Stack Overflow COMP620

Similar documents
Stack Overflow. Faculty Workshop on Cyber Security May 23, 2012

Basic Buffer Overflows

Offensive Security My First Buffer Overflow: Tutorial

Buffer overflow prevention, and other attacks

CMPSC 497 Buffer Overflow Vulnerabilities

Buffer overflow background

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Lecture 4 September Required reading materials for this class

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

CSE 565 Computer Security Fall 2018

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Program Security and Vulnerabilities Class 2

Dnmaloc: a more secure memory allocator

Buffer-Overflow Attacks on the Stack

Control Flow Hijacking Attacks. Prof. Dr. Michael Backes

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

Buffer Overflows Defending against arbitrary code insertion and execution

Is stack overflow still a problem?

Software Security: Buffer Overflow Attacks (continued)

Is Exploitation Over? Bypassing Memory Protections in Windows 7

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

Lecture 1: Buffer Overflows

Buffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers.

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

Secure Programming I. Steven M. Bellovin September 28,

Week 5, continued. This is CS50. Harvard University. Fall Cheng Gong

Buffer Overflow Attacks

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Why bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions?

Security Coding Module - Buffer Overflow Data Gone Wild CS1

Runtime Defenses against Memory Corruption

Buffer-Overflow Attacks on the Stack

ENEE 457: Computer Systems Security. Lecture 16 Buffer Overflow Attacks

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

20: Exploits and Containment

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

Lecture 08 Control-flow Hijacking Defenses

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

Why bother? Default configurations Buffer overflows Authentication mechanisms Reverse engineering Questions?

Secure Coding Techniques

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG

Secure Software Development: Theory and Practice

Software Security: Buffer Overflow Defenses

BUFFER OVERFLOW. Jo, Heeseung

Buffer Overflow. Jo, Heeseung

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

CS 161 Computer Security

Buffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

ELEC / COMP 177 Fall Some slides from Kurose and Ross, Computer Networking, 5 th Edition

Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Review

Buffer Overflow Attacks

Heap Arrays. Steven R. Bagley

Modern Buffer Overflow Prevention Techniques: How they work and why they don t

We will focus on Buffer overflow attacks SQL injections. See book for other examples

Buffer Overflow Vulnerability

CSC 252: Computer Organization Spring 2018: Lecture 9

Exercise: Using Numbers

Hands-on Ethical Hacking: Preventing & Writing Buffer Overflow Exploits

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

Buffer overflows. Specific topics:

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

MIPS Functions and Instruction Formats

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

Machine-Level Programming V: Buffer overflow

Software Security: Buffer Overflow Attacks

SA30228 / CVE

Lecture Notes for 04/04/06: UNTRUSTED CODE Fatima Zarinni.

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM

CSE 509: Computer Security

CSCE 548 Building Secure Software Integers & Integer-related Attacks & Format String Attacks. Professor Lisa Luo Spring 2018

Reserve Engineering & Buffer Overflow Attacks. Tom Chothia Computer Security, Lecture 17

Foundations of Network and Computer Security

SA31675 / CVE

Software Security Buffer Overflows more countermeasures. Erik Poll. Digital Security Radboud University Nijmegen

Quiz 0 Review Session. October 13th, 2014

System Security Class Notes 09/23/2013

Buffer Overflow attack avoiding Signature free technique

Inject malicious code Call any library functions Modify the original code

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

Intrusion Detection and Malware Analysis

Exploits and gdb. Tutorial 5

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

typedef void (*type_fp)(void); int a(char *s) { type_fp hf = (type_fp)(&happy_function); char buf[16]; strncpy(buf, s, 18); (*hf)(); return 0; }

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures)

CS356: Discussion #6 Assembly Procedures and Arrays. Marco Paolieri

Lecture Notes on Memory Layout

Università Ca Foscari Venezia

Buffer Overflow Attack (AskCypert CLaaS)

C Programming. Course Outline. C Programming. Code: MBD101. Duration: 10 Hours. Prerequisites:

EURECOM 6/2/2012 SYSTEM SECURITY Σ

Transcription:

Stack Overflow COMP620

There are two kinds of people in America today: those who have experienced a foreign cyber attack and know it, and those who have experienced a foreign cyber attack and don t know it. Frank Wolf

National Cyber Alert System Technical Cyber Security Alert TA09-161A Adobe Acrobat and Reader Vulnerabilities Original release date: June 10, 2009 Last revised: -- Source: US-CERT Systems Affected * Adobe Reader versions 9.1.1 and earlier * Adobe Acrobat versions 9.1.1 and earlier Overview Adobe has released Security Bulletin APSB09-07, which describes several buffer overflow vulnerabilities that could allow a remote attacker to execute arbitrary code.

Buffer Overflows Are the Major Threat Buffer overflows are the greatest security vulnerability When a security alert contains the phrase The most severe of these vulnerabilities allows a remote attacker to execute arbitrary code., the underlying problem is probably a buffer overflow The Morris worm (the first Internet worm) spread in part by exploiting a stack buffer overflow in the Unix finger server Many students do not know what they are

Critical Vulnerabilities source: Yves Younan, 25 Years of Vulnerabilities: 1988-2012

Vulnerabilities by Year source: Yves Younan, 25 Years of Vulnerabilities: 1988-2012

What will this C++ program do? void examplefunc() { int stuff = 0; } char info[4]; int i; for (i = 0; i < 7; i++){ info[i] = stuff++; } A. Compiler Error B. Run time buffer overflow error C. Corrupt data D. Data execute exception

Basic Buffer Overflow boolean rootpriv = false; char name[8]; cin >> name; When the program reads the name Smith S m i t h false char name[8] rootpriv

Basic Buffer Overflow boolean rootpriv = false; char name[8]; cin >> name; When the program reads the name Armstrong A r m s t r o n g char name[8] rootpriv

Stack Overflow A stack overflow exploit occurs when a user enters data that exceeds the memory reserved for the input The input can change adjacent data or the return address on the stack char mystuff[4]; W X Y Z 0 0 0 0 Return address Program Stack

The Other Stack Overflow The phrase Stack Overflow also applies to programs whose stack grows to exceed the available memory These stack overflows are often generated by runaway recursion or allocated large data structures on the stack This form of stack overflow is not usually the result of a malicious attack This is a problem for another day

Program Memory Organization Heap Stack Global data Intel method Program instructions

Byte Ordering Some systems store the least significant byte first (Little Endian). Others store the most significant byte first (Big Endian) The decimal number 258 (0100000010 2 ) would be stored in as a 32 bit binary number Big Endian 00000000 00000000 00000001 00000010 byte 0 byte 1 byte 2 byte 3 Little Endian (Intel processor) 00000010 00000001 00000000 00000000 byte 0 byte 1 byte 2 byte 3

Stack Review Consider the function void thefunc( float &dog, int cat ){ } char cow[4]; that is called by the main program int bass = 5; float carp = 7.0; float *trout = &carp; thefunc( trout, bass );

Stack for Call push bass 5 (value of bass) thefunc( trout, bass );

Stack for Call push bass push trout 5 (value of bass) address of carp thefunc( trout, bass );

Stack for Call push bass push trout push return address 5 (value of bass) address of carp return address thefunc( trout, bass );

Stack for Call push bass push trout push return address push frame pointer 5 (value of bass) address of carp return address Addr of last frame thefunc( trout, bass );

Stack for Call push bass push trout push return address push frame pointer Allocate space for local variable, cow[4] 5 (value of bass) address of carp return address Addr of last frame cow[4] thefunc( trout, bass );

Overflowing Local Variables On an Intel processor (and many others) the stack is extended to lower addresses If you address beyond a local variable, you will overwrite the return address. 5 (value of bass) address of carp return address Addr of last frame cow[4]

Hacking the Stack If a program does not properly check array bounds, it may be possible to give the program specially crafted input that overwrites the return address with a binary value cow[8] to cow[11] are the return address 5 (value of bass) address of carp return address Addr of last frame cow[4]

Hacking the Stack If a program does not properly check array bounds, it may be possible to give the program specially crafted input that overwrites the return address with a binary value 5 (value of bass) address of carp return addr=? Frame ptr = wxyz cow[4]= abcd The return address can be changed to the address of a function in the program Function parameters can also be put on the stack

Loading Malicious Code A long input to a short buffer might also contain binary machine language The return address can be overwritten to cause the program to jump to the newly loaded machine language when it returns

What is the most evil thing a stack overflow exploit can do? A. Change the return address to call some function B. Load binary machine language C. Crash the program D. Alter data

Research Paper Your research paper is due by 11:00am on Wednesday Technical requirements 3 5 pages in length single spaced or space and a half 12 point font with one inch margins on all sides in Microsoft Word or PDF format

Research Paper The paper MUST be your opinion on the topic Your opinion must be backed up with facts At least 4 reliable references Other references are allowed

Plagiarism Whenever you use the ideas of another, you must cite the source Direct quotes must be quoted Beware of citations in quotes Whenever you use another s idea, indicate the source John Doe [4] says this is ridiculous.

Preventing Stack Overflow Exploits Better software engineering Avoid dangerous functions Language choice Compiler tools (Stack Guard) Analysis tools Execution Prevention Randomize stack location

You are the cause It s All About You As a programmer, insecure code that you may write can leave users vulnerable to attack You are the solution By writing secure code, you can protect users from attack

Stack Canaries A stack canary is a random number placed on the stack between the user data and the return address Overflowing the local variable and changing the return address will also change the stack canary Before returning, the program checks the canary value 5 (value of bass) address of carp return address Addr of last frame Stack canary cow[4]

Data Execution Prevention Most newer processors have a bit in the page table that inhibits instruction fetches from that page Operating systems can set data execution prevention for stacks This prevents the program from executing machine language loaded on the stack by an exploit This does not prevent programs from overwriting the return address

Random Stack Location Microsoft Windows locates a programs stack at a random address since Windows Vista Each time the program is executed, the stack is at a different address Hackers cannot learn stack addresses from a previous execution of the program

Real Overflow Attack A handout gives step-by-step instructions on how to perform a real stack overflow This attack puts machine language on the stack to print your name The exercise uses a virtual machine running Windows XP

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback