System Security Class Notes 09/23/2013

Similar documents
CSCE 548 Building Secure Software Integers & Integer-related Attacks & Format String Attacks. Professor Lisa Luo Spring 2018

Lecture 4 September Required reading materials for this class

CSE 565 Computer Security Fall 2018

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CS 161 Computer Security

Software Security: Buffer Overflow Defenses

Introduction to Programming in C Department of Computer Science and Engineering. Lecture No. #29 Arrays in C

CYSE 411/AIT681 Secure Software Engineering Topic #12. Secure Coding: Formatted Output

2/9/18. CYSE 411/AIT681 Secure Software Engineering. Readings. Secure Coding. This lecture: String management Pointer Subterfuge

Software Security: Buffer Overflow Attacks (continued)

Page 1. Today. Last Time. Is the assembly code right? Is the assembly code right? Which compiler is right? Compiler requirements CPP Volatile

Memory Corruption 101 From Primitives to Exploit

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Week 5, continued. This is CS50. Harvard University. Fall Cheng Gong

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

prin'() tricks DC4420 slides, Feb 2012

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

Computer Systems Lecture 9

Technical Questions. Q 1) What are the key features in C programming language?

EURECOM 6/2/2012 SYSTEM SECURITY Σ

QUIZ. What are 3 differences between C and C++ const variables?

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e Feb 11, 13, 15, and 25. Winter Session 2018, Term 2

Intermediate Programming, Spring 2017*

Pointers and Memory 1

Intel assembly language using gcc

QUIZ. Source:

Important From Last Time

C How to Program, 6/e by Pearson Education, Inc. All Rights Reserved.

20: Exploits and Containment

Intro to x86 Binaries. From ASM to exploit

Computer Science 50: Introduction to Computer Science I Harvard College Fall Quiz 0 Solutions. Answers other than the below may be possible.

Important From Last Time

CSE 509: Computer Security

Format String Dangers. Shachar Shemesh Security Consultant

C Pointers. 6th April 2017 Giulio Picierro

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CSCI-243 Exam 1 Review February 22, 2015 Presented by the RIT Computer Science Community

Static Analysis in Practice

CSE 565 Computer Security Fall 2018

Software Security: Buffer Overflow Attacks

5) Attacker causes damage Different to gaining control. For example, the attacker might quit after gaining control.

Announcements. assign0 due tonight. Labs start this week. No late submissions. Very helpful for assign1

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Non-stack Based Exploitation of Buffer Overrun Vulnerabilities on Windows NT/2000/XP

Static Vulnerability Analysis

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Secure Programming I. Steven M. Bellovin September 28,

Part 7. Stacks. Stack. Stack. Examples of Stacks. Stack Operation: Push. Piles of Data. The Stack

For example, let s say we define an array of char of size six:

Memory Safety (cont d) Software Security

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

CSE 361S Intro to Systems Software Lab Assignment #4

Exercise 6.2 A generic container class

CS113: Lecture 7. Topics: The C Preprocessor. I/O, Streams, Files

Lecture 9 Assertions and Error Handling CS240

Hacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh

MEMORY SAFETY ATTACKS & DEFENSES

Page 1. Today. Important From Last Time. Is the assembly code right? Is the assembly code right? Which compiler is right?

First of all, it is a variable, just like other variables you studied

Software Security; Common Implementation Flaws

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

Changelog. Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part

Variables Data types Variable I/O. C introduction. Variables. Variables 1 / 14

Software Vulnerabilities. Jeff Foster University of Maryland, College Park

6 WEEK EXAM NAME: ALPHA: SECTION:

Buffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers.

Outline. Computer programming. Debugging. What is it. Debugging. Hints. Debugging

Ch. 11: References & the Copy-Constructor. - continued -

CSC 1600 Memory Layout for Unix Processes"

Buffer overflow prevention, and other attacks

CS 61c: Great Ideas in Computer Architecture

Procedures, Parameters, Values and Variables. Steven R. Bagley

Program Security and Vulnerabilities Class 2

General Syntax. Operators. Variables. Arithmetic. Comparison. Assignment. Boolean. Types. Syntax int i; float j = 1.35; int k = (int) j;

War Industries Presents: An Introduction to Programming for Hackers Part III - Advanced Variables & Flow Control.

Lecture 08 Control-flow Hijacking Defenses

Static Analysis in Practice

A brief introduction to C programming for Java programmers

CE221 Programming in C++ Part 2 References and Pointers, Arrays and Strings

CMPSC 497 Other Memory Vulnerabilities

CS 61C: Great Ideas in Computer Architecture. C Arrays, Strings, More Pointers

DECLARAING AND INITIALIZING POINTERS

Buffer Overflow & Format Strings

Pointer Basics. Lecture 13 COP 3014 Spring March 28, 2018

Infix to Postfix Conversion

CpSc 1011 Lab 11 Pointers

3/7/2018. Sometimes, Knowing Which Thing is Enough. ECE 220: Computer Systems & Programming. Often Want to Group Data Together Conceptually

United States Naval Academy Electrical and Computer Engineering Department EC310-6 Week Midterm Spring 2015

Programming Studio #9 ECE 190

Agenda. Peer Instruction Question 1. Peer Instruction Answer 1. Peer Instruction Question 2 6/22/2011

PIC 10A Pointers, Arrays, and Dynamic Memory Allocation. Ernest Ryu UCLA Mathematics

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

Subprograms: Arguments

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

CS 31: Intro to Systems Pointers and Memory. Martin Gagne Swarthmore College February 16, 2016

CS61C Machine Structures. Lecture 5 C Structs & Memory Mangement. 1/27/2006 John Wawrzynek. www-inst.eecs.berkeley.edu/~cs61c/

Stack Overflow COMP620

Plan for Today. Safe Programming Languages. What is a secure programming language?

Transcription:

System Security Class Notes 09/23/2013 1 Format String Exploits a Format String bugs The printf family consists of functions with variable arguments i printf (char* format, ) ii sprint (char* dest, char* format, ) Etc printf internals / varargs functions The following is how printf behaves with its arguments Like in the case of other functions, the function calling printf pushes the arguments into the stack in the Right to Left order That is, it first pushes in the variable arguments and then the format string fmt printf maintains a pointer ARGP which points just above the format string fmt in the stack Each time a format code (%d, %s, %c, etc) is encountered in the printf s format string, the ARGP pointer takes the bytes at the location pointed by it, interprets it according to the format code and prints it out It then increments the ARGP pointer In addition, it also maintains a count variable somewhere on the stack which maintains a count of how many characters have been printed This count can be retrieved with the %n format code Eg int x; printf( Hello %n, OK, &x) This code will copy the number of characters printed so far into the variable x

By passing extra format codes into the format string fmt, the attacker can trick the function into printing the contents of the memory locations on the stack, beyond the arguments that were passed For example, if the format string is %d %d %d in the above case, that is the function call is as follows printf( %d %d %d, a,b); Then, printf will interpret the locations beyond b as integers to be printed and print it out Compilers typically warn when the number of format codes don t match with the number of variable arguments But when the format string is accepted from the user or is generated at run-time, it is not possible for the complier to detect it For eg in the following code snippet which was present in the wu-ftpd server, user is a string provided by the user void logger(char* user) { char buffer[512]; snprintf(buffer, sizeof(buffer), user); write(log_file); }

The compiler can t check the string user as it is provided by the user The attacker can enter %x %x %x %x to print the contents of the stack to the log_file And later, he can manage to read the log files This technique can also be used to overcome the ASLR present on systems For example, suppose there is a friendly function run_cmd in wu-ftpd But because the system has ASLR enabled, the attacker doesn t know where the function is located But the attacker knows that the function logger returns to handle_user_login function and that handle_user_login is at 1500 bytes (say) from run_cmd As ASLR doesn t move the functions internally within an executable, the attacker can continue reading off the stack using the above described technique till he figures out the return address of the handle_user_login function Once, he figures that out, he can easily compute the location of the run_cmd function as he knows that it is 1500 bytes from handle_user_login function Also, this technique doesn t crash the application, since the attacker is only reading values off the stack So, the ASLR won t run again and randomize the memory location

2 Using %n to overwrite arbitrary memory We aim to design a format string that does -- Memory[a] V We ll be able to string these format strings together to achieve complex attacks Suppose the ARGP pointer points to the starting location of the buffer array Then, the attacker can send in a user string in the following manner -- user = <address to be written> %n The number of underscores is the value that the attacker wants to be written to the specified address printf will write the address and the underscores to the buffer and will increment its internal count variable each time a character is written to the buffer When the %n is encountered, it will write the value of the internal count variable to the memory location pointed by the value on the stack that ARGP points to In this case, since ARGP points to the address the attacker wants to write to and the count contains the value the attacker wants to write, this achieves the target of writing the value to the desired memory location To write to a series of address locations, the attacker can string together the addresses,

followed by correctly positioned %n format codes separated by correct number of underscores user = <a1> <a2> <a3> <a4> (enough number of underscores to increment the count to the required value) %n %n %n %n for eg if the attacker wants to write 0x12, 0x34, 0x56, 0x78 to memory locations a1, a2, a3, a4, he ll form the string user as follows user = <a1><a2><a3><a4> (enough underscores so that count ends in 78) %n (enough underscores so that count ends up 56) %n (enough underscores so that count ends in 34) %n (enough underscores so that count ends in 12) %n How to prevent Varargs can be modified to accept the number of vararg parameters This way, the extra format codes can be detected and the ARGP will not proceed beyond the number of vararg parameters passed actually This way, the attack can be prevented

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback