Lab 2: Buffer Overflows

Transcription

1 Lab 2: Buffer Overflows Fengwei Zhang Wayne State University Course: Cyber Security 1

2 Buffer Overflows One of the most common in soeware Programming languages commonly associated with buffer overflows including C and C++ Opera@ng systems including Windows, Linux and Mac OS X are wrimen in C or C++ Wayne State University Course: Cyber Security Prac@ce 2

3 How It Works define buffers in the memory Unsigned char [10] use adjacent memory to store variables, arguments, and return address of a func@on. Buffer Overflows occurs when data wrimen to a buffer exceeds its size. Wayne State University Course: Cyber Security Prac@ce 3

4 Overflowing Buffer Defining a buffer in C char buf[10]; Overflowing the buffer Char buf [10] = x ; strcpy(buf, ) Wayne State University Course: Cyber Security Prac@ce 4

5 Why We Care Because adjacent memory stores program variables, parameters, and arguments Mackers can change these values through overflowing a buffer Mackers can gain control over the program flow to execute arbitrary code Wayne State University Course: Cyber Security Prac@ce 5

6 Process Memory Layout High memory Stack Heap Data Segment Low memory Text Segment Wayne State University Course: Cyber Security 6

7 Memory Layout for 32-bit Linux 1GB Kernel Space Stack Local variable: int a 3GB Heap BSS Segment Data Segment Text Segment (ELF) Func@on malloc() Unini@alized sta@c variables: sta@c char *u sta@c char *s = Hello world Binary of the program Wayne State University Course: Cyber Security Prac@ce 7

8 Virtual Memory Layout Wayne State University Course: Cyber Security 8

9 Stack Frame The stack contains frames including local variables, parameters, and return address at the highest memory address and growing downwards Last in first out Wayne State University Course: Cyber Security 9

10 Simple Program dd (2,3) High memory int add (int a, int b) { int c; c = 1+b; return c; } 3 2 Ret ddress EBP C Low memory ESP Wayne State University Course: Cyber Security Prac@ce 10

11 nother Program int func (char * str) { char mybuff[512]; strcpy(mybuff, str); return 1; } Draw the Stack Frame! int main (int argc, char ** argv) { func (argv[1]); return 1; } Wayne State University Course: Cyber Security Prac@ce 11

12 Overflowing mybuff High memory Low memory () str() Ret addr() EBP() ESP Wayne State University Course: Cyber Security 12

13 Buffer Overflow Defenses The amack described is a classical stack smashing amack which execute the code on the stack It does not work today NX non-executable stack. Most compilers now default to a non-executable stack. Meaning a segmenta@on fault occurs if running code from the stack (i.e., Data Execu@on Preven@on - DEP) Disable it with zexecstack op@on Check it with readelf e <PROGRM> grep STCK StackGuard: Cannaries Disable it with fno-stack-protector op@on Enable it with fstack-protector op@on Wayne State University Course: Cyber Security Prac@ce 13

14 Stack Canaries Stack smashing amacks do two things Overwrite the return address Wait for algorithm to complete and call RET Stack Canaries: Stack Smashing Protector (SSP) Placing a integer value to stack just before the return address To overwrite the return address, the canary value would also be modified Checking this value before the func@on returns Wayne State University Course: Cyber Security Prac@ce 14

15 Stack Canaries (cont d) High memory Low memory () str() Ret addr() EBP() Canary() ESP Wayne State University Course: Cyber Security 15

16 Bypassing NX and Canaries NX - non-executable stack Execu@ng code in the heap Data Execu@on Preven@on (DEP) Return Oriented Programming (ROP) Stack Canaries Overwri@ng the Canary with the same value Brute force amack (e.g., DynaGuard in CSC 15) Wayne State University Course: Cyber Security Prac@ce 16

17 Reminders Lab 0 Turn in the class agreement Lab 1 Due today at 11:59pm Late assignment policy Submit it via Blackboard Lab 2 instruc@ons Wayne State University Course: Cyber Security Prac@ce 17