Lecture 07 Heap control data. Stephen Checkoway University of Illinois at Chicago

Similar documents
Heap Off by 1 Overflow Illustrated. Eric Conrad October 2007

Intrusion Detection and Malware Analysis

Secure Coding in C and C++ Dynamic Memory Management Lecture 5 Jan 29, 2013

Secure Coding in C and C++

CSE 127 Computer Security

Secure Software Programming and Vulnerability Analysis

malloc() is often used to allocate chunk of memory dynamically from the heap region. Each chunk contains a header and free space (the buffer in which

CSE 509: Computer Security

2/9/18. Secure Coding. CYSE 411/AIT681 Secure Software Engineering. Agenda. Dynamic Memory Interface. Dynamic Memory Interface

Dnmaloc: a more secure memory allocator

Memory Allocator Security

Agenda. Dynamic Memory Management. Robert C. Seacord. Secure Coding in C and C++

CSE / / 60567: Computer Security. Software Security 4

ENEE 457: Computer Systems Security. Lecture 16 Buffer Overflow Attacks

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

CS 161 Computer Security

Dynamic Memory Allocation. Zhaoguo Wang

Process Layout, Function Calls, and the Heap

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

Lecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller

Lecture 09 Code reuse attacks. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017

Buffer Overflow and Format String Overflow Vulnerabilities

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Lecture 4 September Required reading materials for this class

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

C and C++: vulnerabilities, exploits and countermeasures

Buffer Overflows Defending against arbitrary code insertion and execution

Improving memory management security for C and C++

2

In Java we have the keyword null, which is the value of an uninitialized reference type

Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)

Dynamic Memory Allocation

Lecture 1: Buffer Overflows

Memory Corruption 101 From Primitives to Exploit

Lecture 08 Control-flow Hijacking Defenses

CSE509 System Security

Memory Corruption 2. Advanced Internet Security

ECE 598 Advanced Operating Systems Lecture 12

CSC 405 Computer Security Stack Canaries & ASLR

Shellcode Analysis. Chapter 19

Secure Programming Lecture 4: Memory Corruption II (Stack & Heap Overflows)

Memory Corruption Vulnerabilities, Part II

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Malloc Lab & Midterm Solutions. Recitation 11: Tuesday: 11/08/2016

SYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14

Announcements. assign0 due tonight. Labs start this week. No late submissions. Very helpful for assign1

More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows)

Computer Systems Lecture 9

IAGO ATTACKS: WHY THE SYSTEM CALL API IS A BAD UNTRUSTED RPC INTERFACE

Secure Programming Lecture 4: Memory Corruption II (Stack & Heap Overflows)

CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING

putting m bytes into a buffer of size n, for m>n corrupts the surrounding memory check size of data before/when writing

ECE 598 Advanced Operating Systems Lecture 10

Optimizing Dynamic Memory Management

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Memory Allocation. Copyright : University of Illinois CS 241 Staff 1

Digital Forensics Lecture 02 PDF Structure

Offensive Security My First Buffer Overflow: Tutorial

Dynamic Memory Allocation

Lecture 8 Dynamic Memory Allocation

CSC 1600 Memory Layout for Unix Processes"

putting m bytes into a buffer of size n, for m>n corrupts the surrounding memory check size of data before/when writing

==Phrack Inc.== Volume 0x0b, Issue 0x39, Phile #0x09 of 0x12

==Phrack Inc.== Volume 0x0b, Issue 0x39, Phile #0x08 of 0x12. --=[ Disclaimer ]= //

BBM 201 DATA STRUCTURES

Function Call Convention

Princeton University Computer Science 217: Introduction to Programming Systems. Dynamic Memory Management

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

On The Effectiveness of Address-Space Randomization. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

