Software Security: Buffer Overflow Attacks

Similar documents
Software Security: Buffer Overflow Defenses and Miscellaneous

Software Security: Buffer Overflow Defenses

Software Security: Buffer Overflow Attacks (continued)

Software Security: Miscellaneous

Software Security: Misc and Principles

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Software Security (cont.): Defenses, Adv. Attacks, & More

Software Security: Buffer Overflow Attacks and Beyond

Software Security: Buffer Overflow Attacks and Beyond

Software Security: Buffer Overflow Attacks and Beyond

CS 161 Computer Security

Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin

Runtime Defenses against Memory Corruption

MEMORY SAFETY ATTACKS & DEFENSES

Outline. Memory Exploit

So$ware Security (II): Buffer- overflow Defenses

(Continue) Cryptography + (Back to) Software Security

Software Security II: Memory Errors - Attacks & Defenses

CS 161 Computer Security

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

Software Security; Common Implementation Flaws

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

UMSSIA LECTURE I: SOFTWARE SECURITY

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Fundamentals of Computer Security

CSE 509: Computer Security

Lecture 08 Control-flow Hijacking Defenses

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018

Lecture 4 September Required reading materials for this class

Required reading: StackGuard: Simple Stack Smash Protection for GCC

CSE 484 / CSE M 584: Computer Security and Privacy. Anonymity Mobile. Autumn Tadayoshi (Yoshi) Kohno

Return-orientated Programming

Memory Safety (cont d) Software Security

CNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated

CSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

Secure Software Development: Theory and Practice

Smashing the Buffer. Miroslav Štampar

CSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko

Defeat Exploit Mitigation Heap Attacks. compass-security.com 1

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

Program Security and Vulnerabilities Class 2

Inject malicious code Call any library functions Modify the original code

CMPSC 497 Buffer Overflow Vulnerabilities

Modern Buffer Overflow Prevention Techniques: How they work and why they don t

CS 161 Computer Security

Advanced Systems Security: Ordinary Operating Systems

CSE 127 Computer Security

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

Cryptography [Symmetric Encryption]

Fundamentals of Linux Platform Security

Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)

Cryptography: Symmetric Encryption [continued]

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

Defending Computer Networks Lecture 4: Exploit Defenses. Stuart Staniford Adjunct Professor of Computer Science

20: Exploits and Containment

Buffer overflow prevention, and other attacks

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Outline. Format string attack layout. Null pointer dereference

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Exploit Mitigation - PIE

Page 1. Goals for Today. Buffer Overrun Vulnerabilities. Simple Example. More Serious Exploit Example. Modified Example

CSE 127 Computer Security

Foundations of Network and Computer Security

Lecture 1: Buffer Overflows

CSE 127 Computer Security

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2

CS Exploiting Memory. Vitaly Shmatikov

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

1/31/2007 C. Edward Chow. CS591 Page 1

Advanced Systems Security: Control-Flow Integrity

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures)

Secure Programming I. Steven M. Bellovin September 28,

CSE 484 / CSE M 584: Computer Security and Privacy. Web Security. Autumn Tadayoshi (Yoshi) Kohno

Writing Exploits. Nethemba s.r.o.

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

Control Hijacking Attacks

The Geometry of Innocent Flesh on the Bone

I run a Linux server, so we re secure

CS 161 Computer Security

Bypassing Browser Memory Protections

Buffer overflow risks have been known for over 30 years. Is it still a problem? Try searching at to see.

Outline. Heap meta-data. Non-control data overwrite

Midterm 1 Review. Memory Safety & Web Attacks

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I Solutions

Is Exploitation Over? Bypassing Memory Protections in Windows 7

Buffer overflow background

CSCD 303 Fall Lecture 15 Buffer Overflows

Exploits and gdb. Tutorial 5

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Transcription:

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Autumn 2018 Tadayoshi (Yoshi) Kohno yoshi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Ada Lerner, John Manferdelli, John Mitchell, Franziska Roesner, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...

Admin Lab 1 out, groups being formed Come to quiz section this week! Looking forward This week: More buffer overflows + beyond Also this week: Transition to crypto 10/8/2018 CSE 484 / CSE M 584 2

Buffer Overflow: Causes and Cures Typical memory exploit involves code injection Classic approach: Put malicious code at a predictable location in memory, usually masquerading as data Trick vulnerable program into passing control to it Possible defenses: 1. Prevent execution of untrusted code 2. Stack canaries 3. Encrypt pointers 4. Address space layout randomization 5. Code analysis 6. 10/8/2018 CSE 484 / CSE M 584 3

Executable Space Protection Mark all writeable memory locations as nonexecutable Example: Microsoft s Data Execution Prevention (DEP) This blocks many code injection exploits Hardware support AMD NX bit (no-execute), Intel XD bit (executed disable) (in post-2004 CPUs) Makes memory page non-executable Widely deployed Windows XP SP2+ (2004), Linux since 2004 (check distribution), OS X 10.5+ (10.4 for stack but not heap), Android 2.3+ 10/8/2018 CSE 484 / CSE M 584 4

What Does Executable Space Protection Not Prevent? Can still corrupt stack or function pointers or critical data on the heap As long as saved EIP points into existing code, executable space protection will not block control transfer This is the basis of return-to-libc exploits Overwrite saved EIP with address of any library routine, arrange stack to look like arguments Does not look like a huge threat Attacker cannot execute arbitrary code But? 10/8/2018 CSE 484 / CSE M 584 5

return-to-libc Can still call critical functions, like exec See lab 1, sploit 8 10/8/2018 CSE 484 / CSE M 584 6

return-to-libc on Steroids Overwritten saved EIP need not point to the beginning of a library routine Any existing instruction in the code image is fine Will execute the sequence starting from this instruction What if instruction sequence contains RET? Execution will be transferred to where? Read the word pointed to by stack pointer (ESP) Guess what? Its value is under attacker s control! Use it as the new value for EIP Now control is transferred to an address of attacker s choice! Increment ESP to point to the next word on the stack 10/8/2018 CSE 484 / CSE M 584 7

Chaining RETs for Fun and Profit Can chain together sequences ending in RET Krahmer, x86-64 buffer overflow exploits and the borrowed code chunks exploitation technique (2005) What is this good for? Answer [Shacham et al.]: everything Turing-complete language Build gadgets for load-store, arithmetic, logic, control flow, system calls Attack can perform arbitrary computation using no injected code at all return-oriented programming 10/8/2018 CSE 484 / CSE M 584 8

Return-Oriented Programming 10/8/2018 CSE 484 / CSE M 584 9

Run-Time Checking: StackGuard Embed canaries (stack cookies) in stack frames and verify their integrity prior to function return Any overflow of local variables will damage the canary buf canary sfp ret addr Frame of the calling function Top of stack Local variables Pointer to previous frame Return execution to this address 10/8/2018 CSE 484 / CSE M 584 10

Run-Time Checking: StackGuard Embed canaries (stack cookies) in stack frames and verify their integrity prior to function return Any overflow of local variables will damage the canary buf canary sfp ret addr Frame of the calling function Top of stack Local variables Pointer to previous frame Return execution to this address Choose random canary string on program start Attacker can t guess what the value of canary will be Terminator canary: \0, newline, linefeed, EOF String functions like strcpy won t copy beyond \0 10/8/2018 CSE 484 / CSE M 584 11

StackGuard Implementation StackGuard requires code recompilation Checking canary integrity prior to every function return causes a performance penalty For example, 8% for Apache Web server at one point in time StackGuard can be defeated A single memory write where the attacker controls both the value and the destination is sufficient 10/8/2018 CSE 484 / CSE M 584 12

Defeating StackGuard Suppose program contains strcpy(dst,buf) where attacker controls both dst and buf Example: dst is a local pointer variable buf dst canary sfp RET Return execution to this address 10/8/2018 CSE 484 / CSE M 584 13

Defeating StackGuard Suppose program contains strcpy(dst,buf) where attacker controls both dst and buf Example: dst is a local pointer variable buf dst canary sfp RET Return execution to this address BadPointer, attack code canary sfp RET 10/8/2018 CSE 484 / CSE M 584 14

Defeating StackGuard Suppose program contains strcpy(dst,buf) where attacker controls both dst and buf Example: dst is a local pointer variable buf dst canary sfp RET Return execution to this address BadPointer, attack code &RET canary sfp RET Overwrite destination of strcpy with RET position 10/8/2018 CSE 484 / CSE M 584 15

Defeating StackGuard Suppose program contains strcpy(dst,buf) where attacker controls both dst and buf Example: dst is a local pointer variable buf dst canary sfp RET Return execution to this address BadPointer, attack code &RET canary sfp RET Overwrite destination of strcpy with RET position strcpy will copy BadPointer here 10/8/2018 CSE 484 / CSE M 584 16

More on Defeating StackGuard Attacker sets buf to contain (first) a pointer to another region in buf with the attack code, and then (second) the attack code Attacker sets dst, to contain the address where RET is stored (recall the assumption that the attacker can also set dst) When the strcpy happens, memory beginning at the address of RET is overwritten with the contents of buf This puts BadPointer in the location of RET Recall that BadPointer is a value for the address at which the attack code starts (in buf) 10/8/2018 CSE 484 / CSE M 584 17

ASLR: Address Space Randomization Randomly arrange address space of key data areas for a process Base of executable region Position of stack Position of heap Position of libraries Introduced by Linux PaX project in 2001 Adopted by OpenBSD in 2003 Adopted by Linux in 2005 10/8/2018 CSE 484 / CSE M 584 22

ASLR: Address Space Randomization Deployment (examples) Linux kernel since 2.6.12 (2005+) Android 4.0+ ios 4.3+ ; OS X 10.5+ Microsoft since Windows Vista (2007) (not by default) Attacker goal: Guess or figure out target address (or addresses) ASLR more effective on 64-bit architectures 10/8/2018 CSE 484 / CSE M 584 23

ASLR Issues NOP slides and heap spraying to increase likelihood for custom code (e.g., on heap) Brute force attacks or memory disclosures to map out memory on the fly Disclosing a single address can reveal the location of all code within a library, depending on the ASLR implementation 10/8/2018 CSE 484 / CSE M 584 24

Other Possible Solutions Use safe programming languages, e.g., Java What about legacy C code? (Though Java doesn t magically fix all security issues ) Static analysis of source code to find overflows Dynamic testing: fuzzing Modern compiler options, e.g., incorporate stack canaries 10/8/2018 CSE 484 / CSE M 584 25

Beyond Buffer Overflows 10/8/2018 CSE 484 / CSE M 584 26

Another Type of Vulnerability Consider this code: int openfile(char *path) { struct stat s; if (stat(path, &s) < 0) return -1; if (!S_ISRREG(s.st_mode)) { error("only allowed to regular files!"); return -1; } return open(path, O_RDONLY); } Goal: Open only regular files (not symlink, etc) What can go wrong? 10/8/2018 CSE 484 / CSE M 584 27

TOCTOU (Race Condition) TOCTOU == Time of Check to Time of Use: int openfile(char *path) { struct stat s; if (stat(path, &s) < 0) return -1; if (!S_ISRREG(s.st_mode)) { error("only allowed to regular files!"); return -1; } return open(path, O_RDONLY); } Goal: Open only regular files (not symlink, etc) Attacker can change meaning of path between stat and open (and access files he or she shouldn t) 10/8/2018 CSE 484 / CSE M 584 28

This TOCTOU Example In call to open, pass O_NOFOLLOW to not follow symbolic links Call fstat on open file descriptor Nice reference: https://developer.apple.com/library/archive/ documentation/security/conceptual/securec odingguide/articles/raceconditions.html 10/8/2018 CSE 484 / CSE M 584 - Fall 2017 29

Another Type of Vulnerability Consider this code: char buf[80]; void vulnerable() { int len = read_int_from_network(); char *p = read_string_from_network(); if (len > sizeof buf) { error("length too large, nice try!"); return; } memcpy(buf, p, len); } void *memcpy(void *dst, const void * src, size_t n); typedef unsigned int size_t; 10/8/2018 CSE 484 / CSE M 584 30

Implicit Cast Consider this code: char buf[80]; void vulnerable() { int len = read_int_from_network(); char *p = read_string_from_network(); if (len > sizeof buf) { error("length too large, nice try!"); return; } memcpy(buf, p, len); } void *memcpy(void *dst, const void * src, size_t n); typedef unsigned int size_t; If len is negative, may copy huge amounts of input into buf. 10/8/2018 CSE 484 / CSE M 584 31

Another Example size_t len = read_int_from_network(); char *buf; buf = malloc(len+5); read(fd, buf, len); (from www-inst.eecs.berkeley.edu implflaws.pdf) 10/8/2018 CSE 484 / CSE M 584 32

Integer Overflow size_t len = read_int_from_network(); char *buf; buf = malloc(len+5); read(fd, buf, len); What if len is large (e.g., len = 0xFFFFFFFF)? Then len + 5 = 4 (on many platforms) Result: Allocate a 4-byte buffer, then read a lot of data into that buffer. (from www-inst.eecs.berkeley.edu implflaws.pdf) 10/8/2018 CSE 484 / CSE M 584 33

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback