ENEE 457: Computer Systems Security. Lecture 16 Buffer Overflow Attacks

Similar documents
CSE 509: Computer Security

Lecture 07 Heap control data. Stephen Checkoway University of Illinois at Chicago

Heap Off by 1 Overflow Illustrated. Eric Conrad October 2007

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Lecture 4 September Required reading materials for this class

PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

Is stack overflow still a problem?

Basic Buffer Overflows

CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR

CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING

Buffer overflow background

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

CSE 303: Concepts and Tools for Software Development

Storage in Programs. largest. address. address

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

20: Exploits and Containment

Practical Malware Analysis

Ch. 11: References & the Copy-Constructor. - continued -

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities

Lab 2: Buffer Overflows

Lecture Notes on Memory Layout

Understand Execution of a Program

Advanced Buffer Overflow

Bypassing Browser Memory Protections

United States Naval Academy Electrical and Computer Engineering Department EC312-6 Week Midterm Spring 2016

Run-time Environment

Part 7. Stacks. Stack. Stack. Examples of Stacks. Stack Operation: Push. Piles of Data. The Stack

CS 392/681 Lab 6 Experiencing Buffer Overflows and Format String Vulnerabilities

Function Call Convention

CMPSC 497 Buffer Overflow Vulnerabilities

Buffer Overflows Defending against arbitrary code insertion and execution

United States Naval Academy Electrical and Computer Engineering Department EC310-6 Week Midterm Spring AY2017

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

Today: Segmentation. Last Class: Paging. Costs of Using The TLB. The Translation Look-aside Buffer (TLB)

Advanced Buffer Overflow

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

Reserve Engineering & Buffer Overflow Attacks. Tom Chothia Computer Security, Lecture 17

6 WEEK EXAM NAME: ALPHA: SECTION:

Binding and Storage. COMP 524: Programming Language Concepts Björn B. Brandenburg. The University of North Carolina at Chapel Hill

Buffer Overflow Attacks

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

Computer Architecture and System Software Lecture 07: Assembly Language Programming

Applications. Cloud. See voting example (DC Internet voting pilot) Select * from userinfo WHERE id = %%% (variable)

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

Stack Overflow COMP620

Lecture 7: Binding Time and Storage

Section Notes - Week 1 (9/17)

Università Ca Foscari Venezia

ENEE 457: Computer Systems Security 8/27/18. Lecture 1 Introduction to Computer Systems Security

United States Naval Academy Electrical and Computer Engineering Department EC310-6 Week Midterm Spring 2015

buffer overflow exploitation

CA Compiler Construction

CSC 2400: Computing Systems. X86 Assembly: Function Calls"

COMP3441 Lecture 7: Software Vulnerabilities

Runtime Defenses against Memory Corruption

Buffer overflow prevention, and other attacks

Memory Usage 0x7fffffff. stack. dynamic data. static data 0x Code Reserved 0x x A software convention

CS399 New Beginnings. Jonathan Walpole

CS 161 Computer Security

Data Transfer Instructions

C Arrays and Pointers

Run-time Environments

Computer Architecture and System Software Lecture 06: Assembly Language Programming

Digital Forensics Lecture 02 PDF Structure

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

Run-time Environments

A Unix process s address space appears to be three regions of memory: a read-only text region (containing executable code); a read-write region

Lecture XXIV: Review Xuan Guo CSC 3210 Computer Organization and Programming Georgia State University April 23, 2015 Xuan Guo Lecture XXIV: Review

CSC 2400: Computing Systems. X86 Assembly: Function Calls

CS3600 SYSTEMS AND NETWORKS

x86 assembly CS449 Fall 2017

C Programming. Course Outline. C Programming. Code: MBD101. Duration: 10 Hours. Prerequisites:

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e Feb 11, 13, 15, and 25. Winter Session 2018, Term 2

Buffer Overflow Vulnerability

Goals of Memory Management

Lecture 14 Notes. Brent Edmunds

MSRPC Heap Overflow Part II

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

CSE 565 Computer Security Fall 2018

Buffer Overflow Attack

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

CIT Week13 Lecture

Software Security II: Memory Errors - Attacks & Defenses

Exploits and gdb. Tutorial 5

THEORY OF COMPILATION

BUFFER OVERFLOW. Jo, Heeseung

Procedure Calls. Young W. Lim Mon. Young W. Lim Procedure Calls Mon 1 / 29

Buffer Overflow. Jo, Heeseung

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

LibsafeXP: A Practical & Transparent Tool for Run-time Buffer Overflow Preventions

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Is Exploitation Over? Bypassing Memory Protections in Windows 7

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

CSC 1600 Memory Layout for Unix Processes"

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

ENEE 457: Computer Systems Security 11/07/16. Lecture 18 Computer Networking Basics

Transcription:

ENEE 457: Computer Systems Security Lecture 16 Buffer Overflow Attacks Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland, College Park

Buffer overflow attacks We have already seen some kind of a buffer overflow Heartbleed Buffer overflow attacks lead to undesired behavior (e.g., in Heartbleed they led to the secret key being output to the attacker) when the attacker causes the system to read data outside an eligible memory area

Memory Layout Stack and heap and the dynamically allocated portions of memory whose size changes while program runs Stack is used for keeping track of functions calls, heap is used for allocating dynamic memory (note that these cannot be predermined at compilation time)

Stack Layout We store arguments at the top of the stack frame and other variables at the bottom of the stack frame

Addresses of variables during runtime The CPU needs to access addresses of local variables in the function at runtime Unfortunately, these addresses are not known at compilation time (at compilation time, I only know the addresses relative to the top of the stack frame) To deal with that, there is a system register ebp which stores the address of the current stack frame (basically the top of the stack) So whenever CPU needs to access a specific local variable within a stack frame, it just uses ebp and the relative offset

Example

Let s see the assembly code of main.c

Assembly

Return address and previous frame pointer Between the arguments and the local variables, the stack frame will store the return address, namely, where the execution needs to return after the function call is done and releases the memory Also, it will store the previous frame pointer, so that the ebp can be updated whenever the execution is done

Example

Drawing the stack layout for a recursive program

Basics of Buffer Overflow attack: Example

Challenges of the attack

How to find the return address? The attacker can use FP to figure out what address he should be using to overwrite the return address and place the malicious code But FP is not printed by the program. This is not likely Possible solutions: Try many choices (low probability of success) Try to run a similar/same program to see how the addresses are distributed. In particular if you do not randomize the addresses of the variables on the stack, the addresses you will be getting on your own execution will be similar to the addresses of the program you are trying to attack, since the stack is always starting from a fixed location Note also that stack does not grow that much (unless you are doing a lot of recursion) so you can hit the right address with very high probability

Find the return address: Using NOOP

What program to run? char shellcode[] = "\xeb\x18\x5e\x31\xc0\x8 8\x46\x07\x89\x76\x08\x 89\x46" "\x0c\xb0\x0b\x8d\x1e\x8 d\x4e\x08\x8d\x56\x0c\x cd\x80" "\xe8\xe3\xff\xff\xff\x2f\x6 2\x69\x6e\x2f\x73\x68";

Challenge #1 How to estimate the distance from the beginning of the buffer to the address where the return address is stored? Just debug and print the address x of the beginning of the buffer and the address of %ebp Remember %ebp will point to one position behind the return address So the distance is %ebp x+4

Challenge #2 What address to overwrite the return address with Any value greater than %ebp + 8 will do This is because you can place the malicious code at any point in memory after the return address and the return address is finishing 8 bytes after %ebp

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback