Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities

Similar documents
Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

Is stack overflow still a problem?

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

x86 assembly CS449 Fall 2017

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures)

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

Memory corruption countermeasures

CSC 2400: Computing Systems. X86 Assembly: Function Calls"

Assembly Language: Function Calls

CMPSC 497 Buffer Overflow Vulnerabilities

Assembly Language: Function Calls" Goals of this Lecture"

Assembly Language: Function Calls" Goals of this Lecture"

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 21: Generating Pentium Code 10 March 08

Function Calls COS 217. Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site)

Secure Programming Lecture 5: Memory Corruption III (Countermeasures)

Buffer overflow risks have been known for over 30 years. Is it still a problem? Try searching at to see.

Assembly Language: Function Calls. Goals of this Lecture. Function Call Problems

Buffer Overflows Defending against arbitrary code insertion and execution

Buffer Overflow Vulnerability

X86 Review Process Layout, ISA, etc. CS642: Computer Security. Drew Davidson

putting m bytes into a buffer of size n, for m>n corrupts the surrounding memory check size of data before/when writing

CPS104 Recitation: Assembly Programming

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING

Secure Programming Lecture 4: Memory Corruption II (Stack & Heap Overflows)

SYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14

Procedure Calls. Young W. Lim Mon. Young W. Lim Procedure Calls Mon 1 / 29

putting m bytes into a buffer of size n, for m>n corrupts the surrounding memory check size of data before/when writing

Buffer overflow background

Buffer Overflow Vulnerability Lab Due: September 06, 2018, Thursday (Noon) Submit your lab report through to

Machine Programming 3: Procedures

CSC 2400: Computing Systems. X86 Assembly: Function Calls

Secure Programming Lecture 4: Memory Corruption II (Stack & Heap Overflows)

Practical Malware Analysis

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Università Ca Foscari Venezia

CS241 Computer Organization Spring 2015 IA

Assembly level Programming. 198:211 Computer Architecture. (recall) Von Neumann Architecture. Simplified hardware view. Lecture 10 Fall 2012

What the CPU Sees Basic Flow Control Conditional Flow Control Structured Flow Control Functions and Scope. C Flow Control.

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

CS 31: Intro to Systems Functions and the Stack. Martin Gagne Swarthmore College February 23, 2016

Lecture 08 Control-flow Hijacking Defenses

x86 architecture et similia

Exercise 6: Buffer Overflow and return-into-libc Attacks

Buffer Overflow Attack

CS 33: Week 3 Discussion. x86 Assembly (v1.0) Section 1G

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Procedure Calls. Young W. Lim Sat. Young W. Lim Procedure Calls Sat 1 / 27

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

Lecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall Nitesh Saxena

CS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2017 Lecture 7

Lecture 04 Control Flow II. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Based on Michael Bailey s ECE 422

Exploits and gdb. Tutorial 5

W4118: PC Hardware and x86. Junfeng Yang

Compiler Construction D7011E

Low-Level Essentials for Understanding Security Problems Aurélien Francillon

Buffer overflow prevention, and other attacks

CS642: Computer Security

Digital Forensics Lecture 3 - Reverse Engineering

CS 392/681 Lab 6 Experiencing Buffer Overflows and Format String Vulnerabilities

CS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2016 Lecture 12

ISA564 SECURITY LAB. Shellcode. George Mason University

Intel assembly language using gcc

CS 31: Intro to Systems ISAs and Assembly. Martin Gagné Swarthmore College February 7, 2017

CS165 Computer Security. Understanding low-level program execution Oct 1 st, 2015

Processes (Intro) Yannis Smaragdakis, U. Athens

buffer overflow exploitation

CPEG421/621 Tutorial

Stacks and Frames Demystified. CSCI 3753 Operating Systems Spring 2005 Prof. Rick Han

Lab 10: Introduction to x86 Assembly

CNIT 127: Exploit Development. Ch 3: Shellcode. Updated

What is a Compiler? Compiler Construction SMD163. Why Translation is Needed: Know your Target: Lecture 8: Introduction to code generation

administrivia today start assembly probably won t finish all these slides Assignment 4 due tomorrow any questions?

18-600: Recitation #4 Exploits

CIT Week13 Lecture

The Geometry of Innocent Flesh on the Bone

Week 5, continued. This is CS50. Harvard University. Fall Cheng Gong

CSC 2400: Computer Systems. Using the Stack for Function Calls

Lecture 6: Buffer Overflow. CS 436/636/736 Spring Nitesh Saxena

University of Washington

C Compilation Model. Comp-206 : Introduction to Software Systems Lecture 9. Alexandre Denault Computer Science McGill University Fall 2006

ANITA S SUPER AWESOME RECITATION SLIDES

Advanced Buffer Overflow

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

CSE 565 Computer Security Fall 2018

x86 assembly CS449 Spring 2016

CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

CSE 509: Computer Security

CMSC 313 Lecture 12. Project 3 Questions. How C functions pass parameters. UMBC, CMSC313, Richard Chang

HW 8 CS681 & CS392 Computer Security Understanding and Experimenting with Memory Corruption Vulnerabilities DUE 12/18/2005

CSC 8400: Computer Systems. Using the Stack for Function Calls

Module 3 Instruction Set Architecture (ISA)

Question 4.2 2: (Solution, p 5) Suppose that the HYMN CPU begins with the following in memory. addr data (translation) LOAD 11110

Basic Buffer Overflows

Architecture-level Security Vulnerabilities

Function Call Convention

Process Layout and Function Calls

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

Transcription:

Secure Programming Lecture 3: Memory Corruption I (introduction) David Aspinall, Informatics @ Edinburgh 24th January 2019 Roadmap: Security in the software lifecycle Security is considered at different stages in the Secure Software Development Life Cycle (SSDLC) The overall phases are: 1 Design (requirements, architecture) 2 Implementation (tests, coding) 3 Deployment (configuration, feedback) We focus mainly on the coding stage Roadmap: From vulnerabilities to security This course emphasises removing and avoiding vulnerabilities in software rather than crafting exploits to break code, or using digital forensics to discover what happened after-the-fact But insight into exploits is needed to understand the reason for vulnerabilities It also helps to understand how and why defensive programming practices and tools work Question Can you think of other reasons why a (white hat) security researcher might want to work on exploits? Roadmap: Kinds of vulnerability Software vulnerabilities fall into categories, for example: memory corruption errors injection broken authentication bad cryptography and others We ll look at vulnerability taxonomies later Memory corruption vulnerabilities This lecture begins our look at code vulnerabilities, starting with memory corruption Memory corruption vulnerabilities let the attacker cause the program to write to areas of memory (or write certain values) that the programmer did not intend In the worst cases, these can lead to arbitrary command execution under the attacker s control We examine vulnerabilities, exploits, defences and repair Reasons for memory corruption Memory corruption vulnerabilities arise from possible: buffer overflows, in different places stack overflows heap overflows other programming mistakes pointer arithmetic mistakes type confusion errors

The nuts and bolts We begin with classic stack overflows Most of you have seen examples of this already The idea is to bring everyone to the same point, so we give some instant background If you don t know these details already, this lecture will indicate where you should study more Make sure you understand Lectures 3, 4 and 5 before Lab 2 If you have only studied high-level programming languages before you should spend time on this or you will find the lab difficult Programming in C or assembler Low-level programs manipulate memory directly Advantage: efficient, precise Disadvantage: easy to violate data abstractions Memory safety arbitrary access to memory pointers and pointer arithmetic mistakes violate memory safety A programming language or analysis tool is said to enforce memory safety if it ensures that reads and writes stay within clearly defined memory areas, belonging to different parts of the program Memory areas are often delineated with types and a typing discipline Von Neumann programming model Von Neumann model: code and data are the same stuff Von Neumann architecture implements this in hardware helped revolution in Computing 1950s 1970s But has drawbacks: data path and control path overloaded (bottleneck) code/data abstraction blurred self-modifying code not always safe Close to the metal Question What are the trusted bits of code in this picture? In what way do we trust them? Further from the metal Question What are the trusted bits of code in this picture? In what way do we trust them? Processes and memory A process is a running program managed by the operating system Processes are organised into several memory areas: 1 Code where the compiled program (or shared libraries) reside 2 Data where non-local program variables are stored This contains global or static variables and the program heap for dynamically allocated data 3 Stack which records dynamically allocated data for each of the currently executing functions/methods This includes local variables, the current object reference (often) and the return address The OS (with the CPU, language runtime) can provide varying amounts of protection between these areas

You should know Java C uses a similar syntax It has no objects but pointers to memory locations (&val, *ptr) arbitrary-length strings, terminated with ASCII NUL fixed-size structs for records of values explicit dynamic allocation with malloc() It has no exceptions but function return code conventions Is generally more relaxed about type errors uninitialised variables But modern compilers give strong warnings these days, errors by default can instrument C code with debug/defence code #include <stdioh> void main(int argc, char *argv[]) { int c; printf("number of arguments passed: %d\n", argc); for (c = 0 ; c < argc ; c++) { printf("argument %d is: %s\n", c, argv[c]); $ gcc showargsc -o showargs $ /showargs this is my test Number of arguments passed: 5 Argument 0 is: /showargs Argument 1 is: this Argument 2 is: is Argument 3 is: my Argument 4 is: test $ #include <stdlibh> #include <stringh> #include <stdioh> typedef struct list { int hd; struct list *tl; list_t; void printlist(list_t *l) { while (l!= NULL) { printf("%i\n",l->hd); l=l->tl; int main(int argc, char *argv[]) { int c; list_t *cell = NULL; for (c = argc-1; c > 0; c--) { list_t *newcell = malloc(sizeof(list_t)); (*newcell)hd = (int)(strlen(argv[c])); newcell->tl = cell; cell = newcell; if (cell!= NULL) printlist(cell); $ gcc structegc -o structeg $ /structeg this is my different test 4 2 2 9 4 Exercise If you haven t programmed C before, try these examples and some others simple programs from a textbook Write a program to reverse its list of argument words Instant assembler programming x86: hundreds of instructions! But in families: Data movement: MOV Arithmetic: ADD, FDIV, IDIV, MUL, Logic: AND, OR, XOR, Control: JMP, CALL, LEAVE, RET, General registers are split into pieces: 32 bits : EAX (extended A) 16 bits : AX 8 bits : AH AL (high and low bytes of A) Others are pointers to segments, index offsets ESP: stack pointer EBP: base pointer (aka frame pointer) ESI, EDI: source, destination index register (We ll stick to x86 32-bit instructions in this course, 64-bit is slightly different)

Instant assembler programming Here is a file movcc: int value; int *ptr; void main() { value = 7; ptr = &value; *ptr = value * 13; Compile this to assembly code with: $ gcc showargsc -S -m32 movcc This produces a file movcs shown next Instant assembler programming data value: ptr: text long 2 long 2 movl $7, %eax ; set EAX to 7 movw %ax, value ; value is now 7 movl $value, ptr ; set ptr = address of value movl ptr, %ecx ; ECX to same movl value, %edx ; EDX = 7 movl %edx, %eax ; EAX = 7 addl %eax, %eax ; EAX = 14 (2*7) addl %edx, %eax ; EDX = 7 + 14 = 21 sall $2, %eax ; EAX = 21 * 4 = 84 (12 * 7) addl %edx, %eax ; EAX = 7 + 84 = 91 (13 * 7) movl %eax, (%ecx) ; set value = 91 Exercise If you haven t looked at assembly programs before, compile some small C programs and try to understand the compiled asssembler, at least roughly Fun and profit Stack overflow attacks were first carefully explained in Smashing the stack for fun and profit, a paper written by Aleph One for the hacker s magazine Phrack, issue 49, in 1996 Stack overflows are mainly relevant for C, C++ and other unsafe languages with raw memory access (eg, pointers and pointer arithmetic) Languages with built-in memory safety such as Java, C#, Python, etc, are immune to the worst attacks providing their language runtimes and native libraries have no exploitable flaws Stack overflow: high level view How the stack works How the stack works return address attack code buffer The malicious argument overwrites all of the space allocated for the buffer, all the way to the return address location The return address is altered to point back into the stack, somewhere before the attack code Typically, the attack code executes a shell Recall Abstract Data Type (encapsulation) principles: access to data possible only by ADT operations only data built via operations can be represented Recall the stack Abstract Data Type, a first-in first-out queue: push(x): add an element X to the top pop(): remove and return the top element The program stack (aka function stack, runtime stack) holds stack frames (aka activation records) for each function that is invoked Very common mechanism for high-level language implementation So has special CPU support stack pointer registers: on x86, ESP frame pointer registers: on x86, EBP push and pop machine instructions Exact mechanisms vary by CPU, OS, language, compiler, compiler flags NB: in pictures, some authors draw stacks growing upwards on the page! I will draw stacks that grow downwards

How the stack works Stack usage with function calls Stack usage with function calls high addresses Stack void fun1(char arg1, int arg2) { char *buffer[5]; int i; frame for main() previous stack pointer low addresses Data Code fun1 has two arguments arg1 and arg2 Actual parameters may be passed to the function body on the stack or in registers; the precise mechanism is called the calling convention fun1 has two local variables buffer and i Local variables are allocated space on the stack frame for fun1() arg2 arg1 return address i buffer stack pointer Memory A frame pointer may be used to help locate arguments and local variables Frame pointers Assembly code for function calls Assembly code for function calls frame for main() previous stack, frame pointers Let s see assembly code produced by gcc compiling C programs on Linux (32 bit x86), using gcc -S frame for fun1() arg2 arg1 return address old frame ptr i buffer frame pointer stack pointer int main() { return 0; produces: main: pushl %ebp ; save EBP, the old frame pointer movl %esp, %ebp ; the new frame pointer for body of main() movl $0, %eax ; the return value in EAX popl %ebp ; restore the old frame pointer ret void fun1(char arg1, int arg2) { char *buffer[5]; int i; *buffer[0] = (char)i; void main() { fun1('a',77);

fun1: main: pushl %ebp ; save previous frame pointer movl %esp, %ebp ; set new frame pointer subl $36, %esp ; allocate enough space for locals movl -24(%ebp), %eax ; EAX = address of buffer[0] movl -4(%ebp), %edx ; EDX = i movb %dl, (%eax) ; Set buffer[0] to be low byte of i leave ; drop frame ret ; return pushl %ebp ; save previous frame pointer movl %esp, %ebp ; set new frame pointer subl $8, %esp ; allocate space for fun1 parameters movl $77, 4(%esp) ; store arg2 movl $97, (%esp) ; store arg1 (ASCII 'a') call fun1 ; invoke fun1 leave ; drop frame ret ; return Exercise Draw the detailed layout of the stack when the frame for fun1() is active Review questions Program execution Explain the points of trust that exist when a Linux user runs a program by executing a binary file Buffer overflows How do they arise? In what sense are some languages considered immune from buffer overflow attacks? Runtime stack basics Describe how function parameters and local variables are allocated on the runtime stack Write a C program with two nested function calls, compile it to x86 assembler and explain the code Next time We ll continue looking at the detail of stack and buffer overflow exploits Tuesday 29th 9am AT 505: Lab 1 We are going to use some of the SEEDlabs on Software security The first lab will be an introduction to some basics and demonstrating issues with Environments and SUID You may like to prepare for this lab in advance, and/or try the earlier labs on buffer overflow and return-to-libc

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback