One-Slide Summary. Lecture Outline. Language Security

Similar documents
Language Security. Lecture 40

Security Analyses For The Lazy Superhero

Foundations of Network and Computer Security

Foundations of Network and Computer Security

Secure Software Development: Theory and Practice

Basic Buffer Overflows

ECS 153 Discussion Section. April 6, 2015

Lecture 4 September Required reading materials for this class

Towards automated detection of buffer overrun vulnerabilities: a first step. NDSS 2000 Feb 3, 2000

Lecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall Nitesh Saxena

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

(Early) Memory Corruption Attacks

CCured. One-Slide Summary. Lecture Outline. Type-Safe Retrofitting of C Programs

Buffer Overflows Defending against arbitrary code insertion and execution

Buffer overflow background

Buffer Overflow Vulnerability

Software Security II: Memory Errors - Attacks & Defenses

Simple Overflow. #include <stdio.h> int main(void){ unsigned int num = 0xffffffff;

CS61C Machine Structures. Lecture 4 C Pointers and Arrays. 1/25/2006 John Wawrzynek. www-inst.eecs.berkeley.edu/~cs61c/

Lecture 9 Assertions and Error Handling CS240

CSE 565 Computer Security Fall 2018

Buffer Overflow Vulnerability Lab Due: September 06, 2018, Thursday (Noon) Submit your lab report through to

CMPSC 497 Buffer Overflow Vulnerabilities

CSE 565 Computer Security Fall 2018

Static Analysis in Practice

Program Security and Vulnerabilities Class 2

Lecture 6: Buffer Overflow. CS 436/636/736 Spring Nitesh Saxena

Static Analysis in Practice

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Secure Programming I. Steven M. Bellovin September 28,

Buffer overflows & friends CS642: Computer Security

CS61C : Machine Structures

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

CS107 Handout 08 Spring 2007 April 9, 2007 The Ins and Outs of C Arrays

Control Flow Hijacking Attacks. Prof. Dr. Michael Backes

HW1 due Monday by 9:30am Assignment online, submission details to come

BUFFER OVERFLOW. Jo, Heeseung

Buffer Overflow. Jo, Heeseung

Lecture 08 Control-flow Hijacking Defenses

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Static Vulnerability Analysis

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

ISA564 SECURITY LAB. Code Injection Attacks

Review! * follows a pointer to its value! & gets the address of a variable! Pearce, Summer 2010 UCB! ! int x = 1000; Pearce, Summer 2010 UCB!

CS61C : Machine Structures

Agenda. Peer Instruction Question 1. Peer Instruction Answer 1. Peer Instruction Question 2 6/22/2011

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Is stack overflow still a problem?

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

ECE 471 Embedded Systems Lecture 22

Securing Software Applications Using Dynamic Dataflow Analysis. OWASP June 16, The OWASP Foundation

Software Security: Buffer Overflow Attacks (continued)

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

Memory Safety (cont d) Software Security

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Software Security: Buffer Overflow Attacks

Software Security: Buffer Overflow Defenses and Miscellaneous

EURECOM 6/2/2012 SYSTEM SECURITY Σ

Today Program Analysis for finding bugs, especially security bugs problem specification motivation approaches remaining issues

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

Limitations of the stack

CS 61C: Great Ideas in Computer Architecture. C Arrays, Strings, More Pointers

Software Security: Buffer Overflow Defenses

Buffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers.

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

Static Analysis. Systems and Internet Infrastructure Security

Computer Programming: Skills & Concepts (CP) Strings

Code Injection Attacks Buffer Overflows

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

CSE 509: Computer Security

Last week. Data on the stack is allocated automatically when we do a function call, and removed when we return

Profilers and Debuggers. Introductory Material. One-Slide Summary

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

20: Exploits and Containment

Buffer overflows & friends CS642: Computer Security

Lecture 05 Integer overflow. Stephen Checkoway University of Illinois at Chicago

Buffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

Fundamentals of Computer Security

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

Buffer Overflow & Format Strings

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

United States Naval Academy Electrical and Computer Engineering Department EC310-6 Week Midterm Spring 2015

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

Automated Assessment Tools

Runtime Defenses against Memory Corruption

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

COMP 2355 Introduction to Systems Programming

CS4264 Programming Assignment 1 Buffer Overflow Vulnerability Due 02/21/2018 at 5:00 PM EST Submit through CANVAS

More C Pointer Dangers

CSSV: Towards a Realistic Tool for Statically Detecting All Buffer Overflows in C

CS61C : Machine Structures

Syed Kamran Haider Department of Electrical & Computer Engineering University of Connecticut

Project 1 Buffer Overflow

Buffer Overflow Vulnerability Lab

CS 222: Pointers and Manual Memory Management

Finding User/Kernel Pointer Bugs with Type Inference p.1

Transcription:

Language Security Or: bringing a knife to a gun fight #1 One-Slide Summary A language s design principles and features have a strong influence on the security of programs written in that language. C s legacy of null-terminated, stackallocated and non-sized buffers leads directly to the most common sort of security vulnerability: the buffer overrun. What can be done? #2 Beyond interpreters Lecture Outline Looking at other issues in programming language design and tools C Arrays Exploiting buffer overruns Detecting buffer overruns #3 1

Duck-billed Platitudes Language design has profound influence on Safety Efficiency Security #4 C Design Principles Small language Maximum efficiency Safety less important Designed for the world in 1972 Weak machines Trusted networks #5 char buffer[100]; Arrays in C Declares and allocates an array of 100 chars 0 1 2 99 100*sizeof(char) #6 2

C Array Operations char buf1[100], buf2[100]; Write: buf1[0] = a ; Read: return buf2[0]; #7 What s Wrong with this Picture? /* strcpy buf1 into buf2 */ int i; for (i = 0; buf1[i]!= \0 ; i++) { } buf2[i] = buf1[i]; buf2[i] = \0 ; #8 Indexing Out of Bounds The following are all legal C and may generate no run-time errors char buffer[100]; buffer[-1] = a ; buffer[100] = a ; buffer[100000] = a ; #9 3

Why Ask Why? Why does C allow out of bounds array references? Proving at compile-time that all array references are in bounds is very difficult (why?) Checking at run-time that all array references are in bounds is expensive (who does this?) #10 Code Generation for Arrays The C code: buf1[i] = 1; /* buf1 has type int[] */ The assembly code: Regular C r1 = &buf1; r2 = load i; r3 = r2 * 4; r4 = r1 + r3 store r4, 1 C with bounds checks r1 = &buf1; r2 = load i; r3 = r2 * 4; if r3 < 0 then error; r5 = load limit of buf1; if r3 >= r5 then error; r4 = r1 + r3 store r4, 1 Costly! Finding the array limits is non-trivial #11 C vs. Java Typical work for a C array reference Offset calculation Memory operation (load or store) Typical work for a Java array reference Offset calculation Memory operation (load or store) Array bounds check Type compatibility check (for stores) (why?) #12 4

Buffer Overruns A buffer overrun writes past the end of an array Buffer usually refers to a C array of char But can be any array So who s afraid of a buffer overrun? Cause a core dump Can damage data structures What else? #13 Stack Smashing Buffer overruns can alter the control flow of your program! char buffer[100]; /* stack-allocated array */ 0 1 2 99 return address 100 *sizeof(char) #14 An Overrun Vulnerability void foo(char in[]) { char buffer[100]; } int i = 0; for(i = 0; in[i]!= \0 ; i++) buffer[i] = in[i]; buffer[i] = \0 ; #15 5

An Interesting Idea char in[104] = { 0,,0, magic 4 chars } foo(in); (**) foo entry 0 1 2 99 return address 100 *sizeof(char) 100 *sizeof(char) (**) foo exit 0 1 2 99 return address magic 4 chars #16 Discussion So we can make foo jump wherever we like! How is this possible? Unanticipated interaction of two features: Unchecked array operations Stack-allocated arrays Knowledge of frame layout allows prediction of where array and return address are stored Note the magic cast from char to an address #17 The Rest of the Story Say that foo is part of a network server and the in originates in a received message Some remote user can make foo jump anywhere! But where is a useful place to jump? Idea: Jump to some code that gives you control of the host system (e.g. code that spawns a shell) But where to put such code? Idea: Put the code in the same buffer and jump there! #18 6

Where to jump? Useful Jumps We want to take control of the program How about to a system call? #19 The Plan Force a jump to the following code: In C: exec( /bin/sh ); In x86 assembly: movl $LC0, (%esp) call _exec LC0:.ascii /bin/sh\0 In machine code: 0x20, 0x42, 0x00, #20 The Plan char in[104] = { 104 magic chars } foo(in); foo exit 0 1 2 99 return address 0x20, 0x42, 0x00, The last 4 bytes in in must equal the start of buffer That position might depend on many factors! #21 7

Guess the Location of the Injected Code Trial and error: gives you a ballpark Then pad the injected code with NOP e.g. add $0, $1, 0x2020 stores result in $0 which is hardwired to 0 anyway Encoded as 0x20202020 foo exit 0 1 2 99 return address 0x20,, 0x20, 0x20, 0x42, 0x00, The bad code Works even with an approximate address of buffer! #22 More Problems We do not know exactly where the return address is Depends on how the compiler chose to allocate variables in the stack frame Solution: pad the buffer at the end with many copies of the magic return address X foo exit 0 1 2 99 0x20,, 0x20, 0x20, 0x42, 0x00,, X, X, X, X,, X, X, The bad code return address #23 Even More Problems The most common way to copy the bad code in a stack buffer is using string functions: strcpy, strcat, etc. This means that buf cannot contain 0x00 bytes Why? Solution: Rewrite the code carefully Instead of addiu $4,$0,0x0015 (code 0x20400015) Use addiu $4,$0,0x1126; subiu $4, $4, 0x1111 #24 8

The State of C Programming Buffer overruns are common Programmers must do their own bounds checking Easy to forget or be off-by-one or more Program still appears to work correctly In C w.r.t. to buffer overruns Easy to do the wrong thing Hard to do the right thing #25 The State of Hacking Buffer overruns are the attack of choice 40-50% of new vulnerabilities are buffer overrun exploits Many recent attacks of this flavor: Code Red, Nimda, MS-SQL server, yada yada Buffer overflows have been the most common form of security vulnerability for the past ten years [OGI DARPA 2000] Highly automated toolkits are available to exploit known buffer overruns Look up script kiddie #26 The Sad Reality Even well-known buffer overruns are still widely exploited Hard to get people to upgrade millions of vulnerable machines We assume that there are many more unknown buffer overrun vulnerabilities At least unknown to the good guys #27 9

Static Analysis to Detect Buffer Overruns Detecting buffer overruns before distributing code would be better Idea: Build a tool similar to a type checker to detect buffer overruns This is a popular research area; we ll present one idea at random [Wagner, Aiken, ] You ll see more in later lectures #28 Focus on Strings Most important buffer overrun exploits are through string buffers Reading an untrusted string from the network, keyboard, etc. Focus the tool only on arrays of characters #29 Idea 1: Strings as an Abstract Data Type A problem: Pointer operations and array dereferences are very difficult to analyze statically Where does *ptr point? What does buf[j] refer to? Idea: Model effect of string library functions directly Hard code effect of strcpy, strcat, etc. #30 10

Idea 2: The Abstraction Model buffers as pairs of integer ranges Alloc min allocated size of the buffer in bytes Length max number of bytes actually in use Use integer ranges [x,y] = { x, x+1,, y-1, y } Alloc and length cannot be computed exactly #31 The Strategy For each program expression, write constraints capturing the alloc and len of its string subexpressions Solve the constraints for the entire program Check for each string variable s len(s) alloc(s) #32 The Constraints char s[n]; strcpy(dst,src) n alloc(s) (or n=alloc(s)) len(src) len(dst) p = strdup(s) len(s) len(p) & alloc(s) alloc(p) p[n] = \0 min(len(p),n+1)) len(p) #33 11

Constraint Solving Solving the constraints is akin to solving dataflow equations (e.g., constant propagation) Build a graph Nodes are len(s), alloc(s) Edges are constraints len(s) len(t) Propagate information forward through the graph Special handling of loops in the graph #34 Results This technique found new buffer overruns in sendmail Which is like shooting fish in a barrel Found new exploitable overruns in Linux nettools package Both widely used, previously hand-audited packages #35 Limitations Tool produces many false positives (why?) 1 out of 10 warnings is a real bug Tool has false negatives (why?) Unsound: may miss some overruns But still productive to use #36 12

Summary Programming language knowledge is useful beyond interpreters Useful for programmers Understand what you are doing! Handy for tools other than compilers Big research direction #37 Homework PA5 Due Friday April 27 (3 days) Final Examination Block 4 Thursday May 10 1400-1700 MEC 214 #38 13

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback