CSE 565 Computer Security Fall 2018

Similar documents
Program Security and Vulnerabilities Class 2

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

Buffer Overflow Attacks

1/31/2007 C. Edward Chow. CS591 Page 1

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Fundamentals of Computer Security

Buffer overflow background

Buffer overflow prevention, and other attacks

Software Security: Buffer Overflow Defenses

Runtime Defenses against Memory Corruption

Software Security: Buffer Overflow Attacks (continued)

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Lecture 4 September Required reading materials for this class

UMSSIA LECTURE I: SOFTWARE SECURITY

Lecture 9 Assertions and Error Handling CS240

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

Lecture 1: Buffer Overflows

We will focus on Buffer overflow attacks SQL injections. See book for other examples

Vulnerabilities. Code Injection - Buffer overflows. Some Commonly Exploitable Flaws

Buffer Overflow Defenses

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

CS 161 Computer Security

Information Security CS 526

Buffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers.

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Secure Programming I. Steven M. Bellovin September 28,

Buffer Overflows Defending against arbitrary code insertion and execution

Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Review

Software Security II: Memory Errors - Attacks & Defenses

Software Security: Buffer Overflow Attacks

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Control Hijacking Attacks

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

Software Security (cont.): Defenses, Adv. Attacks, & More

Buffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

CSE 565 Computer Security Fall 2018

Software Security: Buffer Overflow Defenses and Miscellaneous

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CSE 127 Computer Security

CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

CSE 127 Computer Security

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures)

Reserve Engineering & Buffer Overflow Attacks. Tom Chothia Computer Security, Lecture 17

CS 161 Computer Security

Buffer Overflow and Format String Overflow Vulnerabilities

CMPSC 497 Buffer Overflow Vulnerabilities

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Lecture 08 Control-flow Hijacking Defenses

Basic Buffer Overflows

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CSCD 303 Fall Lecture 15 Buffer Overflows

Topics in Software Security Vulnerability

CSE 127 Computer Security

Secure Systems Engineering

Buffer Overflow Vulnerability

Control Flow Hijacking Attacks. Prof. Dr. Michael Backes

Secure Software Development: Theory and Practice

CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR

Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)

Fundamentals of Linux Platform Security

Is stack overflow still a problem?

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

Advanced Buffer Overflow

Software Security: Buffer Overflow Attacks and Beyond

20: Exploits and Containment

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Università Ca Foscari Venezia

Smashing the Buffer. Miroslav Štampar

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM

Architecture-level Security Vulnerabilities

Memory Safety (cont d) Software Security

Modern Buffer Overflow Prevention Techniques: How they work and why they don t

Writing Exploits. Nethemba s.r.o.

Outline. Format string attack layout. Null pointer dereference

Lecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall Nitesh Saxena

Biography. Background

So$ware Security (II): Buffer- overflow Defenses

SoK: Eternal War in Memory

CSE 509: Computer Security

Foundations of Network and Computer Security

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

Lab 2: Buffer Overflows

Buffer Overflow & Format Strings

Software Security: Buffer Overflow Attacks and Beyond

Buffer Overflow Vulnerability Lab Due: September 06, 2018, Thursday (Noon) Submit your lab report through to

(Early) Memory Corruption Attacks

BUFFER OVERFLOW. Jo, Heeseung

Buffer Overflow. Jo, Heeseung

Stack Overflow COMP620

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

From Over ow to Shell

ISA564 SECURITY LAB. Code Injection Attacks

Transcription:

CSE 565 Computer Security Fall 2018 Lecture 14: Software Security Department of Computer Science and Engineering University at Buffalo 1

Software Security Exploiting software vulnerabilities is paramount to computer break-ins Common software vulnerabilities input validation buffer overflow integer overflow format string problems interaction with environment variables failure to handle errors 2

Buffer Overflow Buffer overflow is a very common software vulnerability the first major exploit was Morris Internet Worm in 1988 that exploited buffer overflow in fingerd many others followed, such as Code Red worm in 2001 large percentage of all exploits in CERT vulnerability advisories describe buffer overflow or heap overflow problems check US-CERT (United States Computer Emergency Readiness Team) alerts and ICS-CERT (Industrial Control Systems Cyber Emergency Response Team) advisories Buffer overflows often lead to total compromise of the host 3

Buffer Overflow A buffer overflow or buffer overrun is a condition under which more input can be placed in a buffer than the allocated capacity the extra input for which there is no allocated memory overwrites other information the locations being overwritten could hold other variables, parameters, and control flow data such as return addresses Developing buffer overflow attacks includes locating buffer overflow within an application designing an exploit Attacker needs to know which CPU and OS are running on the target machine 4

Buffer Overflow Simple example of buffer overflow in C void func(char *str1) { char str2[8]; } strcpy(str2, str1); printf("%s, %s\n", str1, str2); what happens if we callfunc("abc")? how aboutfunc("reallylongstring")? The problem occurs becausestrcpy doesn t check the amount of data being copied 5

Buffer Overflow Not all languages are vulnerable some languages (Java, Python) provide strong type checking and have predefined operations on types they don t permit storing more data than allocated space but safety comes at resource usage cost Writing an exploit involves understanding process memory and stack layout in what direction the stack grows what data and in what order are placed on the stack how information is represented 6

Process Memory Layout Generic process memory layout stack high addresses run time heap global data text (machine code) low addresses 7

Stack Buffer Overflow Stack buffer overflow or stack smashing occurs when the buffer is located on the stack When a function is called, its data are placed on the stack this includes arguments, local variables, and return address The calling function first pushes the parameters for the called function onto the stack normally in the reverse order executes the call instruction which pushes the return address onto the stack 8

Stack Buffer Overflow The called function pushes the current frame pointer onto the stack the frame pointer points to the calling routine s stack sets the frame pointer to be the current stack pointer value allocates space for local variables runs the called function sets the stack pointer back to the value of the frame pointer pops the old frame pointer executes the return instruction which pops the return address off the stack giving control to the calling function The calling function pops parameters off the stack and continues 9

Stack Buffer Overflow Suppose functionf1 callsf2(param1, param2) f1: return address f2: old frame pointer param2 param1 return address in f1 old frame pointer var1 var2 frame pointer stack pointer 10

Stack Buffer Overflow Let s go back to our code example void func(char *str1) { char str2[8]; } strcpy(str2, str1); printf("%s, %s\n", str1, str2); The stack will look like str2 fptr ret addr str1 top of stack What ifstr1 is 16 bytes long? After copying we get str1 new addr str1 top of stack 11

Stack Buffer Overflow Now suppose thatstr1 looks like this str1 ret addr code for f top of stack where programf: exec("/bin/sh") Now when functionfunc exits, the user will be given a shell What happens attack code runs on the stack to determine the return address, attacker needs to guess position of the stack whenfunc is called 12

Stack Buffer Overflow The main problem with the above program was that there is no range checking instrcpy() Some unsafe C library functions strcpy(char *dest, char *src) strcat(char *dest, char *src) gets(char *str) scanf(const char *format,...) printf(const char *format,...) 13

Buffer Overflow Execution As an example, consider attacking a web server web server has a function with buffer overflow vulnerability which takes a URL attacker can craft a long URL to obtain shell on web server Difficulties in constructing buffer overflow exploit exploit code cannot contain the \0 character overflow should not crash the program before the vulnerable function exits 14

Buffer Overflow How does one find buffer overflow vulnerabilities? do it yourself run the program (such as a web server) on your local machine use long inputs with a specific pattern if the program crashes, search core dump for the pattern to determine overflow location use an existing automated tool e.g., eeye Retina scanner, ISIC (IP Stack Integrity & Stability Checker) Once a vulnerability is found, use disassemblers and debuggers to construct an exploit 15

Buffer Overflow What can be done to defend against buffer overflow attacks? Various mechanisms exist compile-time defenses type safe language choice static code analysis safe libraries stack protection run-time defenses stack protection address space randomization 16

Buffer Overflow Defenses Choice of programming language some languages (Java, ML) have a strong notion of variable type and define a set of permitted operations on them they are not vulnerable to buffer overflow attacks if they use external libraries written in an unsafe language, they can still be vulnerable such languages are becoming increasingly popular disadvantages there is resource consumption cost at both compile time and run time some functionality might be lost due to the distance from the architecture and machine language 17

Buffer Overflow Defenses Static source code analysis statically check source code to detect buffer overflows this allows to automate code review process there are several consulting companies and several existing tools Coverity, Microsoft PREfix and PREfast, etc. find many bugs, but not all Safe coding practices buffer overflows can be prevented by handling errors gracefully first check buffer size to ensure that sufficient space has been allocated more complex data structure require additional care 18

Buffer Overflow Defenses Example problems that can be detected through static source code analysis null pointer dereference use after freeing double freeing array indexing errors mismatched array on create/delete potential stack overrun potential heap overrun returning pointer to local variables logically inconsistent code uninitialized variables invalid use of negative values underallocations of dynamic data memory leaks file handle leaks network resource leaks unused values unhandled return values use of invalid iterators 19

Buffer Overflow Defenses Use of safe libraries replace standard unsafe library routines with a safer version Libsafe (by Avaya Labs) is a well-known example dynamically loaded library ensures that copy operations don t extend beyond the current stack frame e.g., in strcpy(dest, src), if loc(f p) loc(dest) > strlen(src), permit copy; otherwise, terminate the application fptr ret addr dest src local buf fptr ret addr top of stack libsafe main Language extensions for adding range checking also exist 20

Buffer Overflow Defenses Stack protection mechanisms mark stack segment as non-executable this will prevent several types of buffer overflow attacks this is supported in SP2, code patches exist for Linux, Solaris there are disadvantages it does not prevent all types of overflow exploits some applications need executable stack (e.g., LISP interpreters) disallow changes to the stack frame during function execution instruct the function entry and exist code to check the stack for corruption if any modification is found, abort the program 21

Buffer Overflow Defenses StackGuard is one of the best known stack protection mechanisms insert a canary value between the old frame pointer address and local variables the entry code places a canary, and the exit code checks it for corruption local vars canary fptr ret addr params top of stack random canary the canary value is chosen at random during program startup it is known to all functions, but unpredictable to attacker 22

Buffer Overflow Defenses StackGuard (cont.) terminator canary set canary value to \0 (or an equivalent terminator value) string functions will not copy beyond the terminator attacker cannot use string functions to corrupt stack StackGuard can be used as a GCC extension performance overhead is minimal: 8% for Apache web server similar functionality exists for Windows newer version PointGuard offers protection against more types of overflow exploits 23

StackGuard (cont.) disadvantages Buffer Overflow Defenses all programs that require protection need to be recompiled can cause problems with other programs such as debuggers some stack smashing attacks can leave canaries untouched StackShield stack frame is protected without altering the stack with canaries on function entry, added code writes a copy of the return address to a safe memory region the exit code compares the return address with the stored value and aborts the program in case of corruption StackShield is also available as a GCC extension 24

Buffer Overflow Defenses Randomization buffer overflow exploits need to know (virtual) address to which to pass control address of attack code in the buffer address of library routines for return-to-libc attack the same address is used on many machines Slammer worm infected 75,000 MS SQL servers using the same code on every machine the idea is to introduce artificial diversity make stack and other addresses unpredictable and different from one machine to another 25

Buffer Overflow Defenses Address space randomization arrange key data areas randomly in address space of a process e.g., positions of heap, stack, libraries correct address guessing is significantly more difficult support for this defense exists in many operating systems Instruction set randomization each program has a different and secret instruction set uses translator to randomize instructions at load time attacker no longer can execute her own code what constitutes the instruction set depends on the environment 26

Other Types of Overflow Attacks Frame pointer replacement the attack overwrites the buffer and stored frame pointer str1 new fpt ret addr str1 top of stack the buffer contains a dummy stack frame with a return address pointing to the shellcode in the same buffer this can be used when only a limited buffer overflow is possible Off-by-one attack as a variant of the above attack, a programming error might permit copying just one byte more than the available space this happens when the size of the buffer is checked incorrectly 27

Other Types of Overflow Attacks Off-by-one attack (cont.) example code: void f(char *str) { char buf[16]; if (strlen(str) <= sizeof(buf)) { strcpy(buf, str); } } only one byte of the frame pointer can be overwritten str1 new fpt ret addr str1 top of stack it corresponds to the least significant byte on x86 architectures a one byte change might be enough! 28

Other Types of Overflow Attacks Return to system call attack also known as return-to-libc attack assume that the stack is made non-executable as a protection mechanism a new type of attack overwrites the return address to jump to existing code system() call inlibc is most commonly used what needs to be done overwrite frame pointer with a suitable value replace return address with address of the library function write a value that the library function will believe is return address 29

Other Types of Overflow Attacks Return to system call attack (cont.) finally, specify parameters to the library function i.e., call the shell system() in libc str1 ret addr fake ret addr top of stack "/bin/sh" what happens? when the attacked function returns, it transfers control to the return address, which calls the library function the library function treats the value on top of the stack as a return address and the values before as its parameters 30

Other Types of Overflow Attacks Heap overflow with stack protection techniques, attackers started exploiting overflows in non-stack buffers the heap that stores dynamically allocated data structures is such a target if heap contains a buffer vulnerable to overflow, other data on the heap may be overwritten heap doesn t contain return addresses to transfer controls, but can contain pointers to functions attacker can overwrite the pointer to reference code in the same buffer that calls shellcode if the function is called, the attack can succeed 31

Other Types of Overflow Attacks Heap overflow (cont.) defenses include making heap non-executable and heap address randomization Other types of overflow similar vulnerabilities exist for static (global) data such data is allocated in different space, but the treats remain similar to heap overflow finally, there are also integer overflow and format string overflow attacks 32

Buffer Overflow Resources Additional articles Smashing the stack for fun and profit by Aleph One, 1996 Buffer overflows: attacks and defenses for the vulnerability of the decade by Cowan at el., 2000 Bypassing non-executable-stack during exploitation using return-to-libc by c0ntex, 2005 What is next other types of software vulnerabilities input validation, environment variables, race conditions, etc. 33

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback