CMPSC 497 Buffer Overflow Vulnerabilities

Similar documents
Memory Corruption Vulnerabilities, Part I

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

Lecture 08 Control-flow Hijacking Defenses

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

CSC 2400: Computing Systems. X86 Assembly: Function Calls"

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

BUFFER OVERFLOW. Jo, Heeseung

Buffer Overflow. Jo, Heeseung

Buffer overflows. Specific topics:

20: Exploits and Containment

Project 1 Buffer Overflow

Is stack overflow still a problem?

Assembly Language: Function Calls

Program Security and Vulnerabilities Class 2

Assembly Language: Function Calls" Goals of this Lecture"

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities

Basic Buffer Overflows

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

Assembly Language: Function Calls. Goals of this Lecture. Function Call Problems

Assembly Language: Function Calls" Goals of this Lecture"

CMPSC 497: Midterm Review

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

CSE 509: Computer Security

Fundamentals of Computer Security

X86 Review Process Layout, ISA, etc. CS642: Computer Security. Drew Davidson

Buffer Overflows Defending against arbitrary code insertion and execution

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Advanced Systems Security: Ordinary Operating Systems

Function Calls COS 217. Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site)

Buffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers.

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

CSC 2400: Computing Systems. X86 Assembly: Function Calls

Sungkyunkwan University

Advanced Systems Security: Control-Flow Integrity

Advanced System Security: Vulnerabilities

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Buffer Overflow Vulnerability

Software Security: Buffer Overflow Defenses

Secure Systems Engineering

Stacks and Frames Demystified. CSCI 3753 Operating Systems Spring 2005 Prof. Rick Han

Computer Systems CEN591(502) Fall 2011

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

CS 161 Computer Security

CS642: Computer Security

Runtime attacks are major threats to today's applications Control-flow of an application is compromised at runtime Typically, runtime attacks include

Procedure Calls. Young W. Lim Sat. Young W. Lim Procedure Calls Sat 1 / 27

Lecture 4 September Required reading materials for this class

Buffer Overflows. Buffer Overflow. Many of the following slides are based on those from

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Buffer Overflow Attacks

18-600: Recitation #4 Exploits

Software Security II: Memory Errors - Attacks & Defenses

Topics in Software Security Vulnerability

Architecture-level Security Vulnerabilities

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

Exercise 6: Buffer Overflow and return-into-libc Attacks

Advanced Buffer Overflow

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

Machine-Level Programming V: Buffer overflow

Buffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I Solutions

CSE 544 Advanced Systems Security

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

Software Security: Buffer Overflow Attacks (continued)

(Early) Memory Corruption Attacks

Advanced Systems Security: Ordinary Operating Systems

CSE 127 Computer Security

CS 161 Computer Security

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Lecture 1: Buffer Overflows

CSE 127 Computer Security

CSE 127 Computer Security

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

Selected background on ARM registers, stack layout, and calling convention

CMPSC 497 Other Memory Vulnerabilities

CSE 565 Computer Security Fall 2018

Procedure Calls. Young W. Lim Mon. Young W. Lim Procedure Calls Mon 1 / 29

18-600: Recitation #4 Exploits (Attack Lab)

Defense against Code-injection, and Code-reuse Attack

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e Feb 11, 13, 15, and 25. Winter Session 2018, Term 2

Machine Programming 5: Buffer Overruns and Stack Exploits

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

Buffer Overflow Vulnerability Lab Due: September 06, 2018, Thursday (Noon) Submit your lab report through to

String Oriented Programming Exploring Format String Attacks. Mathias Payer

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

logistics LEX assignment out exam in on week come with questions on Monday (review)

Software Security: Buffer Overflow Attacks

Topics. What is a Buffer Overflow? Buffer Overflows

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

Buffer Overflow Attack (AskCypert CLaaS)

Transcription:

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Buffer Overflow Vulnerabilities Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University 1

Buffer Overflow Early example of a method to exploit a memory error in a C program Discovered in the 1970s Leveraged by the Morris Worm in 1988 first large scale exploit Leveraged by subsequent attacks in the early 2000s that led to security rethink Still a problem today Check out CVEs for buffer overflow 2

Memory Error A memory error allows a program statement to access memory beyond that allocated for the variables processed in the statement Common case: Buffer overflow The C language allows writes to memory addresses specified by pointers char buf[10] buf can be used as a pointer C functions enable writing based on the size of the input or a length value strcpy and strncpy However, neither limits the write to the allocated buf 3

Morris Worm Robert Morris, a 23-year old Cornell PhD student Wrote a small (99 line) program Launched on November 3, 1988 Simply disabled the Internet Used a buffer overflow in a program called fingerd To get adversary-controlled code running Then spread to other hosts cracked passwords and leveraged open LAN configurations Covered its tracks (set is own process name to sh, prevented accurate cores, re-forked itself) 4

Process Address Space higher memory address lower memory address Stack Data Text Text: static code Data: also called heap static variables dynamically allocated data (malloc, new) Stack: program execution stacks

Program Stack For implementing procedure calls and returns Keep track of program execution and state by storing local variables arguments to the called procedure (callee) return address of the calling procedure (caller)...

Program Stack *Slide by Robert Seacord

Stack Frames Stack grows from high mem to low mem addresses The stack pointer points to the top of the stack ESP in Intel architectures The frame pointer points to the end of the current frame also called the base pointer EBP in Intel architectures The stack is modified during function calls, function initializations, returning from a function

A Running Example void function(int a, int b) { char buffer[12]; gets(buffer); return; } void main() { } int x; x = 0; function(1,2); x = 1; printf("%d\n",x); Run gcc S o example.s example.c to see its assembly code

Function Calls function (1,2) pushl $2 pushl $1 call function push the 2 nd arg to stack push the 1 st arg to stack push the ret addr onto the stack, and jumps to the function 10

Function Calls: Stacks Before After esp ebp stack frame for main esp ebp ret 1 2 stack frame for main

Function Initialization void function(int a, int b) { pushl %ebp movl %esp, %ebp subl $12, %esp saves the frame pointer sets the new frame pointer allocate space for local variables Procedure prologue

Function Initialization: Stacks Before After esp esp ebp ret 1 2 stack frame for main ebp buffer old ebp ret 1 2 stack frame for main

Function Return return; movl %ebp, %esp popl %ebp ret restores the old stack pointer restores the old frame pointer gets the return address, and jumps to it

Function Return: Stacks Before After esp ebp buffer old ebp ret 1 2 stack frame for main esp ebp buffer old ebp ret 1 2 stack frame for main

Return to Calling Function In main again following return pushl $2 pushl $1 call function addl $8, %esp restores the stack pointer

Return to Calling Function: Stacks Before After esp ebp buffer old ebp ret 1 2 stack frame for main ebp buffer old ret ebp esp 2 1 stack frame for main

A Running Example void function(int a, int b) { char buffer[12]; gets(buffer); return; } void main() { int x; x = 0; function(1,2); x = 1; printf("%d\n",x); } esp ebp buffer old ebp ret 1 2 stack frame for main

Overwriting the Return Address void function(int a, int b) { char buffer[12]; gets(buffer); int* ret = (int *)buffer+?; *ret =?; return; } esp ebp buffer old ebp ret 1 2 stack frame for main

Overwriting the Return Address void function(int a, int b) { char buffer[12]; gets(buffer); int* ret = (int *) buffer+16; *ret = *ret + 10; // addl and store constant 1 } return; The output will be 0 void main() { int x; x = 0; function(1,2); x = 1; printf("%d\n",x); } the original return address the new return address

Previous Attack Not very realistic Attackers are usually not allowed to modify code Threat model: the only thing they can affect is the input Can they still carry out similar attacks? YES, because of possible buffer overflows 21

Buffer Overflows A buffer overflow occurs when data is written outside of the boundaries of the memory allocated to a particular data structure (buffer) Happens when buffer boundaries are neglected and unchecked Can be exploited to modify memory after buffer Stack: return address, local variables, function pointers, etc. Heap: data structures and metadata (next time) 22

Smashing the Stack Occurs when a buffer overflow overwrites other data in the program stack Successful exploits can overwrite the return address on the stack enabling the execution of arbitrary code on the targeted machine What happens if we input a large string?./example ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff Segmentation fault why is that? 23

What Happened? The Stack is Smashed void function(int a, int b) { } char buffer[12]; gets(buffer); return; If the input is large, then gets(buffer) will write outside the bound of buffer, and the return address is overwritten with ffff (in ASCII), which likely is not a legal code address seg fault f buffer old febp ret f 1 2 stack frame for main 24

Figure Out A Nasty Input void function (int a, int b) { char buffer[12]; gets(buffer); return; } void main() { int x; x = 0; function(1,2); x = 1; printf("%d\n",x); } ret 1 2 stack frame for main A nasty input puts the return address after x=1. Arc injection 25

Injecting Code void function (int a, int b) { char buffer[12]; gets(buffer); return; } void main() { int x; x = 0; function(1,2); x = 1; printf("%d\n",x); } Injected code ret 1 2 stack frame for main The injected code can do anything. E.g., download and install a worm 26

Code Injection Attacker creates a malicious argument a specially crafted string that contains a pointer to malicious code provided by the attacker When the function returns, control is transferred to the malicious code Injected code runs with the permission of the vulnerable program when the function returns. Programs running as root or other elevated privileges are normally targeted Programs with the setuid bit on 27

Injecting Shell Code execve ( /bin/sh ) ret 1 2 stack frame for main This brings up a shell Adversary can execute any command in the shell The shell has the same privilege as the process Usually a process with the root privilege is attacked 28

Injecting Shell Code How do you invoke execve using injected code? 29

Injecting Shell Code Inject the address of the execve function onto the stack execve is a function in libc that is dynamically linked into the process address space In order for your executable to invoke a function in a library it must be able to find that address itself as well How is that done? Your program calls execve thru a stub (procedure linkage table), which retrieves the address set at link time (in the global offset table) 30

Injecting Shell Code Example of PLT code (from objdump -dl) 08048730 <execve@plt>: 8048730: ff 25 1c d1 04 08 jmp *0x804d11c 8048736: 68 28 00 00 00 push $0x28 804873b: e9 90 ff ff ff jmp 80486d0 08048740 <strncpy@plt>: 8048740: ff 25 20 d1 04 08 jmp *0x804d120 8048746: 68 30 00 00 00 push $0x30 804874b: e9 80 ff ff ff jmp 80486d0 31

Any C(++) code acting on untrusted input is at risk Code taking input over untrusted network E.g., sendmail, web browser, wireless network driver,... Code taking input from untrusted user on multi-user system, esp. services running with high privileges (as ROOT on Unix/Linux, as SYSTEM on Windows) Code processing untrusted files that have been downloaded or emailed Also embedded software, e.g., in devices with (wireless) network connection such as mobile phones with Bluetooth, wireless smartcards in new passport or OV card, airplane navigation systems,... 32

Preventing Buffer Overflows How do you prevent buffer overflows? 33

Preventing Buffer Overflows How do you prevent buffer overflow attacks? Block any of the necessary conditions Check buffer bounds Use a safe function to read input Prevent unauthorized modification of the return address without detection Prevent execution of stack memory Make it impractical for the adversary to find the code she wants to execute, such as execve 34

Preventing Buffer Overflows How do you prevent buffer overflow attacks? Block any of the necessary conditions Check buffer bounds Use a safe function to read input Prevent unauthorized modification of the return address without detection Prevent execution of stack memory Make it impractical for the adversary to find the code she wants to execute, such as execve 35

Buffer Overflow Defense Preventing Buffer Overflows How do you prevent buffer overflow attacks? Previous Function Canary on the stack Block Func any Parameters of the necessary conditions Random value placed between the local vars Return Check buffer Address bounds and the return Use CANARY a safe function to read input address If canary is modified, Prevent Local unauthorized Var modification of the return program is stopped address without detection Have we solved buffer Prevent execution of stack memory Buffer overflows? Make it impractical for the adversary to find the code she wants to execute, such as execve Local Var Systems CSE543 and - Introduction Internet Infrastructure to Computer Security and Network (SIIS) Security Laboratory 36 X

DEP and W xor X An approach to prevent code injection on the stack is to make the stack non-executable Technique is called DEP (Windows) and W xor X (Linux) Idea: Each memory region is either writable (like data) or executable (like code), but not both Prevents code injection on stack, but not invoking functions directly 37

Take Away Memory errors enable processes to write to memory outside the expectation range The classic example is the buffer overflow, which is still a common attack vector today A buffer overflow vulnerability allows an adversary to overwrite the memory beyond the buffer on the stack But runtime state is also on the stack return address We discussed methods to inject and reuse code Available defenses are not complete 38

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback