Secure C Coding...yeah right. Andrew Zonenberg Alex Radocea

Similar documents
Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CYSE 411/AIT681 Secure Software Engineering Topic #10. Secure Coding: Integer Security

CSC 1600 Memory Layout for Unix Processes"

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

2/9/18. Readings. CYSE 411/AIT681 Secure Software Engineering. Introductory Example. Secure Coding. Vulnerability. Introductory Example.

2/9/18. CYSE 411/AIT681 Secure Software Engineering. Readings. Secure Coding. This lecture: String management Pointer Subterfuge

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Exploits and gdb. Tutorial 5

Lecture 08 Control-flow Hijacking Defenses

Security Lab. Episode 6: Format String Vulnerabilities. Jan Nordholz, Matthias Petschick, Julian Vetter

o Code, executable, and process o Main memory vs. virtual memory

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Secure Software Development: Theory and Practice

CNIT 127: Exploit Development. Ch 3: Shellcode. Updated

ISA564 SECURITY LAB. Code Injection Attacks

Week 5, continued. This is CS50. Harvard University. Fall Cheng Gong

Limitations of the stack

CIS 2107 Computer Systems and Low-Level Programming Spring 2012 Final

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

CSE 565 Computer Security Fall 2018

(Early) Memory Corruption Attacks

Last week. Data on the stack is allocated automatically when we do a function call, and removed when we return

Memory Corruption 101 From Primitives to Exploit

Offensive Security My First Buffer Overflow: Tutorial

Buffer overflow background

COMP 2355 Introduction to Systems Programming

CSE 127 Computer Security

In Java we have the keyword null, which is the value of an uninitialized reference type

Memory Corruption Vulnerabilities, Part II

CS 161 Computer Security

Dynamic Allocation in C

Basic Buffer Overflows

CS 31: Intro to Systems Pointers and Memory. Martin Gagne Swarthmore College February 16, 2016

Memory corruption vulnerability exposure can be mitigated through memory hardening practices

SoK: Eternal War in Memory

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

Buffer Overflow Vulnerability

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

malloc() is often used to allocate chunk of memory dynamically from the heap region. Each chunk contains a header and free space (the buffer in which

Secure Software Programming and Vulnerability Analysis

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Advanced System Security: Vulnerabilities

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Heap Off by 1 Overflow Illustrated. Eric Conrad October 2007

C and C++: vulnerabilities, exploits and countermeasures

Program Security and Vulnerabilities Class 2

COSC Software Engineering. Lecture 16: Managing Memory Managers

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

SYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14

Secure Coding Techniques

Writing Exploits. Nethemba s.r.o.

Secure Coding in C and C++

Software Security: Buffer Overflow Attacks

When you add a number to a pointer, that number is added, but first it is multiplied by the sizeof the type the pointer points to.

Control Hijacking Attacks

The Darker Sides of Assembly

Integer overflows. Integer overflow types. Signed vs unsigned integers. Casting between different size integer types. Arithmetic wraparound

Memory (Stack and Heap)

Università Ca Foscari Venezia

MEMORY SAFETY ATTACKS & DEFENSES

CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING

Software Security II: Memory Errors - Attacks & Defenses

Control Flow Hijacking Attacks. Prof. Dr. Michael Backes

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities

Lecture 05 Integer overflow. Stephen Checkoway University of Illinois at Chicago

Secure Coding in C and C++ Dynamic Memory Management Lecture 5 Jan 29, 2013

Lecture 07 Heap control data. Stephen Checkoway University of Illinois at Chicago

Lecture 4 September Required reading materials for this class

CS 33. Intro to Storage Allocation. CS33 Intro to Computer Systems XXVI 1 Copyright 2017 Thomas W. Doeppner. All rights reserved.

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

Intro to x86 Binaries. From ASM to exploit

CSci 4061 Introduction to Operating Systems. Programs in C/Unix

ANITA S SUPER AWESOME RECITATION SLIDES

Practical Malware Analysis

Dynamic Memory. R. Inkulu (Dynamic Memory) 1 / 19

Important From Last Time

COMP 3704 Computer Security

Page 1. Today. Important From Last Time. Is the assembly code right? Is the assembly code right? Which compiler is right?

Buffer Overflow Vulnerability Lab Due: September 06, 2018, Thursday (Noon) Submit your lab report through to

CSE 565 Computer Security Fall 2018

Agenda. Dynamic Memory Management. Robert C. Seacord. Secure Coding in C and C++

CMPS 105 Systems Programming. Prof. Darrell Long E2.371

Important From Last Time

CS 5513 Entry Quiz. Systems Programming (CS2213/CS3423))

Topics in Software Security Vulnerability

Dynamic Allocation in C

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

Programming in C and C++

CSE509 System Security

Intrusion Detection and Malware Analysis

in memory: an evolution of attacks Mathias Payer Purdue University

CSE 509: Computer Security

Lecture 8 Dynamic Memory Allocation

Native Language Exploitation

Function Call Convention

Is stack overflow still a problem?

CS4264 Programming Assignment 1 Buffer Overflow Vulnerability Due 02/21/2018 at 5:00 PM EST Submit through CANVAS

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

1 Recommended Readings

Transcription:

Secure C Coding...yeah right Andrew Zonenberg Alex Radocea

Agenda Some Quick Review Data Representation Pointer Arithmetic Memory Management Basic C Vulnerabilities Memory Corruption Ignoring Return values Typos

Everything is made of bits int main(){ char one[] = JARS ; char two[] = {0x74, 0x65, 0x82, 0x83}; short three[] = {16714, 21330}; int four = 1397899594; float five = 9.03038500864E11; asm{ dec edx inc ecx push edx push ebx } }

Two's complement trivia Under 32-bit signed number arithmetic using 2's complement number representation: What is abs(-2147483648)?

C string representation is all about the NUL byte termination 47 4f 4f 53 45 00 GOOSE. char buf[]= hi ; sizeof(buf) =? Photo Credit: http://www.flickr.com/photo /benimoto/911325473/

Pointer Arithmetic Quiz void *x = 0x1337c000; char *c = (char *)x; short *s = (short *)x; int *i = (int *)x; double *d = (double *)x; x + 1 =? c + 1 =? s + 1 =? i + 1 =? d + 1 =?

This is the pattern. (ptr *)p + count => p + sizeof(ptr_type)*count double *p = 400; p + 5 => p + sizeof(double)*5 = 440 unsigned short *x = 400; x + 10 =>??

Even the hex perts get it wrong. CVE-2009-3234 Incomplete fix for buffer overflow in perf_copy_attr, signed off by core developer(s) Vulnerable code should always get special care and attention, where there's one bug there's often many more. http://lkml.org/lkml/2009/9/19/155

Pointer Trivia Will this compile? What happens?

Memory management in a nutshell The Stack Fixed size buffers* Flow control information Function pointers Activation records Implicitly cleaned up Uninitialized The Heap Dynamic size Flow control informatio Function pointers Internal memory structures Explicitly cleaned up Uninitialized

Stack First in First Out int func(int a, int b, int c){ int x; char y; FILE* f; char buffer[1000]; func(1,2,3);... } etsylove.ning.com

Misc Stack Info Stack cookies mitigate buffer overflows Security mechanisms rearrange variable allocation where possible to ensure cookies work, prevent pointer overwrites alloca(int sz); dynamic stack allocation Void func(int sz){ int buf[sz]; }; C99 variable-length arrays ->Phrack 63-13

Heap allocation C-style buf = malloc(sz); free(buf); C++ buf = new char[sz]; delete []buf

Heap Zoo Linux doug lea malloc based implementations FreeBSD phkmalloc Windows RTL heap Mac OS -- Bertrand Serlet Older unixes (System V) - tree based heap

Heap Misc Info Pointers, flags, and other control information used to manage the chunks Control information can be used for generic exploitation ( Once upon a free()... Phrack 57-9)

More Info realloc() is extremely tricky to use correctly Forgetting to free memory is a memory leak Memory allocation functions fail

Memory corruption Data is overwritten or modified to enter an undefined program state. Causes include arithmetic errors, bad error checking, uninitialized memory usage, and unintended code flow paths. Not a recoverable state (some programs will try anyway)

What is wrong with this code? int main(int argc, char *argv[]){ char buf[256]; strcpy(buf,argv[1]); }

A typical attack scenario 1) Hijack control flow information (function pointer, return address) with memory corruption 2) Redirect execution to an unexpected state or injected code (shellcode) 3) Install backdoor, maintain access

Common Terminology Stack overflow ran out of stack memory (recursive function) Buffer overflow/overrun data is copied beyond the end of the buffer Buffer underrun data is copied before the start of the buffer

Spot the bug in thttpd defang static void defang (char* str, char* dfstr, int dfsize ) { char* cp1; char* cp2; for ( cp1 = str, cp2 = dfstr; *cp1!= '\0' && cp2 - dfstr < dfsize - 1; ++cp1, + +cp2 ) { switch ( *cp1 ) { case '<': *cp2++ = '&'; *cp2++ = 'l'; *cp2++ = 't'; *cp2 = ';'; break; case '>': *cp2++ = '&'; *cp2++ = 'g'; *cp2++ = 't'; *cp2 = ';'; break; default: *cp2 = *cp1; break; } } *cp2 = '\0'; }

Ignoring return values has security implications Improper privilege separation Unexpected system states Memory corruption Uninitialized memory

Trivia initgroups(user, pw->pw_gid); setgid(pw->pw_gid); setuid(pw->pw_uid); execv("/bin/sh",0); Which functions can fail?

Hint: only one function to misuse void func(int fd){ char buf[256]; char *ptr = buf, *end = &buf[sizeof(buf)]; buf = ptr; while(ptr < end){ ptr += read(fd, ptr, 1); } } See Lars' CVE-2009-0017

Typos Typos in C, C++ can be hilarious Only takes a few characters Awesome.

Isn't this cute? if(authenticated=1){ } do stuff

This too, right? if(!authenticated); return

What's wrong with this code? char * func(int fd) { unsigned int len; len = read_data(4); char *data = malloc(len); recv(fd, &data, len, 0); return data; }

Spoiler page Similar to ActiveX bugs that came out last summer Ironically code is from security enhancements hr = pstream->read((void*)&pbarray, (ULONG)cbSize, NULL); should be hr = pstream->read((void*)pbarray, (ULONG)cbSize, NULL); http://arstechnica.com/microsoft/news/2009/ 07/a-single-extra-resulted-in-ie-exploit.ars

Oops Obj *o = new obj[100]; delete o;

Constants #define SZ 40 char buf[20]; strncpy(buf, src, SZ-2); buf[sz-1] = 0; Constants are signed by default (0 vs 0U).

Upcoming Advanced heap issues Off by ones Integer safety underflows, overflows, signedness truncation, typecasting

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback