Buffer Overflows. Buffers. Administrative. COMP 435 Fall 2017 Prof. Cynthia Sturton. Buffers

Similar documents
Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

Software Security II: Memory Errors - Attacks & Defenses

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

CMPSC 497 Buffer Overflow Vulnerabilities

Secure Programming I. Steven M. Bellovin September 28,

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM

Lecture 4 September Required reading materials for this class

CSE 565 Computer Security Fall 2018

Buffer overflow background

UMSSIA LECTURE I: SOFTWARE SECURITY

Lecture 1: Buffer Overflows

Topics in Software Security Vulnerability

C Characters and Strings

Secure Software Development: Theory and Practice

ECS 153 Discussion Section. April 6, 2015

CMSC 414 Computer and Network Security

We will focus on Buffer overflow attacks SQL injections. See book for other examples

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

Buffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers.

Exploits and gdb. Tutorial 5

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Software and Web Security 1. Root Cause Analysis. Abstractions Assumptions Trust. sws1 1

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

EURECOM 6/2/2012 SYSTEM SECURITY Σ

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Module: Safe Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CS 222: Pointers and Manual Memory Management

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Announcements. assign0 due tonight. Labs start this week. No late submissions. Very helpful for assign1

CSE 565 Computer Security Fall 2018

CS 161 Computer Security

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Review

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

Software Security Buffer Overflows more countermeasures. Erik Poll. Digital Security Radboud University Nijmegen

CS 161 Computer Security

Buffer overflow prevention, and other attacks

Black Hat Webcast Series. C/C++ AppSec in 2014

Language Security. Lecture 40

Software Security: Buffer Overflow Defenses

On The Effectiveness of Address-Space Randomization. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004

Architecture-level Security Vulnerabilities

Buffer Overflow Attacks

Machine-Level Programming V: Unions and Memory layout

CSCE 548 Building Secure Software Integers & Integer-related Attacks & Format String Attacks. Professor Lisa Luo Spring 2018

CS 361S - Network Security and Privacy Spring Homework #2

COMP3441 Lecture 7: Software Vulnerabilities

EE 355 Lab 4 - Party Like A Char Star

Lec06: DEP and ASLR. Taesoo Kim

Lecture 05 Integer overflow. Stephen Checkoway University of Illinois at Chicago

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Create a Program in C (Last Class)

Basic Buffer Overflows

Memory Safety (cont d) Software Security

Lecture 08 Control-flow Hijacking Defenses

Memory corruption countermeasures

Program Security and Vulnerabilities Class 2

in memory: an evolution of attacks Mathias Payer Purdue University

Reserve Engineering & Buffer Overflow Attacks. Tom Chothia Computer Security, Lecture 17

Code Injection Attacks Buffer Overflows

C and C++ Secure Coding 4-day course. Syllabus

One-Slide Summary. Lecture Outline. Language Security

Overflows, Injection, & Memory Safety

Fundamentals of Computer Security

Secure Systems Engineering

Secure Programming. Buffer Overflows Learning objectives. Type. 3 Buffer Overflows. 4 An Important Vulnerability. 5 Example Overflow

EURECOM 6/2/2012 SYSTEM SECURITY Σ

CS 103 Lab 6 - Party Like A Char Star

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

ENEE 457: Computer Systems Security. Lecture 16 Buffer Overflow Attacks

Architecture-level Security Vulnerabilities. Julian Stecklina

Stack Overflow COMP620

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

CSC 252: Computer Organization Spring 2018: Lecture 9

Lecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall Nitesh Saxena

(Early) Memory Corruption Attacks

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

CMPSC 497: Midterm Review

New York University CSCI-UA : Advanced Computer Systems: Spring 2016 Midterm Exam

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Software Security Buffer Overflows more countermeasures. Erik Poll. Digital Security Radboud University Nijmegen

A program execution is memory safe so long as memory access errors never occur:

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Secure Coding Techniques

Control Flow Hijacking Attacks. Prof. Dr. Michael Backes

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

Buffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

Recitation: C Review. TA s 20 Feb 2017

CprE 288 Introduction to Embedded Systems Exam 1 Review. 1

Limitations of the stack

Heartbleed Attack Lab

Secure Programming. An introduction to Splint. Informatics and Mathematical Modelling Technical University of Denmark E

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures)

Software Security: Buffer Overflow Attacks

Protection and Security

CIS 4360 Secure Computer Systems. Buffer Overflows

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Transcription:

dministrative Buffer Overflows COMP 435 Fall 2017 Prof. Cynthia Sturton Exam Mon., Nov. 6 Covers material since last exam, including today s lecture Review in OH Fri., Nov. 3, 10-12 FB 354 Poster group info due tomorrow (or lose points!) Group sign-up using google form OR Email instr-435-cs@cs.unc.edu to be grouped ssignment 3 due Wed., Nov. 8 Can work on it after the exam New this time: Sakai will stay open for resubmissions 2 Buffers Buffers char sample[10]; int i; for (i=0; i<=9; i++) sample[i] = ; 0 1 2 3 4 5 6 7 8 9 3 4

Buffers Buffers in Memory char sample[10]; int i; for (i=0; i<=9; i++) sample[i] = ; sample[10] = B ;? 0 1 2 3 4 5 6 7 8 9... 0x00...0001 0x00...0000 5 6 Buffers in Memory Terminology B... 0x00...0001 0x00...0000 Buffer Overflow Buffer Overrun Buffer Overflow ttack Smashing 7 8

Buffer Overflow ttack 1988 Morris Worm Buffer Overflow ttack 2014 Heartbleed 9 10 Code & Data User Code & Data User B Code & Data Operating System Proc 1 Code Proc 1 Data Proc 2 Code Proc 2 Data Memory Layout 11 Heap Local Data Local Code System Data System Code Memory Layout: one process 12

Procedure p1 { call p2; Local Vars Return Instruction Pointer Procedure p1 { call p2; Local Vars Return Instruction Pointer 13 14 int p2(char *input){ char buffer[100]; strcpy(buffer, input); return 0; Procedure p2 Procedure p1 { call p2; Local Vars Return Instruction Pointer Saved Base Pointer p1 buffer p2 15 16

n ttack int p2(char *input){ char buffer[100]; strcpy(buffer, input); return 0; input 0xCFECFECFECFE...00FFEE Procedure p1 { call p2; Local Vars (Return Instruction Pointer) 0X00FFEE (Saved Base Pointer) 0xCFE (buffer) 0xCFECF ECFECF E p1 p2 Compromised 17 18 dd a secret value to the stack Check value before returning Defense: Canary Procedure p1 { call p2; Local Vars (Return Instruction Pointer) 0X00FFEE (Saved Base Pointer) 0xCFE p1 Compromised (buffer) 0xCFECF ECFECF E p2 19 20

ttack Defense: W xor X Guess Canary Regions of memory can be either writable or executable 21 22 Point to existing code in the system ttack: Return to LibC Procedure p1 { call p2; Points to elsewhere in memory Local Vars (Return Instruction Pointer) 0X00FFEE (Saved Base Pointer) 0xCFE (buffer) 0xCFECF ECFECF E p1 p2 Compromised 23 24

ttack: Return oriented programming Current State Point to gadgets within the existing code We have trained the attackers very well! 25 26 TLS Heartbeat Client Server Heartbleed heartbeat request: 3 bytes, cat heartbeat reply: cat 27 28

TLS Heartbleed ttack Server Bug introduced to code repository Dec 2011 History of Heartbleed heartbeat request: 64 Kbytes, cat Published for comment Feb 2012 Included and enabled by default in OpenSSL March 2012 heartbeat reply: cat0xcfepasswordkeys First discovered March 2014 29 30 Current State Integer Overflows Buffer overflow and overruns are the major source of vulnerabilities in SW int *vulnerable(int *array, int len) { int *myarray; myarray = malloc(len * sizeof(int)); if (myarray == NULL) { return -1; for (i = 0; i < len; i++) { myarray[i] = array[i]; return myarray; 31 32

Overflow Countermeasures Bounds Checking Bounds Checking Input validation & sanitization Use safe utilities Manual code review Static analysis Dynamic analysis Least privilege Sandboxing 33 34 Input Validation & Sanitization Input Validation & Sanitization Use a template (919) 555-1234 Use a template (919) 555-1234 Templates prescribe good behavior 35 36

Templates are Difficult Input Validation & Sanitization (919) 555-1234 1-919-555-1234 +1 919 555 1234 The length of buffer writes should be dictated by buffer size, not by user-provided input 919 555 1234 919.555.1234 37 38 Input Validation & Sanitization Use Safe Utilities strcpy vs strncpy Never trust user-supplied input char str1[]= "hello"; char str2[6]; /* copy to terminating null \0 */ strcpy (str2, str1); /* copy only 6 chars */ strncpy (str2, str1, 6); 39 40

Use Safe Utilities Least Privilege strcpy vs strncpy strcmp vs strncmp sprintf vs snprintf Subject should have access to fewest number of objects necessary to do its work 41 42 Least Privilege Sandboxing Code should have only the permissions needed Limits the damage done by compromise Contain sections of code within a specified address range 43 44

The choice of language plays a role as well Programming Language Type Safety Memory Safety In-class Exercise 45 46

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback