Buffer Overflow Attacks

Similar documents
CSE 565 Computer Security Fall 2018

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Buffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers.

Runtime Defenses against Memory Corruption

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)

Software Security II: Memory Errors - Attacks & Defenses

Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Review

Software Security: Buffer Overflow Attacks (continued)

Software Security: Buffer Overflow Defenses

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

CMPSC 497 Buffer Overflow Vulnerabilities

Fundamentals of Linux Platform Security

Lecture 08 Control-flow Hijacking Defenses

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Writing Exploits. Nethemba s.r.o.

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

A Hybrid Method of Defense against Buffer Overflow Attacks

CS 161 Computer Security

CS161 Midterm 1 Review

Buffer Overflow Defenses

Reserve Engineering & Buffer Overflow Attacks. Tom Chothia Computer Security, Lecture 17

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

CS 161 Computer Security

Buffer Overflow Vulnerability

UMSSIA LECTURE I: SOFTWARE SECURITY

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

Program Security and Vulnerabilities Class 2

Architecture-level Security Vulnerabilities

Inject malicious code Call any library functions Modify the original code

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

String Oriented Programming Exploring Format String Attacks. Mathias Payer

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

Buffer Overflow Vulnerability Lab Due: September 06, 2018, Thursday (Noon) Submit your lab report through to

Buffer Overflow Vulnerabilities

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures)

We will focus on Buffer overflow attacks SQL injections. See book for other examples

Buffer Overflow & Format Strings

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Secure Programming I. Steven M. Bellovin September 28,

Buffer Overflow and Format String Overflow Vulnerabilities

1/31/2007 C. Edward Chow. CS591 Page 1

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

Basic Buffer Overflows

Module: Programming Language Security. Professor Patrick McDaniel Spring CMPSC443 - Introduction to Computer and Network Security

Buffer overflow prevention, and other attacks

CSE 509: Computer Security

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

Exercise 6: Buffer Overflow and return-into-libc Attacks

Topics in Software Security Vulnerability

Architecture-level Security Vulnerabilities. Julian Stecklina

SmashGuard: A Hardware Solution to Prevent Attacks on the Function Return Address

Memory Safety (cont d) Software Security

Lecture 1: Buffer Overflows

STACK-BASED BUFFER OVERFLOWS IN HARVARD CLASS EMBEDDED SYSTEMS

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

Lab 2: Buffer Overflows

ATTACKS DETECTION AND PREVENTION OF STACK BUFFER OVERFLOW

Memory corruption countermeasures

LibsafeXP: A Practical & Transparent Tool for Run-time Buffer Overflow Preventions

Control Hijacking Attacks

Buffer Overflow Vulnerability Lab

Software Security: Buffer Overflow Defenses and Miscellaneous

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

Software Security: Buffer Overflow Attacks

Control Hijacking: Defenses

Lecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall Nitesh Saxena

Buffer Overflows Defending against arbitrary code insertion and execution

RIPE: Runtime Intrusion Prevention Evaluator

COMPUTER security is critical in this increasingly networked

Proceedings of the 11 th USENIX Security Symposium

Modern Buffer Overflow Prevention Techniques: How they work and why they don t

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

CNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated

CSE 127 Computer Security

CSE 127 Computer Security

CSE 127 Computer Security

Hacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh

Transparent Runtime Shadow Stack: Protection against malicious return address modifications

CS4264 Programming Assignment 1 Buffer Overflow Vulnerability Due 02/21/2018 at 5:00 PM EST Submit through CANVAS

1 Recommended Readings

I run a Linux server, so we re secure

Lecture 10 Code Reuse

Exploits and gdb. Tutorial 5

Vulnerabilities. Code Injection - Buffer overflows. Some Commonly Exploitable Flaws

SoK: Eternal War in Memory

Lecture 09 Code reuse attacks. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017

Università Ca Foscari Venezia

malloc() is often used to allocate chunk of memory dynamically from the heap region. Each chunk contains a header and free space (the buffer in which

20: Exploits and Containment

Libsafe 2.0: Detection of Format String Vulnerability Exploits

Foundations of Network and Computer Security

ENEE 457: Computer Systems Security. Lecture 16 Buffer Overflow Attacks

Buffer Overflow Attack

Lecture 6: Buffer Overflow. CS 436/636/736 Spring Nitesh Saxena

Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include

Advanced Buffer Overflow

Outline. Format string attack layout. Null pointer dereference

Transcription:

Buffer Overflow Attacks

1. Smashing the Stack 2. Other Buffer Overflow Attacks 3. Work on Preventing Buffer Overflow Attacks

Smashing the Stack

An Evil Function void func(char* inp){ } char buffer[16]; strcpy(buffer, inp);

Calling func Stack sp void func(char* inp){ buffer } char buffer[16]; strcpy(buffer, inp); fp <ret> Frames call instruction pushes return address onto stack

Operation of func Stack sp void func(char* inp){ input } char buffer[16]; strcpy(buffer, inp); fp <ret> Frames

C doesn t check bounds... Stack sp void func(char* inp){ input } char buffer[16]; strcpy(buffer, inp); fp Frames return instruction will jump to location specified by input!

The Exploit Stack sp shell code void func(char* inp){ } char buffer[16]; strcpy(buffer, inp); fp sp Frames

Two Questions 1. How does attacker know where buffer starts on the stack?

Two Questions 1. How does attacker know where buffer starts on the stack (referred to as ra)? 2. How does attacker know where to put ra in the input to overwrite <ret>?

Two Questions 1. How does attacker know where buffer starts on the stack? 2. How does attacker know where to put ra in the input to overwrite <ret>? Answer: she doesn t, but she can guess...

Guessing ra Stack has same starting location in all programs Most programs don t ever put more than a few thousand bytes on the stack So, just guess ra!

Adding a Launching Stack Pad sp no ps void func(char* inp){ shell code } char buffer[16]; strcpy(buffer, inp); fp ra Frames

Guessing Where to Put ra in the Input This is really just trial-and-error... But we can improve our chances on this as well.

Improvement Stack sp fp no ps shell code ra ra ra Frames void func(char* inp){ } char buffer[16]; strcpy(buffer, inp);

Final Version of Input no ps shellcode ra ra ra A good value of ra is worked out through trial and error, as is a good length for the input

Other Buffer Overflow Attacks

Arc Injection Input overwrites return address to point to a piece of code not supplied by the attacker For example, system call in libc: register void system(char * arg){ check_validity(arg); R = arg; execl(r,...) } target for attacker

Pointer Subterfuge Attacker overwrites a pointer instead of the return address Example: overwriting a function pointer function pointer void func (char* arg) { char buff[100]; void (*f)() =...; strcpy(buff, arg); f(); } control branches to (*f)

Heap Smashing Exploits buffer overflows in heap rather than on stack Often combined with pointer subterfuge (eg, overwriting a function pointer that is not a local variable) Gaining in popularity

Preventing Buffer Overflows

Stackguard (Cowan et al.) Instruments code during compilation: 1. Augments call instructions to write a canary word next to return address, and push it onto a canary stack 2. Augments return instructions to first check that canary word is intact

ProPolice (Etoh & Yoda) Extension to Stackguard s method: they place canary word between local char[] s and other local variables This protects against pointer subterfuge on the stack

StackShield Similar to StackGuard, but saves a copy of return address to check against If real return address has been overwritten, can either terminate program or use copy and let program keep running

CRED: Bounds Checking for C (Ruwase & Lam) Does bounds checking for all string/char[] accesses Only tool to detect all attacks in a testbed that includes all previously mentioned attacks Adds 26%-130% overhead to the program

Baratloo et al. Two dynamically loaded libraries: Libsafe replaces unsafe library functions with safe versions, and Libverify does return address verification Works on executables Slowdown is < 15% for all tested programs

Baratloo et al. Weaknesses of Libverify: 1. Only prevents attacks that overwrite the return address 2. For technical reasons, has to copy entire function to heap on each call

References Aleph I. Smashing the stack for fun and profit. http://www.phrack.org/phrack/49/p49-16 Baratloo, Singh, and Tsai. Transparent runtime defense against smash stacking attacks. http://www.usenix.org/publications/library/ proceedings/usenix2000/general/full_papers/ baratloo/baratloo.pdf Cowan et al. StackGuard http://www.cse.ogi.edu/disc/projects/immunix/ StackGuard/usenixsc98.ps.gz

References Etoh & Yoda. Protecting from stacksmashing attacks. http://www.trl.ibm.com/projects/security/ ssp/main.html Ruwase & Lam. A practical dynamic buffer overflow detector. http://suif.stanford.edu/papers/tunji04.pdf Stackshield. http://www.angelfire.com/sk/stackshield

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback