CMPSC 497 Other Memory Vulnerabilities
Slide 1: CMPSC 497 Other Memory Vulnerabilities
Trent Jaeger, Systems and Internet Infrastructure Security (SIIS) Lab, Computer Science and Engineering Department, Pennsylvania State University
Network and Security Research Center, Department of Computer Science and Engineering, Pennsylvania State University, University Park, PA
Slide 2: Memory Error
- A memory error allows a program statement to access memory beyond that allocated for the variables processed in the statement.
- Common case: buffer overflow.
- But there are other ways to exploit memory errors to access unauthorized memory, with no need to overflow a buffer.
- Two examples: use-after-free and type confusion.
Slide 3: Use After Free
- Flaw: the program frees data on the heap, but then references that memory as if it were still valid.
- Accessible: the adversary can control the data written using the freed pointer.
- Exploit: another write-what-where vulnerability.

Slide 4: Use After Free
What happens here? (BUFSIZER1 and BUFSIZER2 are assumed to be defined; the slide does not give their values.)

    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char **argv) {
        char *buf1r1;
        char *buf2r1;
        char *buf2r2;
        char *buf3r2;

        buf1r1 = (char *) malloc(BUFSIZER1);
        buf2r1 = (char *) malloc(BUFSIZER1);
        free(buf2r1);                              /* buf2r1 is now dangling */
        buf2r2 = (char *) malloc(BUFSIZER2);
        buf3r2 = (char *) malloc(BUFSIZER2);
        strncpy(buf2r1, argv[1], BUFSIZER1 - 1);   /* write through the freed pointer */
        free(buf1r1);
        free(buf2r2);
        free(buf3r2);
        return 0;
    }

Slide 5: Use After Free
- When the second R1 buffer (buf2r1) is freed, that memory is available for reuse right away:

    buf1r1 = (char *) malloc(BUFSIZER1);
    buf2r1 = (char *) malloc(BUFSIZER1);
    free(buf2r1);

- Then the R2 buffers are allocated within that memory region (buf2r1's):

    buf2r2 = (char *) malloc(BUFSIZER2);
    buf3r2 = (char *) malloc(BUFSIZER2);

- Finally, the write using the freed pointer overwrites the R2 buffers (and the allocator metadata between them):

    strncpy(buf2r1, argv[1], BUFSIZER1 - 1);
Slide 6: Use After Free
- The most effective attacks exploit data of another type:

    struct A {
        void (*fnptr)(char *arg);
        char buffer[40];
    };

    struct B {
        int B1;
        int B2;
        char info[32];
    };

Slides 7-10: Use After Free
- Free an A and allocate a B: what does that do?

    struct A *x;
    struct B *y;
    char *buf;

    x = (struct A *) malloc(sizeof(struct A));
    free(x);                                      /* x is now dangling */
    y = (struct B *) malloc(sizeof(struct B));    /* may be placed in x's old memory */

- How do you think you exploit this?

    y->B1 = 0xDEADBEEF;   /* B1 overlays x->fnptr when the block is reused */
    x->fnptr(buf);        /* call through the freed pointer */

- The adversary chooses the function pointer value.
- The adversary may also choose the address for buf, to implement a write-what-where.

Slide 11: Use After Free
- Flaw: the program frees data on the heap, but then references that memory as if it were still valid.
- Accessible: the adversary can control the data written using the freed pointer.
- Exploit: another write-what-where vulnerability.
- Has become a popular vulnerability to exploit (over 60% of CVEs).
Slide 12: Prevent Use After Free
- Difficult to detect, because these often occur in complex runtime states:
  - Allocate in one function
  - Free in another function
  - Use in a third function
- Are all uses accessing a valid (not freed) reference, in all possible runtime states?
- It is not fun to check source code for all possible pointers.

Slides 13-14: Prevent Use After Free
- What can you do that is not too complex?
- You can set all freed pointers to NULL. Then no one can use them after they are freed.
Slide 15: Related Problem: Double Free
What is going on here? (BUFSIZE1 and BUFSIZE2 are assumed to be defined; the slide does not give their values.)

    #include <stdlib.h>
    #include <string.h>

    int main(int argc, char **argv) {
        char *buf1r1;
        char *buf2r1;
        char *buf1r2;

        buf1r1 = (char *) malloc(BUFSIZE2);
        buf2r1 = (char *) malloc(BUFSIZE2);
        free(buf1r1);
        free(buf2r1);
        buf1r2 = (char *) malloc(BUFSIZE1);
        strncpy(buf1r2, argv[1], BUFSIZE1 - 1);
        free(buf2r1);                              /* second free of buf2r1 */
        free(buf1r2);
        return 0;
    }

Slide 16: Double Free
- Free the R1 buffers:

    free(buf1r1);
    free(buf2r1);

- Allocate a new buffer R2 and supply data:

    buf1r2 = (char *) malloc(BUFSIZE1);
    strncpy(buf1r2, argv[1], BUFSIZE1 - 1);

- Free R1 again, which uses R2 data as metadata:

    free(buf2r1);

- Then free R2, which uses really messed-up metadata, enabling a write-what-where attack (like a heap overflow):

    free(buf1r2);

Slide 17: Double Free
- So double free achieves the same effect as the heap overflow vulnerabilities, and can be addressed in the same way.
- But you can also save yourself some headache by setting freed pointers to NULL.
- But we are still only talking about this. Hopefully it will be part of systems in the near future, but people don't like to tinker with the C language spec.
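The use-after-free, double-free and "set freed pointers to NULL" slides above, as an added example that is not part of the lecture: a small tracking allocator (names tracked_malloc, tracked_free, FREE_AND_NULL and the buffer sizes are ours) that reports a double free instead of corrupting metadata, poisons freed memory, and quarantines freed blocks so the R2 allocations cannot land on the dangling buf2r1.

```cpp
#include <algorithm>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <map>
#include <vector>

// Result of a free, returned so the effect is observable from a test.
// A hardened allocator would abort on FREE_DOUBLE or FREE_UNKNOWN.
enum FreeResult { FREE_OK, FREE_DOUBLE, FREE_UNKNOWN };

static std::map<void *, size_t> live_blocks;   // address -> size, still in use
static std::vector<void *> quarantine;         // freed, but not yet given back to malloc
static const size_t QUARANTINE_LIMIT = 64;     // oldest entry is really freed past this

void *tracked_malloc(size_t n) {
    void *p = std::malloc(n);
    if (p) live_blocks[p] = n;
    return p;
}

FreeResult tracked_free(void *p) {
    if (p == nullptr) return FREE_OK;          // free(NULL) is a no-op; keep that
    if (std::find(quarantine.begin(), quarantine.end(), p) != quarantine.end())
        return FREE_DOUBLE;                    // already freed once: double free
    auto it = live_blocks.find(p);
    if (it == live_blocks.end()) return FREE_UNKNOWN;   // never allocated here
    std::memset(p, 0xDD, it->second);          // poison stale contents
    live_blocks.erase(it);
    quarantine.push_back(p);                   // held back: malloc cannot hand it out
    if (quarantine.size() > QUARANTINE_LIMIT) {
        std::free(quarantine.front());
        quarantine.erase(quarantine.begin());
    }
    return FREE_OK;
}

// The slide's advice as a macro: free, then NULL the pointer variable.
#define FREE_AND_NULL(ptr) do { tracked_free(ptr); (ptr) = nullptr; } while (0)

void release_quarantine() {                    // give everything back at shutdown
    for (void *p : quarantine) std::free(p);
    quarantine.clear();
}

// Replays the double-free slide: R1 freed twice with an R2 allocation in between.
bool double_free_is_detected() {
    const size_t BUFSIZE2 = 32, BUFSIZE1 = 64;              // constructed sizes
    char *buf1r1 = static_cast<char *>(tracked_malloc(BUFSIZE2));
    char *buf2r1 = static_cast<char *>(tracked_malloc(BUFSIZE2));
    tracked_free(buf1r1);
    tracked_free(buf2r1);
    char *buf1r2 = static_cast<char *>(tracked_malloc(BUFSIZE1));
    std::strncpy(buf1r2, "constructed user input", BUFSIZE1 - 1);
    buf1r2[BUFSIZE1 - 1] = '\0';
    FreeResult second = tracked_free(buf2r1);               // the bug: buf2r1 again
    tracked_free(buf1r2);
    return second == FREE_DOUBLE;
}

// Replays the use-after-free slide: after free(buf2r1), the R2 allocations
// must not land in buf2r1's block while it sits in quarantine.
bool freed_block_is_not_reused() {
    const size_t BUFSIZER1 = 64, BUFSIZER2 = 24;            // constructed sizes
    char *buf1r1 = static_cast<char *>(tracked_malloc(BUFSIZER1));
    char *buf2r1 = static_cast<char *>(tracked_malloc(BUFSIZER1));
    tracked_free(buf2r1);
    char *buf2r2 = static_cast<char *>(tracked_malloc(BUFSIZER2));
    char *buf3r2 = static_cast<char *>(tracked_malloc(BUFSIZER2));
    bool distinct = (buf2r2 != buf2r1) && (buf3r2 != buf2r1);
    tracked_free(buf1r1);
    tracked_free(buf2r2);
    tracked_free(buf3r2);
    return distinct;
}

// Slides 13-14: NULLing the pointer turns a second free into a harmless no-op.
bool null_after_free_is_harmless() {
    char *p = static_cast<char *>(tracked_malloc(8));
    FREE_AND_NULL(p);
    return p == nullptr && tracked_free(p) == FREE_OK;
}

int main() {
    std::printf("double free detected:     %s\n", double_free_is_detected() ? "yes" : "no");
    std::printf("freed block not reused:   %s\n", freed_block_is_not_reused() ? "yes" : "no");
    std::printf("NULL after free harmless: %s\n", null_after_free_is_harmless() ? "yes" : "no");
    release_quarantine();
    return 0;
}
```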
Slides 18-20: Type Confusion
- Cause the program to process data of one type when it expects data of another type.
- Provides the same effect as we had with use-after-free, but without the free: it just needs an ambiguous use.
- Where's the error below?

    class Ancestor { public: int x; };
    class Descendant : public Ancestor { public: int y; };

    Ancestor *A = new Ancestor;
    Descendant *D = static_cast<Descendant *>(A);
    D->y = 7;   // not part of the memory referenced by D, which was cast from A

(HexType, Jeon et al., ACM CCS 2017)
Slides 21-22: Type Hierarchies
- C++ allows you to construct type hierarchies.
- Upcast (to a base type) and downcast (to a derived type).
- Which type of cast is safe, and why?
(HexType, Jeon et al., ACM CCS 2017)

Slide 23: Type Confusion Safety
- Upcasts are always safe because they only reduce the type structure; that is, subtypes only extend the structure definitions.
- Thus downcasts (as in the example) and arbitrary casts (that do not follow the hierarchy) are unsafe.
- However, programming environments trust programmers to do the right thing.
Slides 24-26: Type Confusion (Flash)
- Flash is notorious for type confusion vulnerabilities. From reading:

    var filter = new flash.filters.BlurFilter();
    object.filters = [filter];
    flash.filters.BlurFilter = flash.filters.ConvolutionFilter;
    var f = object.filters;
    var d = f[0];

- What does this code do?
  - Creates a BlurFilter and assigns it to object.filters (first two lines).
  - Resets the constructor BlurFilter to ConvolutionFilter (third line).
  - The getter method called here creates a ConvolutionFilter object instead. So what is f?

Slide 27: Type Confusion (Flash)
- So what is f? It can be a lot of things. Two candidate object layouts:

    DisplacementMapFilter        BevelFilter
      <super>                      <super>
      BitmapData *bitmap           int hcolor
      int posx                     int scolor
      int posy                     float blurx
      <internal>                   float blury
                                   int quality

Slide 28: Type Confusion (Flash)
- The attack goal is to modify the vtable in BitmapData (or any object) to control the program's execution.

    BitmapData
      <vtable>
      void *bits

Slide 29: Type Confusion (Flash)
- By accessing the hcolor and scolor fields (which sit at the offsets of the bitmap pointer in the DisplacementMapFilter layout), we can compute the bitmap pointer.

Slide 30: Type Confusion (Flash)
- We can retrieve the vtable by setting the BitmapData address into posx and posy and reading matrix:

    DisplacementMapFilter        ConvolutionFilter
      <super>                      <super>
      BitmapData *bitmap           int matx
      int posx                     int maty
      int posy                     float *matrix
      <internal>                   int quality

Slide 31: Type Confusion (Flash)
- Then the idea is to create a matrix referencing the BitmapData as a vtable of your choice.
Slide 32: Preventing Type Confusion
- Casts may be checked at runtime to verify that they are safe.
- Research project: HexType converts all static checks to runtime checks.
- Is it true that we only want to allow (safe) upcasts if programmers manually create unsafe casts? Or are these just programmer errors?
- Can some forms of downcasts or arbitrary casts be made safe?
- Determining an acceptable policy that balances function and security can be hard.
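The Ancestor/Descendant example from slides 18-20 and the runtime-checked casts discussed above, as an added example that is neither the lecture's nor HexType's code: the same downcast once through static_cast (never refused) and once through a checked_downcast helper built on dynamic_cast (our name; it assumes the hierarchy is made polymorphic so C++ RTTI can identify the real object type).

```cpp
#include <cstdio>

// The slide's hierarchy, made polymorphic (a virtual destructor) so C++ RTTI
// can tell at runtime what an Ancestor* really points to.
struct Ancestor {
    int x = 1;
    virtual ~Ancestor() = default;
};
struct Descendant : Ancestor {
    int y = 2;
};

// Runtime-checked downcast: yields nullptr when *p is not actually a To.
template <typename To, typename From>
To *checked_downcast(From *p) {
    return dynamic_cast<To *>(p);
}

// Unchecked version of the slide's code. static_cast never refuses, so D
// "points to" a Descendant even though only an Ancestor was allocated; the
// slide's write D->y = 7 would land past the end of that object.
bool unchecked_downcast_accepts_wrong_type() {
    Ancestor *A = new Ancestor;
    Descendant *D = static_cast<Descendant *>(A);
    bool accepted = (D != nullptr);   // nothing about D reveals the mismatch
    delete A;
    return accepted;
}

// The same cast with the runtime check: refused, so D->y is never reached.
bool checked_downcast_rejects_wrong_type() {
    Ancestor *A = new Ancestor;
    Descendant *D = checked_downcast<Descendant>(A);
    bool rejected = (D == nullptr);
    delete A;
    return rejected;
}

// When the object really is a Descendant, the check passes and the write to y
// stays inside the object.
int checked_downcast_allows_right_type() {
    Ancestor *A = new Descendant;
    int y = -1;
    if (Descendant *D = checked_downcast<Descendant>(A)) {
        D->y = 7;
        y = D->y;
    }
    delete A;
    return y;   // 7
}

// Upcasts need no check (slide 23): a Descendant always contains an Ancestor.
int upcast_needs_no_check() {
    Descendant d;
    Ancestor *A = &d;   // implicit, always valid
    return A->x;        // 1
}

int main() {
    std::printf("static_cast accepts Ancestor as Descendant: %d\n",
                unchecked_downcast_accepts_wrong_type() ? 1 : 0);
    std::printf("checked cast rejects it:                   %d\n",
                checked_downcast_rejects_wrong_type() ? 1 : 0);
    std::printf("checked cast on a real Descendant, y = %d\n",
                checked_downcast_allows_right_type());
    std::printf("upcast x = %d\n", upcast_needs_no_check());
    return 0;
}
```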
Slides 33-34: Format String Vulnerabilities
- Who uses printf in their programs?

    printf("This class is %s\n", string);

- In some cases, printf can be exploited.
- printf takes a format string and an arbitrary number of subsequent arguments.
  - The format string determines what to print, including a set of format parameters.
  - The arguments supply input for the format parameters, which may be values (e.g., %d) or references (e.g., %s).
  - One argument for each format parameter.

Slides 35-36: Format String Vulnerabilities
- As usual, arguments are retrieved from the stack. What happens when the following is done?

    printf("%s%s%s%s");

- Traditionally, compilers did not check for a match between the arguments and the format string (they do now).
- So printf would print strings using the next four values on the stack as string addresses, whatever they are.

Slide 37: Printf and the Stack
- Stack layout for the call: address of the format string, then Arg 1, Arg 2, Arg 3.
- Remember, these are parameters to a function call, so the function expects them on the stack.
- printf will just start reading whatever is above the format string address.

Slides 38-40: Format String Vulnerabilities
- What happens when the following is done?

    printf(arg);

- printf can take a variable as an argument, which is treated as the format string.
- If an adversary can control this argument and put values on the stack, they can direct printf to access that memory (e.g., with %s%s%s).
- An interesting format parameter type: %n. A %n in the format string tells printf to write the number of bytes written so far by the format string processing to the address given by the corresponding argument.

Slide 41: Printf and the Stack
- Suppose the format string generates an adversary-controlled number of bytes, and the adversary controls Arg 1 to Arg 3 on the stack.
- The adversary can control the number of bytes generated by the format string with Arg 1 and Arg 2.
- The adversary can direct where to write that number (of bytes) using %n with the address at Arg 3.

Slide 42: Printf-oriented Programming
- If the program has a loop that calls printf under adversary control, an adversary can supply inputs to write to any memory address, over and over, to control the execution of the program arbitrarily (Turing complete).

Slide 43: Prevent Format String Vulnerabilities
- Preventing format string vulnerabilities means limiting the ability of adversaries to control the format string:
  - Hard-coded strings with no arguments when you can.
  - Hard-coded format strings at least: no printf(arg).
  - Do not use %n.
  - Be careful with other references: %s and sprintf can be used to create disclosure attacks.
  - Compiler support to match printf arguments with the format string.
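The prevention policy from slide 43 and the %s%s%s%s / %n behaviour from slides 35-40, as an added example that is not part of the lecture: a one-pass checker (inspect_format and format_is_safe_for are our names) that counts how many arguments a printf-style string would consume and flags %n, positional %N$ specifiers and truncated conversions, so a program can refuse to use an untrusted string as a format at all.

```cpp
#include <cstdio>
#include <cstring>

// What an untrusted string would make printf do, gathered by one pass over it.
struct FormatReport {
    int conversions = 0;        // arguments the string would pull off the stack
    bool writes_memory = false; // contains %n
    bool positional = false;    // uses %N$..., which can reach any argument slot
    bool malformed = false;     // ends in the middle of a conversion
};

// Walks printf-style conversions: "%%" prints a literal percent, a "*" width
// or precision consumes an argument of its own, and the final conversion
// character consumes one more.
FormatReport inspect_format(const char *fmt) {
    FormatReport r;
    const char *p = fmt;
    while (*p) {
        if (*p++ != '%') continue;                 // ordinary text
        if (*p == '%') { ++p; continue; }          // "%%": literal percent
        // flags, width, precision, length modifiers (and "$" for positional)
        while (*p && std::strchr("-+ #0123456789.*hlLqjzt$'", *p)) {
            if (*p == '*') ++r.conversions;        // "*" takes an int argument
            if (*p == '$') r.positional = true;
            ++p;
        }
        if (!*p) { r.malformed = true; break; }    // "%" with nothing after it
        if (*p == 'n') r.writes_memory = true;     // the write-what-where primitive
        ++r.conversions;                           // the conversion itself
        ++p;
    }
    return r;
}

// Policy from slide 43: a string may only be used as a format if it cannot
// write memory, cannot index arguments, is well formed, and asks for no more
// arguments than the call site actually passes.
bool format_is_safe_for(const char *fmt, int args_supplied) {
    FormatReport r = inspect_format(fmt);
    return !r.writes_memory && !r.positional && !r.malformed &&
           r.conversions <= args_supplied;
}

int main() {
    // Constructed samples: the slides' own strings plus a couple of edge cases.
    const char *samples[] = {"This class is %s", "%s%s%s%s", "%x%x%x%n",
                             "100%% done", "%*d"};
    for (const char *s : samples) {
        FormatReport r = inspect_format(s);
        std::printf("%-18s conversions=%d writes_memory=%d safe_with_1_arg=%d\n",
                    s, r.conversions, r.writes_memory ? 1 : 0,
                    format_is_safe_for(s, 1) ? 1 : 0);
    }
    return 0;
}
```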
Slide 44: Take Away
- There are other ways to implement powerful attacks besides overflow vulnerabilities.
- We examined a few of the common ones: use-after-free and double-free, type confusion, and format string vulnerabilities.
- Each is capable of implementing write-what-where attacks that give an adversary arbitrary control of memory.
- We will want to prevent these vulnerabilities.
More informationWeek 5, continued. This is CS50. Harvard University. Fall Cheng Gong
This is CS50. Harvard University. Fall 2014. Cheng Gong Table of Contents News... 1 Buffer Overflow... 1 Malloc... 6 Linked Lists... 7 Searching... 13 Inserting... 16 Removing... 19 News Good news everyone!
More informationBuffer overflow prevention, and other attacks
Buffer prevention, and other attacks Comp Sci 3600 Security Outline 1 2 Two approaches to buffer defense Aim to harden programs to resist attacks in new programs Run time Aim to detect and abort attacks
More informationCSE 431S Type Checking. Washington University Spring 2013
CSE 431S Type Checking Washington University Spring 2013 Type Checking When are types checked? Statically at compile time Compiler does type checking during compilation Ideally eliminate runtime checks
More informationProcess s Address Space. Dynamic Memory. Backing the Heap. Dynamic memory allocation 3/29/2013. When a process starts the heap is empty
/9/01 Process s Address Space Dynamic Memory 0x7fffffff Stack Data (Heap) Data (Heap) 0 Text (Code) Backing the Heap When a process starts the heap is empty The process is responsible for requesting memory
More informationFinal CSE 131B Spring 2004
Login name Signature Name Student ID Final CSE 131B Spring 2004 Page 1 Page 2 Page 3 Page 4 Page 5 Page 6 Page 7 Page 8 (25 points) (24 points) (32 points) (24 points) (28 points) (26 points) (22 points)
More informationSoftware Vulnerabilities. Jeff Foster University of Maryland, College Park
Software Vulnerabilities Jeff Foster University of Maryland, College Park When is a Program Secure? When it does exactly what it should! But what is it supposed to do? - Someone tells us (do we trust them?)
More informationBuffer overflow background
and heap buffer background Comp Sci 3600 Security Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap Address Space and heap buffer
More informationDepartment of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall 2011.
Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY 6.858 Fall 2011 Quiz I: Solutions Please do not write in the boxes below. I (xx/20) II (xx/10) III (xx/16)
More informationLecture 2, September 4
Lecture 2, September 4 Intro to C/C++ Instructor: Prashant Shenoy, TA: Shashi Singh 1 Introduction C++ is an object-oriented language and is one of the most frequently used languages for development due
More informationFinal CSE 131B Winter 2003
Login name Signature Name Student ID Final CSE 131B Winter 2003 Page 1 Page 2 Page 3 Page 4 Page 5 Page 6 Page 7 Page 8 _ (20 points) _ (25 points) _ (21 points) _ (40 points) _ (30 points) _ (25 points)
More informationProject 1 Buffer Overflow
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Project 1 Buffer Overflow
More informationCMPSC 497 Attack Surface
Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Attack Surface
More informationCSE 303: Concepts and Tools for Software Development
CSE 303: Concepts and Tools for Software Development Hal Perkins Winter 2009 Lecture 7 Introduction to C: The C-Level of Abstraction CSE 303 Winter 2009, Lecture 7 1 Welcome to C Compared to Java, in rough
More informationIdentifying Memory Corruption Bugs with Compiler Instrumentations. 이병영 ( 조지아공과대학교
Identifying Memory Corruption Bugs with Compiler Instrumentations 이병영 ( 조지아공과대학교 ) blee@gatech.edu @POC2014 How to find bugs Source code auditing Fuzzing Source Code Auditing Focusing on specific vulnerability
More informationSo far, system calls have had easy syntax. Integer, character string, and structure arguments.
Pointers Page 1 So far, system calls have had easy syntax Wednesday, September 30, 2015 10:45 AM Integer, character string, and structure arguments. But this is not always true. Today, we begin to explore
More informationArrays and Memory Management
Arrays and Memory Management 1 Pointing to Different Size Objects Modern machines are byte-addressable Hardware s memory composed of 8-bit storage cells, each has a unique address A C pointer is just abstracted
More informationFinal CSE 131B Spring 2005
Login name Signature Name Student ID Final CSE 131B Spring 2005 Page 1 Page 2 Page 3 Page 4 Page 5 Page 6 Page 7 Page 8 (27 points) (24 points) (32 points) (24 points) (32 points) (26 points) (31 points)
More informationLecture 08 Control-flow Hijacking Defenses
Lecture 08 Control-flow Hijacking Defenses Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Slides adapted from Miller, Bailey, and Brumley Control Flow Hijack: Always control + computation
More informationBypassing Browser Memory Protections
Bypassing Browser Memory Protections Network Security Instructor: Dr. Shishir Nagaraja September 10, 2011. 1 Introduction to the topic A number of memory protection mechanisms like GS, SafeSEH, DEP and
More informationOutline. Java Models for variables Types and type checking, type safety Interpretation vs. compilation. Reasoning about code. CSCI 2600 Spring
Java Outline Java Models for variables Types and type checking, type safety Interpretation vs. compilation Reasoning about code CSCI 2600 Spring 2017 2 Java Java is a successor to a number of languages,
More informationBeyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus(MSR) and Brandon Baker (MS) Buffer Overflows and How they Occur Buffer is a contiguous segment of memory of a fixed
More informationOutline. Lecture 1 C primer What we will cover. If-statements and blocks in Python and C. Operators in Python and C
Lecture 1 C primer What we will cover A crash course in the basics of C You should read the K&R C book for lots more details Various details will be exemplified later in the course Outline Overview comparison
More informationCS107 Handout 37 Spring 2007 May 25, 2007 Introduction to Inheritance
CS107 Handout 37 Spring 2007 May 25, 2007 Introduction to Inheritance Handout written by Julie Zelenski, updated by Jerry. Inheritance is a language property most gracefully supported by the object-oriented
More informationChapter 1 Getting Started
Chapter 1 Getting Started The C# class Just like all object oriented programming languages, C# supports the concept of a class. A class is a little like a data structure in that it aggregates different
More informationC++ Crash Kurs. Polymorphism. Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck
C++ Crash Kurs Polymorphism Dr. Dennis Pfisterer Institut für Telematik, Universität zu Lübeck http://www.itm.uni-luebeck.de/people/pfisterer C++ Polymorphism Major abstractions of C++ Data abstraction
More informationCS 392/681 Lab 6 Experiencing Buffer Overflows and Format String Vulnerabilities
CS 392/681 Lab 6 Experiencing Buffer Overflows and Format String Vulnerabilities Given: November 13, 2003 Due: November 20, 2003 1 Motivation Buffer overflows and format string vulnerabilities are widespread
More informationTDDB68. Lesson 1. Simon Ståhlberg
TDDB68 Lesson 1 Simon Ståhlberg Contents General information about the labs Overview of the labs Memory layout of C programs ("Lab 00") General information about Pintos System calls Lab 1 Debugging Administration
More information