(Early) Memory Corruption Attacks

Similar documents
Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Basic Buffer Overflows

CMPSC 497 Buffer Overflow Vulnerabilities

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

ECE 471 Embedded Systems Lecture 22

Lecture 08 Control-flow Hijacking Defenses

Buffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers.

Lecture 4 September Required reading materials for this class

Program Security and Vulnerabilities Class 2

Buffer Overflow Vulnerability

Lecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall Nitesh Saxena

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Secure Software Development: Theory and Practice

Lecture 09 Code reuse attacks. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017

Buffer Overflow Vulnerability Lab Due: September 06, 2018, Thursday (Noon) Submit your lab report through to

One-Slide Summary. Lecture Outline. Language Security

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

BUFFER OVERFLOW. Jo, Heeseung

Buffer Overflow. Jo, Heeseung

Control Hijacking Attacks

typedef void (*type_fp)(void); int a(char *s) { type_fp hf = (type_fp)(&happy_function); char buf[16]; strncpy(buf, s, 18); (*hf)(); return 0; }

CSE 565 Computer Security Fall 2018

Language Security. Lecture 40

Buffer overflow background

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Fundamentals of Computer Security

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

Buffer Overflows. Buffer Overflow. Many of the following slides are based on those from

Offensive Security My First Buffer Overflow: Tutorial

CS4264 Programming Assignment 1 Buffer Overflow Vulnerability Due 02/21/2018 at 5:00 PM EST Submit through CANVAS

Buffer Overflow Vulnerability Lab

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

ISA564 SECURITY LAB. Code Injection Attacks

X86 Review Process Layout, ISA, etc. CS642: Computer Security. Drew Davidson

Lecture 6: Buffer Overflow. CS 436/636/736 Spring Nitesh Saxena

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

Lecture 9 Assertions and Error Handling CS240

1. (6 points) Control Hijacking Indicate whether the statement is always valid. Indicate true or false, and give a one sentence explanation.

INTRODUCTION TO EXPLOIT DEVELOPMENT

Sandboxing. CS-576 Systems Security Instructor: Georgios Portokalidis Spring 2018

CSE 509: Computer Security

Control Flow Hijacking Attacks. Prof. Dr. Michael Backes

Verification & Validation of Open Source

New York University CSCI-UA : Advanced Computer Systems: Spring 2016 Midterm Exam

Memory Corruption 101 From Primitives to Exploit

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Software Security: Buffer Overflow Attacks

CS 161 Computer Security

Topics in Software Security Vulnerability

Secure C Coding...yeah right. Andrew Zonenberg Alex Radocea

Exploits and gdb. Tutorial 5

1 Lab Overview. 2 Resources Required. CSC 666 Lab #11 Buffer Overflow November 29, 2012

Buffer Overflows Defending against arbitrary code insertion and execution

CS 3214 Spring # Problem Points Min Max Average Median SD Grader. 1 Memory Layout and Locality Bill

18-600: Recitation #4 Exploits

Architecture-level Security Vulnerabilities

Software Security: Buffer Overflow Defenses

How Software Executes

CS 642 Homework #4. Due Date: 11:59 p.m. on Tuesday, May 1, Warning!

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

CSE543 - Introduction to Computer and Network Security

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

How Software Executes

CSE 127 Computer Security

CS527 Software Security

Software Vulnerabilities. Jeff Foster University of Maryland, College Park

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Buffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

CSE 127 Computer Security

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM

CS 5460/6460 Operating Systems

We will focus on Buffer overflow attacks SQL injections. See book for other examples

Syed Kamran Haider Department of Electrical & Computer Engineering University of Connecticut

Midterm 1 Review. Memory Safety & Web Attacks

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

18-600: Recitation #4 Exploits (Attack Lab)

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I Solutions

[0569] p 0318 garbage

CSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko

Foundations of Network and Computer Security

buffer overflow exploitation

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Advanced System Security: Vulnerabilities

20: Exploits and Containment

Buffer Overflow and Protection Technology. Department of Computer Science,

Rooting Routers Using Symbolic Execution. Mathy HITB DXB 2018, Dubai, 27 November 2018

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Is stack overflow still a problem?

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

SoK: Eternal War in Memory

Module 6 Software Security Attacks

Last week. Data on the stack is allocated automatically when we do a function call, and removed when we return

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

From Over ow to Shell

Transcription:

(Early) Memory Corruption Attacks CS-576 Systems Security Instructor: Georgios Portokalidis Fall 2018 Fall 2018 Stevens Institute of Technology 1

Memory Corruption Memory corruption occurs in a computer program when the contents of a memory location are unintentionally modified due to programming errors; this is termed violating memory safety. When the corrupted memory contents are used later in that program, it leads either to program crash or to strange and bizarre program behavior. --wikipedia Fall 2018 Stevens Institute of Technology 2

Programs Are Deterministic Input A Output A Input B Program Output B Input C Output C The program implements the functionality intended by the developer Fall 2018 Stevens Institute of Technology 3

Programs Are Deterministic Program functionality severely altered Original Input A programà arbitrary program based Output on input A Input B Program Output B Input C Output C Unexpected or untested input triggering vulnerability in program Input D Output D Malicious or garbage input Fall 2018 Stevens Institute of Technology 4

Incorrect handling of untested or incorrect input is one the main causes of software vulnerabilities Fall 2018 Stevens Institute of Technology 5

Remote Vs. local Local attacks If the user input can be only provided by a local user Remote attack If the user input can be only provided over the network Fall 2018 Stevens Institute of Technology 6

Local Attacks Program User All programs run with the privileges of the running user (Effective UID) Program Program Program Program Fall 2018 Stevens Institute of Technology 7

Local Attacks Input produced by another user Program Arbitrary program executes with the rights of the user executing it Fall 2018 Stevens Institute of Technology 8

Privileged Resources KERNEL User Program User accessible resources Administrator Program Privileged resources Fall 2018 Stevens Institute of Technology 9

SETUID Programs Programs that run with the privileges of their owner, not the executing user User SETUID Program User accessible resources Privileged resources Fall 2018 Stevens Institute of Technology 10

Privilege Escalation Attacks Input produced by another user SETUID Program Privileged resources The arbitrary program executes with elevated privileges Fall 2018 Stevens Institute of Technology 11

Remote Attacks An arbitrary program is run at a remote host www.stevens.edu Bad Input Host: www OS: Debian HTTP Server: nginx Fall 2018 Stevens Institute of Technology 13

Remote Attacks An arbitrary program is run at a remote host www.stevens.edu Bad Input Host: www OS: Debian HTTP Server: nginxd With high privileges Running as root Fall 2018 Stevens Institute of Technology 14

Common Vulnerabilities Overflows: Writing beyond the end of a buffer Underflows: Writing beyond the beginning of a buffer Use-after-free: Using memory after it has been freed Uninitialized memory: Using pointer before initialization Null pointer dereferences: Using NULL pointers Type confusion: Assume a variable/object has the wrong type HW errors: Hammering memory to cause bit flips to non-owned memory Fall 2018 Stevens Institute of Technology 16

Fall 2018 Stevens Institute of Technology 17

Buffer Overflows Fall 2018 Stevens Institute of Technology 18

Buffer Overflows Writing outside the boundaries of a buffer Common programmer errors that lead to it Insufficient input checks/wrong assumptions about input Unchecked buffer size Integer overflows Fall 2018 Stevens Institute of Technology 19

Stack Overflows Fall 2018 Stevens Institute of Technology 20

Stack Overflow Example int mytest(char *str) { char buf[16]; strcpy(buf, str); printf("%s\n", buf); } return strlen(buf); Fall 2018 Stevens Institute of Technology 22

Stack Overflow Example int mytest(char *str) { char buf[16]; } strcpy(buf, str); printf("%s\n", buf); return strlen(buf); High address/stack bottom RETADDR buf buf buf buf S T A C K Low address/stack top Fall 2018 Stevens Institute of Technology 23

Stack Overflow Example int mytest(char *str) { char buf[16]; }./mytest A strcpy(buf, str); printf("%s\n", buf); return strlen(buf); High address/stack bottom RETADDR buf buf buf buf S T A C K Low address/stack top Fall 2018 Stevens Institute of Technology 24

Stack Overflow Example int mytest(char *str) { char buf[16]; }./mytest A strcpy(buf, str); printf("%s\n", buf); return strlen(buf); High address/stack bottom RETADDR???????? A\0?? S T A C K Low address/stack top Fall 2018 Stevens Institute of Technology 25

Stack Overflow Example int mytest(char *str) { char buf[16]; } strcpy(buf, str); printf("%s\n", buf); return strlen(buf);./mytest AAA \0??? S T A C K High address/stack bottom Low address/stack top Fall 2018 Stevens Institute of Technology 26

Stack Overflow Example int mytest(char *str) { char buf[16]; } strcpy(buf, str); printf("%s\n", buf); return strlen(buf);./mytest AAA \0??? S T A C K High address/stack bottom Low address/stack top Fall 2018 Stevens Institute of Technology 27

Control-Flow Hijacking The saved return address is a code pointer stored in memory Controlling it grants control of a control-flow instruction (e.g., ret) Untrusted inputs that lead to corruption of a code pointer lead to control-flow hijacking attacks Fall 2018 Stevens Institute of Technology 28

Other Code Pointers Return address Function address return; typedef void (*cmpf_t)(int, int); void compare(intarray[], intlen, intnum, cmpf_tf) { int i; for (i < 0; i < len; i++) if (array[i] < num) f(i, array[i]); } ret call *(rax) Jump table switch (option) { case 0: Code case 1: Code...... } jmp *(rax) Fall 2018 Stevens Institute of Technology 29

Where to Point Execution 0xdeadbeef: \0??? S T A C K 0xdeadbeef SHELLCODE malicious machine code Malicious injected code is also code shellcode, because the first instances where used to spawn a shell Fall 2018 Stevens Institute of Technology 30

Injecting Shellcode \0??? SHELLCODE S T A C K buf + 0x14 Fall 2018 Stevens Institute of Technology 31

Code Injection Code injection (CI) - Injecting machine code into a vulnerable program s memory Code injections attacks inject code and use control-flow hijacking to execute that code Fall 2018 Stevens Institute of Technology 32

Shellcode Limitations \0??? SHELLCODE Injected shellcode cannot include a null byte because of strcpy() S T A C K buf + 0x14 Shellcode needs to be carefully crafted to avoid disallowed bytes Other methods of copying data may not have the same limitation: memcpy(), gets(), read(), fread(), custom copy routines, etc. Fall 2018 Stevens Institute of Technology 33

Stack Overflow Using read() static void geturl(void) { char buf[64]; } read(stdin_fileno, buf, 128); get_webpage(buf);???? S T A C K High address/stack bottom No limitation on bytes read. Low address/stack top Fall 2018 Stevens Institute of Technology 34

Stack Overflow with FP int mytest(char *str) { char buf[16]; } strcpy(buf, str); printf("%s\n", buf); return strlen(buf); High address/stack bottom RETADDR oldebp buf buf buf S T A C K buf Low address/stack top Fall 2018 Stevens Institute of Technology 35

Stack Overflow with FP int mytest(char *str) { char buf[16]; } strcpy(buf, str); printf("%s\n", buf); return strlen(buf);./mytest AAA High address/stack bottom \0TADDR S T A C K Low address/stack top Fall 2018 Stevens Institute of Technology 36

Stack Overflow with FP int mytest(char *str) { char buf[16]; } strcpy(buf, str); printf("%s\n", buf); return strlen(buf);./mytest AAA High address/stack bottom \0TADDR S T A C K 80484e1: c9 leave 80484e2: c3 ret Low address/stack top Fall 2018 Stevens Institute of Technology 37

Stack Overflow with FP int mytest(char *str) { char buf[16]; } strcpy(buf, str); printf("%s\n", buf); return strlen(buf);./mytest AAA High address/stack bottom \0TADDR S T A C K Function exit (LEAVE) 80484e1: c9 leave 80484e2: c3 ret movl pop %ebp, %esp %ebp Low address/stack top Fall 2018 Stevens Institute of Technology 38

Stack Overflow with FP int mytest(char *str) { char buf[16]; } strcpy(buf, str); printf("%s\n", buf); return strlen(buf);./mytest AAA\x3c\xca\xff\xff \0??? ffffca3c S T A C K High address/stack bottom Function exit (LEAVE) 80484e1: c9 leave 80484e2: c3 ret movl pop %ebp, %esp %ebp Low address/stack top Fall 2018 Stevens Institute of Technology 39

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback