Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Similar documents
Program Security and Vulnerabilities Class 2

CSE 565 Computer Security Fall 2018

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

Program Exploitation Intro

Buffer Overflows Defending against arbitrary code insertion and execution

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

CMPSC 497 Buffer Overflow Vulnerabilities

Practical Malware Analysis

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Lecture 08 Control-flow Hijacking Defenses

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 21: Generating Pentium Code 10 March 08

Fundamentals of Computer Security

Software Security: Buffer Overflow Attacks

CSC 2400: Computer Systems. Towards the Hardware: Machine-Level Representation of Programs

CSC 8400: Computer Systems. Machine-Level Representation of Programs

X86 Addressing Modes Chapter 3" Review: Instructions to Recognize"

Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2

Buffer Overflow Attacks

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

BUFFER OVERFLOW. Jo, Heeseung

Buffer Overflow. Jo, Heeseung

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

Advanced Buffer Overflow

CS Exploiting Memory. Vitaly Shmatikov

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM

From Over ow to Shell

Biography. Background

We will focus on Buffer overflow attacks SQL injections. See book for other examples

Secure Systems Engineering

Is stack overflow still a problem?

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

Software Security: Buffer Overflow Defenses

Architecture-level Security Vulnerabilities

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Review

Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)

Function Call Convention

X86 Review Process Layout, ISA, etc. CS642: Computer Security. Drew Davidson

Inject malicious code Call any library functions Modify the original code

Smashing the Buffer. Miroslav Štampar

Architecture-level Security Vulnerabilities. Julian Stecklina

Buffer Overflows. Buffer Overflow. Many of the following slides are based on those from

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities

Advanced Buffer Overflow

Software Security II: Memory Errors - Attacks & Defenses

Assembly Language: Function Calls

U23 - Binary Exploitation

Control Flow Hijacking Attacks. Prof. Dr. Michael Backes

Buffer overflow prevention, and other attacks

Writing Exploits. Nethemba s.r.o.

Assembly Language: Function Calls" Goals of this Lecture"

Software Security (cont.): Defenses, Adv. Attacks, & More

An Introduction to x86 ASM

CSC 405 Computer Security Stack Canaries & ASLR

Basic Buffer Overflows

SOEN228, Winter Revision 1.2 Date: October 25,

20: Exploits and Containment

Assembly Language: Function Calls. Goals of this Lecture. Function Call Problems

Assembly Language: Function Calls" Goals of this Lecture"

Return-orientated Programming

Second Part of the Course

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

(Early) Memory Corruption Attacks

CPS104 Recitation: Assembly Programming

Process Layout and Function Calls

Reserve Engineering & Buffer Overflow Attacks. Tom Chothia Computer Security, Lecture 17

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CS642: Computer Security

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

Introduction to Reverse Engineering. Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Runtime Defenses against Memory Corruption

Midterm 1 Review. Memory Safety & Web Attacks

Lecture 1: Buffer Overflows

Buffer Overflow Attacks

Buffer overflows. Specific topics:

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux

Buffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

1/31/2007 C. Edward Chow. CS591 Page 1

CS 161 Computer Security

PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG

Low-Level Essentials for Understanding Security Problems Aurélien Francillon

Ethical Hacking: Preventing & Writing Buffer Overflow Exploits

Hands-on Ethical Hacking: Preventing & Writing Buffer Overflow Exploits

Exploits and gdb. Tutorial 5

Computer Systems Lecture 9

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

Digital Forensics Lecture 3 - Reverse Engineering

Memory Corruption Vulnerabilities, Part I

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Buffer Overflow Attack

CSE 509: Computer Security

Shellcode Analysis. Chapter 19

Transcription:

Betriebssysteme und Sicherheit Sicherheit Buffer Overflows

Software Vulnerabilities Implementation error Input validation Attacker-supplied input can lead to Corruption Code execution... Even remote exploitation

Source: Vitaly Shmatikov Famous Buffer Overflow Attacks Morris worm (1988): overflow in fingerd 6,000 machines infected (10% of existing Internet) CodeRed (2001): overflow in MS-IIS server 300,000 machines infected in 14 hours SQL Slammer (2003): overflow in MS-SQL server 75,000 machines infected in 10 minutes (!!) Sasser (2004): overflow in Windows LSASS Around 500,000 machines infected Conficker (2008-09): overflow in Windows Server Around 10 million machines infected (estimates vary)

Buffer Overflow C / C++ program char buf[16]; What happens if we execute the following statement? buf[16] = '0';

Dangerous Library Functions Null-terminated strings Variable length vs. fixed buffer length String Functions strcpy() sprintf()...

A Primer Memory layout Intel x86 assembly language Compiler artefacts (without optimization)

Stack The stack is storage for Local variables Function parameters Return addresses

Process Memory Layout Stack High Adresses Stack Pointer (ESP) Free Memory Programtext / Heap Instruction Pointer (EIP) Low Adresses

Register Data Register a, b, c, d Divided into 8, 16, 32-Bits 8: al, ah 16: ax 32: eax Index Register: esi, edi Special Register Instruction Pointer: eip Stack Pointer: esp Frame Pointer: ebp

Memory Access Instructions loc 1 val/loc 2 mov loc 1, val/loc 2 lea loc 1, loc 2 (load effective address) Values Constants: 4 Locations Register: eax,... Memory Address: [] Fixed address: 0x... Pointer (register content): eax (Some) pointer arithmetic: [esp + 4]

Stack Access Instruction Writing to the stack push val/loc Decreases stack pointer by 4 bytes Moves values/loc to the stack pointer location Reading from the stack pop loc Moves value from stack pointer location to loc Increases stack pointer by 4 bytes

Arithmetic Instructions loc 1 loc 1 operator val/loc 2 Addition: add Subtraction: sub Sets register flags Zero (equal), negative, overflow,... Comparison cmp loc 1, val/loc 2 No storage, just subtraction for register flags

Control Flow Instructions Jump: jmp val/loc Absolute (loc) vs. relative (val) Conditional jump: je, jne, jl,... Function call: call val/loc Absolute address Pushes instruction pointer (of next instruction) on the stack Function return: ret Pops instruction pointer from the stack

C Function Call C f(1, 2); int f(int a, int b) { char buf[10]; return 3; Assembler push 2 push 1 call 0x... (= &f) push ebp mov ebp, esp sub esp, 12 mov eax, 3 mov esp, ebp pop ebp ret leave 3

Stack Frame Calling Function Parameter 2 Parameter 1 Return Address Saved Base Pointer Local Variable buf Base Pointer (EBP) Stack Frame Stack Pointer (ESP)

Attack Vulnerable Code void f (char* src) { char buf[10]; strcpy(buf, src); }

Attack If the parameter src contains a string of 20 characters or longer, then the return address is overwritten The ret instruction may jump anywhere The attacker may also insert additional code (often called shellcode) in the parameter and write it to the stack. He may then jump to this code.

Stack After Attack Calling Function Parameter 2 Parameter 1 Return Address Saved Base Pointer Local Variable buf Shellcode 90 90 90 90 90 90 90 90 90 90 90 90???????? 04 05 06 07 09 01 02 03 05 06 07 08 01 02 03 04

Countermeasures I Defensive programming Safe library functions strncpy() snprintf()... Advantage Implementation "only" requires programming discipline Disadvantage By far does not prevent all buffer overflows, e.g. off-byone errors or self-programmed copy routines.

Countermeasures II Non-executable stack The memory pages of the stack are marked as non-executable Advantage Shell code placed onto the stack by a buffer overflow can no longer be executed Disadvantage The control flow can still be arbitrarily deflected, e.g. directly to a system call or library (jump to libc).

Countermeasures III StackGuard In the function prologue a canary (test value) is placed before the return address. Before returning the integrity of the canary is verified. The instrumentation of the program code is performed during compilation. Two types of canaries Terminators: e.g. 00, EOF, etc. Random value Advantage Stack guard is very efficient Disadvantage Stack guard only protects the stack (there are also heap overflows, etc.)

Stack With StackGuard Calling Function Parameter 2 Parameter 1 Return Address Canary Saved Base Pointer Local Variable buf

Countermeasures IV StackShield In the function prologue the return address is copied to the heap. Before returning the address on the stack is compared to the heap. Again, instrumentation is performed during compilation

Countermeasures V Array Bound Checks Every index of an access to an array (buffer) is checked against the bounds of the array. This is done automatically the case in type safe languages, e.g. Java. Advantages Prevents buffer overflows for any type of data Disadvantages Every array access has to be check; therefore very slow. Can be difficult to implement for non-type safe languages, e.g. C (e.g. *(buf + 3))

Countermeasures VI Address Space Layout Randomization The base addresses of memory segments are chosen randomly, e.g. Stack Advantage Increases search time for correct parameters Increases the effort for an attacker to perform the same attack on multiple machines

Countermeasures VII Instruction Set Randomization The opcodes for instructions are chosen randomly Advantage Every method inserting malicious code is likely to fail. Disadvantages Slow Requires processor/vm support Currently not deployed in practice

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback