Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Similar documents
Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Advanced System Security: Vulnerabilities

CSE543 - Introduction to Computer and Network Security

CMPSC 497 Buffer Overflow Vulnerabilities

CSE 509: Computer Security

Memory Corruption Vulnerabilities, Part II

Software Security: Buffer Overflow Defenses

CS 161 Computer Security

Lecture 4 September Required reading materials for this class

Software Security: Buffer Overflow Attacks

CSE 565 Computer Security Fall 2018

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Software Security: Buffer Overflow Attacks (continued)

CS 161 Computer Security

Secure Programming I. Steven M. Bellovin September 28,

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

Memory Corruption 101 From Primitives to Exploit

ISA564 SECURITY LAB. Code Injection Attacks

20: Exploits and Containment

Lecture 08 Control-flow Hijacking Defenses

CSE / / 60567: Computer Security. Software Security 4

Code Injection Attacks Buffer Overflows

CMPSC 497 Other Memory Vulnerabilities

Advanced Systems Security: Ordinary Operating Systems

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Basic Buffer Overflows

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

Secure Software Programming and Vulnerability Analysis

Buffer overflow prevention, and other attacks

Lecture 9 Assertions and Error Handling CS240

Syed Kamran Haider Department of Electrical & Computer Engineering University of Connecticut

Lec06: DEP and ASLR. Taesoo Kim

Intrusion Detection and Malware Analysis

Exploits and gdb. Tutorial 5

Module: Advanced Program Vulnerabilities and Defenses. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

System Security Class Notes 09/23/2013

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CSE 127 Computer Security

CSCE 548 Building Secure Software Integers & Integer-related Attacks & Format String Attacks. Professor Lisa Luo Spring 2018

Software Security: Buffer Overflow Defenses and Miscellaneous

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

EURECOM 6/2/2012 SYSTEM SECURITY Σ

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

Play with FILE Structure Yet Another Binary Exploitation Technique. Abstract

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

CSE 127 Computer Security

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)

CSE 127 Computer Security

Secure C Coding...yeah right. Andrew Zonenberg Alex Radocea

BUFFER OVERFLOW. Jo, Heeseung

Buffer Overflow. Jo, Heeseung

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

CMPSC 497: Midterm Review

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Software Security II: Memory Errors - Attacks & Defenses

CSE 565 Computer Security Fall 2018

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

CSE Computer Security

Buffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

CSE Computer Security (Fall 2006)

This exam contains 7 pages (including this cover page) and 4 questions. Once we tell you to start, please check that no pages are missing.

Is Exploitation Over? Bypassing Memory Protections in Windows 7

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

CSE 544 Advanced Systems Security

CNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated

UMSSIA LECTURE I: SOFTWARE SECURITY

Changelog. Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part

Lecture 1: Buffer Overflows

CSC 405 Computer Security Stack Canaries & ASLR

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I Solutions

Buffer overflow background

CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR

Cling: A Memory Allocator to Mitigate Dangling Pointers. Periklis Akritidis

Return-orientated Programming

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

Dnmaloc: a more secure memory allocator

Program Security and Vulnerabilities Class 2

Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

Advanced Systems Security: Control-Flow Integrity

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

CS 31: Intro to Systems Pointers and Memory. Martin Gagne Swarthmore College February 16, 2016

CMSC 414 Computer and Network Security

C and C++: vulnerabilities, exploits and countermeasures

This exam contains 8 pages (including this cover page) and 4 questions. Once we tell you to start, please check that no pages are missing.

malloc() is often used to allocate chunk of memory dynamically from the heap region. Each chunk contains a header and free space (the buffer in which

SoK: Eternal War in Memory

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

CS161 Midterm 1 Review

Runtime Defenses against Memory Corruption

Transcription:

CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1 1

Programming Why do we write programs? Function What functions do we enable via our programs? Some we want -- some we don t need Adversaries take advantage of such hidden function 2 2

Broad Attack Categories Control-flow Attacks Adversary directs program control-flow E.g., return address overwrite through buffer overflow Data Attacks Adversary exploits flaw to read/modify unexpected data E.g., critical variable overwrite through buffer overflow Code Injection Attacks Adversary tricks the program into executing their input E.g., SQL injection attacks Other types of attacks on unauthorized access (later) See CWE (http://cwe.mitre.org/) 3 3

Memory Errors Control and data attacks are possible because some programming languages allow memory errors C and C++ for example A memory error occurs when the program allows an access to a variable to read/write to memory beyond what is allocated to that variable E.g., read/write beyond the end of a string Access memory next to the string Memory errors may be exploited to change the program s control-flow or data-flow or to injection code 4 4

A Simple Program void myfunc() { char string[16]; printf("enter a string\n"); scanf( %s, string); printf( You entered: %s\n, string); } int main() { myfunc(); } 5-1 5

A Simple Program void myfunc() { char string[16]; printf("enter a string\n"); scanf( %s, string); printf( You entered: %s\n, string); } int main() { myfunc(); } 5-2 5

A Simple Program void myfunc() { char string[16]; printf("enter a string\n"); scanf( %s, string); printf( You entered: %s\n, string); } int main() { myfunc(); } 5-3 5

What Happened? Brief refresher on program address space Stack -- local variables Heap -- dynamically allocated (malloc, free) Data -- global, uninitialized variables Text -- program code Stack Heap Data Text 6 6

Stack What Happened? main() parameters(argc, argv) return address saved frame pointer main() local vars myfunc() parameters (void) return address saved frame pointer myfunc() local vars string[16] 7-1 7

Stack What Happened? main() parameters(argc, argv) return address saved frame pointer main() local vars myfunc() parameters (void) return sghfjdsh address saved gjlkhgfd frame pointer myfunc() jlkseghrueioshja local vars string[16] 7-2 7

Stack Exploiting Buffer Overflow main() parameters(argc, argv) return address saved frame pointer main() local vars myfunc() parameters (void) return address saved frame pointer myfunc() local vars string[16] 8-1 8

Stack Exploiting Buffer Overflow main() parameters(argc, argv) return address saved frame pointer main() local vars myfunc() parameters (void) return addr address + 8 saved my frame evil code pointer myfunc() more evil local code vars string[16] 8-2 8

Prevent Code Injection 9-1 9

Prevent Code Injection What if we made the stack non-executable? AMD NX-bit More general: W (xor) X (DEP in Windows) 9-2 9

Prevent Code Injection What if we made the stack non-executable? AMD NX-bit More general: W (xor) X (DEP in Windows) 9-3 9

Prevent Code Injection What if we made the stack non-executable? AMD NX-bit More general: W (xor) X (DEP in Windows) myfunc() parameters (void) return address saved frame pointer myfunc() local vars string[16] 9-4 9

Prevent Code Injection What if we made the stack non-executable? AMD NX-bit More general: W (xor) X (DEP in Windows) myfunc() parameters (void) return address saved frame pointer myfunc() local vars string[16] 9-5 9

Prevent Code Injection What if we made the stack non-executable? AMD NX-bit More general: W (xor) X (DEP in Windows) myfunc() parameters (void) return pc of libc address call() saved arguments frame pointer for libc call myfunc() local vars string[16] 9-6 9

Protect the Return Address main() parameters(argc, argv) return address saved frame pointer main() local vars myfunc() parameters (void) return address Canary on the stack Random value placed between the local vars and the return address If canary is modified, program is stopped Have we solved buffer overflows? saved frame pointer myfunc() local vars string[16] 10 10-1

Protect the Return Address main() parameters(argc, argv) return address saved frame pointer main() local vars myfunc() parameters (void) return address CANARY Canary on the stack Random value placed between the local vars and the return address If canary is modified, program is stopped Have we solved buffer overflows? saved frame pointer myfunc() local vars string[16] 10 10-2

Canary Shortcomings main() parameters(argc, argv) return address saved frame pointer main() local vars myfunc() parameters (void) return address saved frame pointer myfunc() local vars string[16]?????? Other local variables? Frame pointers? Anything left unprotected on stack can be used to launch attacks Not possible to protect everything Varargs Structure members Performance 11-1 11

Canary Shortcomings main() parameters(argc, argv) return address saved frame pointer main() local vars myfunc() parameters (void) return address CANARY saved frame pointer myfunc() local vars string[16]?????? Other local variables? Frame pointers? Anything left unprotected on stack can be used to launch attacks Not possible to protect everything Varargs Structure members Performance 11-2 11

A Simple Program int authenticated = 0; char packet[1000]; while (!authenticated) { PacketRead(packet); if (Authenticate(packet)) authenticated = 1; } if (authenticated) ProcessPacket(packet); 12 12

A Simple Program int authenticated = 0; char packet[1000]; while (!authenticated) { PacketRead(packet); if (Authenticate(packet)) authenticated = 1; } if (authenticated) ProcessPacket(packet); What if packet is only 1004 bytes? myfunc() parameters return address CANARY saved frame pointer int authenticated char packet[1000] 13 13

Overflow of Local Variables Don t need to modify return address Local variables may affect control What kinds of local variables would impact control? Ones used in conditionals (example) Function pointers What can you do to prevent that? 14 14

A Simple Program int authenticated = 0; char *packet = (char *)malloc(1000); while (!authenticated) { PacketRead(packet); if (Authenticate(packet)) authenticated = 1; } if (authenticated) ProcessPacket(packet); What if we allocate the packet buffer on the heap? 15 15

Heap Overflows Overflows on heap also possible char *packet = malloc(1000) ptr[1000] = M ; Classical heap overflow corrupts metadata Heap metadata maintains chunk size, previous and next pointers,... Heap metadata is inline with heap data And waits for heap management functions (malloc, free) to write corrupted metadata to target locations 16 16

Heap Overflows Heap allocators maintain a doubly-linked list of allocated and free chunks malloc() and free() modify this list http://www.sans.edu/student-files/presentations/heap_overflows_notes.pdf 17 17

Heap Overflows chunk2->bk->fd = chunk2->fd chunk2->fd->bk = chunk2->bk 18-1 18

Heap Overflows free() removes a chunk from allocated list chunk2->bk->fd = chunk2->fd chunk2->fd->bk = chunk2->bk 18-2 18

Heap Overflows free() removes a chunk from allocated list chunk2->bk->fd = chunk2->fd chunk2->fd->bk = chunk2->bk 18-3 18

Heap Overflows free() removes a chunk from allocated list chunk2->bk->fd = chunk2->fd chunk2->fd->bk = chunk2->bk 18-4 18

Heap Overflows free() removes a chunk from allocated list chunk2->bk->fd = chunk2->fd chunk2->fd->bk = chunk2->bk By overflowing chunk2, attacker controls bk and fd Controls both where and what data is written! Arbitrarily change memory (e.g., function pointers) 18-5 18

Heap Overflows By overflowing chunk2, attacker controls bk and fd Controls both where and what data is written! Assign chunk2->fd to value to want to write Assign chunk2->bk to address X (where you want to write) Less an offset of the fd field in the structure Free() removes a chunk from allocated list chunk2->bk->fd = chunk2->fd chunk2->fd->bk = chunk2->bk What s the result? 19 19

Heap Overflows By overflowing chunk2, attacker controls bk and fd Controls both where and what data is written! Assign chunk2->fd to value to want to write Assign chunk2->bk to address X (where you want to write) Less an offset of the fd field in the structure Free() removes a chunk from allocated list chunk2->bk->fd = chunk2->fd addrx->fd = value chunk2->fd->bk = chunk2->bk What s the result? value->bk = addrx Change a memory address to a new pointer value (in data) 20 20

Heap Overflow Defenses Separate data and metadata e.g., OpenBSD s allocator (Variation of PHKmalloc) Sanity checks during heap management free(chunk2) --> assert(chunk2->fd->bk == chunk2) assert(chunk2->bk->fd == chunk2) Added to GNU libc 2.3.5 Randomization Q. What are analogous defenses for stack overflows? 21 21

Other Heap Attacks Heap spraying Combat randomization by filling heap with allocated objects containing malicious code Use another vulnerability to overwrite a function pointer to any heap address, hoping it points to a sprayed object Heuristic defenses e.g., NOZZLE: If heap data is like code, flag attack Use-after-free Type confusion 22-1 22

Other Heap Attacks Heap spraying Combat randomization by filling heap with allocated objects containing malicious code Use another vulnerability to overwrite a function pointer to any heap address, hoping it points to a sprayed object Heuristic defenses e.g., NOZZLE: If heap data is like code, flag attack Use-after-free Type confusion 22-2 22

Another Simple Program int size = BASE_SIZE; char *packet = (char *)malloc(1000); char *buf = (char *)malloc(1000+base_size); strcpy(buf, FILE_PREFIX); size += PacketRead(packet); if (size >= 1000+BASE_SIZE)) { return(-1) } else strcat(buf, packet); fd = open(buf); } Any problem with this conditional check? 23 23

Integer Overflow Signed variables represent positive and negative values Consider an 8-bit integer: -128 to 127 Weird math: 127+1 =??? This results in some strange behaviors size += PacketRead(packet) What is the possible value of size? if ( size >= 1000+BASE_SIZE ) { What is the possible result of this condition? How do we prevent these errors? 24 24

Another Simple Program int size = BASE_SIZE; char *packet = (char *)malloc(1000); char *buf = (char *)malloc(1000+base_size); strcpy(buf, FILE_PREFIX); size += PacketRead(packet); if ( size < 1000+BASE_SIZE) { } strcat(buf, packet); fd = open(buf); printf(packet); Any problem with this printf? 25 25

Format String Vulnerability Attacker control of the format string results in a format string vulnerability printf is a very versatile function %s - dereferences (crash program) %x - print addresses (leak addresses, break ASLR) %n - write to address (arbitrarily change memory) Never use printf(string); Instead, use printf( %s, string); 26 26

A Simple Program int authenticated = 0; char *packet = (char *)malloc(1000); while (!authenticated) { PacketRead(packet); if (Authenticate(packet)) authenticated = 1; } if (authenticated) ProcessQuery( Select, partof(packet)); Any problem with this query request? 27 27

Parsing Errors Have to be sure that user input can only be used for expected function SQL injection: user provides a substring for an SQL query that changes the query entirely (e.g., add SQL operations to query processing) SELECT * FROM students WHERE student_name = 'Robert ; Many scripting languages convert data between types automatically -- are not type-safe -- so must be extra careful 28 28

Character Strings String formats Unicode ASCII -- 0x00 -- 0x7F non-ascii -- 0x80 -- 0xF7 Also, multi-byte formats Decoding is a challenge URL: [IPaddr]/scripts/..%c0%af../winnt/system32 Decodes to /winnt/system32 Markus Kuhn s page on Unicode resources for Linux www.cl.cam.ac.uk/~mgk25/unicode.html 29 29

Take Away Programs have function Adversaries can exploit unexpected functions Vulnerabilities due to malicious input Subvert control-flow or critical data Buffer, heap, integer overflows, format string vulnerabilities Injection attacks Application-dependent If applicable, write programs in languages that eliminate classes of vulnerabilities E.g., Type-safe languages such as Java 30 30

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback