Fundamentals of Linux Platform Security


Fundamentals of Linux Platform Security Security Training Course Dr. Charles J. Antonelli The University of Michigan 2012

Linux Platform Security
Module 8: Arbitrary Code Execution: Threats & Countermeasures

Buffer Overflows

Linux Architecture (figure)
  User space: many user processes
  Kernel: VFS (UFS, NFS), RPC/XDR, TCP/IP, Security, Memory Manager, Scheduler, Communication, Drivers

Process Memory (figure)
  Virtual addresses from 0xFFFFFFFF (top) down to 0x00000000 (bottom): Stack, Heap, Uninitialized Data, Initialized Data, Code

Linux Architecture: Creating a process
  Two intertwined system calls
  A parent process calls fork()
    Creates a child process
    » An exact copy of the parent
    » Including uid, open files, devices, network connections
  The child process calls exec(executable)
    Overlays itself with the named executable
    » Retains uid, open files, devices, network connections

Linux Architecture: Creating trouble
  exec() may be called without fork()
    Useful paradigm: tcpd execs the wrapped application after validation
  So what happens if a process calls exec("/bin/sh")?
    Process becomes a command shell
    Running with the overlaid process's credentials
    » If the process was running as root, so is the shell
    Connected to the same network connections
    » If the process was connected to your keyboard, so is the shell
    » If the process was connected to a client, so is the shell
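The point of the last slide is that exec() keeps the caller's open descriptors, so whatever replaces the process inherits its sockets. The following added example (not from the course slides) makes that inheritance observable and shows the usual mitigation, marking a descriptor close-on-exec with FD_CLOEXEC (or opening it with O_CLOEXEC). It assumes a POSIX system with /bin/sh.

```c
/* Added example, not from the course slides: an open file descriptor
 * survives exec() unless it is marked close-on-exec, which is exactly why
 * an overlaid /bin/sh is "connected to the same network connections".
 * Marking descriptors FD_CLOEXEC (or opening them with O_CLOEXEC) is the
 * mitigation shown. Assumes a POSIX system with /bin/sh. */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Creates a pipe, optionally marks its write end close-on-exec, then forks
 * a child that execs /bin/sh and tries to write through the inherited
 * descriptor number. Returns the bytes the parent reads back: 3 ("hi\n")
 * when the descriptor was inherited, 0 when exec() closed it, -1 on a
 * setup failure. */
int bytes_received_through_inherited_fd(int close_on_exec)
{
    int fds[2];
    if (pipe(fds) == -1)
        return -1;
    if (close_on_exec && fcntl(fds[1], F_SETFD, FD_CLOEXEC) == -1)
        return -1;

    /* The command names the write end by number, as any program overlaid
     * with exec() would find it. */
    char cmd[64];
    snprintf(cmd, sizeof cmd, "echo hi >&%d", fds[1]);

    pid_t pid = fork();
    if (pid == -1)
        return -1;
    if (pid == 0) {
        /* Child: silence the shell's own "bad file descriptor" complaint
         * in the close-on-exec case, then overlay ourselves with sh. */
        int devnull = open("/dev/null", O_WRONLY);
        if (devnull != -1)
            dup2(devnull, STDERR_FILENO);
        execl("/bin/sh", "sh", "-c", cmd, (char *)NULL);
        _exit(127);                       /* exec failed */
    }

    /* Parent: give up its own write end so read() sees EOF once the child
     * is done (or never held the descriptor at all). */
    close(fds[1]);
    char buf[16];
    int total = 0;
    for (;;) {
        ssize_t n = read(fds[0], buf, sizeof buf);
        if (n <= 0)
            break;
        total += (int)n;
    }
    close(fds[0]);
    int status;
    waitpid(pid, &status, 0);
    return total;
}

int main(void)
{
    printf("inherited fd:  %d bytes\n", bytes_received_through_inherited_fd(0));
    printf("close-on-exec: %d bytes\n", bytes_received_through_inherited_fd(1));
    return 0;
}
```

The same rule applies to a listening socket or an accepted client connection: a network daemon that does not mark its descriptors close-on-exec hands every one of them to whatever it (or an attacker who reaches exec()) overlays itself with.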

Smashing the stack, Part I
  A calling function will write its return address into a memory data structure called the stack
  When the called function is finished, the processor will jump to whatever address is stored in the stack
  Suppose Local Variable 1 is an array of integers of some fixed size
  Suppose our called function doesn't check boundary conditions properly and writes values past the end of the array
  The first value beyond the end of the array overwrites the saved frame pointer on the stack
  The second value overwrites the return address on the stack
  When the called function returns, the processor jumps to the overwritten address

Smashing the stack (figures, a sequence of five slides)
  Stack layout, high addresses (0xFFFFFFFF) at the top and low addresses (0x00000000) at the bottom: Parameter 3, Parameter 2, Parameter 1, Return Address (RA), Saved FP (FP), Local Variable 1, Local Variable 2 (SP)
  Step 1: the copy fills Local Variable 1 with attacker-supplied values
  Step 2: the next value replaces the Saved FP
  Step 3: the next value replaces the Return Address
  Step 4: the next value replaces Parameter 1

Smashing the stack, Part II
  Suppose the attacker has placed malicious code somewhere in memory and overwrites that address on the stack
  Now the attacker has forced your process to execute her code
  Where to place the code?
    Simplest to put it in the buffer that is being overflowed
  How to get the code into the buffer?
    Examine the source code
    Look for copy functions that don't check bounds
    » gets, strcpy, strcat, sprintf, ...
    Look for arguments to those functions that are under the attacker's control and not validated by the victim code
    » Environment variables, format strings, URLs, ...
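The review step on the last slide, "copy functions that don't check bounds" fed by "arguments under the attacker's control", is what the following added example (not from the course slides) makes concrete: the unchecked strcpy pattern next to a bounded replacement that measures first and rejects input that does not fit. It uses only the C standard library; the environment-variable input in main() is one of the attacker-controlled sources the slide lists.

```c
/* Added example, not from the course slides: the unchecked copy the slides
 * warn about, next to a bounded replacement. Uses only the C standard
 * library. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 16   /* room for 15 characters plus the NUL terminator */

/* Vulnerable: strcpy stops only at the source's NUL, so an argument longer
 * than NAME_LEN - 1 characters writes past `name`, into the saved frame
 * pointer and return address that sit above it on the stack. */
void greet_unchecked(const char *arg)
{
    char name[NAME_LEN];
    strcpy(name, arg);            /* no bound on how much is copied */
    printf("hello, %s\n", name);
}

/* Hardened: measure first, with the scan itself bounded, and reject input
 * that does not fit rather than truncating it silently. memchr never looks
 * beyond NAME_LEN bytes, so an unterminated argument cannot run it off the
 * end either. Returns 0 on success, -1 when the input is rejected. */
int greet_checked(const char *arg)
{
    char name[NAME_LEN];
    if (arg == NULL)
        return -1;                /* e.g. getenv() of an unset variable */

    const char *nul = memchr(arg, '\0', NAME_LEN);
    if (nul == NULL)
        return -1;                /* no terminator within NAME_LEN bytes */

    size_t len = (size_t)(nul - arg);   /* < NAME_LEN, so the NUL fits too */
    memcpy(name, arg, len + 1);
    printf("hello, %s\n", name);
    return 0;
}

/* One attacker-controlled source from the slides' list: an environment
 * variable. The checked path copes with both absence and excess length. */
int main(void)
{
    greet_unchecked("bob");       /* safe only because the literal is short */
    return greet_checked(getenv("USER")) == 0 ? 0 : 1;
}
```

Note that swapping strcpy for strncpy is not a fix on its own: strncpy does not write a terminator when the source fills the destination, so the next read of `name` runs off the end instead. Rejecting over-long input (or explicitly truncating and terminating) is the behaviour a reviewer should look for.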

Blaster (variant) Worm
  Blaster used a buffer overflow attack against the Microsoft RPC server
  We'll inspect a trace of a Blaster infection
    Real data, filtered and anonymized
  Who can spot the shellcode?

History
  An unpatched Windows laptop was brought to U-M and connected to the wireless network
    At home, it lived comfortably behind a firewall
  Connected at 19:30:13
  Infected at 19:41:13
  Noticed by HackFinder a day or so later
  Attack traffic captured by a packet vault

Details
  Lab materials
    cd /usr/local/lab/blaster
    Contains compressed libpcap format trace file
    Hint: it's not necessary to uncompress the entire trace file, and don't try to use Wireshark
  Attack information
    Victim IP = 10.10.10.189
    Attacker IP = 10.10.10.29
    Victim connected 19:30:13
    Victim infected 19:41:13
  View Blaster documentation on class Web site
  Find and characterize the attack!
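The lab hint above steers away from Wireshark and towards reading the libpcap file directly. The following added example (not part of the lab materials) is a minimal reader for the classic pcap file format that walks the records and counts TCP segments from one host to a given port on another, which is the first step of characterizing the attack. The lab's real capture is not reproduced: the trace is constructed in memory, the two addresses are the lab's, and the timestamps and the third host are made up. It handles only the little-endian magic and the Ethernet link type.

```c
/* Added example, not part of the lab materials: a minimal libpcap-format
 * reader that counts TCP segments from one host to a port on another.
 * The trace is constructed in memory (the lab's real capture is not
 * reproduced): the two addresses are the lab's, the timestamps and the
 * third host are made up. Handles the little-endian magic and Ethernet
 * link type only. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPV4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                          ((uint32_t)(c) << 8) | (uint32_t)(d))
#define PCAP_MAGIC_LE 0xa1b2c3d4u
#define LINKTYPE_ETHERNET 1u
#define FRAME_LEN (14 + 20 + 20)   /* Ethernet + IPv4 + TCP, no payload */

static void wr32le(uint8_t *p, uint32_t v)
{ p[0] = v; p[1] = v >> 8; p[2] = v >> 16; p[3] = v >> 24; }
static uint32_t rd32le(const uint8_t *p)
{ return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24); }
static uint32_t rd32be(const uint8_t *p)
{ return ((uint32_t)p[0] << 24) | (p[1] << 16) | (p[2] << 8) | p[3]; }
static uint16_t rd16be(const uint8_t *p)
{ return (uint16_t)((p[0] << 8) | p[1]); }

/* Walks the records and returns how many carry a TCP segment from src_ip to
 * dst_ip with destination port dport; -1 if the file header is not the
 * little-endian, Ethernet-linktype pcap this reader understands. */
int count_tcp_to_port(const uint8_t *t, size_t len,
                      uint32_t src_ip, uint32_t dst_ip, uint16_t dport)
{
    if (len < 24 || rd32le(t) != PCAP_MAGIC_LE || rd32le(t + 20) != LINKTYPE_ETHERNET)
        return -1;
    int hits = 0;
    size_t off = 24;
    while (off + 16 <= len) {
        uint32_t incl = rd32le(t + off + 8);      /* captured length */
        const uint8_t *pkt = t + off + 16;
        if (incl > len - off - 16)
            break;                                /* truncated record */
        if (incl >= 14 + 20 && pkt[12] == 0x08 && pkt[13] == 0x00) {
            const uint8_t *ip = pkt + 14;         /* EtherType IPv4 */
            size_t ihl = (size_t)(ip[0] & 0x0f) * 4;
            if ((ip[0] >> 4) == 4 && ip[9] == 6 && incl >= 14 + ihl + 4 &&
                rd32be(ip + 12) == src_ip && rd32be(ip + 16) == dst_ip &&
                rd16be(ip + ihl + 2) == dport)
                hits++;
        }
        off += 16 + incl;
    }
    return hits;
}

/* Appends one record holding an Ethernet/IPv4/TCP SYN with no payload. */
static size_t put_packet(uint8_t *p, uint32_t ts_sec,
                         uint32_t src, uint32_t dst, uint16_t dport)
{
    wr32le(p, ts_sec); wr32le(p + 4, 0);
    wr32le(p + 8, FRAME_LEN); wr32le(p + 12, FRAME_LEN);
    uint8_t *eth = p + 16;
    memset(eth, 0, FRAME_LEN);
    eth[12] = 0x08; eth[13] = 0x00;                  /* EtherType IPv4 */
    uint8_t *ip = eth + 14;
    ip[0] = 0x45; ip[3] = 40; ip[8] = 64; ip[9] = 6;  /* v4/IHL 5, len, TTL, TCP */
    for (int i = 0; i < 4; i++) {
        ip[12 + i] = (uint8_t)(src >> (24 - 8 * i));
        ip[16 + i] = (uint8_t)(dst >> (24 - 8 * i));
    }
    uint8_t *tcp = ip + 20;
    tcp[0] = 0xc0; tcp[1] = 0x00;                    /* source port 49152 */
    tcp[2] = (uint8_t)(dport >> 8); tcp[3] = (uint8_t)dport;
    tcp[12] = 0x50; tcp[13] = 0x02;                  /* data offset 5, SYN */
    return 16 + FRAME_LEN;
}

/* Constructed trace: some browsing by the victim, then three connection
 * attempts from the attacker to the victim's MS RPC port (135/tcp). */
static size_t build_sample_trace(uint8_t *out)
{
    const uint32_t victim = IPV4(10, 10, 10, 189), attacker = IPV4(10, 10, 10, 29);
    const uint32_t web = IPV4(10, 10, 10, 1);                /* made up */
    wr32le(out, PCAP_MAGIC_LE);
    out[4] = 2; out[5] = 0; out[6] = 4; out[7] = 0;          /* version 2.4 */
    wr32le(out + 8, 0); wr32le(out + 12, 0);                 /* zone, sigfigs */
    wr32le(out + 16, 65535); wr32le(out + 20, LINKTYPE_ETHERNET);
    size_t n = 24;
    n += put_packet(out + n, 1000, victim, web, 80);
    n += put_packet(out + n, 1600, attacker, victim, 135);
    n += put_packet(out + n, 1601, attacker, victim, 135);
    n += put_packet(out + n, 1602, attacker, victim, 135);
    n += put_packet(out + n, 1700, victim, web, 443);
    return n;
}

/* Builds the constructed trace and counts matching segments in it. */
int sample_trace_hits(uint32_t src, uint32_t dst, uint16_t dport)
{
    uint8_t trace[24 + 5 * (16 + FRAME_LEN)];
    size_t n = build_sample_trace(trace);
    return count_tcp_to_port(trace, n, src, dst, dport);
}

int main(void)
{
    printf("attacker -> victim:135 = %d\n",
           sample_trace_hits(IPV4(10, 10, 10, 29), IPV4(10, 10, 10, 189), 135));
    return 0;
}
```

A reader for the real lab file would additionally need to accept the byte-swapped magic (0xd4c3b2a1) written by big-endian capture hosts and the nanosecond-resolution variants, and would stream the records rather than hold the whole file in memory, which is also why the hint says there is no need to uncompress the entire trace.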

Countermeasures
  Avoiding buffer overflows
    Prevent them from occurring
  Preventing buffer overflows
    Assume you can't avoid them
    Trap the attempt, and recover
  Recovering from buffer overflows
    Assume you can't avoid them
    Detect that it has happened, and recover

Avoidance
  Requires code analysis and review
    Some automation is possible
    Manual process, so it is expensive
    And what about the code you don't write? So it will never be complete
  (Not so) recent progress here
    Many vulnerabilities closed
    Increased developer awareness & avoidance tools
    Phishing and pharming can be more lucrative

Prevention
  Non-executable stack
    W^X (OpenBSD)
  Random-offset stack
  Random-offset libraries
  (Not so) recent progress here

Recovery
  Canaries
    StackGuard
    ProPolice/SSP
  Pointer encryption
  Guard pages
    Electric Fence
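The canary schemes listed above (StackGuard, ProPolice/SSP) all work the same way: a guard word is planted between the local buffers and the saved frame pointer on entry and compared on exit, so a copy that ran off the end of a buffer is caught before the corrupted return address is used. The following added example (not from the course slides, and not how the compilers implement it) is a software model of that check with the same layout as the stack slides; the canary value is constructed, whereas a real one is random per process.

```c
/* Added example, not from the course slides: a software model of the
 * StackGuard/ProPolice canary. The buffer is followed by a guard word, a
 * bounded copy into the backing storage may run over the end of the buffer,
 * and the guard is compared before the function "returns". Real compilers
 * place the guard between the locals and the saved frame pointer and abort
 * on mismatch; this model reports instead so the outcome can be inspected.
 * The canary value here is constructed; a real one is random per process. */
#include <stdio.h>
#include <string.h>

#define BUF_LEN 16
#define CANARY_LEN 8

/* Same ordering as the stack slides: the buffer, then the guard that lies
 * between it and the saved frame pointer / return address. */
struct guarded_frame {
    unsigned char buf[BUF_LEN];
    unsigned char canary[CANARY_LEN];
};

/* Constructed reference value. Its first byte is 0x00 on purpose: string
 * copies (strcpy, gets) stop at a NUL, so they cannot reproduce the guard
 * and then keep writing towards the return address. glibc's stack
 * protector uses the same terminator trick. */
static const unsigned char CANARY[CANARY_LEN] =
    { 0x00, 0x0d, 0x0a, 0xff, 0x5a, 0x5a, 0x5a, 0x5a };

/* Models an unchecked copy of `len` bytes into the buffer, capped at the
 * whole frame so the model itself stays inside the object it owns.
 * Returns 1 if the guard was clobbered (overflow detected), 0 if intact. */
int copy_and_check(const unsigned char *src, size_t len)
{
    struct guarded_frame frame;
    memset(&frame, 0, sizeof frame);
    memcpy(frame.canary, CANARY, CANARY_LEN);   /* prologue: plant guard */

    if (len > sizeof frame)
        len = sizeof frame;
    memcpy(&frame, src, len);                   /* may spill into canary */

    /* Epilogue: verify the guard before trusting the saved FP / RA. */
    return memcmp(frame.canary, CANARY, CANARY_LEN) != 0;
}

/* Wrapper for C strings: copies the text and its terminator, as strcpy
 * would. */
int string_overflow_detected(const char *s)
{
    return copy_and_check((const unsigned char *)s, strlen(s) + 1);
}

int main(void)
{
    printf("15 chars: %d\n", string_overflow_detected("0123456789abcde"));
    printf("16 chars: %d\n", string_overflow_detected("0123456789abcdef"));
    printf("20 chars: %d\n", string_overflow_detected("0123456789abcdefAAAA"));
    return 0;
}
```

The 16-character case is the instructive one: the copy overflows by exactly one byte, but that byte is the string's NUL terminator, which matches the guard's leading zero, so the check stays silent. That is the intended trade: a one-byte NUL overflow cannot reach the return address, while any longer string copy has to write a non-zero byte over the guard and is caught.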

Problems: Beyond stack smashing
  Heap smashing
  Pointer subterfuge
    Function-pointer clobbering
    Data-pointer clobbering
    Exception-handler hijacking
    VPTR smashing

Problems: Beyond stack smashing
  Arc injection
    return-to-libc -> return-to-lib -> chained return-to-lib -> borrowed code chunks -> return-oriented programming (ROP)
    Turing-complete malicious computations using borrowed chunks of existing code
  Automated defenses?
    Another arms race

Future
  Smashing attacks will be with us for some time, because of
    Hardware architecture
    Programming language
    Co-location of function arguments and return address
    exec()

References
  Matt LeGrow, "Blasting 'Blaster' - Detecting the MSRPC DCOM hole," Rapid Response Team, NFR, Inc. http://www.nfr.com/newsletter/fall-03/blastingblaster-detectingthemsrpcdcomhole.htm (retrieved January 2007)
  Aleph One, "Smashing the Stack for Fun and Profit," Phrack Magazine, Vol. 7, Iss. 49, 1996. www.phrack.org
  Kaan Onarlioglu et al., "G-Free: Defeating Return-Oriented Programming through Gadget-less Binaries," ACM ACSAC '10, Austin, December 2010. http://iseclab.org/papers/gfree.pdf (retrieved February 2012)