Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta


2 Part 1

3-7 An Old, yet Still Valid Vulnerability: Buffer/Stack Overflow. Where on the stack is a char[4] allocated? As a local variable inside the function's stack frame, between ESP and EBP. [Stack diagram, lower memory at the top: ESP, unused data, the char[4] local variable holding "a b c \0", saved EBP, return address, parameters; higher memory at the bottom.] What if more than 4 bytes are stored?

8-9 Buffer Overflow. The earliest documented buffer overflow exploit dates from 1988: it exploited the finger program, started at MIT, was used to determine the size of the Internet, and infected 6000 Unix machines. In 1996, Phrack Magazine provided a step-by-step guide. NIST stats: 1996: 8 vulnerabilities; 2008: 339 vulnerabilities; 2012: 418 vulnerabilities; 2015: 344 vulnerabilities.

10-12 Buffer Overflow: ExerciseCode.c. Reads a string from stdin, then copies the string to another buffer.

13-15 C Program. Allocates 16 bytes of memory on the stack. (Heap memory, by contrast, calls the allocator explicitly: new, malloc, calloc.)

16-17 C Program. Print data to the screen using an external library (we did not implement printf). The input call is annotated: external library function; destination; maximum size of input (any more will be ignored); source (terminal input).

18-19 C Program. Call the user function; print to the screen with an external library.

20-23 C Program. Input parameter: a pointer to character, i.e. the address of the location where this array starts (annotated disassembly: //allocate; push 0x800000c). Copy all characters from name[] to copy[], then add the null terminator.

24-25 Is there a problem?

26-27 Compilation. Source code, a Windows C compiler, output file (results are the same with Cygwin's gcc).

28-31 Execution. Let us debug. We typed in 7 A's. Why does that break it? Isn't our buffer of size 8 at least?

32-35 IDA Pro Debug. We could follow the code and conduct a thorough manhunt, or... now where? Alternatively, look for text that appears on the screen, and search for obvious external library function calls.

36-38 docopy - IDA Pro Debug. arg_0 in .text: how do we know this is 4 bytes? Why 4 bytes? Stack: 8 bytes for the buffer, docopy's stack frame, 4 bytes.

39-40 IDA Pro Debug. Set up the stack and i = 0: for (i = 0; name[i] != '\0'; i++) { ... } then copy[i] = '\0'. In the disassembly: i = 0; test name[i] == '\0'; loop body; loop back.

41-47 docopy - IDA Pro Debug. After 1 iteration: 'A'. The input is copied here one character at a time. After 7 iterations: seven A's. What is this extra byte doing here? Ah, we pressed Enter, so the newline was read along with the A's. 4 bytes of what was allocated? Before / after.

48-49 EBP Corrupted! This particular program will still execute, but eventually we get an illegal instruction.
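The copy loop reconstructed as working C, as an added example that is not the lecture's ExerciseCode.c: the unbounded loop from the slides is shown beside a bounded version, and a helper counts how many bytes of an input spill past an 8-byte copy[] (the 7 A's plus the newline that the input call keeps come to 9 bytes with the terminator, one past the buffer, which is the EBP corruption seen above). The buffer size of 8 and the newline-preserving input are assumptions taken from the slides' walkthrough.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define COPY_SIZE 8  /* assumed size of the slides' copy[] buffer */

/* Vulnerable pattern reconstructed from the lecture's walkthrough:
 * the loop stops at the source's NUL, never at the destination's end,
 * so a name of 8 or more characters (newline included) runs into the
 * saved EBP and then the return address above copy[] in the frame. */
void docopy_vulnerable(const char *name)
{
    char copy[COPY_SIZE];
    int i;
    for (i = 0; name[i] != '\0'; i++)   /* no bound on i */
        copy[i] = name[i];
    copy[i] = '\0';
    printf("%s\n", copy);
}

/* Hardened form: the destination size is the loop bound. Returns 1 if
 * the whole name fit, 0 if it had to be truncated, so the caller can
 * reject over-long input instead of silently accepting it. */
int docopy_bounded(char *dst, size_t dstsz, const char *name)
{
    size_t i;
    if (dstsz == 0)
        return 0;
    for (i = 0; i + 1 < dstsz && name[i] != '\0'; i++)
        dst[i] = name[i];
    dst[i] = '\0';
    return name[i] == '\0';
}

/* How many bytes of this input (terminator included) land past the
 * end of an 8-byte copy[]? Those bytes overwrite whatever the compiler
 * placed above the buffer: saved EBP first, then the return address. */
size_t overflow_bytes(const char *name)
{
    size_t n = strlen(name) + 1;  /* the loop also writes the NUL */
    return n > COPY_SIZE ? n - COPY_SIZE : 0;
}
```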

50 Exercise

51 Part 2

52-55 Overwriting the Return Address. 13 values: the 13th iteration of the copy loop writes into the return address.

56-58 Malicious Opportunities. Execution flow: malicious code (shell code) is placed in the buffer, and the return address is made to point there.

59-63 Some Defenses: Data Execution Prevention. But the program can be made to jump to library code (libc contains useful functions): a buffer overflow overwrites the return address with the address of instruction sequence A. With several sequences A, B and C available, the overwritten return address is controllable. Return Oriented Programming (ROP): gadgets 1, 2 and 3, executed in the correct sequence, accomplish some desired task; the overflowed stack holds the addresses of 1, 2 and 3 in turn (the mona.py plugin finds instructions of interest).

64-67 Some Defenses: Address Space Layout Randomization. The stack may exist at a different location after a system reboot (e.g. 0x40f000 before the reboot, 0x404000 after). But legacy (old, but still in use) libraries may not support ASLR.

69 High privilege account

70-72 More Defenses: Type and Memory Safe Languages. They check memory access at runtime; however, there is a performance cost. Coding standards, walkthroughs, boundary/fuzz testing; however, these are limited by time, cost and laziness (humans).

73-75 More Defenses: Canary. [Stack diagram, before and after the overflow: a canary value sits between the local buffer and the saved EBP, with the return address and parameters above; the diagram shows the example words 0xFEFF0102, 0x20330002, 0xFEFF0101 and 0x31323334.] At return time: has the canary value changed? But: performance costs (especially in embedded code); some legacy code does not support it; many times it would not be enabled by default; other methods can be used to bypass it (heap, EBP, ...).
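A simulation of the canary check at return time, as an added example (not code from the slides): the frame layout is a constructed struct standing in for the compiler's own layout, the canary value is passed in rather than chosen at process start, and the overflow is simulated with memcpy over the struct's bytes so the program stays well-defined.

```c
#include <stdint.h>
#include <string.h>
#include <stddef.h>

/* Constructed stand-in for the frame in the slides: locals, then the
 * canary word, then saved EBP and the return address. */
struct frame {
    char     copy[8];
    uint32_t canary;
    uint32_t saved_ebp;
    uint32_t ret_addr;
};

/* Write the input the way the unbounded copy loop would: bytes (plus
 * the NUL) start at copy[] and run into whatever follows it. Copying
 * over the struct as raw bytes keeps the simulation defined behaviour. */
static void simulate_unbounded_copy(struct frame *f, const char *name)
{
    size_t n = strlen(name) + 1;
    if (n > sizeof *f)
        n = sizeof *f;
    memcpy((unsigned char *)f, name, n);
}

/* The check the epilogue performs: returns 1 if the canary is intact,
 * 0 if it changed (a real program aborts here, via __stack_chk_fail
 * with gcc, so the corrupted return address is never used). */
int canary_check(const char *name, uint32_t canary_value)
{
    struct frame f;
    f.canary    = canary_value;
    f.saved_ebp = 0x11111111u;   /* constructed placeholder values */
    f.ret_addr  = 0x22222222u;
    simulate_unbounded_copy(&f, name);
    return f.canary == canary_value;
}
```

Seven A's plus a newline already fail the check, since the terminator the loop appends is the ninth byte and lands on the canary.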

76 Exercise