Secure C Coding...yeah right. Andrew Zonenberg Alex Radocea

Week 5, continued. This is CS50. Harvard University. Fall Cheng Gong

DAY 3. CS3600, Northeastern University. Alan Mislove

Università Ca Foscari Venezia

Non-stack Based Exploitation of Buffer Overrun Vulnerabilities on Windows NT/2000/XP

Inside ptmalloc2. Peng Xu Sep 14, 2013

Efficient protection against heap-based buffer overflows without resorting to magic 1

Foundations of Network and Computer Security

C- based applica-on exploits and countermeasures

20: Exploits and Containment

Process s Address Space. Dynamic Memory. Backing the Heap. Dynamic memory allocation 3/29/2013. When a process starts the heap is empty

Software Security The Dangers of Abstraction

Princeton University. Computer Science 217: Introduction to Programming Systems. Dynamic Memory Management

(Early) Memory Corruption Attacks

Vulnerabilities in C/C++ programs Part I

CS 33. Storage Allocation. CS33 Intro to Computer Systems XXVII 1 Copyright 2017 Thomas W. Doeppner. All rights reserved.

CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR

Jonathan Afek, 1/8/07, BlackHat USA

CNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated

Yet More Buffer Overflows

Linked Lists Structures

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

A Heap of Trouble Exploiting the Linux Kernel SLOB Allocator

Recitation #11 Malloc Lab. November 7th, 2017

Modular Synthesis of Heap Exploits

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities

However, in C we can group related variables together into something called a struct.

Linked Lists in C and C++

CSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko

Transcription:

Lecture 07 Heap control data Stephen Checkoway University of Illinois at Chicago

Layout of program memory Heap is managed by malloc - Many different malloc implementations - glibc uses a modified version of Doug Lea s Malloc (dlmalloc) Responsibilities - Requesting pages of memory from the OS - Managing free chunks of memory - Allocating memory for the program Image source: http://duartes.org/gustavo/blog/post/anatomy-of-a-program-in-memory/

Chunks Basic unit of memory managed by malloc prev_: of the previous chunk in memory : of this chunk - lsb is 1 if the previous chunk is in use (PREV_IN_USE bit) : forward pointer in free list : backward pointer in free list struct malloc_chunk { _t prev_; _t ; struct malloc_chunk *; struct malloc_chunk *; }

Free chunks/free lists A chunk can be allocated or free Free chunks are stored in doubly-linked lists using the and pointers prev_ refers to the of the previous chunk adjacent to the current chunk, not the chunk pointed to by the pointer malloc maintains several different free lists for chunks of various s

Example (lie, truth shortly) prev_ xx 801 unallocated space

Example (lie, truth shortly) prev_ xx 801 unallocated space void *p = malloc(100); prev_ prev_ xx 117 NULL NULL 100-byte user data 116 685 unallocated space p

Example (lie, truth shortly) prev_ xx 801 unallocated space void *p = malloc(100); prev_ prev_ xx 117 NULL NULL 100-byte user data 116 685 unallocated space p void *q = malloc(300); prev_ prev_ prev_ xx 117 NULL NULL 100-byte user data 116 317 NULL NULL 300-byte user data 316 368 p q

Freeing chunks When freeing a chunk c, malloc looks at the chunk just before and the chunk just after c to see if they are free The adjacent free chunks are - removed from their free lists - combined with c to form a new, larger chunk c c (or c if neither neighbor were free) is added to a free list Malloc uses the prev_ and fields plus some pointer arithmetic to find the preceding and following chunks Malloc uses the lsb of the fields to determine if the previous chunks are in use or free

Optimization and are only used when the chunk is free prev_ is only used when the previous chunk is free (to combine struct malloc_chunk { _t prev_; _t ; struct malloc_chunk *; with the current chunk) Malloc saves space by overlapping these fields with user data } struct malloc_chunk *;

Optimization and are only used when the chunk is free prev_ is only used when the previous chunk is free (to combine struct malloc_chunk { _t prev_; _t ; struct malloc_chunk *; with the current chunk) Malloc saves space by overlapping these fields with user data } struct malloc_chunk *; prev_ prev_ xx 117 NULL NULL 100-byte user data 116 685 unallocated space p

Optimization and are only used when the chunk is free prev_ is only used when the previous chunk is free (to combine struct malloc_chunk { _t prev_; _t ; struct malloc_chunk *; with the current chunk) Malloc saves space by overlapping these fields with user data } struct malloc_chunk *; prev_ prev_ xx 117 NULL NULL 100-byte user data 116 685 unallocated space p 105 100-byte user data 697 unallocated space p

Example (truth but not to scale) 801 unallocated space

Example (truth but not to scale) 801 unallocated space void *p = malloc(100);

Example (truth but not to scale) 801 unallocated space void *p = malloc(100); 105 100-byte user data 697 unallocated space p

Example (truth but not to scale) 801 unallocated space void *p = malloc(100); 105 100-byte user data 697 unallocated space p void *q = malloc(300);

Example (truth but not to scale) 801 unallocated space void *p = malloc(100); 105 100-byte user data 697 unallocated space p void *q = malloc(300); 105 100-byte user data 305 300-byte user data 393 unallocated space p q

Example continued 105 100-byte user data 305 300-byte user data 393 unallocated space p q

Example continued 105 100-byte user data 305 300-byte user data 393 unallocated space p free(p); q

Example continued 105 100-byte user data 305 300-byte user data 393 unallocated space p free(p); q prev_ 105 u-s 104 304 300-byte user data 393 unallocated space q

Example continued 105 100-byte user data 305 300-byte user data 393 unallocated space p free(p); q prev_ 105 u-s 104 304 300-byte user data 393 unallocated space q void *r = malloc(252);

Example continued 105 100-byte user data 305 300-byte user data 393 unallocated space p free(p); q prev_ 105 u-s 104 304 300-byte user data 393 unallocated space q void *r = malloc(252); prev_ 105 u-s 104 304 300-byte user data 257 252-byte user data 137 q r

Example continued prev_ 105 u-s 104 304 300-byte user data 257 252-byte user data 137 q r

Example continued prev_ 105 u-s 104 304 300-byte user data 257 252-byte user data 137 free(q); q r

Example continued prev_ 105 u-s 104 304 300-byte user data 257 252-byte user data 137 free(q); q r prev_ 409 unallocated space 408 256 252-byte user data 137 r

Example continued prev_ 105 u-s 104 304 300-byte user data 257 252-byte user data 137 free(q); q r prev_ 409 unallocated space 408 256 252-byte user data 137 r free(r);

Example continued prev_ 105 u-s 104 304 300-byte user data 257 252-byte user data 137 free(q); q r prev_ 409 unallocated space 408 256 252-byte user data 137 r free(r); 801 unallocated space

Removing chunks from free lists Chunks are removed using the unlink macro P is the chunk to unlink BK and FD are temporaries #define unlink(p, BK, FD) \ BK = P->; \ FD = P->; \ FD-> = BK; \ BK-> = FD; P

Removing chunks from free lists Chunks are removed using the unlink macro P is the chunk to unlink BK and FD are temporaries #define unlink(p, BK, FD) \ BK = P->; \ FD = P->; \ FD-> = BK; \ BK-> = FD; BK P

Removing chunks from free lists Chunks are removed using the unlink macro P is the chunk to unlink BK and FD are temporaries #define unlink(p, BK, FD) \ BK = P->; \ FD = P->; \ FD-> = BK; \ BK-> = FD; BK P FD

Removing chunks from free lists Chunks are removed using the unlink macro P is the chunk to unlink BK and FD are temporaries #define unlink(p, BK, FD) \ BK = P->; \ FD = P->; \ FD-> = BK; \ BK-> = FD; BK P FD

Removing chunks from free lists Chunks are removed using the unlink macro P is the chunk to unlink BK and FD are temporaries #define unlink(p, BK, FD) \ BK = P->; \ FD = P->; \ FD-> = BK; \ BK-> = FD; BK P FD

Overwriting heap metadata The chunk metadata is inline (meaning the user data and the metadata are side-by-side) We can modify the metadata with a buffer overflow on the heap Consider char *x = malloc(100); void *y = malloc(100); strcpy(x, attacker_controlled); free(y); 105 105 x y We can overflow x and overwrite y s metadata

Attacking malloc 105 105 x y When free(y) is called, it will examine x s chunk to see if it is free. If x s chunk is free, then unlink will be called on it to remove it from its free list We can carefully structure the attacker-controlled data to - convince free that x s chunk is free (how do we do this?) - convince the unlink macro to overwrite a saved instruction pointer on the stack by setting x s chunk s and pointers - inject shellcode When the function returns, our shellcode runs!

Attacking malloc prev_ 105 104 x y 1. Change y s chunk s from 105 to 104 (clears the PREV_IN_USE bit); y s chunk s prev_ and x s chunk s and are now used

Attacking malloc prev_ 105 104 104 x y 1. Change y s chunk s from 105 to 104 (clears the PREV_IN_USE bit); y s chunk s prev_ and x s chunk s and are now used 2. Set y s chunk s prev_ to 104 so free looks back 104 bytes to find the start of the chunk to unlink

Attacking malloc prev_ 105 104 104 P x y 1. Change y s chunk s from 105 to 104 (clears the PREV_IN_USE bit); y s chunk s prev_ and x s chunk s and are now used 2. Set y s chunk s prev_ to 104 so free looks back 104 bytes to find the start of the chunk to unlink 3. P in the unlink macro is x s chunk, so its and pointers need to be valid

Attacking malloc prev_ 105 104 104 P x seip-12 y 1. Change y s chunk s from 105 to 104 (clears the PREV_IN_USE bit); y s chunk s prev_ and x s chunk s and are now used 2. Set y s chunk s prev_ to 104 so free looks back 104 bytes to find the start of the chunk to unlink 3. P in the unlink macro is x s chunk, so its and pointers need to be valid 4. Point P-> to saved eip (seip) - 12

Attacking malloc prev_ 105 jmp shellcode 104 104 P x seip-12 y 1. Change y s chunk s from 105 to 104 (clears the PREV_IN_USE bit); y s chunk s prev_ and x s chunk s and are now used 2. Set y s chunk s prev_ to 104 so free looks back 104 bytes to find the start of the chunk to unlink 3. P in the unlink macro is x s chunk, so its and pointers need to be valid 4. Point P-> to saved eip (seip) - 12 5. Point P-> to a short jump to shellcode

Unlinking P (zooming in on P) p_sz 105 jmp shellcode P x Stack y saved eip saved ebp #define unlink(p, BK, FD) \ BK = P->; \ FD = P->; \ FD-> = BK; \ BK-> = FD;

Unlinking P (zooming in on P) p_sz 105 jmp shellcode P x BK Stack y saved eip saved ebp #define unlink(p, BK, FD) \ BK = P->; \ FD = P->; \ FD-> = BK; \ BK-> = FD;

Unlinking P (zooming in on P) p_sz 105 jmp shellcode P x BK Stack y saved eip saved ebp #define unlink(p, BK, FD) \ BK = P->; \ FD = P->; \ FD-> = BK; \ FD BK-> = FD;

Unlinking P (zooming in on P) p_sz 105 jmp shellcode P x BK Stack y saved eip saved ebp #define unlink(p, BK, FD) \ BK = P->; \ FD = P->; \ FD-> = BK; \ FD BK-> = FD;

Unlinking P (zooming in on P) p_sz 105 jmp shellcode P x BK Stack y saved eip saved ebp #define unlink(p, BK, FD) \ BK = P->; \ FD = P->; \ FD-> = BK; \ FD BK-> = FD;

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback