Program Security and Vulnerabilities Class 2

Similar documents
Fundamentals of Computer Security

Software Security: Buffer Overflow Attacks and Beyond

Software Security: Buffer Overflow Attacks and Beyond

CSE 565 Computer Security Fall 2018

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Software Security: Buffer Overflow Attacks and Beyond

CS Exploiting Memory. Vitaly Shmatikov

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

We will focus on Buffer overflow attacks SQL injections. See book for other examples

CMPSC 497 Buffer Overflow Vulnerabilities

Buffer overflow background

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Buffer Overflow. Jo, Heeseung

BUFFER OVERFLOW. Jo, Heeseung

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

Secure Software Development: Theory and Practice

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Lecture 9 Assertions and Error Handling CS240

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

CSE 509: Computer Security

Lecture 4 September Required reading materials for this class

UMSSIA LECTURE I: SOFTWARE SECURITY

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Software Security: Buffer Overflow Attacks (continued)

ECS 153 Discussion Section. April 6, 2015

Buffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

CS 161 Computer Security

Basic Buffer Overflows

Runtime Defenses against Memory Corruption

Software Security; Common Implementation Flaws

Vulnerabilities. Code Injection - Buffer overflows. Some Commonly Exploitable Flaws

Memory Corruption Vulnerabilities, Part I

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

Software Security: Buffer Overflow Attacks

DAY 3. CS3600, Northeastern University. Alan Mislove

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

Information Security CS 526

(Early) Memory Corruption Attacks

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

Is stack overflow still a problem?

Buffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers.

Computer Programming: Skills & Concepts (CP) Strings

1/31/2007 C. Edward Chow. CS591 Page 1

Buffer Overflows Defending against arbitrary code insertion and execution

typedef void (*type_fp)(void); int a(char *s) { type_fp hf = (type_fp)(&happy_function); char buf[16]; strncpy(buf, s, 18); (*hf)(); return 0; }

Buffer Overflow Attacks

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Buffer Overflow Vulnerability

Machine-Level Programming V: Buffer overflow

Buffer overflows. Specific topics:

CSE 565 Computer Security Fall 2018

CSCD 303 Fall Lecture 15 Buffer Overflows

Computer Systems CEN591(502) Fall 2011

Secure Systems Engineering

Foundations of Network and Computer Security

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Software Security: Buffer Overflow Defenses

Lecture 08 Control-flow Hijacking Defenses

CS 361S - Network Security and Privacy Spring Homework #2

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

CS 161 Computer Security

CS 161 Computer Security

Secure Programming I. Steven M. Bellovin September 28,

Sungkyunkwan University

Buffer Overflows. Buffer Overflow. Many of the following slides are based on those from

Buffer Overflow Vulnerability Lab Due: September 06, 2018, Thursday (Noon) Submit your lab report through to

COMP3441 Lecture 7: Software Vulnerabilities

CMSC 414 Computer and Network Security

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I Solutions

CSC 252: Computer Organization Spring 2018: Lecture 9

Memory Corruption Vulnerabilities, Part II

CSE / / 60567: Computer Security. Software Security 4

ISA564 SECURITY LAB. Code Injection Attacks

Topics in Software Security Vulnerability

Stack Overflow COMP620

Defense against Code-injection, and Code-reuse Attack

CSCE 548 Building Secure Software Integers & Integer-related Attacks & Format String Attacks. Professor Lisa Luo Spring 2018

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

Making C Less Dangerous

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

NET 311 INFORMATION SECURITY

Secure Programming. Buffer Overflows Learning objectives. Type. 3 Buffer Overflows. 4 An Important Vulnerability. 5 Example Overflow

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall 2011.

One-Slide Summary. Lecture Outline. Language Security

Foundations of Network and Computer Security

CS4264 Programming Assignment 1 Buffer Overflow Vulnerability Due 02/21/2018 at 5:00 PM EST Submit through CANVAS

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

CS 161 Computer Security

Lecture 1: Buffer Overflows

Machine-Level Programming V: Advanced Topics

CMPSC 497: Midterm Review

Università Ca Foscari Venezia

EURECOM 6/2/2012 SYSTEM SECURITY Σ

Buffer Overflow Attack

Software Security: Buffer Overflow Defenses and Miscellaneous

Transcription:

Program Security and Vulnerabilities Class 2 CEN-5079: 28.August.2017 1

Secure Programs Programs Operating System Device Drivers Network Software (TCP stack, web servers ) Database Management Systems Integrity Confidentiality Availability Secure Programs CNT-4403: 18.Oct.2012 2

Security Properties Confidentiality Information about system or its users cannot be learned by an attacker Integrity The system continues to operate properly, only reaching states that would occur if there were no attacker Availability Actions by an attacker do not prevent users from having access to use of the system CNT-4403: 18.Oct.2012 3

Security Properties (cont d) System Alice Malory Security is about Honest user (e.g., Alice, Bob, ) Dishonest Attacker How the Attacker Disrupts honest user s use of the system (Integrity, Availability) Learns information intended for Alice only (Confidentiality) CNT-4403: 18.Oct.2012 4

What is Security? System correctness If user supplies expected input, system generates desired output Good input Good output More features: better Security If attacker supplies unexpected input, system does not fail in certain ways Bad input Bad output More features: can be worse CNT-4403: 18.Oct.2012 5

In This Section Buffer Overflow SQL Injection Attack Incomplete Mediation Time-of-Check to Time-of-Use Errors Malicious Code CNT-4403: 18.Oct.2012 6

Famous Buffer Overflow Attacks Morris worm (1988): overflow in fingerd 6,000 machines infected (10% of existing Internet) CodeRed (2001): overflow in MS-IIS web server Internet Information Services (IIS) Web server application The most used web server after Apache HTTP Server 300,000 machines infected in 14 hours SQL Slammer(2003): overflow in MS-SQL server 75,000 machines infected in 10 minutes (!!) CNT-4403: 18.Oct.2012 7 slide 7

Famous Buffer Overflow Attacks Sasser (2004): overflow in Windows LSASS Local Security Authority Subsystem Service Process in Windows OS Responsible for enforcing the security policy on the system. Verifies users logging on to a Windows computer or server, handles password changes, and creates access tokens Around 500,000 machines infected Conficker (2008-09): overflow in Windows Server Around 10 million machines infected (estimates vary) CNT-4403: 18.Oct.2012 8 slide 8

Memory Exploits Buffer is a data storage area inside computer memory (stack or heap) Intended to hold pre-defined amount of data If executable code is supplied as data, victim s machine may be fooled into executing it Code will give attacker control over machine CNT-4403: 18.Oct.2012 9 slide 9

Stack Buffers Suppose Web server contains this function void func(char *str) { char buf[126]; strcpy(buf,str); } Allocate local buffer (126 bytes reserved on stack) Copy argument into local buffer When this function is invoked, a new frame with local variables is pushed onto the stack Stack grows this way buf sfp ret addr str Frame of the calling function Top of stack Local variables Pointer to previous frame Execute code at this address after func() finishes Arguments slide CNT-4403: 18.Oct.2012 10 10

Stack Buffers (cont d) When func returns The local variables are popped from the stack The old value of the stack frame pointer (sfp) is recovered The return address is retrieved The stack frame is popped Execution continues from return address (calling function) buf sfp ret addr Stack grows this way str Frame of the calling function Top of stack Local variables Pointer to previous frame Execute code at this address after func() finishes Arguments slide CNT-4403: 18.Oct.2012 11 11

What If Buffer Is Overstuffed Memory pointed to by str is copied onto stack void func(char *str) { char buf[126]; strcpy(buf,str); } strcpy does NOT check whether the string at *str contains fewer than 126 characters If a string longer than 126 bytes is copied into buffer, it will overwrite adjacent stack locations buf overflow sfp ret addr str Stack grows this way Frame of the calling function Top of stack This will be interpreted as return address! CNT-4403: 18.Oct.2012 slide 12 12

Attack 1: Smashing the Stack Suppose buffer contains attacker-created string For example, *str contains a string received from the network as input to some network service daemon Frame of the code ret str calling function Top of stack Attacker puts actual assembly instructions into his input string, e.g., binary code of execve( /bin/sh ) In the overflow, a pointer back into the buffer appears in the location where the system expects to find return address When function exits, code in the buffer will be executed, giving attacker a shell Root shell if the victim program is setuid root CNT-4403: 18.Oct.2012 13 slide 13

Buffer Overflow Difficulties Executable attack code is stored on stack, inside the buffer containing attacker s string Stack memory is supposed to contain only data, but For the basic attack, overflow portion of the buffer must contain correct address of attack code in the RET position The value in the RET position must point to the beginning of attack assembly code in the buffer Otherwise application will give segmentation violation Attacker must correctly guess in which stack position his buffer will be when the function is called CNT-4403: 18.Oct.2012 14 slide 14

Problem: No Range Checking strcpy does not check input size strcpy(buf, str) simply copies memory contents into buf starting from *str until \0 is encountered, ignoring the size of area allocated to buf Many C library functions are unsafe strcpy(char *dest, const char *src) strcat(char *dest, const char *src) gets(char *s) scanf(const char *format, ) printf(const char *format, ) CNT-4403: 18.Oct.2012 15 slide 15

Does Range Checking Help? strncpy(char *dest, const char *src, size_t n) If strncpy is used instead of strcpy, no more than n characters will be copied from *src to *dest Programmer has to supply the right value of n Potential overflow in htpasswd.c (Apache 1.3): strcpy(record, user); strcat(record, : ); strcat(record, cpw); Published fix (do you see the problem?): strncpy(record,user, MAX_STRING_LEN-1); strcat(record, : ); strncat(record,cpw, MAX_STRING_LEN-1); Copies username ( user ) into buffer ( record ), then appends : and hashed password ( cpw ) CNT-4403: 18.Oct.2012 16 slide 16

Strncpy Missuse in htpasswd Fix Published fix for Apache htpasswd overflow: strncpy(record,user, MAX_STRING_LEN-1); strcat(record, : ); strncat(record,cpw, MAX_STRING_LEN-1); MAX_STRING_LEN bytes allocated for record buffer contents of *user : contents of *cpw Put up to MAX_STRING_LEN-1 characters into buffer Put : Again put up to MAX_STRING_LEN-1 characters into buffer CNT-4403: 18.Oct.2012 17

Attack 2: Variable Overflow Somewhere in the code authenticated is set only if login procedure is successful Other parts of the code test authenticated to provide special access char buf[80]; int authenticated = 0; void vulnerable() { buf authenticated overflow } gets(buf); authenticated becomes 1! Attacker passes 81 bytes as input to buf CNT-4403: 18.Oct.2012 18

Attack 3: Pointer Variables fnptr is invoked somewhere else in the program This is only the definition void func(char *s){ char buf[80]; int (*fnptr)(); gets(buf); } buf fnptr sfp ret addr s Frame of the calling function Local variables Pointer to previous frame Execute code at this address after func() finishes Arguments CNT-4403: 18.Oct.2012 19 slide 19

Attack 3: Pointer Variables (cont d) Send malicious code in s Overflow fnptr void func(char *s){ char buf[80]; int (*fnptr)(); gets(buf); } Pass more than 80 bytes in gets fnptr now points to malicious code When fnptr is executed, malicious code is executed! buf fnptr o flow sfp ret addr s malicious code Frame of the calling function Local variables Pointer to previous frame Execute code at this address after func() finishes Arguments CNT-4403: 18.Oct.2012 20 slide 20

Attack 4: Frame Pointer void func(char *s){ char buf[80]; gets(buf); } Send malicious code in s Change the caller s saved frame ptr. Pass more than 80 bytes in gets sfp now points to malicious code Caller s return address read from sfp When func returns, mal. code runs! buf sfp o flow ret addr s malicious code Frame of the calling function Local variables Pointer to previous frame Execute code at this address after func() finishes Arguments CNT-4403: 18.Oct.2012 slide 21 21

Attack 5: Integer Overflow static int getpeername1(p, uap, compat) { // In FreeBSD kernel, retrieves address of peer to which a socket is connected } struct sockaddr *sa; len = MIN(len, sa->sa_len); copyout(sa, (caddr_t)uap->asa, (u_int)len); Copies len bytes from kernel memory to user space Checks that len is not too big Negative len will always pass this check interpreted as a huge unsigned integer here will copy up to 4G of kernel memory CNT-4403: 18.Oct.2012 22 slide 22

Buffer Overflow Prevention Canary Bounds checking Tagging CNT-4403: 18.Oct.2012 23 slide 23

Canary Canary words Known values placed between a buffer and control data on the stack When the buffer overflows, the first data to be corrupted will be the canary Failed verification of the canary data: overflow alert! CNT-4403: 18.Oct.2012 24 slide 24

Bounds Checking Compiler based technique For each allocated memory block Add run-time bounds information Checks all pointers against bounds at run-time CNT-4403: 18.Oct.2012 25 slide 25

Tagging Tag the type of each piece of data in memory Used for type checking Mark data buffers as non-executable Prevent them from storing executable code CNT-4403: 18.Oct.2012 26 slide 26

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback