Defense against Code-injection, and Code-reuse Attack
|
|
- Ella Thornton
- 5 years ago
- Views:
Transcription
1 Operating Systems Security Defense against Code-injection, and Code-reuse Attack Computer Security & OS lab. Cho, Seong-je ( 조성제 ) sjcho at dankook.ac.kr Fall, 2018
2 Contents Buffer Overflows: Stack Smashing, Heap overflow, Global data overflow Background knowledge: Little endian vs. Big endian, Assembly language, Code-injection attacks & defenses Return-to-Shellcode Attack Code-reuse attacks: Return-to-Libc Attacks References & Source (Credit): Lecture: Code-reuse attacks and defenses, Lucas Davi, University of Duisbure-Essen Code-Reuse Attacks and Defenses, MSc. Lucas Vincenzo Davi, Technische Universitat Darmstadt Computer Security, Principles and Practice, 3 rd ed., William Stallings & Lawrie Brown EECS710: Information Security, Professor Hossein Saiedian, Fall 2014, Electrical Engineering and Computer Science, KU Return-Oriented Programming, David Brumley, CMU Introduction to Information Security, , Spring 2016, Control Hijacking, Avishar Wool, Tel Aviv University CAP6135: Malware and Software Vulnerability Analysis, Buffer Overflow I & II: Attack/Defense, Cliff Zou, Spring 2012/2014, UCF -2-
3 Learning Objectives Review Buffer overflows & Shellcode Understanding of Control hijacking attacks After studying this chapter, you should be able to: Describe how we can defend against code-injection attacks Define return-to-libc (Ret2Libc) attacks Describe what are the differences between basic BoF and Ret2Libc Hands-on experience on Ret2Libc Buffer overflow vulnerability lab with LoB -3-
4 Control Hijacking Attacks Control flow the order in which individual statements, instructions or function calls of an imperative program are executed or evaluated Control Hijacking Attacks (Runtime exploit) A control hijacking attack exploits a program error, particularly a memory corruption vulnerability, at application runtime to subvert the intended controlflow of a program. Control-hijacking attacks = Control-flow hijacking attacks Change of control flow Alter a code pointer (i.e., value that influences program counter) or, Gain control of the instruction pointer %eip Change memory region that should not be accessed E.g.) Code injection attacks, Code reuse attacks -4-
5 Control Flow Graphs (CFG) -5-
6 Control Hijacking Attacks Control Flow Graph (CFG) a representation, using graph notation, of all paths that might be traversed through a program during its execution Code injection attacks Adding a new node to the CFG Adversary can execute arbitrary malicious code Examples: Return to Shellcode (= Ret2Shellcode) Code-reuse attacks Adding a new path to the CFG Adversary is limited to the code nodes that are available in the CFG Examples: Ret2Libc ROP JOP (Jump-oriented programming) -6-
7 General Principle of Code Injection Attacks Source: Lecture: Code-Reuse Attacks and Defenses, Lucas Davi, Winter School on Binary Analysis,
8 General Principle of Code-Reuse Attacks -8-
9 Basic Execution -9-
10 Attacker s goal: Control Hijacking Attacks Take over target machine (e.g. Web server) Execute arbitrary code on target by hijacking the execution flow of a running program Common control hijacking methods Buffer overflows Integer overflows Heap overflows Format string vulnerability -10-
11 Buffer Overflow Buffer Overflow by NIST s Definition (NIST Glossary of Key Information Security Terms) A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system. A buffer overflow occurs when data is written outside of the space allocated for the buffer. C does not check that writes are in-bound Buffer overflow = Buffer overrun Where can a buffer be located? -11-
12 cdecl the default for Linux & gcc -12-
13 Buffer Overflows Stack-based attacks (stack smashing) = stack overflows Heap-based attacks More advanced Very dependent on system and library version Return-to-libc (Ret2Libc) Return-into-libc Return-Oriented Programming (ROP) -13-
14 Brief History of Buffer Overflow Attacks Buffer overflow is a very common attack mechanism from 1988 Morris Worm to Code Red, Slammer, Sasser and many others -14-
15 Buffer Overflow & Programming Language Buffer Overflow: A Well-Known Problem A very common attack mechanism Prevention techniques known Still of major concern due to legacy of buggy code in widely deployed OSes and applications continued careless programming practices by programmers A Little Programming Language History At machine level, all data are stored in an array of bytes interpretation depends on instructions used Modern high-level languages have a strong notion of type and valid operations not vulnerable to buffer overflows does incur overhead, some limits on use C and related languages have high-level control structures, but allow direct access to memory hence are vulnerable to buffer overflow have a large legacy of widely used, unsafe, and hence vulnerable code -15-
16 Buffer Overflow Basics Mostly relevant for C/C++ programs Caused by programming error Allows more data to be stored than capacity available in a fixed sized buffer buffer can be on stack, heap, global data Overwriting adjacent memory locations Consequences: corruption of program data unexpected transfer of control memory access violation execution of code chosen by attacker -16-
17 Buffer Overflow Attacks To exploit a buffer overflow an attacker needs: must identify a buffer overflow vulnerability in some program Identifying vulnerable programs can be done by: Inspection of program source tracing the execution of programs as they process oversized input Using tools such as fuzzing to automatically identify potentially vulnerable programs understand how buffer is stored in memory and determine potential for corruption Stack Buffer Overflow Occurs when buffer is located on stack used by Morris Worm Smashing the Stack paper popularized it Have local variables below saved frame pointer and return address hence overflow of a local buffer can potentially overwrite these key control items Attacker overwrites return address with address of desired code program, system library or loaded in buffer -17-
18 Vulnerable APIs and Target programs in Buffer Overflows Table 10.2 Some Common Unsafe C Standard Library Routines Some Common Unsafe C Standard Library Routines gets(char *str) sprintf(char *str, char *format,...) strcat(char *dest, char *src) strcpy(char *dest, char *src) vsprintf(char *str, char *fmt, va_list ap) read line from standard input into str create str according to supplied format and variables append contents of string src to string dest copy contents of string src to string dest create str according to supplied format and variables strcpy() strncpy() strlcpy() In Buffer overflow attacks, Target program can be: A trusted system utility Network service daemon Commonly used library code, which handles common document formats (e.g., the library routines used to decode and display GIF or JPEG images) The input is not from a terminal or network connection, but from the file being decoded and displayed -18-
19 Buffer Overflows: Code-injection Attacks Code-injection Attacks a subclass of control hijacking attacks that subverts the intended controlflow of a program to previously injected malicious code Shellcode code supplied by attacker often saved in buffer being overflowed traditionally transferred control to a shell (user command-line interpreter) machine code specific to processor and OS traditionally needed good assembly language skills to create more recently have automated sites/tools -19-
20 Code-injection Attacks An example of malicious code is shellcode One of Control-Flow Attacks -20-
21 Unix Shellcode In Windows terms: command.exe -21-
22 Big-endian vs. Little-endian Big-endian (POWER family): Linux on SPARC, PowerPC, and z/architecture, Mac OS X on Power PC Little-endian (x86 family): Linux/Windows on x86, x64, and Itanium -22-
23 Linux strings command -23-
24 x86 Assembly language on AT&T vs. Intel AT&T syntax, which is the default for objdump, uses <src>, <dst> Mnemonic Meaning mov ebx, eax Move contents of ebx into eax add ebx, eax Calculate eax = eax + ebx shl $2, ecx Calculate ecx = ecx << 2 Intel syntax, which uses <dst>, <src> Mnemonic Meaning mov eax, ebx Move contents of ebx into eax add eax, ebx Calculate eax = eax + ebx shl ecx, 2 Calculate ecx = ecx << 2-24-
25 Advantages very effective Buffer Overflows attack code runs with privileges of exploited process can be exploited locally and remotely interesting for network services Disadvantages architecture dependent directly inject assembler code operating system dependent use call system functions some guesswork involved (correct addresses) -25-
26 Overflow Types Overflow memory region on the stack overflow function return address overflow function frame (base) pointer overflow longjump buffer Overflow (dynamically allocated) memory region on the heap Overflow function pointers stack, heap, BSS -26-
27 Other Overflow Attacks (Other Forms of Overflow Attacks) Heap overflow Global Data overflow -27-
28 Programs and Processes Figure 10.4 Program Loading into Process Memory -28-
29 Attack buffer located in heap Heap Overflow typically located above program code memory is requested by programs to use in dynamic data structures (such as linked lists of records) No return address hence no easy transfer of control may have function pointer, buffer, and vulnerable function gets() or manipulate management data structures Defenses Move function pointers Q) Which has higher address of inp and process variables on next slide? Making the heap non-executable -29-
30 Heap Overflow Example Target address could be 0x080497b8 (with bytes reversed because x86 is littleendian) -30-
31 Global Data Overflow can attack buffer located in global data may be located above program code if has function pointer and vulnerable buffer & function or adjacent process management tables aim to overwrite function pointer later called Defenses Move function pointers arranging function pointers to be located below any other types of data Making global data region non-executable -31-
32 Global Data Overflow Example The global structure was found to be at address 0x , which was used as the target address in the attack. -32-
33 Defense against Code-injection Attacks Data Execution Prevention -33-
34 Buffer Overflow Defenses Buffer overflows are widely exploited Large amount of vulnerable code in use despite cause and countermeasures known Two broad defense approaches compile-time - harden new programs run-time - handle attacks on existing programs Control hijacking: Platform defenses Hardware + Operating system -34-
35 Non Executable Address Space (Run-time defense) Many BO attacks copy machine code into buffer and transfer control to it Use virtual memory support to make some regions of memory nonexecutable (to avoid exec of attacker s code) e.g. stack, heap, global data need H/W support in MMU long existed on SPARC/Solaris systems recent on x86 Linux/Unix/Windows systems The adversary can only inject his malicious code, but cannot execute it Issues: support for executable stack code Some apps need executable stack (e.g. LISP interpreters) Special provisions are needed -35-
36 Marking memory as non-execute (W X) Prevent attack code execution by marking stack, heap, data as non-executable. (von Neumann architecture Harvard-based computing architecture) Harvard architecture: code and data are strictly separated from each other AMD: NX-bit ( No Execute, from AMD Athlon 64) Intel: XD-bit ( Executable Disable, from Intel P4 Prescott) NX bit in every Page Table Entry (PTE) Modern OSes enable W X by default (Windows, Linux, ios, Android): Linux (via PaX project); OpenBSD Windows: since XP SP2 ( DEP (Data Execution Prevention)) Boot.ini : /noexecute=optin or AlwaysOn Visual Studio: /NXCompat[:NO] Limitations: Some apps need executable heap (e.g. JITs). Does not defend against `return-to-libc exploits -36-
37 Data Execution Prevention (DEP) Prevent execution from a writable memory (data) area -37-
38 Examples: DEP control in Windows 7 Computer > right-click Properties > Advanced system settings > Performance (Settings) > Data Execution Prevention DEP terminating a program -38-
39 Code-Reuse Attacks (An Overflow Variant) Return to Libc (Ret2Libc) attacks Return-Oriented Programming attacks -39-
40 Code-Reuse Attacks Where are normally executable codes located? -40-
41 Return-to-Libc attacks Basic idea of return-to-libc attacks Overwrite RET addr with addr of libc function Use existing code instead of injecting code (No injected code) Subvert the usual execution flow by redirecting it to functions in linked system libraries The process's image consists of 1 writable memory areas like stack, data and heap, 2 and executable memory areas such as the code segment and the linked system libraries The target for useful code can be found in the C library libc The library libc Libc is linked to nearly every Unix/Linux program This library defines system calls and other basic facilities such as open(), malloc(), printf(), system(), execve(), etc. E.g., system ( /bin/sh") -41-
42 Useful Functions in Libc Libc provides the following useful functions to the adversary The system() function Executes a new program within a running program. Example: system ( /bin/sh") This function executes the /bin/sh le (i.e., a new shell is launched) The execve() function Execute a new program and replace the (old) running program. Example: execve (argv[0], argv, NULL); argv is a string array, whereas argv[0] = /bin/sh" This function launches a new shell and replaces the running program -42-
43 Return to Libc Attack Control hijacking without code injection Code-Reuse Attack: a subclass of control-flow attacks that subverts the intended control-flow of a program to invoke an unintended execution path inside the original program code. -43-
44 Adversary transmits malicious input Return-to-Libc (1) -44-
45 Return-to-Libc (2) Input contains pattern bytes, a new ret_addr pointing to system(), -45-
46 Return-to-Libc (3), and a pointer to the /bin/sh string -46-
47 Return-to-Libc (4) When echo() returns, system() launches a new shell -47-
48 Return-to-libc (1/2) Using existing code (e.g.,: libc function) instead of injecting code E.g.) system( /bin/sh ); execve (argv[0], argv, NULL); 0x400fbff9 #include <stdio.h> void echo ( ) { char buffer[80]; gets (buffer); puts (buffer); } int main ( ) { echo ( ); printf ( "Done" ); return 0; } 0x40058ae0 Exploit 예 A *80 + B *4 + \xe0\x8a\x05\x40 + AAAA + \xf9\xbf\x0f\x40-48-
49 Return-to-libc (2/2) When echo() returns, system() launches a new shell Bypass W X model -49-
50 Return to Libc Attack Basic idea is that most c programs will be compiled with libc and thus you ll have access to these functions (like printf, gets, system, exit, etc) Even though stack/heap is nx, libc programs loaded in memory can be used Using ret2libc One interesting thing that ret2libc can do is to actually execute a shell payload would look like this: junk to overwrite ebp+address to system() + 4bytes junk or address to exit() + address to /bin/ sh of course /bin/sh has to be loaded in memory somewhere Execute a shell Note: there are multiple ways to do this for purposes of shell popping, you can use an environmental variable to load /bin/sh and search for it. A helpful command to search for environmental variable address in gdb is x/32s *environ -50-
51 Ret2Libc What if we don t know the absolute address any pointers to /bin/sh (objdump gives addresses, but we don t know ASLR constants) ptr to argv /bin/sh argc return addr &system caller s ebp %ebp Return to Libc Generalization: can generate arbitrary programs using return oriented programming (ROP) buf (64 bytes) argv[1] buf %esp -51-
52 Return-to-Libc (Ret2Libc) Attack stack overflow variant replaces return address with standard library function response to non-executable stack defences attacker constructs suitable parameters on stack above return address function returns and library function executes e.g. system( shell commands ) attacker may need exact buffer address can even chain two library calls Scorecard for ret2libc No injected code DEP ineffective Requires knowing address of system... or does it. -52-
53 Countermeasures for Ret2Libc What if we don t know the address of system()? What if system() is removed from libc.so? Remove security-sensitive functions from shared libraries? This might break legitimate uses Address Space Layout Randomization (ASLR) Control-Flow Integrity (CFI) -53-
54 Basics of Memory Randomization ASLR randomizes the base address of code/data segments -54-
55 ASLR Example Booting twice loads libraries into different locations: -55-
56 Defense against return to libc : randomization ASLR: (Address Space Layout Randomization) Map shared libraries to random location in process memory Attacker cannot jump directly to exec function Deployment on 32-bit OS: Windows Vista: 8 bits of randomness for DLLs aligned to 64K page in a 16MB region 256 choices Linux (via PaX): 16 bits of randomness for libraries More effective on 64-bit architectures Other randomization methods: System-call randomization: randomize system-call IDs Instruction Set Randomization (ISR) Generally: Software Diversity -56-
57 Control-Flow Integrity (CFI) Defense against code injection & code-reuse attacks -57-
58 CFI CFI indirect jump check -58-
59 Summary of Buffer Overflows Buffer Overflow Attacks = One of Control Hijacking Attacks -59-
60 Code injection attacks Code-reuse attacks Control Hijacking Attacks -60-
61 Control Hijacking Attacks & Defenses Control hijacking attacks = Control flow hijacking attacks Attacker s goal: Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control flow Examples: Buffer overflow, Integer overflows, Format string attacks Control Hijacking Attacks Code injection Injected code, shellcode Code-reuse attacks Existing code, Ret2Libc, Return Oriented Programming (ROP), Protection Writable xor executable (W X), DEP ASLR Control Flow Integrity -61-
62 Buffer Overflows and Defenses Buffer overflows are one of Control hijacking attacks Stack buffer overflows targeted buffer is located on the stack shellcode shellcode development position independent cannot contain NULL values heap overflows global data area overflows A defence against Buffer overflow NX, DEP, W X ASLR, CFI -62-
Buffer overflow background
and heap buffer background Comp Sci 3600 Security Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Address Space and heap buffer
More information2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks
Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include injection of malicious code Reasons for runtime attacks
More informationBasic Buffer Overflows
Operating Systems Security Basic Buffer Overflows (Stack Smashing) Computer Security & OS lab. Cho, Seong-je ( 조성제 ) Fall, 2018 sjcho at dankook.ac.kr Chapter 10 Buffer Overflow 2 Contents Virtual Memory
More informationLecture Embedded System Security A. R. Darmstadt, Runtime Attacks
2 ARM stands for Advanced RISC Machine Application area: Embedded systems Mobile phones, smartphones (Apple iphone, Google Android), music players, tablets, and some netbooks Advantage: Low power consumption
More informationCSE 565 Computer Security Fall 2018
CSE 565 Computer Security Fall 2018 Lecture 14: Software Security Department of Computer Science and Engineering University at Buffalo 1 Software Security Exploiting software vulnerabilities is paramount
More informationCS 161 Computer Security
Paxson Spring 2017 CS 161 Computer Security Discussion 2 Question 1 Software Vulnerabilities (15 min) For the following code, assume an attacker can control the value of basket passed into eval basket.
More informationReturn-orientated Programming
Return-orientated Programming or The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Hovav Shacham, CCS '07 Return-Oriented oriented Programming programming
More informationInject malicious code Call any library functions Modify the original code
Inject malicious code Call any library functions Modify the original code 2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks 2 3 Sadeghi, Davi TU Darmstadt
More informationCSC 591 Systems Attacks and Defenses Return-into-libc & ROP
CSC 591 Systems Attacks and Defenses Return-into-libc & ROP Alexandros Kapravelos akaprav@ncsu.edu NOEXEC (W^X) 0xFFFFFF Stack Heap BSS Data 0x000000 Code RW RX Deployment Linux (via PaX patches) OpenBSD
More informationAdvanced Buffer Overflow
Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2016/2017 Department of Electrical and Electronic Engineering
More informationRuntime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include
2 Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include injection of malicious code Reasons for runtime attacks
More informationLecture 08 Control-flow Hijacking Defenses
Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides adapted from Miller, Bailey, and Brumley Control Flow Hijack: Always control + computation
More informationCMPSC 497 Buffer Overflow Vulnerabilities
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Buffer Overflow
More informationIs stack overflow still a problem?
Morris Worm (1998) Code Red (2001) Secure Programming Lecture 4: Memory Corruption II (Stack Overflows) David Aspinall, Informatics @ Edinburgh 31st January 2017 Memory corruption Buffer overflow remains
More informationCSE 127: Computer Security. Memory Integrity. Kirill Levchenko
CSE 127: Computer Security Memory Integrity Kirill Levchenko November 18, 2014 Stack Buffer Overflow Stack buffer overflow: writing past end of a stackallocated buffer Also called stack smashing One of
More informationBeyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus(MSR) and Brandon Baker (MS) Buffer Overflows and How they Occur Buffer is a contiguous segment of memory of a fixed
More informationProgram Security and Vulnerabilities Class 2
Program Security and Vulnerabilities Class 2 CEN-5079: 28.August.2017 1 Secure Programs Programs Operating System Device Drivers Network Software (TCP stack, web servers ) Database Management Systems Integrity
More informationUniversità Ca Foscari Venezia
Stack Overflow Security 1 2018-19 Università Ca Foscari Venezia www.dais.unive.it/~focardi secgroup.dais.unive.it Introduction Buffer overflow is due to careless programming in unsafe languages like C
More informationSoftware Security: Buffer Overflow Defenses
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,
More informationSecurity and Privacy in Computer Systems. Lecture 5: Application Program Security
CS 645 Security and Privacy in Computer Systems Lecture 5: Application Program Security Buffer overflow exploits More effective buffer overflow attacks Preventing buffer overflow attacks Announcement Project
More informationExercise 6: Buffer Overflow and return-into-libc Attacks
Technische Universität Darmstadt Fachbereich Informatik System Security Lab Prof. Dr.-Ing. Ahmad-Reza Sadeghi M.Sc. David Gens Exercise 6: Buffer Overflow and return-into-libc Attacks Course Secure, Trusted
More informationBetriebssysteme und Sicherheit Sicherheit. Buffer Overflows
Betriebssysteme und Sicherheit Sicherheit Buffer Overflows Software Vulnerabilities Implementation error Input validation Attacker-supplied input can lead to Corruption Code execution... Even remote exploitation
More informationBuffer Overflows Defending against arbitrary code insertion and execution
www.harmonysecurity.com info@harmonysecurity.com Buffer Overflows Defending against arbitrary code insertion and execution By Stephen Fewer Contents 1 Introduction 2 1.1 Where does the problem lie? 2 1.1.1
More informationSelected background on ARM registers, stack layout, and calling convention
Selected background on ARM registers, stack layout, and calling convention ARM Overview ARM stands for Advanced RISC Machine Main application area: Mobile phones, smartphones (Apple iphone, Google Android),
More informationBuffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.
Outline Morris Worm (1998) Infamous attacks Secure Programming Lecture 4: Memory Corruption II (Stack Overflows) David Aspinall, Informatics @ Edinburgh 23rd January 2014 Recap Simple overflow exploit
More informationSecure Programming Lecture 3: Memory Corruption I (Stack Overflows)
Secure Programming Lecture 3: Memory Corruption I (Stack Overflows) David Aspinall, Informatics @ Edinburgh 24th January 2017 Outline Roadmap Memory corruption vulnerabilities Instant Languages and Runtimes
More informationWe will focus on Buffer overflow attacks SQL injections. See book for other examples
We will focus on Buffer overflow attacks SQL injections See book for other examples Buffer overrun is another common term Buffer Overflow A condition at an interface under which more input can be placed
More informationThe Geometry of Innocent Flesh on the Bone
The Geometry of Innocent Flesh on the Bone Return-into-libc without Function Calls (on the x86) Hovav Shacham hovav@cs.ucsd.edu CCS 07 Technical Background Gadget: a short instructions sequence (e.x. pop
More informationCS 161 Computer Security
Paxson Spring 2011 CS 161 Computer Security Discussion 1 January 26, 2011 Question 1 Buffer Overflow Mitigations Buffer overflow mitigations generally fall into two categories: (i) eliminating the cause
More information20: Exploits and Containment
20: Exploits and Containment Mark Handley Andrea Bittau What is an exploit? Programs contain bugs. These bugs could have security implications (vulnerabilities) An exploit is a tool which exploits a vulnerability
More informationThis time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask
This time We will continue Buffer overflows By looking at Overflow Defenses and other memory safety vulnerabilities Everything you ve always wanted to know about gdb but were too afraid to ask Overflow
More informationAdvanced Buffer Overflow
Pattern Recognition and Applications Lab Advanced Buffer Overflow Ing. Davide Maiorca, Ph.D. davide.maiorca@diee.unica.it Computer Security A.Y. 2017/2018 Department of Electrical and Electronic Engineering
More informationSoftware Security: Buffer Overflow Attacks (continued)
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Spring 2015 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More informationFundamentals of Computer Security
Fundamentals of Computer Security Spring 2015 Radu Sion Software Errors Buffer Overflow TOCTTOU 2005-15 Portions copyright by Bogdan Carbunar and Wikipedia. Used with permission Why Security Vulnerabilities?
More informationRobust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin
CS 6V81-05: System Security and Malicious Code Analysis Robust Shell Code Return Oriented Programming and HeapSpray Zhiqiang Lin Department of Computer Science University of Texas at Dallas April 16 th,
More informationCSc 466/566. Computer Security. 20 : Operating Systems Application Security
1/68 CSc 466/566 Computer Security 20 : Operating Systems Application Security Version: 2014/11/20 13:07:28 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2014 Christian
More informationSoftware Security II: Memory Errors - Attacks & Defenses
1 Software Security II: Memory Errors - Attacks & Defenses Chengyu Song Slides modified from Dawn Song 2 Administrivia Lab1 Writeup 3 Buffer overflow Out-of-bound memory writes (mostly sequential) Allow
More informationCNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated
CNIT 127: Exploit Development Ch 14: Protection Mechanisms Updated 3-25-17 Topics Non-Executable Stack W^X (Either Writable or Executable Memory) Stack Data Protection Canaries Ideal Stack Layout AAAS:
More informationCNIT 127: Exploit Development. Ch 1: Before you begin. Updated
CNIT 127: Exploit Development Ch 1: Before you begin Updated 1-14-16 Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend, such as Denial
More informationPractical Malware Analysis
Practical Malware Analysis Ch 4: A Crash Course in x86 Disassembly Revised 1-16-7 Basic Techniques Basic static analysis Looks at malware from the outside Basic dynamic analysis Only shows you how the
More informationArchitecture-level Security Vulnerabilities
Architecture-level Security Vulnerabilities Björn Döbel Outline How stacks work Smashing the stack for fun and profit Preventing stack smashing attacks Circumventing stack smashing prevention The Battlefield:
More informationCSE 127 Computer Security
CSE 127 Computer Security Alex Gantman, Spring 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on
More informationSecure Systems Engineering
Secure Systems Engineering Chester Rebeiro Indian Institute of Technology Madras Flaws that would allow an attacker access the OS flaw Bugs in the OS The Human factor Chester Rebeiro, IITM 2 Program Bugs
More informationLinux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.
Lecture 6B Machine-Level Programming V: Miscellaneous Topics Topics Linux Memory Layout Understanding Pointers Buffer Overflow Upper 2 hex digits of address Red Hat v. 6.2 ~1920MB memory limit FF C0 Used
More informationOutline. Memory Exploit
Outline CS 6V81-05: System Security and Malicious Code Analysis Robust Shell Code Return Oriented Programming and HeapSpray Zhiqiang Lin Department of Computer Science University of Texas at Dallas April
More informationRoadmap: Security in the software lifecycle. Memory corruption vulnerabilities
Secure Programming Lecture 3: Memory Corruption I (introduction) David Aspinall, Informatics @ Edinburgh 24th January 2019 Roadmap: Security in the software lifecycle Security is considered at different
More informationModule: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 Anatomy of Control-Flow Exploits 2 Anatomy of Control-Flow Exploits Two steps in control-flow
More informationBiography. Background
From Over ow to Shell An Introduction to low-level exploitation Carl Svensson @ KTH, January 2019 1 / 28 Biography MSc in Computer Science, KTH Head of Security, KRY/LIVI CTF: HackingForSoju E-mail: calle.svensson@zeta-two.com
More informationLecture 4 September Required reading materials for this class
EECS 261: Computer Security Fall 2007 Lecture 4 September 6 Lecturer: David Wagner Scribe: DK Moon 4.1 Required reading materials for this class Beyond Stack Smashing: Recent Advances in Exploiting Buffer
More informationSmashing the Buffer. Miroslav Štampar
Smashing the Buffer Miroslav Štampar (mstampar@zsis.hr) Summary BSidesVienna 2014, Vienna (Austria) November 22nd, 2014 2 Buffer overflow (a.k.a.) Buffer overrun An anomaly where a program, while writing
More informationSoftware Security: Buffer Overflow Attacks
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann,
More informationCSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko
CSE 127: Computer Security Control Flow Hijacking Kirill Levchenko October 17, 2017 Control Flow Hijacking Defenses Avoid unsafe functions Stack canary Separate control stack Address Space Layout Randomization
More informationCSE 127 Computer Security
CSE 127 Computer Security Stefan Savage, Fall 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on the
More informationBUFFER OVERFLOW. Jo, Heeseung
BUFFER OVERFLOW Jo, Heeseung IA-32/LINUX MEMORY LAYOUT Heap Runtime stack (8MB limit) Dynamically allocated storage When call malloc(), calloc(), new() DLLs (shared libraries) Data Text Dynamically linked
More informationBuffer Overflow. Jo, Heeseung
Buffer Overflow Jo, Heeseung IA-32/Linux Memory Layout Heap Runtime stack (8MB limit) Dynamically allocated storage When call malloc(), calloc(), new() DLLs (shared libraries) Data Text Dynamically linked
More informationBuffer overflow prevention, and other attacks
Buffer prevention, and other attacks Comp Sci 3600 Security Outline 1 2 Two approaches to buffer defense Aim to harden programs to resist attacks in new programs Run time Aim to detect and abort attacks
More informationControl Hijacking Attacks
Control Hijacking Attacks Alexandros Kapravelos kapravelos@ncsu.edu (Derived from slides from Chris Kruegel) Attacker s mindset Take control of the victim s machine Hijack the execution flow of a running
More informationLecture 1: Buffer Overflows
CS5431 Computer Security Practicum Spring 2017 January 27, 2017 1 Conficker Lecture 1: Buffer Overflows Instructor: Eleanor Birrell In November 2008, a new piece of malware was observed in the wild. This
More informationThe first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.
Lab session this afternoon Memory corruption attacks Secure Programming Lecture 6: Memory Corruption IV (Countermeasures) David Aspinall, Informatics @ Edinburgh 2nd February 2016 The first Secure Programming
More informationControl Flow Hijacking Attacks. Prof. Dr. Michael Backes
Control Flow Hijacking Attacks Prof. Dr. Michael Backes Control Flow Hijacking malicious.pdf Contains bug in PDF parser Control of viewer can be hijacked Control Flow Hijacking Principles Normal Control
More informationFrom Over ow to Shell
From Over ow to Shell An Introduction to low-level exploitation Carl Svensson @ Google, December 2018 1 / 25 Biography MSc in Computer Science, KTH Head of Security, KRY/LIVI CTF: HackingForSoju E-mail:
More informationModule: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Return-oriented Programming Professor Trent Jaeger 1 1 Anatomy of Control-Flow Exploits Two steps in control-flow exploitation First -- attacker
More informationBuffer Overflow Attack
Chapter 4 This is a sample chapter in the book titled "Computer Security: A Hands-on Approach" authored by Wenliang Du. Buffer Overflow Attack From Morris worm in 1988, Code Red worm in 2001, SQL Slammer
More informationArchitecture-level Security Vulnerabilities. Julian Stecklina
Architecture-level Security Vulnerabilities Julian Stecklina Outline How stacks work Smashing the stack for fun and profit Preventing stack smashing attacks Circumventing stack smashing prevention The
More informationSecure Programming Lecture 6: Memory Corruption IV (Countermeasures)
Secure Programming Lecture 6: Memory Corruption IV (Countermeasures) David Aspinall, Informatics @ Edinburgh 2nd February 2016 Outline Announcement Recap Containment and curtailment Tamper detection Memory
More informationCSE 127 Computer Security
CSE 127 Computer Security Stefan Savage, Spring 2018, Lecture 4 Low Level Software Security II: Format Strings, Shellcode, & Stack Protection Review Function arguments and local variables are stored on
More informationExploits and gdb. Tutorial 5
Exploits and gdb Tutorial 5 Exploits and gdb 1. Buffer Vulnerabilities 2. Code Injection 3. Integer Attacks 4. Advanced Exploitation 5. GNU Debugger (gdb) Buffer Vulnerabilities Basic Idea Overflow or
More informationCSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018
CSCE 548 Building Secure Software Buffer Overflow Professor Lisa Luo Spring 2018 Previous Class Virus vs. Worm vs. Trojan & Drive-by download Botnet & Rootkit Malware detection Scanner Polymorphic malware
More informationCountermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)
Countermeasures in Modern Operating Systems Yves Younan, Vulnerability Research Team (VRT) Introduction Programs in C/C++: memory error vulnerabilities Countermeasures (mitigations): make exploitation
More informationControl Hijacking Attacks
Control Hijacking Attacks Note: project 1 is out Section this Friday 4:15pm (Gates B03) Control hijacking attacks Attacker s goal: Take over target machine (e.g. web server) Execute arbitrary code on target
More informationBuffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University
Buffer Overflow Jin-Soo Kim (jinsookim@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu IA-32/Linux Memory Layout Runtime stack (8MB limit) Heap Dynamically allocated storage
More informationExploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it
Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it 29.11.2012 Secure Software Engineering Andreas Follner 1 Andreas Follner Graduated earlier
More informationString Oriented Programming Exploring Format String Attacks. Mathias Payer
String Oriented Programming Exploring Format String Attacks Mathias Payer Motivation Additional protection mechanisms prevent many existing attack vectors Format string exploits are often overlooked Drawback:
More informationOutline. Heap meta-data. Non-control data overwrite
Outline CSci 5271 Introduction to Computer Security Day 5: Low-level defenses and counterattacks Stephen McCamant University of Minnesota, Computer Science & Engineering Non-control data overwrite Heap
More informationSoftware Vulnerabilities August 31, 2011 / CS261 Computer Security
Software Vulnerabilities August 31, 2011 / CS261 Computer Security Software Vulnerabilities...1 Review paper discussion...2 Trampolining...2 Heap smashing...2 malloc/free...2 Double freeing...4 Defenses...5
More informationOutline. Format string attack layout. Null pointer dereference
CSci 5271 Introduction to Computer Security Day 5: Low-level defenses and counterattacks Stephen McCamant University of Minnesota, Computer Science & Engineering Null pointer dereference Format string
More informationSecure Software Development: Theory and Practice
Secure Software Development: Theory and Practice Suman Jana MW 2:40-3:55pm 415 Schapiro [SCEP] *Some slides are borrowed from Dan Boneh and John Mitchell Software Security is a major problem! Why writing
More informationidkwim in SecurityFirst 0x16 years old Linux system security researcher idkwim.tistory.com idkwim.linknow.
idkwim@gmail.com idkwim in SecurityFirst 0x16 years old Linux system security researcher idkwim.tistory.com choicy90@nate.com (Nate-On) @idkwim idkwim.linknow.kr Zombie PC?? -> No! Return Oriented Programming
More informationModule: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 Programming Why do we write programs? Function What functions do we enable via our programs?
More informationQ: Exploit Hardening Made Easy
Q: Exploit Hardening Made Easy E.J. Schwartz, T. Avgerinos, and D. Brumley. In Proc. USENIX Security Symposium, 2011. CS 6301-002: Language-based Security Dr. Kevin Hamlen Attacker s Dilemma Problem Scenario
More informationCIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2
CIS 551 / TCOM 401 Computer and Network Security Spring 2007 Lecture 2 Announcements First project is on the web Due: Feb. 1st at midnight Form groups of 2 or 3 people If you need help finding a group,
More informationBuffer-Overflow Attacks on the Stack
Computer Systems Buffer-Overflow Attacks on the Stack Introduction A buffer overflow occurs when a program, while writing data to a buffer, overruns the buffer's boundary and overwrites memory in adjacent
More informationModule: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 Programming Why do we write programs? Function What functions do we enable via our programs?
More informationCNIT 127: Exploit Development. Ch 3: Shellcode. Updated
CNIT 127: Exploit Development Ch 3: Shellcode Updated 1-30-17 Topics Protection rings Syscalls Shellcode nasm Assembler ld GNU Linker objdump to see contents of object files strace System Call Tracer Removing
More informationIntroduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras
Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras Week 08 Lecture 38 Preventing Buffer Overflow Attacks Hello.
More informationIs Exploitation Over? Bypassing Memory Protections in Windows 7
Is Exploitation Over? Bypassing Memory Protections in Windows 7 Alexander Sotirov alex@sotirov.net About me Exploit development since 1999 Published research into reliable exploitation techniques: Heap
More informationBuffer-Overflow Attacks on the Stack
Computer Systems Buffer-Overflow Attacks on the Stack Introduction A buffer overflow occurs when a program, while writing data to a buffer, overruns the buffer's boundary and overwrites memory in adjacent
More informationCS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly
Raluca Popa Spring 2018 CS 161 Computer Security Discussion 1 Week of January 22, 2018: GDB and x86 assembly Objective: Studying memory vulnerabilities requires being able to read assembly and step through
More informationputting m bytes into a buffer of size n, for m>n corrupts the surrounding memory check size of data before/when writing
Secure Programming Lecture 4: Memory Corruption II (Stack & Heap Overflows) David Aspinall, Informatics @ Edinburgh 28th January 2019 Memory corruption Buffer overflow is a common vulnerability Simple
More informationSecure Programming Lecture 4: Memory Corruption II (Stack & Heap Overflows)
Secure Programming Lecture 4: Memory Corruption II (Stack & Heap Overflows) David Aspinall, Informatics @ Edinburgh 28th January 2019 Memory corruption Buffer overflow is a common vulnerability. Simple
More information1/31/2007 C. Edward Chow. CS591 Page 1
Page 1 History of Buffer Overflow Attacks Buffer Overflow Attack and related Background Knowledge Linux VirtualMemory Map Shellcode Egg: No-ops/shellcode/returnAddresses Countermeasures: StackGuard StackShield
More informationSoK: Eternal War in Memory
SoK: Eternal War in Memory László Szekeres, Mathias Payer, Tao Wei, Dawn Song Presenter: Wajih 11/7/2017 Some slides are taken from original S&P presentation 1 What is SoK paper? Systematization of Knowledge
More information18-600: Recitation #4 Exploits
18-600: Recitation #4 Exploits 20th September 2016 Agenda More x86-64 assembly Buffer Overflow Attack Return Oriented Programming Attack 3 Recap: x86-64: Register Conventions Arguments passed in registers:
More informationWriting Exploits. Nethemba s.r.o.
Writing Exploits Nethemba s.r.o. norbert.szetei@nethemba.com Motivation Basic code injection W^X (DEP), ASLR, Canary (Armoring) Return Oriented Programming (ROP) Tools of the Trade Metasploit A Brief History
More informationAdvanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2
Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2 Clemens Hlauschek, Christian Schanes INSO Industrial Software Institute of Information Systems Engineering Faculty of
More informationIntro to x86 Binaries. From ASM to exploit
Intro to x86 Binaries From ASM to exploit Intro to x86 Binaries I lied lets do a quick ctf team thing Organization Ideas? Do we need to a real structure right now? Mailing list is OTW How do we get more
More informationModule: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security
CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 1 Programming Why do we write programs? Function What functions do we enable via our programs?
More informationBuffer Overflow Vulnerability
Buffer Overflow Vulnerability 1 Buffer Overflow Vulnerability Copyright c 2006 2014 Wenliang Du, Syracuse University. The development of this document is/was funded by three grants from the US National
More informationBUFFER OVERFLOW DEFENSES & COUNTERMEASURES
BUFFER OVERFLOW DEFENSES & COUNTERMEASURES CMSC 414 FEB 01 2018 RECALL OUR CHALLENGES How can we make these even more difficult? Putting code into the memory (no zeroes) Finding the return address (guess
More informationECS 153 Discussion Section. April 6, 2015
ECS 153 Discussion Section April 6, 2015 1 What We ll Cover Goal: To discuss buffer overflows in detail Stack- based buffer overflows Smashing the stack : execution from the stack ARC (or return- to- libc)
More information