CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

Similar documents
Buffer Overflow Attacks

Software Security: Buffer Overflow Attacks (continued)

Software Security: Buffer Overflow Defenses

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

Lecture 6: Buffer Overflow. CS 436/636/736 Spring Nitesh Saxena

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

CSE 565 Computer Security Fall 2018

Software Security II: Memory Errors - Attacks & Defenses

Lecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall Nitesh Saxena

Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Review

Software Security Buffer Overflows more countermeasures. Erik Poll. Digital Security Radboud University Nijmegen

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

ECS 153 Discussion Section. April 6, 2015

We will focus on Buffer overflow attacks SQL injections. See book for other examples

Secure Programming I. Steven M. Bellovin September 28,

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Runtime Defenses against Memory Corruption

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

CMPSC 497 Buffer Overflow Vulnerabilities

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures)

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

Basic Buffer Overflows

Topics in Software Security Vulnerability

Lab 2: Buffer Overflows

Software and Web Security 1. Root Cause Analysis. Abstractions Assumptions Trust. sws1 1

Buffer Overflows. Buffer Overflow. Many of the following slides are based on those from

CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux

Buffer Overflows Defending against arbitrary code insertion and execution

Lecture 08 Control-flow Hijacking Defenses

Buffer Overflow Defenses

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

Code Injection Attacks Buffer Overflows

Syed Kamran Haider Department of Electrical & Computer Engineering University of Connecticut

Is stack overflow still a problem?

Software Security Buffer Overflows more countermeasures. Erik Poll. Digital Security Radboud University Nijmegen

Reflections on using C(++) Root Cause Analysis

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM

Buffer overflow background

HW 8 CS681 & CS392 Computer Security Understanding and Experimenting with Memory Corruption Vulnerabilities DUE 12/18/2005

Secure Programming. Buffer Overflows Learning objectives. Type. 3 Buffer Overflows. 4 An Important Vulnerability. 5 Example Overflow

Buffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers.

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

Buffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

Software Security: Buffer Overflow Attacks

Lecture 4 September Required reading materials for this class

Software Security: Buffer Overflow Defenses and Miscellaneous

BUFFER OVERFLOW. Jo, Heeseung

Buffer Overflow. Jo, Heeseung

Hands-on Ethical Hacking: Preventing & Writing Buffer Overflow Exploits

Memory Corruption Vulnerabilities, Part I

Buffer Overflows. Buffers. Administrative. COMP 435 Fall 2017 Prof. Cynthia Sturton. Buffers

Memory corruption countermeasures

Stack Overflow COMP620

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Buffer overflow prevention, and other attacks

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING

Reserve Engineering & Buffer Overflow Attacks. Tom Chothia Computer Security, Lecture 17

Language Security. Lecture 40

Buffer Overflow Attack

Buffer Overflow Vulnerability

CMSC 414 Computer and Network Security

Ethical Hacking: Preventing & Writing Buffer Overflow Exploits

CS 392/681 Lab 6 Experiencing Buffer Overflows and Format String Vulnerabilities

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

1/31/2007 C. Edward Chow. CS591 Page 1

Foundations of Network and Computer Security

DAY 3. CS3600, Northeastern University. Alan Mislove

Buffer Overflow and Format String Overflow Vulnerabilities

CSE 509: Computer Security

Machine-Level Programming V: Advanced Topics

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

Smashing the Buffer. Miroslav Štampar

One-Slide Summary. Lecture Outline. Language Security

CSC 252: Computer Organization Spring 2018: Lecture 9

Recitation: C Review. TA s 20 Feb 2017

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

malloc() is often used to allocate chunk of memory dynamically from the heap region. Each chunk contains a header and free space (the buffer in which

Buffer Overflow Attack (AskCypert CLaaS)

CSE 12 Spring 2016 Week One, Lecture Two

Buffer Overflow Vulnerabilities

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

TI2725-C, C programming lab, course

Buffer overflows. Specific topics:

20: Exploits and Containment

4. Jump to *RA 4. StackGuard 5. Execute code 5. Instruction Set Randomization 6. Make system call 6. System call Randomization

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

CS 161 Computer Security

ECE 471 Embedded Systems Lecture 22

A program execution is memory safe so long as memory access errors never occur:

Lecture 1: Buffer Overflows

Vulnerabilities in C/C++ programs Part I

Foundations of Network and Computer Security

Transcription:

CIS 551 / TCOM 401 Computer and Network Security Spring 2007 Lecture 2

Announcements First project is on the web Due: Feb. 1st at midnight Form groups of 2 or 3 people If you need help finding a group, contact us Mail Jeff Vaughan (vaughan2@seas.upenn.edu) with your group information by Jan. 25th Please put "CIS551" in all course-related e-mail. I will be away next Tues. Jeff Vaughan will be guest lecturing 1/18/07 CIS/TCOM 551 2

Class Scribes Each Lecture one or two people will be "Scribes" Their duties: Take notes (in addition to what is on the handouts) Prepare them in HTML format, suitable for putting them on the course web page Mail them to me When you mail the notes: Please include CIS551 and the lecture number in the subject of the e-mail Sign-up sheet for scribing circulating in class today 1/18/07 CIS/TCOM 551 3

Plan for Today: Buffer Overflows Assigned Reading: Aleph One (1996) Smashing the Stack for Fun and Profit This paper is essentially a tutorial for your project! Stack smashing is a particular (common) instance of a buffer overflow. Easy to exploit in practice 1/18/07 CIS/TCOM 551 4

Buffer Overrun in the News From Slashdot There is an unchecked buffer in Microsoft Data Access Components (MDAC) prior to version 2.7, the company said. MDAC is a "ubiquitous" technology used in Internet Explorer and the IIS web server. The buffer can be overrun with a malformed HTTP request, allowing arbitrary code to be executed on the target machine. http://www.theregister.co.uk/content/55/28215.html 1/18/07 CIS/TCOM 551 5

The Consequences From Microsoft An attacker who successfully exploited it could gain complete control over an affected system, thereby gaining the ability to take any action that the legitimate user could take. http://www.microsoft.com/technet/treeview/default.asp?url=/technet/secur ity/bulletin/ms02-065.asp 1/18/07 CIS/TCOM 551 6

Buffer Overflow Attacks > 50% of security incidents reported at CERT are related to buffer overflow attacks Problem is access control but at a very fine level of granularity C and C++ programming languages don t do array bounds checks 1/18/07 CIS/TCOM 551 7

3 parts of C memory model The code & data (or "text") segment contains compiled code, constant strings, etc. The Heap Stores dynamically allocated objects Allocated via "malloc" Deallocated via "free" C runtime system The Stack Stores local variables Stores the return address of a function Larger Addresses Code Heap Stack 1/18/07 CIS/TCOM 551 8

C s Control Stack f() { g(parameter); } g(char *args) { int x; // more local // variables... } Larger Addresses ESP int x; // local // variables Base Pointer Return Addr. Input parameter f s stack frame 1/18/07 CIS/TCOM 551 9

C s Control Stack f() { g(parameter); } g(char *args) { int x; // more local // variables... } Larger Addresses Input parameter f s stack frame 1/18/07 CIS/TCOM 551 10

C s Control Stack f() { g(parameter); } g(char *args) { int x; // more local // variables... } Larger Addresses ESP int x; // local // variables Base Pointer Return Addr. Input parameter f s stack frame 1/18/07 CIS/TCOM 551 11

Buffer Overflow Example ESP g(char *text) { char buffer[128]; strcpy(buffer, text); } text buffer[] Base Pointer Return Addr. Attack code 132 bytes ADDR f s stack frame 1/18/07 CIS/TCOM 551 12

Buffer Overflow Example g(char *text) { char buffer[128]; strcpy(buffer, text); } ADDR: text Attack code 132 bytes Base Pointer Return ADDR Addr. Attack code 132 bytes? ADDR f s stack frame 1/18/07 CIS/TCOM 551 13

Constructing a Payload Idea: Overwrite the return address on the stack Value overwritten is an address of some code in the "payload" The processor will jump to the instruction at that location It may be hard to figure out precisely the location in memory You can increase the size of the "target" area by padding the code with no-op instructions You can increase the chance over overwriting the return address by putting many copies of the target address on the stack [NOP] [NOP]{attack code} {attack data}[addr] [ADDR] 1/18/07 CIS/TCOM 551 14

More About Payloads How do you construct the attack code to put in the payload? You use a compiler! Gcc + gdb + options to spit out assembly (hex encoded) What about the padding? NOP on the x86 has the machine code 0x90 How do you guess the ADDR to put in the payload? Some guesswork here Figure out where the first stack frame lives: OS & hardware platform dependent, but easy to figure out Look at the program -- try to guess the stack depth at the point of the buffer overflow vulnerability. Intel is little endian -- so if ADDR is: 0xbf9ae358 you actually need to put the following words in the payload: 0x58 0xe3 0x9a 0xbf 1/18/07 CIS/TCOM 551 15

Finding Buffer Overflows The #1 source of vulnerabilities in software Caused because C and C++ are not safe languages They use a null terminated string representation: HELLO!\0 Standard library routines assume that strings will have the null character at the end. Bad defaults: the library routines don t check inputs Easy to accidentally get wrong even easier to maliciously attack 1/18/07 CIS/TCOM 551 16

Buffer overflows in library code Basic problem is that the library routines look like this: void strcopy(char *src, char *dst) { int i = 0; while (src[i]!= \0 ) { dst[i] = src[i]; i = i + 1; } } If the memory allocated to dst is smaller than the memory needed to store the contents of src, a buffer overflow occurs. 1/18/07 CIS/TCOM 551 17

If you must use C/C++ Avoid the (long list of) broken library routines: strcpy, strcat, sprintf, scanf, sscanf, gets, read, Use (but be careful with) the "safer" versions: e.g. strncpy, snprintf, fgets, Always do bounds checks One thing to look for when reviewing/auditing code Be careful to manage memory properly Dangling pointers often crash program Deallocate storage (otherwise program will have a memory leak) Be aware that doing all of this is difficult. 1/18/07 CIS/TCOM 551 18

Tool support for C/C++ Extensions to gcc that do array bounds checking Link against "safe" versions of libc (e.g. libsafe) Test programs with tools such as Purify or Splint Compile programs using tools such as: Stackguard and Pointguard (Cowan et al., immunix.org) Research compilers: Ccured (Necula et al.) Cyclone (Morrisett et al.) Binary rewriting techniques Software fault isolation (Wahbe et al.) 1/18/07 CIS/TCOM 551 19

Defeating Buffer Overflows Use a typesafe programming language Java/C# are not vulnerable to these attacks Some operating systems move the start of the stack on a per-process basis: E.g. eniac-l 1/18/07 CIS/TCOM 551 20

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback