Secure Software Programming and Vulnerability Analysis

Similar documents
Secure Coding in C and C++

Secure Coding in C and C++ Dynamic Memory Management Lecture 5 Jan 29, 2013

==Phrack Inc.== Volume 0x0b, Issue 0x39, Phile #0x08 of 0x12. --=[ Disclaimer ]= //

Intrusion Detection and Malware Analysis

Control Hijacking Attacks

Agenda. Dynamic Memory Management. Robert C. Seacord. Secure Coding in C and C++

Memory Corruption 2. Advanced Internet Security

malloc() is often used to allocate chunk of memory dynamically from the heap region. Each chunk contains a header and free space (the buffer in which

2/9/18. Secure Coding. CYSE 411/AIT681 Secure Software Engineering. Agenda. Dynamic Memory Interface. Dynamic Memory Interface

Lecture 07 Heap control data. Stephen Checkoway University of Illinois at Chicago

Heap Off by 1 Overflow Illustrated. Eric Conrad October 2007

CSE / / 60567: Computer Security. Software Security 4

Dynamic memory allocation

Dynamic Memory Management

Buffer Overflow and Format String Overflow Vulnerabilities

Memory Corruption 101 From Primitives to Exploit

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

CSE 127 Computer Security

Dynamic Memory Allocation

Memory management. Johan Montelius KTH

Princeton University Computer Science 217: Introduction to Programming Systems. Dynamic Memory Management

CMPS 105 Systems Programming. Prof. Darrell Long E2.371

Lecture 8 Dynamic Memory Allocation

CSE 509: Computer Security

ECE 598 Advanced Operating Systems Lecture 12

Dynamic Memory Allocation: Basic Concepts

Dnmaloc: a more secure memory allocator

Reminder: compiling & linking

Introduction to Computer Systems /18 243, fall th Lecture, Oct. 22 th

Improving memory management security for C and C++

Princeton University. Computer Science 217: Introduction to Programming Systems. Dynamic Memory Management

Memory Allocator Security

==Phrack Inc.== Volume 0x0b, Issue 0x39, Phile #0x09 of 0x12

Dynamic Memory Allocation: Basic Concepts

Fastbin_dup into stack exploitation

o Code, executable, and process o Main memory vs. virtual memory

Dynamic Memory Management! Goals of this Lecture!

Today. Dynamic Memory Allocation: Basic Concepts. Dynamic Memory Allocation. Dynamic Memory Allocation. malloc Example. The malloc Package

Malloc Lab & Midterm Solutions. Recitation 11: Tuesday: 11/08/2016

Understanding Pointers

COSC345 Software Engineering. The Heap And Dynamic Memory Allocation

Memory Management. CSC215 Lecture

Memory Allocation. Copyright : University of Illinois CS 241 Staff 1

Inside ptmalloc2. Peng Xu Sep 14, 2013

Run-time Environments - 3

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CS 161 Computer Security

Dynamic Memory Allocation I Nov 5, 2002

Memory and C/C++ modules

Memory (Stack and Heap)

Dynamic Memory Allocation

Dynamic Memory Allocation I

Today. Dynamic Memory Allocation: Basic Concepts. Dynamic Memory Allocation. Dynamic Memory Allocation. malloc Example. The malloc Package

Proceedings of the 17 th Large Installation Systems Administration Conference

Memory Corruption Vulnerabilities, Part II

CS 33. Storage Allocation. CS33 Intro to Computer Systems XXVII 1 Copyright 2017 Thomas W. Doeppner. All rights reserved.

Dynamic Memory Allocation. Basic Concepts. Computer Organization 4/3/2012. CSC252 - Spring The malloc Package. Kai Shen

COSC Software Engineering. Lectures 14 and 15: The Heap and Dynamic Memory Allocation

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Dynamic Memory Allocation

Dynamic Memory Allocation. Gerson Robboy Portland State University. class20.ppt

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

ECE 598 Advanced Operating Systems Lecture 10

Memory Management. To do. q Basic memory management q Swapping q Kernel memory allocation q Next Time: Virtual memory

Dynamic Memory: Alignment and Fragmentation

Optimizing Dynamic Memory Management

My malloc: mylloc and mhysa. Johan Montelius HT2016

Recitation #11 Malloc Lab. November 7th, 2017

The Environment of a Unix Process

POINTER AND ARRAY SUNU WIBIRAMA

Dynamic memory. EECS 211 Winter 2019

Secure Programming Lecture 4: Memory Corruption II (Stack & Heap Overflows)

Processes. Johan Montelius KTH

Dynamic Memory Allocation

Memory Allocation in C C Programming and Software Tools. N.C. State Department of Computer Science

A process. the stack

Dynamic Memory Alloca/on: Basic Concepts

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Dynamic Memory Management

Dynamic Memory Alloca/on: Basic Concepts

Dynamic Memory Management. Bin Li Assistant Professor Dept. of Electrical, Computer and Biomedical Engineering University of Rhode Island

Basic Buffer Overflows

CSCI-UA /2. Computer Systems Organization Lecture 19: Dynamic Memory Allocation: Basics

ECE 264 Exam 2. 6:30-7:30PM, March 9, You must sign here. Otherwise you will receive a 1-point penalty.

Lecture 1: Buffer Overflows

CS201: Lab #4 Writing a Dynamic Storage Allocator

C and C++: vulnerabilities, exploits and countermeasures

Reminder of midterm 1. Next Thursday, Feb. 14, in class Look at Piazza announcement for rules and preparations

COSC Software Engineering. Lecture 16: Managing Memory Managers

Run-time Environments -Part 3

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

14. Memory API. Operating System: Three Easy Pieces

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

Project 2 Overview: Part A: User space memory allocation

Play with FILE Structure Yet Another Binary Exploitation Technique. Abstract

Arrays and Memory Management

Project 3a: Malloc and Free

Memory Management: The process by which memory is shared, allocated, and released. Not applicable to cache memory.

Dynamic Memory Allocation. Zhaoguo Wang

Security Lab. Episode 6: Format String Vulnerabilities. Jan Nordholz, Matthias Petschick, Julian Vetter

Transcription:

Secure Software Programming and Vulnerability Analysis Christopher Kruegel chris@auto.tuwien.ac.at http://www.auto.tuwien.ac.at/~chris Heap Buffer Overflows and Format String Vulnerabilities Secure Software Programming 2

Overview Security issues at various stages of application life-cycle mistakes, vulnerabilities, and exploits avoidance, detection, and defense Architecture security considerations when designing the application Implementation security considerations when writing the application Operation security considerations when the application is in production Secure Software Programming 3 Buffer Overflow Vulnerable buffer can be located on the stack on the heap in static data areas Redirect execution flow by modifying stack frames longjump buffers function pointers! what can be done when overflowing a buffer on the heap? Secure Software Programming 4

Heap Buffer Overflow Overflowing dynamically allocated memory Dynamically allocated memory managed by a heap manager Heap manager handles memory requested by user programs during run-time sbrk() system call is very simple library between user program and sbrk() system call standardized malloc interface different implementations for different operating systems Secure Software Programming 5 Heap Management Goals maximize portability / compatibility alignment (8 byte hardwired), addressing rules maximize locality allocate chunks that are used together near each other avoid fragmentation maximize error detection debug hooks, deactivated by default minimize used space as little management information as possible minimize time for (de)allocation Secure Software Programming 6

Heap Management Implementations Algorithm Doug Lea s System V (AT&T) BSD phk, BSD kingsley RtlHeap Operating System GNU LibC (Linux) Solaris, IRIX *BSD, AIX Microsoft Windows keeps tags around allocated memory for book-keeping overflow may modify these tags functions malloc, realloc, free, calloc might be tricked into executing arbitrary code Secure Software Programming 7 Memory layout heap is divided into contiguous chunks of memory no two free chunks may be physically adjacent Heap low addresses " high addresses U U F U F U U Wilderness U... used chunk F... free chunk Wilderness... topmost free chunk Wilderness chunk only chunk that may be increased (with system call sbrk) treated as bigger than all other chunks Secure Software Programming 8

Memory chunk contiguous region of heap memory can be allocated, freed, split, coalesced (two free chunks) Public and Internal routines malloc(size_t n) calloc(size_t unit, size_t quantity) " chunk_alloc() realloc(void* ptr, size_t n) " chunk_alloc() / chunk_free() free(void *ptr) " chunk_free() Secure Software Programming 9 Boundary tag holds chunk management information stored in front of each chunk 16 bytes large " minimum allocated size struct malloc_chunk { size_t prev_size; // only used when previous chunk is free size_t size; // size of chunk in bytes + 2 status-bits struct malloc_chunk *fd; // only used for free chunks struct malloc_chunk *bk; // only used for free chunks }; pointer returned by malloc (for user) starts at fd usually 8 bytes overhead for allocated chunks Secure Software Programming 10

Allocated Chunk Free Chunk chunk size of previous chunk (in bytes) chunk unused (may hold user data) chunk size (in bytes) + status chunk size (in bytes) + status mem fd-ptr (here may be user data) fd-ptr for circular list (bins) bk-ptr (here may be user data) bk-ptr for circular list (bins) user data (may be 0 bytes) unused data (may be 0 bytes) next chunk size of previous chunk (unused) next chunk size of previous chunk (in bytes) Secure Software Programming 11 Boundary tag prev_size field only used when previous chunk is free to reduce memory wastage, field can hold user-data of previous chunk Boundary tag size field holds chunk size in bytes, but size is always a multiple of 8 chunk size = requested memory (by user via malloc) + 8 bytes (overhead) - 4 bytes (prev_field of next chunk) rounded up to next multiple of 8 3 least significant bits are always 0, two of them are used as status bits PREV_INUSE (0x01) 1 if previous chunk is in use IS_MMAPED (0x02) 1 if chunk is memory mapped Secure Software Programming 12

Bin Management available chunks are maintained in bins depending on the size of the chunk, the corresponding bin is chosen remainder of most-recently split (non-top) chunk and top (wilderness) chunk are never in any bin chunks with a size of less than 512 bytes are called small 128 available bins 62 small bins (for small chunks of size 16 504 byte) only hold chunks of a certain size regular bins hold chunks of a certain size range Secure Software Programming 13 chunks are stored in bins on a circular doubly-linked list the bin itself consists of two pointers (forward/back) and acts as the corresponding list head each bin is initially empty chunks are maintained in decreasing sorted order by size " best fit algorithm forward pointer Bin 79 1531 1502 1476 back pointer Secure Software Programming 14

Memory allocation 1. List of corresponding bin is scanned (starting backwards) - when chunk of exactly correct size (chunk size is equal or bigger by not more than 16 bytes than the requested size) is found, return it 2. Most-recent remainder of split is used (when large enough) - split it when it is too big, return it when size is exact 3. Other bins are scanned in increasing order - return chunk of exact size, split one that is too big 4. Split memory from wilderness chunk (when big enough) 5. Extend wilderness chunk (with sbrk()), when this fails, return NULL Secure Software Programming 15 Memory de-allocation (free operation) 1. When the chunk to be freed borders the wilderness chunk, it is consolidated into it 2. If the chunk before the one to be freed is unallocated, it is consolidated into a single large chunk 3. If the chunk after the one to be freed is unallocated, it is consolidated into a single large chunk Secure Software Programming 16

When chunks are handled, their entries have to be taken off or inserted into the corresponding lists Macro unlink() used to take off entry P with its pointers FD and BK #define unlink(p, BK, FD){ \ BK = P->bk; \ FD = P->fd; \ FD->bk = BK; \ BK->fd = FD; } Macro frontlink() used to insert P (size S, pointers FD, BK) into bin IDX Secure Software Programming 17 #define frontlink(a, P, S, IDX, BK, FD) { IDX = bin_index(s); \ BK = bin_at(a, IDX); \ FD = BK->fd; \ if (FD == BK) { \ mark_binblock(a, IDX); \ } else { \ while (FD!= BK && S < chunksize(fd) \ FD = FD->fd; \ } \ BK = FD->bk; \ } \ P->bk = BK; \ P->fd = FD; \ FD->bk = BK->fd = P; } Secure Software Programming 18

Exploiting the unlink() macro overwrite an arbitrary memory position with arbitrary integer overwrite address stored in FD + 12 (offset of bk) with BK BK = P->bk; FD = P->fd; FD->bk = BK; overwrite a function pointer (e.g. stored in GOT global offset table) with address of the shell code when function is later invoked, shell code is executed instead used against netscape, traceroute and slocate Secure Software Programming 19 Exploiting the frontlink() macro overwrite an arbitrary memory position with address of modified chunk overwrite address stored in BK + 8 (offset of fd) with address of chunk P while (FD!= BK && S < chunksize(fd) FD = FD->fd; BK = FD->bk; FD->bk = BK->fd = P; beginning of chunk (prev_size field) has to contain executable code (e.g. jump to shell code) same approach as unlink() macro no known exploit in the wild, but sudo example in Phrack 57-8 Secure Software Programming 20

Heap Overflow Heap overflow requires modification of boundary tags in-band management information task is to fake these tags to trick into overwriting addresses of attackers choice Different techniques for other memory managers System V (Solaris, IRIX) - self-adjusting binary trees Phrack 57-9 (Once upon a free()) Secure Software Programming 21 Format String Vulnerability Problem of user supplied input that is used with *printf() printf( Hello world\n ); // is ok printf(user_input); // vulnerable *printf() function with variable number of arguments int printf(const char *format,...) as usual, arguments are fetched from the stack const char *format is called format string used to specify type of arguments %d or %x for numbers %s for strings Secure Software Programming 22

Format String Vulnerability #include <stdio.h> int main(int argc, char **argv){ char buf[128]; int x = 1; snprintf(buf, sizeof(buf), argv[1]); buf[sizeof buf - 1] = '\0'; } printf("buffer (%d): %s\n", strlen(buf), buf); printf("x is %d/%#x (@ %p)\n", x, x, &x); return 0; Secure Software Programming 23 Format String Vulnerability chris@euler:~/test >./vul "%x %x %x %x buffer (28): 40017000 1 bffff680 4000a32c x is 1/0x1 (@ 0xbffff638) chris@euler:~/test >./vul "AAAA %x %x %x %x %x buffer (35): AAAA 40017000 1 bffff680 4000a32c 1 x is 1/0x1 (@ 0xbffff638) chris@euler:~/test >./vul "AAAA %x %x %x %x %x %x buffer (44): AAAA 40017000 1 bffff680 4000a32c 1 41414141 x is 1/0x1 (@ 0xbffff638) Secure Software Programming 24

Format String Vulnerability Stack Layout char buf[128] stack frame for main() int x fmt string sizeof(buf) arguments for snprintf() &buf[0] stack frame for snprintf() Secure Software Programming 25 Format String Vulnerability chris@euler:~/test > perl -e 'system "./vul", "\x38\xf6\xff\xbf %x %x %x %x %x %x ' buffer (44): 8öÿ 40017000 1 bffff680 4000a32c 1 bffff638 x is 1/0x1 (@ 0xbffff638) chris@euler:~/test > perl -e 'system "./vul", "\x38\xf6\xff\xbf %x %x %x %x %x%n ' buffer (35): 8öÿ 40017000 1 bffff680 4000a32c 1 x is 35/0x2f (@ 0xbffff638) One can use width modifier to write arbitrary values for example, %.500d even in case of truncation, the values that would have been written are used for %n Secure Software Programming 26

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback