ECS 153 Discussion Section. April 6, 2015

Similar documents
Secure Programming I. Steven M. Bellovin September 28,

Program Security and Vulnerabilities Class 2

CSE 509: Computer Security

Is stack overflow still a problem?

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

CS 161 Computer Security

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

Hacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh

One-Slide Summary. Lecture Outline. Language Security

Writing Safe Setuid Programs. Theme

Code with red border means vulnerable code. Code with green border means corrected code. This program asks the user for a password with the function

Fundamentals of Linux Platform Security

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

Language Security. Lecture 40

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

Topics in Software Security Vulnerability

Week 5, continued. This is CS50. Harvard University. Fall Cheng Gong

Basic Buffer Overflows

CMPSC 497 Buffer Overflow Vulnerabilities

Fundamentals of Computer Security

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Intro to x86 Binaries. From ASM to exploit

Smashing the Buffer. Miroslav Štampar

CMSC 414 Computer and Network Security

UMSSIA LECTURE I: SOFTWARE SECURITY

Foundations of Network and Computer Security

Software Security II: Memory Errors - Attacks & Defenses

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Buffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

Software and Web Security 1. Root Cause Analysis. Abstractions Assumptions Trust. sws1 1

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

CS 161 Computer Security

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

Programs in memory. The layout of memory is roughly:

Runtime Defenses against Memory Corruption

CSci 4061 Introduction to Operating Systems. Programs in C/Unix

Foundations of Network and Computer Security

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

Inline Reference Monitoring Techniques

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

Buffer overflow prevention, and other attacks

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Buffer overflow background

Applications. Cloud. See voting example (DC Internet voting pilot) Select * from userinfo WHERE id = %%% (variable)

Buffer Overflow Vulnerability

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

Buffer overflows. Specific topics:

Run-time Environments

Run-time Environments

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I Solutions

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM

CNIT 127: Exploit Development. Ch 18: Source Code Auditing. Updated

BUFFER OVERFLOW. Jo, Heeseung

Lecture 4 September Required reading materials for this class

Buffer Overflow. Jo, Heeseung

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

Recitation 10: Malloc Lab

CSCE 548 Building Secure Software Integers & Integer-related Attacks & Format String Attacks. Professor Lisa Luo Spring 2018

Advanced Buffer Overflow

Lecture Notes for 04/04/06: UNTRUSTED CODE Fatima Zarinni.

Secure Systems Engineering

Play with FILE Structure Yet Another Binary Exploitation Technique. Abstract

CSE506: Operating Systems CSE 506: Operating Systems

Sungkyunkwan University

Software Security: Buffer Overflow Defenses

A Unix process s address space appears to be three regions of memory: a read-only text region (containing executable code); a read-write region

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Computer Security. Robust and secure programming in C. Marius Minea. 12 October 2017

The cross-page overwrite and it s application in heap overflows. By Greg Hoglund 2003 HBGary, LLC

Advanced Memory Allocation

Hands-on Ethical Hacking: Preventing & Writing Buffer Overflow Exploits

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

buffer overflow exploitation

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

Software Security: Buffer Overflow Attacks (continued)

COMP3441 Lecture 7: Software Vulnerabilities

Run-time Environments. Lecture 13. Prof. Alex Aiken Original Slides (Modified by Prof. Vijay Ganesh) Lecture 13

Recitation #12 Malloc Lab - Part 2. November 14th, 2017

Lab 2: Buffer Overflows

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Reflections on using C(++) Root Cause Analysis

Secure Programming. Buffer Overflows Learning objectives. Type. 3 Buffer Overflows. 4 An Important Vulnerability. 5 Example Overflow

HOT-Compilation: Garbage Collection

CSE506: Operating Systems CSE 506: Operating Systems

Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Review

Lecture 1: Buffer Overflows

Buffer Overflow and Format String Overflow Vulnerabilities

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall 2011.

A heap, a stack, a bottle and a rack. Johan Montelius HT2017

Playing God With Format String Attacks. Bsides Jax 2016 Travis Phillips 10/22/2016

Security. 1 Introduction. Alex S. 1.1 Authentication

ELEC / COMP 177 Fall Some slides from Kurose and Ross, Computer Networking, 5 th Edition

Machine-Level Programming V: Advanced Topics

Buffer Overflows. Buffer Overflow. Many of the following slides are based on those from

Heap Off by 1 Overflow Illustrated. Eric Conrad October 2007

Transcription:

ECS 153 Discussion Section April 6, 2015 1

What We ll Cover Goal: To discuss buffer overflows in detail Stack- based buffer overflows Smashing the stack : execution from the stack ARC (or return- to- libc) attacks; ROP Data- based buffer overflows Ways to avoid and detect them 2

What They Are Traditionally considered as a technique to have your code executed by a running program Other, less examined uses: Overflow data area to alter variable values Overflow heap to alter variable values or return addresses Execute code contained in environment variables (not fundamentally different, but usually stored on stack) 3

Process Memory Structure text data stack heap (instructions) 4

Typical Stack Structure return address processor status word local variable values local variable values stack shrinks stack grows 5

Idea Figure out what buffers are stored on the stack Write a small machine- language program to do what you want (exec a shell, for example) Add enough bytes to pad out the buffer to reach the return address Alter return address so it returns to the beginning of the buffer Thereby executing your code 6

In Pictures gets local variables gets local variables other return state info return address of main parameter to gets input buffer main local variables after message other return state info address of input buffer program to invoke shell program to invoke shell main local variables the usual stack the stack after the attack 7

In Words Parameter to gets(3) is a pointer to a buffer Here, buffer is 256 bytes long Buffer is local to caller, hence on the stack Input your shell executing program Must be in machine language of the target processor 45 bytes on a Linux/i386 PC box Pad it with 256 45 + 4 = 215 bytes Add 4 bytes containing address of buffer These alter the return address on the stack 8

Required Change return address Best: you know how many bytes the return address is from the buffer Approach: pad shell code routine with address of beginning of buffer If not sure, put NOPs before shell code, and guess Use buffer address as padding Need to get alignment right, though 9

Also Required Machine language program to spawn subshell (or whatever) that does not contain either a newline or a NUL (string terminator) If string loaded by standard I/O function (like gets(3)), no NULs or newlines allowed If string loaded by string function (like strcpy(3)), no NULs allowed strncpy terminates on NUL as well as length Many other problems (e.g., buffer may be massaged by tolower(), so can t contain upper case) 10

Quick Test If you overflow the return address with some fixed character, you are likely to load that location with an illegal address So, enter fixed data as input (or as arguments) Usual value is sequence of A (0x41) If the program crashes, you probably have a stack overflow Go look at the stored address in the program counter; if it s 0x41414141, you have an overflow 11

Where to Put Shell Code In the buffer Get address by running gdb, trace or their ilk Need access to system of same type as attacked system Somewhere else: environment list Stored in standard place for all processes Put shell code in last environment variable Create new one Calculate and supply this address 12

Variations on a Theme Return- to- libc (arc injection) attack Change the return address to point to a library, or other function On return you will jump to that routine Set up the stack so when you jump to that function, it looks like a proper function call Then the function executes under your control 13

Return- Oriented Programmng (ROP) Like return- to- libc, but jump to code sequences rather than function entry points Sequence terminates with a return Enough of these sequences in standard C library to form a simple programming language Attack: chain these together using the stack to handle their invocation Sounds complex, but can be made simple 14

Data Segment Buffer Overflows Can t change return address Systems prevent crossing data, stack boundary Even if they didn t, you would need to enter a pretty long string to cross from data to stack segment! Change values of other critical parameters Variables stored in data area control execution, file access Can change binary or string data using technique similar to that of stack buffer overflowing 15

Example: login Problem Program stored user- typed password, hash from password file in two adjacent arrays Algorithm Obtain user name, load corresponding hash into array Read user password into array, hash, compare to contents of hash array Attack Generate any 8 character password, corresponding hash When asked for password, enter it, type 72 characters, then type corresponding hash 16

In Pictures buffer for cleartext password (80 bytes) buffer for hash (13 bytes) 0 79 80 92 load password buffer from 0 on store hash from /etc/passwd when given login name 17

Requires Knowing what data structures are, and where Need positions with respect to one another If symbol table present, use nm(1) Knowing what data structures are used for Use the source Guess Disassemble the code Knowing what a good value is Good for the attacker and bad for the system 18

Example: The syslogd Bug On one system, syslogd read message from a socket Does not use gets(), so no overflow at the read Message formatted with PID, date, etc. Used sprintf(3) to write into an array called line2 allocated with 2048 characters This array for sprintf can overflow 19

The Problem In the 3 cases we ve seen, string put into array without being checked for overflow fingerd login If buf not overflowed, stack uncorrupted and return made to main If passwd not overflowed, hash not altered and correct hash used to validate password syslogd If line2 not overflowed, stack uncorrupted and return made to caller 20

Selective Buffer Overflow Sets particular locations rather than just overwriting everything Principles are the same, but you have to determine the specific locations involved Cannot approximate, as you could for general stack overflow; need exact address Advantage: it s fixed across all invocations of the program, whereas a stack address can change depending on memory layout, input, or other actions 21

Sendmail Configuration File sendmail takes debugging flags of form flag.value sendmail - d7,102 sets debugging flag 7 to value 102 Flags stored in array in data segment Name of default configuration file also stored in array in data segment It s called sendmail.cf Config file contains name of local delivery agent Mlocal line; usually /bin/mail 22

In Pictures 100 / e t c configuration file name 104 / s e n Create your own config file, d m a i making the local mailer be whatever l. c f you want. Then run sendmail with the following debug flags settings: flag 27 to 117 ( t ), 26 to 110 ( m ), and 25 to 113 ( p ). Have it deliver a letter to any local address byte for flag 0 128 23

Problems and Solutions Sendmail won t recognize negative flag numbers So make them unsigned (positive)! 27 becomes 2 32 27 = 4294967269 26 becomes 2 32 26 = 4294967270 25 becomes 2 32 26 = 4294967271 Command is: sendmail - d4294967269,117 - d4294967270,110 \ - d4294967271,113 24

Attack: Whacking the Heap Like stack, except you find something on the heap that you can alter Vendors protect stack from execution, but rarely the heap return address malloc data malloc space program stack goes here 25

Attack: Changing the Heap Like data segment, except overwrite other components on the heap Mucks up storage allocators unless you figure out what the malloc information is malloc data 2 malloc data 1 second malloc space overflow first malloc space 26

Things To Alter Function pointers Look for places where these are stored on stack or heap May be explicit (store function pointer in dynamically allocated array) or implicit (atexit(3)) Fault handlers Some are stored at the beginning of the heap, so just keep writing 27

Requires Knowing what allocations are performed, and where the allocators place the storage Need positions with respect to one another Knowing where program stores function pointers Knowing where system stores function pointers See atexit(3) Knowing what a good value is Same importance as for stack- based buffer overflows 28

General Rule Assume input may overflow an input buffer Design to prevent overflow In general, don't trust input to be of the right form or length 29

Design Tip: Buffer Overflow Assume input may overflow an input buffer Design to prevent overflow In general, don't trust input to be of the right form or length 30

Handling Arrays Use a function that respects buffer bounds Avoid gets, strcpy, strcat, sprintf Use fgets, strncpy, strncat, instead; no standard replacement for sprintf (snprintf on some systems) Don t forget to add a NUL byte at the end of arrays if you use these functions, and watch those n values! To find good (bad) functions, look for those which handle arrays and do not check length Checking for termination character is not enough Check array references Not only when they are in loops 31

Puzzle Consider the strn functions. What happens when n is negative? As the functions n is an unsigned parameter, n is effectively infinite In strncpy, what happens if the first two arguments overlap? The behavior is undefined so it varies from one system to another 32

Common Error When writing error handlers, be sure you check for buffer overflows during formatting of error messages, even if the program provides the message Sometimes you can manipulate the environment to force a bogus message Source of message (file names printed, command- line arguments, etc.) are often under user s control 33

One Way to Fix Them Canaries Install a special value (the canary ) on the stack before the return address At exit of routine (but before you actually do the return), compare the canary to the special value If they differ, call an error handling routine 34

Canaries gets local variables gets local variables other return state info return address of main canary parameter to gets input buffer main local variables after message other return state info address of input buffer altered canary program to invoke shell program to invoke shell main local variables the usual stack the stack after the attack 35

Puzzle Will this always work? buffer canary return address _exit address stack global object table buffer (shell code) altered canary altered return address 36

Key Ideas Whenever you put data into an array (like a string), check that the length will not overflow that array Look out for functions that manipulate arrays (strings) and do not check lengths Look for other problems, such as calling a string manipulation function with bad numeric values When you compile, if you can turn off execute permission on the stack, do so This will stop one type of buffer overflow attack It does not stop many others, though 37

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback