Buffer overflow background

Transcription

1 and heap buffer background Comp Sci 3600 Security Heap

2 Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap

3 Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap

4 Address Space and heap buffer Every program needs to access memory in order to run For simplicity sake, it would be nice to allow each process (i.e., each executing program) to act as if it owns all of memory The address space model is used to accomplish this Each process can allocate space anywhere it wants in memory Most kernels manage each process allocation of memory through the virtual memory model How the memory is managed is irrelevant to the process Heap

5 Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap

6 Mapping virtual addresses to real addresses and heap buffer Heap

7 and heap buffer Heap Maps memory addresses used by a program, called virtual addresses, into physical addresses in computer memory. Main storage, as seen by a process or task, appears as a contiguous address space or collection of contiguous segments. The operating system manages virtual address spaces and the assignment of real memory to virtual memory. Address translation hardware in the CPU, often referred to as a memory management unit or MMU, automatically translates virtual addresses to physical addresses. Primary benefits of virtual memory include freeing applications from having to manage a shared memory space, increased security due to memory isolation, and being able to conceptually use more memory than might be physically available, using the technique of paging.

8 Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap

9 and heap buffer Heap

10 and heap buffer Text: machine code of the program, compiled from the source code Data: static program variables initialized in the source code prior to execution BSS (block started by symbol): static variables that are uninitialized Heap: data dynamically generated during the execution of a process : structure that grows downwards and keeps track of the activated method calls, their arguments and local variables Heap

11 and heap buffer Heap

12 Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap

13 growing downward here and heap buffer Heap

14 Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap

15 grows down, heap grows up and heap Program File Global Data Process image in main memory Kernel Code and Data Spare Heap Global Data Top of buffer Program Machine Code Program Machine Code Heap Process Control Block Bottom of

16 Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap

17 Each frame on the stack: and heap P: Return Addr Old Pointer param 2 param 1 Q: Return Addr in P Old Pointer local 1 Pointer buffer local 2 Pointer Heap

18 Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap

19 Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap

20 What is an Exploit? and heap buffer An exploit is any input (i.e., a piece of software, an argument string, or sequence of commands) that takes advantage of a bug, glitch or vulnerability in order to cause an attack An attack is an unintended or unanticipated behavior that occurs on computer software, hardware, or something electronic and that brings an advantage to the attacker Heap

21 Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap

22 Overflow Attack and heap buffer One of the most common OS bugs is a buffer The developer fails to include code that checks whether an input string fits into its buffer array An input to the running process exceeds the length of the buffer The input string overwrites a portion of the memory of the process Causes the application to behave improperly and unexpectedly Effect of a buffer The process can operate on malicious data or execute malicious code passed in by the attacker If the process is executed as root, the malicious code will be executing with root privileges Heap

23 Overflow and heap buffer A very common attack mechanism First widely used by the Morris Worm in 1988 Prevention techniques known Still of major concern Legacy of buggy code in widely deployed operating systems and applications Continued careless programming practices by programmers Heap

24 Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap

25 attack history and heap buffer Still quite common due to legacy code in C/C++ Heap

26 Overflow/ Overrun and heap buffer A buffer, also known as a buffer overrun, is defined in the NIST Glossary of Key Information Security Terms as follows: A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system. Heap

27 Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap

28 Overflow and heap buffer error when a process attempts to store data beyond the limits of a fixed-sized buffer Overwrites adjacent memory locations Locations could hold other program variables, parameters, or program control flow data could be located on the stack, in the heap, or in the data section of the process Consequences: Corruption of program data, Unexpected transfer of control, access violations, Execution of code chosen by attacker Heap

29 Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap

30 Contiguous memory in C and heap buffer char A [ 8 ] = ; unsigned short B = 1979; Heap

31 Contiguous memory in C and heap buffer Unsafe: s t r c p y (A, e x c e s s i v e ) ; Safe: To prevent the buffer from happening in this, the call to strcpy could be replaced with strncpy, which takes the maximum capacity of A as an additional parameter and ensures that no more than this amount of data is written to A: s t r n c p y (A, e x c e s s i v e, s i z e o f (A ) ) ; Heap

32 Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap

33 and heap buffer Function strcpy() copies the string in the second argument into the first argument e.g., strcpy(dest, src) If source string destination string, the characters may occupy the memory space used by other variables The null character is appended at the end automatically Function copies the string by specifying the number n of characters to copy e.g., strncpy(dest, src, n); dest[n] = \0 If source string is longer than the destination string, the characters are discarded automatically You have to place the null character manually Heap

34 Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap

35 Overflow and heap buffer To exploit a buffer an attacker needs: To identify a buffer vulnerability in some program that can be triggered using externally sourced data under the attacker s control To understand how that buffer is stored in memory and determine potential for corruption Identifying vulnerable programs can be done by: Inspection of program source Tracing the execution of programs as they process oversized input Using tools such as fuzzing to automatically identify potentially vulnerable programs Heap

36 Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap

37 Language and heap buffer At the machine level data manipulated by machine instructions executed by the computer processor are stored in either the processor s registers or in memory Assembly programmer is responsible for the correct interpretation of any saved data value Modern high-level s have a strong notion of type and valid operations; Not vulnerable to buffer s; Does incur overhead, some limits on use C and related s have high-level control structures, but allow direct access to memory; Hence are vulnerable to buffer ; Have a large legacy of widely used, unsafe, and hence vulnerable code Heap

38 and heap buffer Heap

39 Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap

40 buffer and heap buffer Heap buffer or stack buffer overrun occurs when a program writes to a memory address on the program s call stack outside of the intended data structure, which is usually a fixed-length buffer. A program writes more data to a buffer located on the stack than what is actually allocated for that buffer. This almost always results in corruption of adjacent data on the stack, and in cases where the was triggered by mistake, will often cause the program to crash or operate incorrectly. buffer is a type of the more general programming malfunction known as buffer (or buffer overrun). Overfilling a buffer on the stack is more likely to derail program execution than overfilling a buffer on the heap because the stack contains the return addresses for all active function calls.

41 Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap

42 buffer vulnerability in C and heap buffer Heap #i n clude <s t r i n g. h> void foo ( char bar ) { char c [ 1 2 ] ; } s t r c p y ( c, bar ) ; // no bounds c h e c k i n g i n t main ( i n t argc, char argv ) { foo ( argv [ 1 ] ) ; } return 0 ;

43 buffer vulnerability in C and heap buffer Heap The previous code takes an argument from the command line and copies it to a local stack variable c. This works fine for command line arguments smaller than 12 characters (as you can see in figure B below). Any arguments larger than 11 characters long will result in corruption of the stack. The maximum number of characters that is safe is one less than the size of the buffer here because in the C programming strings are terminated by a zero byte character. A twelve-character input thus requires thirteen bytes to store, the input followed by the sentinel zero byte. The zero byte then ends up overwriting a memory location that s one byte beyond the end of the buffer.

44 buffer vulnerability and heap buffer Before data is copied Heap

45 buffer vulnerability and heap buffer Hello is the first command line argument Heap

46 buffer vulnerability and heap buffer AAAAAAAAAAAAAAAAAAAA \x08 \x35 \xc0 \x80 is the first command line argument (address of what?) Heap

47 Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap

48 attack and heap buffer Heap

49 attack and heap buffer Heap

50 Password and heap buffer buffer.cpp uploaded Heap

51 Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap

52 Injection and heap buffer An exploit takes control of attacked computer so injects code to spawn a shell or shellcode A shellcode is: Code assembled in the CPU s native instruction set (e.g. x86, x86-64, arm, sparc, risc, etc.) Injected as a part of the buffer that is ed. We inject the code directly into the buffer that we send for the attack A buffer containing shellcode is a payload Heap

53 and heap buffer Code supplied by attacker Often saved in buffer being ed Traditionally transferred control to a user command-line interpreter (shell) Machine code Specific to processor and operating system Traditionally needed good assembly skills to create More recently a number of sites and tools have been developed that automate this process Metasploit Project Provides useful information to people who perform penetration, IDS signature development, and exploit research Heap

54 Overflow and heap buffer Variants A trusted system utility Network service daemon Commonly used library code functions Launch a remote shell when connected to Create a reverse shell that connects back to the hacker Use local exploits that establish a shell Flush firewall rules that currently block other attacks Break out of a chroot (restricted execution) environment, giving full access to the system Heap

55 Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap

56 Two approaches to buffer defense and heap buffer Compile time Aim to harden programs to resist attacks in new programs Run time Aim to detect and abort attacks in existing programs Heap

57 Compile-Time : Language and heap buffer Use a modern high-level (python, java, rust, ruby, etc) Not vulnerable to buffer attacks Compiler enforces range checks and permissible operations on variables Disadvantages Additional code must be executed at run time to impose checks Flexibility and safety comes at a cost in resource use Distance from the underlying machine and architecture means that access to some instructions and hardware resources is lost Limits their usefulness in writing code, such as device drivers, that must interact with such resources Heap

58 Compile-Time : Safe Coding Techniques and heap buffer C designers placed much more emphasis on space efficiency and performance considerations than on type safety Assumed programmers would exercise due care in writing code Programmers need to inspect the code and rewrite any unsafe coding. An of this is the OpenBSD project, where programmers have audited the existing code base, including the operating system, standard libraries, and common utilities, and this has resulted in what is widely regarded as one of the safest operating systems in widespread use Heap

59 Run-time defenses and heap buffer Will discuss more next time Heap

60 Outline and heap buffer Heap 1 and heap 2 3 buffer 4 5 Heap

61 Heap and heap buffer Attack buffer located in heap Typically located above program code is requested by programs to use in dynamic data structures (such as linked lists of records) No return address Hence no easy transfer of control May have function pointers can exploit Or manipulate management data structures Making the heap non-executable Randomizing the allocation of memory on the heap Heap