%s%s%s%s%s%s%s%s%s%s%s p r i n t f ( %s, s t r ) ; // F i x : For every % in the argument the printf function finds it assumes that there is an associated value on the stack. In this way the function walks the stack downwards reading the corresponding values from the stack and printing them to the user.

16 Integer i n t main ( void ){ i n t v a l ; v a l = 0 x 7 f f f f f f f ; / / p r i n t f ( v a l=%d (0 x%x )\ n, val, v a l ) ; / Overflow the i n t / p r i n t f ( v a l+1=%d (0 x%x )\ n, v a l +1, v a l +1); return 0 ; } The binary representation of 0x7fffffff is ; this integer is initialized with the highest positive value a signed long integer can hold. Here when we add 1 to the hex value of 0x7fffffff the value of the integer s and goes to a negative number (0x7fffffff + 1 = ) In decimal this is ( ).

17 Integer #i n clude < l i m i t s. h> i n t s a f e a d d ( i n t a, i n t b ) { i f ( a > 0 && b > INT MAX a ) { / h a n d l e o v e r f l o w / } e l s e i f ( a < 0 && b < INT MIN a ) { / h a n d l e u n d e r f l o w / } return a + b ; }

18 Array bounds checking Code copies len bytes out of the from array into the to array starting at position pos and returning the end position. Unfortunately, this function is given no information about the actual size of the destination buffer to and hence is unable to ensure an does not occur. In this case, the calling code should to ensure that the value of size+len is not larger than the size of the to array. Also, input is not necessarily a string; it could just as easily be binary data, just carelessly manipulated.

19 A common concern with C comes from the use of unsafe routines, especially some of the string manipulation routines. One approach to improving the safety of systems has been to replace these with safer variants. Using these requires rewriting the source to conform to the new safer semantics. Programs and libraries need to be recompiled Likely to have problems with third-party applications One approach has been to replace these with safer variants; Libsafe is an example implemented as a library arranged to load before the existing standard libraries, so programs don t need to be recompiled

20 Protection Add function entry and exit code to check stack for signs of corruption of the Insert random canary below the old frame pointer address, before the of space for local variables Value needs to be unpredictable Should be different on different systems Added function exit code checks that the canary value has not changed before continuing with the usual function exit operations of restoring the old frame pointer and transferring control back to the return address. Requires recompiling GCC extensions that include additional function entry and exit code Function entry writes a copy of the return address to a safe region of Function exit code checks the return address in the stack frame against the saved copy If change is found, aborts the program

21 Outline 1 2

22 Most of the compile-time approaches require recompilation of existing programs. Hence, there is interest in run-time that can be deployed as operating systems updates to provide some for existing vulnerable programs. These involve changes to the management of the virtual of processes. These changes act to either alter the properties of regions of, or to make predicting the location of targeted buffers sufficiently difficult to thwart many of attacks.

23 Address Space Protection Overview Many of the buffer attacks, such as the stack examples in this chapter, involve copying machine code into the targeted buffer and then transferring execution to it. A defense is to block the execution of code on the stack, on the assumption that executable code should only be found elsewhere in the processes. Making the stack (and heap) nonexecutable provides a high degree of against many of buffer attacks for existing programs; hence the inclusion of this practice is standard in a number of recent operating systems releases. Issues One issue is support for programs that do need to place executable code on the stack.

24 Address Space ization To implement the classic stack attack, the attacker needs to be able to predict the approximate location of the targeted buffer to determine a suitable return address to use in the attack to transfer control to the shellcode. One technique to greatly increase the difficulty of this prediction is to change the address at which the stack is located in a random manner for each process. The range of addresses available on modern processors is large (32 bits), and most programs only need a small fraction of that. Therefore, moving the stack region around by a megabyte or so has minimal impact on most programs but makes predicting the targeted buffer s address almost impossible. This amount of variation is also much larger than the size of most vulnerable buffers

25 Similar to There is a class of heap buffer attacks that exploit the expected proximity of successive al, or indeed the arrangement of the heap management data structures. izing the of on the heap makes the possibility of predicting the address of targeted buffers extremely difficult, thus thwarting the successful execution of some heap attacks.

26 Another target of attack is the location of routines. In an attempt to bypass s such as nonexecutable stacks, some buffer variants exploit existing code in standard libraries. These are typically loaded at the same address by the same program. To counter this form of attack, we can use a security extension that randomizes the order of loading standard libraries by a program and their virtual address. This makes the address of any specific function sufficiently unpredictable as to render the chance of a given attack correctly predicting its address, very low.

27 Guard Pages A process has much more virtual available than it typically needs Place gaps (guard pages) between regions of (either large divisions like stack and heap, or smaller like s) Flagged as illegal addresses Any attempted access aborts process Further extension places guard pages Between stack frames and heap buffers Cost in execution time to support the large number of page mappings necessary

28 Outline 1 2

29 Outline 1 2

30 Frame Variant that overwrites buffer and saved frame pointer address Saved frame pointer value is changed to refer to a dummy Current function returns to calling function Then when calling function returns, control is transferred to the shellcode in the overwritten buffer Can be used to overcome limitations in buffer size or content Off-by-one vulnerability: Coding error that allows one more byte to be copied than there is space available Any stack mechanisms to detect modifications to the or return address by function exit code Use non-executable stacks ization of the stack in and of system libraries

31 Outline 1 2

32 System Call variant replaces return address with function Response to non-executable stack Transfer to, and trick the to then execute malicious code Any stack mechanisms to detect modifications to the or return address by function exit code Use non-executable stacks ization of the stack in and of system libraries

33 Outline 1 2

34 Attack buffer located in heap Typically located above program code, and grows up Memory is requested by programs to use in data structures (such as linked lists of records) No return address Hence no easy transfer of control However, if there are pointers to functions, control can be transferred Or manipulate management data structures Making the heap non-executable izing the of on the heap

35 Outline 1 2

36 Global Data Overflow Can attack buffer located in global data May be located above program code If has function pointer and vulnerable buffer Or adjacent process management tables, e.g., with references to destructor function Aim to overwrite function pointer later called Non executable or random global data region Move function pointers

Buffer overflow background

Buffer overflow background and heap buffer background Comp Sci 3600 Security Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Address Space and heap buffer

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 14: Software Security Department of Computer Science and Engineering University at Buffalo 1 Software Security Exploiting software vulnerabilities is paramount

More information

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include injection of malicious code Reasons for runtime attacks

More information

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS) Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus(MSR) and Brandon Baker (MS) Buffer Overflows and How they Occur Buffer is a contiguous segment of memory of a fixed

More information

Buffer Overflow Defenses

Buffer Overflow Defenses Buffer Overflow Defenses Some examples, pros, and cons of various defenses against buffer overflows. Caveats: 1. Not intended to be a complete list of products that defend against buffer overflows. 2.

More information

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows Betriebssysteme und Sicherheit Sicherheit Buffer Overflows Software Vulnerabilities Implementation error Input validation Attacker-supplied input can lead to Corruption Code execution... Even remote exploitation

More information

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows) Secure Programming Lecture 3: Memory Corruption I (Stack Overflows) David Aspinall, Informatics @ Edinburgh 24th January 2017 Outline Roadmap Memory corruption vulnerabilities Instant Languages and Runtimes

More information

Software Security II: Memory Errors - Attacks & Defenses

Software Security II: Memory Errors - Attacks & Defenses 1 Software Security II: Memory Errors - Attacks & Defenses Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab1 Writeup 3 Buffer overflow Out-of-bound memory writes (mostly sequential) Allow

More information

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta 1 Stack Vulnerabilities CS4379/5375 System Security Assurance Dr. Jaime C. Acosta Part 1 2 3 An Old, yet Still Valid Vulnerability Buffer/Stack Overflow ESP Unknown Data (unused) Unknown Data (unused)

More information

Stack Overflow COMP620

Stack Overflow COMP620 Stack Overflow COMP620 There are two kinds of people in America today: those who have experienced a foreign cyber attack and know it, and those who have experienced a foreign cyber attack and don t know

More information

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018 CSE 565 Computer Security Fall 2018 Lecture 15: Software Security II Department of Computer Science and Engineering University at Buffalo 1 Software Vulnerabilities Buffer overflow vulnerabilities account

More information

SoK: Eternal War in Memory

SoK: Eternal War in Memory SoK: Eternal War in Memory László Szekeres, Mathias Payer, Tao Wei, Dawn Song Presenter: Wajih 11/7/2017 Some slides are taken from original S&P presentation 1 What is SoK paper? Systematization of Knowledge

More information

Software Security: Buffer Overflow Defenses

Software Security: Buffer Overflow Defenses CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,

More information

Buffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers.

Buffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers. Buffer Overflows A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers. By: Brian Roberts What is a buffer overflow? In languages that deal with data structures

More information

Software Security: Buffer Overflow Attacks

Software Security: Buffer Overflow Attacks CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,

More information

CS 161 Computer Security

CS 161 Computer Security Paxson Spring 2017 CS 161 Computer Security Discussion 2 Question 1 Software Vulnerabilities (15 min) For the following code, assume an attacker can control the value of basket passed into eval basket.

More information

Secure Programming I. Steven M. Bellovin September 28,

Secure Programming I. Steven M. Bellovin September 28, Secure Programming I Steven M. Bellovin September 28, 2014 1 If our software is buggy, what does that say about its security? Robert H. Morris Steven M. Bellovin September 28, 2014 2 The Heart of the Problem

More information

Buffer Overflows Defending against arbitrary code insertion and execution

Buffer Overflows Defending against arbitrary code insertion and execution www.harmonysecurity.com info@harmonysecurity.com Buffer Overflows Defending against arbitrary code insertion and execution By Stephen Fewer Contents 1 Introduction 2 1.1 Where does the problem lie? 2 1.1.1

More information

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities Secure Programming Lecture 3: Memory Corruption I (introduction) David Aspinall, Informatics @ Edinburgh 24th January 2019 Roadmap: Security in the software lifecycle Security is considered at different

More information

Runtime Defenses against Memory Corruption

Runtime Defenses against Memory Corruption CS 380S Runtime Defenses against Memory Corruption Vitaly Shmatikov slide 1 Reading Assignment Cowan et al. Buffer overflows: Attacks and defenses for the vulnerability of the decade (DISCEX 2000). Avijit,

More information

Modern Buffer Overflow Prevention Techniques: How they work and why they don t

Modern Buffer Overflow Prevention Techniques: How they work and why they don t Modern Buffer Overflow Prevention Techniques: How they work and why they don t Russ Osborn CS182 JT 4/13/2006 1 In the past 10 years, computer viruses have been a growing problem. In 1995, there were approximately

More information

Buffer Overflow Attack (AskCypert CLaaS)

Buffer Overflow Attack (AskCypert CLaaS) Buffer Overflow Attack (AskCypert CLaaS) ---------------------- BufferOverflow.c code 1. int main(int arg c, char** argv) 2. { 3. char name[64]; 4. printf( Addr;%p\n, name); 5. strcpy(name, argv[1]); 6.

More information

Inject malicious code Call any library functions Modify the original code

Inject malicious code Call any library functions Modify the original code Inject malicious code Call any library functions Modify the original code 2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 2 3 Sadeghi, Davi TU Darmstadt

More information

Brave New 64-Bit World. An MWR InfoSecurity Whitepaper. 2 nd June Page 1 of 12 MWR InfoSecurity Brave New 64-Bit World

Brave New 64-Bit World. An MWR InfoSecurity Whitepaper. 2 nd June Page 1 of 12 MWR InfoSecurity Brave New 64-Bit World Brave New 64-Bit World An MWR InfoSecurity Whitepaper 2 nd June 2010 2010-06-02 Page 1 of 12 Abstract Abstract Memory requirements on server and desktop systems have risen considerably over the past few

More information

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

Security and Privacy in Computer Systems. Lecture 5: Application Program Security CS 645 Security and Privacy in Computer Systems Lecture 5: Application Program Security Buffer overflow exploits More effective buffer overflow attacks Preventing buffer overflow attacks Announcement Project

More information

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 1 Programming Why do we write programs? Function What functions do we enable via our programs?

More information

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018 CSCE 548 Building Secure Software Buffer Overflow Professor Lisa Luo Spring 2018 Previous Class Virus vs. Worm vs. Trojan & Drive-by download Botnet & Rootkit Malware detection Scanner Polymorphic malware

More information

Memory Safety (cont d) Software Security

Memory Safety (cont d) Software Security Memory Safety (cont d) Software Security CS 161: Computer Security Prof. Raluca Ada Popa January 17, 2016 Some slides credit to David Wagner and Nick Weaver Announcements Discussion sections and office

More information

Stack overflow exploitation

Stack overflow exploitation Stack overflow exploitation In order to illustrate how the stack overflow exploitation goes I m going to use the following c code: #include #include #include static void

More information

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 Programming Why do we write programs? Function What functions do we enable via our programs?

More information

A program execution is memory safe so long as memory access errors never occur:

A program execution is memory safe so long as memory access errors never occur: A program execution is memory safe so long as memory access errors never occur: Buffer overflows, null pointer dereference, use after free, use of uninitialized memory, illegal free Memory safety categories

More information

Memory corruption countermeasures

Memory corruption countermeasures Secure Programming Lecture 6: Memory Corruption IV (Countermeasures) David Aspinall, Informatics @ Edinburgh 30th January 2014 Outline Announcement Recap Containment and curtailment Stack tamper detection

More information

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

Software Vulnerabilities August 31, 2011 / CS261 Computer Security Software Vulnerabilities August 31, 2011 / CS261 Computer Security Software Vulnerabilities...1 Review paper discussion...2 Trampolining...2 Heap smashing...2 malloc/free...2 Double freeing...4 Defenses...5

More information

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 Programming Why do we write programs? Function What functions do we enable via our programs?

More information

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned Other array problems CSci 5271 Introduction to Computer Security Day 4: Low-level attacks Stephen McCamant University of Minnesota, Computer Science & Engineering Missing/wrong bounds check One unsigned

More information

Buffer Overflow Attacks

Buffer Overflow Attacks Buffer Overflow Attacks 1. Smashing the Stack 2. Other Buffer Overflow Attacks 3. Work on Preventing Buffer Overflow Attacks Smashing the Stack An Evil Function void func(char* inp){ } char buffer[16];

More information

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2 CIS 551 / TCOM 401 Computer and Network Security Spring 2007 Lecture 2 Announcements First project is on the web Due: Feb. 1st at midnight Form groups of 2 or 3 people If you need help finding a group,

More information

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32. Lab session this afternoon Memory corruption attacks Secure Programming Lecture 6: Memory Corruption IV (Countermeasures) David Aspinall, Informatics @ Edinburgh 2nd February 2016 The first Secure Programming

More information

Code with red border means vulnerable code. Code with green border means corrected code. This program asks the user for a password with the function

Code with red border means vulnerable code. Code with green border means corrected code. This program asks the user for a password with the function 1 Code with red border means vulnerable code. Code with green border means corrected code. This program asks the user for a password with the function IsPasswordOK(), and compares it with the correct password.

More information

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08 Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08 For your solutions you should submit a hard copy; either hand written pages stapled together or a print out of a typeset document

More information

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures)

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures) Secure Programming Lecture 6: Memory Corruption IV (Countermeasures) David Aspinall, Informatics @ Edinburgh 2nd February 2016 Outline Announcement Recap Containment and curtailment Tamper detection Memory

More information

CSE 127 Computer Security

CSE 127 Computer Security CSE 127 Computer Security Alex Gantman, Spring 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on

More information

CS 161 Computer Security

CS 161 Computer Security Paxson Spring 2011 CS 161 Computer Security Discussion 1 January 26, 2011 Question 1 Buffer Overflow Mitigations Buffer overflow mitigations generally fall into two categories: (i) eliminating the cause

More information

CSCE 548 Building Secure Software Integers & Integer-related Attacks & Format String Attacks. Professor Lisa Luo Spring 2018

CSCE 548 Building Secure Software Integers & Integer-related Attacks & Format String Attacks. Professor Lisa Luo Spring 2018 CSCE 548 Building Secure Software Integers & Integer-related Attacks & Format String Attacks Professor Lisa Luo Spring 2018 Previous Class Buffer overflows can be devastating It occurs when the access

More information

ECS 153 Discussion Section. April 6, 2015

ECS 153 Discussion Section. April 6, 2015 ECS 153 Discussion Section April 6, 2015 1 What We ll Cover Goal: To discuss buffer overflows in detail Stack- based buffer overflows Smashing the stack : execution from the stack ARC (or return- to- libc)

More information

Introduction to software exploitation ISSISP 2017

Introduction to software exploitation ISSISP 2017 Introduction to software exploitation ISSISP 2017 1 VM https://drive.google.com/open?id=0b8bzf4ybu s1kltjsnlnwqjhss1e (sha1sum: 36c32a596bbc908729ea9333f3da10918e24d767) Login / pass: issisp / issisp 2

More information

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction Outline CSci 5271 Introduction to Computer Security Day 3: Low-level vulnerabilities Stephen McCamant University of Minnesota, Computer Science & Engineering Race conditions Classic races: files in /tmp

More information

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks 2 ARM stands for Advanced RISC Machine Application area: Embedded systems Mobile phones, smartphones (Apple iphone, Google Android), music players, tablets, and some netbooks Advantage: Low power consumption

More information

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.858 Fall 2010 Quiz I All problems are open-ended questions. In order to receive credit you must answer

More information

Software Security: Buffer Overflow Attacks (continued)

Software Security: Buffer Overflow Attacks (continued) CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Spring 2015 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,

More information

Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Review

Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Review Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka September 24, 2011. 1 Introduction to the topic

More information

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.858 Fall 2010 Quiz I All problems are open-ended questions. In order to receive credit you must answer

More information

Overview AEG Conclusion CS 6V Automatic Exploit Generation (AEG) Matthew Stephen. Department of Computer Science University of Texas at Dallas

Overview AEG Conclusion CS 6V Automatic Exploit Generation (AEG) Matthew Stephen. Department of Computer Science University of Texas at Dallas CS 6V81.005 Automatic Exploit Generation (AEG) Matthew Stephen Department of Computer Science University of Texas at Dallas February 20 th, 2012 Outline 1 Overview Introduction Considerations 2 AEG Challenges

More information

Changelog. Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part

Changelog. Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part 1 Changelog 1 Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part OVER questions? 2 last time 3 memory management problems

More information

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40 Security Workshop HTS LSE Team EPITA 2018 February 3rd, 2016 1 / 40 Introduction What is this talk about? Presentation of some basic memory corruption bugs Presentation of some simple protections Writing

More information

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask This time We will continue Buffer overflows By looking at Overflow Defenses and other memory safety vulnerabilities Everything you ve always wanted to know about gdb but were too afraid to ask Overflow

More information

Outline. Format string attack layout. Null pointer dereference

Outline. Format string attack layout. Null pointer dereference CSci 5271 Introduction to Computer Security Day 5: Low-level defenses and counterattacks Stephen McCamant University of Minnesota, Computer Science & Engineering Null pointer dereference Format string

More information

Università Ca Foscari Venezia

Università Ca Foscari Venezia Stack Overflow Security 1 2018-19 Università Ca Foscari Venezia www.dais.unive.it/~focardi secgroup.dais.unive.it Introduction Buffer overflow is due to careless programming in unsafe languages like C

More information

COSC345 Software Engineering. Basic Computer Architecture and The Stack

COSC345 Software Engineering. Basic Computer Architecture and The Stack COSC345 Software Engineering Basic Computer Architecture and The Stack Outline Architectural models A little about the 68HC11 Memory map Registers A little bit of assembly (never did us any harm) The program

More information

Is Exploitation Over? Bypassing Memory Protections in Windows 7

Is Exploitation Over? Bypassing Memory Protections in Windows 7 Is Exploitation Over? Bypassing Memory Protections in Windows 7 Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Published research into reliable exploitation techniques: Heap

More information

Software Security Buffer Overflows more countermeasures. Erik Poll. Digital Security Radboud University Nijmegen

Software Security Buffer Overflows more countermeasures. Erik Poll. Digital Security Radboud University Nijmegen Software Security Buffer Overflows more countermeasures Erik Poll Digital Security Radboud University Nijmegen Recap last week Recurring security problems in C(++) code buffer overflows bugs with pointers

More information

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software. Outline Morris Worm (1998) Infamous attacks Secure Programming Lecture 4: Memory Corruption II (Stack Overflows) David Aspinall, Informatics @ Edinburgh 23rd January 2014 Recap Simple overflow exploit

More information

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

CSc 466/566. Computer Security. 20 : Operating Systems Application Security 1/68 CSc 466/566 Computer Security 20 : Operating Systems Application Security Version: 2014/11/20 13:07:28 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2014 Christian

More information

Foundations of Network and Computer Security

Foundations of Network and Computer Security Foundations of Network and Computer Security John Black Lecture #19 Nov 2 nd 2004 CSCI 6268/TLEN 5831, Fall 2004 Announcements Quiz #3 This Thursday Covers material from midterm through today Project #3

More information

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras Week 08 Lecture 38 Preventing Buffer Overflow Attacks Hello.

More information

Inline Reference Monitoring Techniques

Inline Reference Monitoring Techniques Inline Reference Monitoring Techniques In the last lecture, we started talking about Inline Reference Monitors. The idea is that the policy enforcement code runs with the same address space as the code

More information

Bypassing Browser Memory Protections

Bypassing Browser Memory Protections Bypassing Browser Memory Protections Network Security Instructor: Dr. Shishir Nagaraja September 10, 2011. 1 Introduction to the topic A number of memory protection mechanisms like GS, SafeSEH, DEP and

More information

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I Solutions

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I Solutions Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.893 Fall 2009 Quiz I Solutions All problems are open-ended questions. In order to receive credit you must

More information

Code Injection Attacks Buffer Overflows

Code Injection Attacks Buffer Overflows CSE 5095 & ECE 4451 & ECE 5451 Spring 2017 System Security Lecture 1 Code Injection Attacks Buffer Overflows Based on and extracted from Nickolai Zeldovitch, Computer System Security, course material at

More information

Is stack overflow still a problem?

Is stack overflow still a problem? Morris Worm (1998) Code Red (2001) Secure Programming Lecture 4: Memory Corruption II (Stack Overflows) David Aspinall, Informatics @ Edinburgh 31st January 2017 Memory corruption Buffer overflow remains

More information

CS 392/681 Lab 6 Experiencing Buffer Overflows and Format String Vulnerabilities

CS 392/681 Lab 6 Experiencing Buffer Overflows and Format String Vulnerabilities CS 392/681 Lab 6 Experiencing Buffer Overflows and Format String Vulnerabilities Given: November 13, 2003 Due: November 20, 2003 1 Motivation Buffer overflows and format string vulnerabilities are widespread

More information

Analysis of MS Multiple Excel Vulnerabilities

Analysis of MS Multiple Excel Vulnerabilities Analysis of MS-07-036 Multiple Excel Vulnerabilities I. Introduction This research was conducted using the Office 2003 Excel Viewer application and the corresponding security patch for MS-07-036 - Vulnerabilities

More information

Buffer Overflow Vulnerability

Buffer Overflow Vulnerability Buffer Overflow Vulnerability 1 Buffer Overflow Vulnerability Copyright c 2006 2014 Wenliang Du, Syracuse University. The development of this document is/was funded by three grants from the US National

More information

CSci 4061 Introduction to Operating Systems. Programs in C/Unix

CSci 4061 Introduction to Operating Systems. Programs in C/Unix CSci 4061 Introduction to Operating Systems Programs in C/Unix Today Basic C programming Follow on to recitation Structure of a C program A C program consists of a collection of C functions, structs, arrays,

More information

Program Security and Vulnerabilities Class 2

Program Security and Vulnerabilities Class 2 Program Security and Vulnerabilities Class 2 CEN-5079: 28.August.2017 1 Secure Programs Programs Operating System Device Drivers Network Software (TCP stack, web servers ) Database Management Systems Integrity

More information

Practical Malware Analysis

Practical Malware Analysis Practical Malware Analysis Ch 4: A Crash Course in x86 Disassembly Revised 1-16-7 Basic Techniques Basic static analysis Looks at malware from the outside Basic dynamic analysis Only shows you how the

More information

Outline. Heap meta-data. Non-control data overwrite

Outline. Heap meta-data. Non-control data overwrite Outline CSci 5271 Introduction to Computer Security Day 5: Low-level defenses and counterattacks Stephen McCamant University of Minnesota, Computer Science & Engineering Non-control data overwrite Heap

More information

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated CNIT 127: Exploit Development Ch 1: Before you begin Updated 1-14-16 Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend, such as Denial

More information

CNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated

CNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated CNIT 127: Exploit Development Ch 14: Protection Mechanisms Updated 3-25-17 Topics Non-Executable Stack W^X (Either Writable or Executable Memory) Stack Data Protection Canaries Ideal Stack Layout AAAS:

More information

Exploits and gdb. Tutorial 5

Exploits and gdb. Tutorial 5 Exploits and gdb Tutorial 5 Exploits and gdb 1. Buffer Vulnerabilities 2. Code Injection 3. Integer Attacks 4. Advanced Exploitation 5. GNU Debugger (gdb) Buffer Vulnerabilities Basic Idea Overflow or

More information

CYSE 411/AIT681 Secure Software Engineering Topic #12. Secure Coding: Formatted Output

CYSE 411/AIT681 Secure Software Engineering Topic #12. Secure Coding: Formatted Output CYSE 411/AIT681 Secure Software Engineering Topic #12. Secure Coding: Formatted Output Instructor: Dr. Kun Sun 1 This lecture: [Seacord]: Chapter 6 Readings 2 Secure Coding String management Pointer Subterfuge

More information

2/9/18. CYSE 411/AIT681 Secure Software Engineering. Readings. Secure Coding. This lecture: String management Pointer Subterfuge

2/9/18. CYSE 411/AIT681 Secure Software Engineering. Readings. Secure Coding. This lecture: String management Pointer Subterfuge CYSE 411/AIT681 Secure Software Engineering Topic #12. Secure Coding: Formatted Output Instructor: Dr. Kun Sun 1 This lecture: [Seacord]: Chapter 6 Readings 2 String management Pointer Subterfuge Secure

More information

CSE 12 Spring 2016 Week One, Lecture Two

CSE 12 Spring 2016 Week One, Lecture Two CSE 12 Spring 2016 Week One, Lecture Two Homework One and Two: hw2: Discuss in section today - Introduction to C - Review of basic programming principles - Building from fgetc and fputc - Input and output

More information

20: Exploits and Containment

20: Exploits and Containment 20: Exploits and Containment Mark Handley Andrea Bittau What is an exploit? Programs contain bugs. These bugs could have security implications (vulnerabilities) An exploit is a tool which exploits a vulnerability

More information

Offensive Security My First Buffer Overflow: Tutorial

Offensive Security My First Buffer Overflow: Tutorial Offensive Security My First Buffer Overflow: Tutorial César Bernardini University of Trento cesar.bernardini@unitn.it October 12, 2015 2 Cesar Bernardini Postdoctoral Fellow at UNITN PhD Student at INRIA-LORIA

More information

Memory Corruption 101 From Primitives to Exploit

Memory Corruption 101 From Primitives to Exploit Memory Corruption 101 From Primitives to Exploit Created by Nick Walker @ MWR Infosecurity / @tel0seh What is it? A result of Undefined Behaviour Undefined Behaviour A result of executing computer code

More information

Black Hat Webcast Series. C/C++ AppSec in 2014

Black Hat Webcast Series. C/C++ AppSec in 2014 Black Hat Webcast Series C/C++ AppSec in 2014 Who Am I Chris Rohlf Leaf SR (Security Research) - Founder / Consultant BlackHat Speaker { 2009, 2011, 2012 } BlackHat Review Board Member http://leafsr.com

More information

CE221 Programming in C++ Part 2 References and Pointers, Arrays and Strings

CE221 Programming in C++ Part 2 References and Pointers, Arrays and Strings CE221 Programming in C++ Part 2 References and Pointers, Arrays and Strings 19/10/2017 CE221 Part 2 1 Variables and References 1 In Java a variable of primitive type is associated with a memory location

More information

Buffer Overflow and Format String Overflow Vulnerabilities

Buffer Overflow and Format String Overflow Vulnerabilities Syracuse University SURFACE Electrical Engineering and Computer Science College of Engineering and Computer Science 2002 Buffer Overflow and Format String Overflow Vulnerabilities Kyung-suk Lhee Syracuse

More information

CSE 509: Computer Security

CSE 509: Computer Security CSE 509: Computer Security Date: 2.16.2009 BUFFER OVERFLOWS: input data Server running a daemon Attacker Code The attacker sends data to the daemon process running at the server side and could thus trigger

More information

Type Checking and Type Equality

Type Checking and Type Equality Type Checking and Type Equality Type systems are the biggest point of variation across programming languages. Even languages that look similar are often greatly different when it comes to their type systems.

More information

Static Vulnerability Analysis

Static Vulnerability Analysis Static Vulnerability Analysis Static Vulnerability Detection helps in finding vulnerabilities in code that can be extracted by malicious input. There are different static analysis tools for different kinds

More information

Part 7. Stacks. Stack. Stack. Examples of Stacks. Stack Operation: Push. Piles of Data. The Stack

Part 7. Stacks. Stack. Stack. Examples of Stacks. Stack Operation: Push. Piles of Data. The Stack Part 7 Stacks The Stack Piles of Data Stack Stack A stack is an abstract data structure that stores objects Based on the concept of a stack of items like a stack of dishes Data can only be added to or

More information

Lecture 03 Bits, Bytes and Data Types

Lecture 03 Bits, Bytes and Data Types Lecture 03 Bits, Bytes and Data Types Computer Languages A computer language is a language that is used to communicate with a machine. Like all languages, computer languages have syntax (form) and semantics

More information

Secure Coding in C and C++

Secure Coding in C and C++ Secure Coding in C and C++ Dynamic Memory Management Lecture 5 Sept 21, 2017 Acknowledgement: These slides are based on author Seacord s original presentation Issues Dynamic Memory Management Common Dynamic

More information

Lecture 4 September Required reading materials for this class

Lecture 4 September Required reading materials for this class EECS 261: Computer Security Fall 2007 Lecture 4 September 6 Lecturer: David Wagner Scribe: DK Moon 4.1 Required reading materials for this class Beyond Stack Smashing: Recent Advances in Exploiting Buffer

More information

Fundamentals of Computer Security

Fundamentals of Computer Security Fundamentals of Computer Security Spring 2015 Radu Sion Software Errors Buffer Overflow TOCTTOU 2005-15 Portions copyright by Bogdan Carbunar and Wikipedia. Used with permission Why Security Vulnerabilities?

More information

COMP3441 Lecture 7: Software Vulnerabilities

COMP3441 Lecture 7: Software Vulnerabilities COMP3441 Lecture 7: Software Vulnerabilities Ron van der Meyden (University of New South Wales Sydney, Australia) April 22, 2013 Overview Buffer overflow attacks SQL injection attacks Defensive measures

More information

Lecture 1: Buffer Overflows

Lecture 1: Buffer Overflows CS5431 Computer Security Practicum Spring 2017 January 27, 2017 1 Conficker Lecture 1: Buffer Overflows Instructor: Eleanor Birrell In November 2008, a new piece of malware was observed in the wild. This

More information

Basic Buffer Overflows

Basic Buffer Overflows Operating Systems Security Basic Buffer Overflows (Stack Smashing) Computer Security & OS lab. Cho, Seong-je ( 조성제 ) Fall, 2018 sjcho at dankook.ac.kr Chapter 10 Buffer Overflow 2 Contents Virtual Memory

More information