dministrative Buffer Overflows COMP 435 Fall 2017 Prof. Cynthia Sturton Exam Mon., Nov. 6 Covers material since last exam, including today s lecture Review in OH Fri., Nov. 3, 10-12 FB 354 Poster group info due tomorrow (or lose points!) Group sign-up using google form OR Email instr-435-cs@cs.unc.edu to be grouped ssignment 3 due Wed., Nov. 8 Can work on it after the exam New this time: Sakai will stay open for resubmissions 2 Buffers Buffers char sample[10]; int i; for (i=0; i<=9; i++) sample[i] = ; 0 1 2 3 4 5 6 7 8 9 3 4
Buffers Buffers in Memory char sample[10]; int i; for (i=0; i<=9; i++) sample[i] = ; sample[10] = B ;? 0 1 2 3 4 5 6 7 8 9... 0x00...0001 0x00...0000 5 6 Buffers in Memory Terminology B... 0x00...0001 0x00...0000 Buffer Overflow Buffer Overrun Buffer Overflow ttack Smashing 7 8
Buffer Overflow ttack 1988 Morris Worm Buffer Overflow ttack 2014 Heartbleed 9 10 Code & Data User Code & Data User B Code & Data Operating System Proc 1 Code Proc 1 Data Proc 2 Code Proc 2 Data Memory Layout 11 Heap Local Data Local Code System Data System Code Memory Layout: one process 12
Procedure p1 { call p2; Local Vars Return Instruction Pointer Procedure p1 { call p2; Local Vars Return Instruction Pointer 13 14 int p2(char *input){ char buffer[100]; strcpy(buffer, input); return 0; Procedure p2 Procedure p1 { call p2; Local Vars Return Instruction Pointer Saved Base Pointer p1 buffer p2 15 16
n ttack int p2(char *input){ char buffer[100]; strcpy(buffer, input); return 0; input 0xCFECFECFECFE...00FFEE Procedure p1 { call p2; Local Vars (Return Instruction Pointer) 0X00FFEE (Saved Base Pointer) 0xCFE (buffer) 0xCFECF ECFECF E p1 p2 Compromised 17 18 dd a secret value to the stack Check value before returning Defense: Canary Procedure p1 { call p2; Local Vars (Return Instruction Pointer) 0X00FFEE (Saved Base Pointer) 0xCFE p1 Compromised (buffer) 0xCFECF ECFECF E p2 19 20
ttack Defense: W xor X Guess Canary Regions of memory can be either writable or executable 21 22 Point to existing code in the system ttack: Return to LibC Procedure p1 { call p2; Points to elsewhere in memory Local Vars (Return Instruction Pointer) 0X00FFEE (Saved Base Pointer) 0xCFE (buffer) 0xCFECF ECFECF E p1 p2 Compromised 23 24
ttack: Return oriented programming Current State Point to gadgets within the existing code We have trained the attackers very well! 25 26 TLS Heartbeat Client Server Heartbleed heartbeat request: 3 bytes, cat heartbeat reply: cat 27 28
TLS Heartbleed ttack Server Bug introduced to code repository Dec 2011 History of Heartbleed heartbeat request: 64 Kbytes, cat Published for comment Feb 2012 Included and enabled by default in OpenSSL March 2012 heartbeat reply: cat0xcfepasswordkeys First discovered March 2014 29 30 Current State Integer Overflows Buffer overflow and overruns are the major source of vulnerabilities in SW int *vulnerable(int *array, int len) { int *myarray; myarray = malloc(len * sizeof(int)); if (myarray == NULL) { return -1; for (i = 0; i < len; i++) { myarray[i] = array[i]; return myarray; 31 32
Overflow Countermeasures Bounds Checking Bounds Checking Input validation & sanitization Use safe utilities Manual code review Static analysis Dynamic analysis Least privilege Sandboxing 33 34 Input Validation & Sanitization Input Validation & Sanitization Use a template (919) 555-1234 Use a template (919) 555-1234 Templates prescribe good behavior 35 36
Templates are Difficult Input Validation & Sanitization (919) 555-1234 1-919-555-1234 +1 919 555 1234 The length of buffer writes should be dictated by buffer size, not by user-provided input 919 555 1234 919.555.1234 37 38 Input Validation & Sanitization Use Safe Utilities strcpy vs strncpy Never trust user-supplied input char str1[]= "hello"; char str2[6]; /* copy to terminating null \0 */ strcpy (str2, str1); /* copy only 6 chars */ strncpy (str2, str1, 6); 39 40
Use Safe Utilities Least Privilege strcpy vs strncpy strcmp vs strncmp sprintf vs snprintf Subject should have access to fewest number of objects necessary to do its work 41 42 Least Privilege Sandboxing Code should have only the permissions needed Limits the damage done by compromise Contain sections of code within a specified address range 43 44
The choice of language plays a role as well Programming Language Type Safety Memory Safety In-class Exercise 45 46