Software Vulnerabilities. Jeff Foster University of Maryland, College Park

Similar documents
CMPSC 497 Buffer Overflow Vulnerabilities

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Assembly Language: Function Calls" Goals of this Lecture"

Assembly Language: Function Calls" Goals of this Lecture"

Assembly Language: Function Calls

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Format string vulnerabilities

Software Security: Buffer Overflow Defenses

Secure Programming I. Steven M. Bellovin September 28,

Assembly Language: Function Calls. Goals of this Lecture. Function Call Problems

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

Software Security: Buffer Overflow Attacks (continued)

Lecture 4 September Required reading materials for this class

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

Operating systems. Lecture 9

Return-orientated Programming

Lecture 08 Control-flow Hijacking Defenses

CS 161 Computer Security

SYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14

Function Calls COS 217. Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site)

CSC 2400: Computing Systems. X86 Assembly: Function Calls"

X86 Review Process Layout, ISA, etc. CS642: Computer Security. Drew Davidson

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures)

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

Software Security: Buffer Overflow Attacks

Software Security II: Memory Errors - Attacks & Defenses

Midterm 1 Review. Memory Safety & Web Attacks

Advanced Systems Security: Ordinary Operating Systems

20: Exploits and Containment

Runtime Defenses against Memory Corruption

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

What the CPU Sees Basic Flow Control Conditional Flow Control Structured Flow Control Functions and Scope. C Flow Control.

CS 31: Intro to Systems Functions and the Stack. Martin Gagne Swarthmore College February 23, 2016

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Intro to x86 Binaries. From ASM to exploit

Secure Programming Lecture 5: Memory Corruption III (Countermeasures)

Buffer overflow risks have been known for over 30 years. Is it still a problem? Try searching at to see.

CSE 565 Computer Security Fall 2018

Memory corruption countermeasures

Format String Dangers. Shachar Shemesh Security Consultant

Buffer Overflows Defending against arbitrary code insertion and execution

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Is stack overflow still a problem?

Basic Buffer Overflows

Final Exam, Spring 2012 Date: May 14th, 2012

Foundations of Network and Computer Security

CSC 2400: Computing Systems. X86 Assembly: Function Calls

Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

Applications of. Virtual Memory in. OS Design

Function Call Convention

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

CS 161 Computer Security

ECS 153 Discussion Section. April 6, 2015

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

New York University CSCI-UA : Advanced Computer Systems: Spring 2016 Midterm Exam

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CSE 509: Computer Security

Topics in Software Security Vulnerability

CS642: Computer Security

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

Systems I. Machine-Level Programming V: Procedures

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

Princeton University Computer Science 217: Introduction to Programming Systems. Dynamic Memory Management

ECE 471 Embedded Systems Lecture 22

Princeton University. Computer Science 217: Introduction to Programming Systems. Dynamic Memory Management

Procedure Calls. Young W. Lim Sat. Young W. Lim Procedure Calls Sat 1 / 27

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities

CSC 2400: Computer Systems. Using the Stack for Function Calls

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

CSE 127 Computer Security

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

CS 33 (Week 4) Section 1G, Spring 2015 Professor Eggert (TA: Eric Kim) v1.0

CMSC 430 Introduction to Compilers. Spring Code Generation

CSE 127 Computer Security

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

x86 assembly CS449 Fall 2017

CS 31: Intro to Systems Pointers and Memory. Kevin Webb Swarthmore College October 2, 2018

Advanced Systems Security: Control-Flow Integrity

CMSC 414 Computer and Network Security

Buffer Overflow and Protection Technology. Department of Computer Science,

Buffer Overflow Attack (AskCypert CLaaS)

Program Security and Vulnerabilities Class 2

BUFFER OVERFLOW. Jo, Heeseung

Buffer Overflow. Jo, Heeseung

INFLUENTIAL OPERATING SYSTEM RESEARCH: SECURITY MECHANISMS AND HOW TO USE THEM CARSTEN WEINHOLD

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

Università Ca Foscari Venezia

X86 Stack Calling Function POV

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

Procedure Calls. Young W. Lim Mon. Young W. Lim Procedure Calls Mon 1 / 29

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

CSE 127 Computer Security

Buffer Overflows. Buffer Overflow. Many of the following slides are based on those from

Compiler Construction D7011E

Transcription:

Software Vulnerabilities Jeff Foster University of Maryland, College Park

When is a Program Secure? When it does exactly what it should! But what is it supposed to do? - Someone tells us (do we trust them?) - We decide ourselves (how do we check?) - We write the code ourselves (how much of the software you use have you written?) Perfect security does not exist Must trade off performance, cost, usability, functionality When is software secure enough? 2

Integrity No improper modification of data Data E.g., account balance updated only by authorized transactions, only you can change your password Integrity of security mechanism is crucial Enforcement: access control, digital signatures,... 3

Confidentiality Protect information from improper release Data Limit knowledge of data or actions (secrecy) - E.g., D-Day attack date, contract bids Enforcement: access control, encryption,... Hard to enforce after the fact... 4

Availability System must respond to requests Data I.e., do not ensure confidentiality and integrity by unplugging your computer! 5

Vulnerabilities A security vulnerability is a bug that allows an adversary to compromise security What is the difference between a vulnerability and an ordinary bug? Unclear! Ordinary users try to avoid bugs - Adversaries seek out vulnerabilities Also can change over time - E.g., publicly available info at courthouse vs. on Internet - E.g., modem access to SCADA (industrial control) system 6

Two classes of vulnerabilities 1.Application-specific issue E.g., forget to check login credentials in one place These problems can be severe But finding a bug in one application doesn t necessarily give clues to other vulnerabilities 2.Language/library/system design issue E.g., buffer overflows These problems tend to cut across many different software systems built with same technology So efforts to exploit and defend against them have a potentially large consequence 7

Languages and vulnerabilities We ll look at three vulnerabilities in C programs: Null pointer errors Format-string vulnerabilities Buffer overflows All of these stem from design choices that are fundamental to the C language and its libraries Vulnerabilities exist in lots of systems Everyone knows about them Yet, still hard to stamp out - (Ok, the null ones are basically fixed...) 8

Null pointer errors You all know what these are x = NULL;... *x; Obvious problem: denial of service attack Trick target program into dereferencing NULL and it will crash - Could take down a server this way - If have access as a local user to a machine and the kernel dereferences null, could crash the kernel 9

Null pointer errors (cont d) What if this happens: fp = NULL;... fp(x,y,z); Looks about the same, right? NULL = 0, which is just another memory addr By convention, NULL is not a valid addr, so results in a failure when we try to look up that logical address But we can change that with mmap! 10

mmap NAME mmap, munmap - map or unmap files or devices into memory SYNOPSIS #include <sys/mman.h> void *mmap(void *start, size_t length, int prot, int flags, int fd, off_t offset); int munmap(void *start, size_t length); DESCRIPTION The mmap() function asks to map length bytes starting at offset offset from the file (or other object) specified by the file descriptor fd into memory, preferably at address start. This latter address is a hint only, and is usually specified as 0. The actual place where the object is mapped is returned by mmap(). 11

Mapping the 0 page If we look more closely at the options, we can force the lowest page to be mapped mmap(0, 4096, PROT_READ PROT_WRITE, MAP_PRIVATE MAP_ANONYMOUS MAP_FIXED, -1, 0); PROT_READ PROT_WRITE = can read and write page MAP_FIXED = allocate at starting addr or fail - Use of this option is discouraged MAP_PRIVATE = for my process only MAP_ANONYMOUS = don t map to any file 12

Kernel memory model In Linux, jumping into kernel does not remap pages This would add a lot of expense to syscalls So, if we mmap page 0 and then jump into the kernel, that page will still be in memory Uh oh... 13

Exploiting a NULL pointer error Recipe for exploit: Find a function call, null pointer error in the kernel - There are probably lots of them Get access to a local user account mmap the 0 page load whatever code you want executed there trigger the null pointer error kernel jumps to code you control Privilege escalation 14

Impractical solution Eliminate all NULL pointer errors Tony Hoare, Null References: The Billion Dollar Mistake Could try to remove use of NULL in C - Pervasive use in system, library, and many coding idioms makes this unrealistic Can try to give programmers tools to detect null pointer errors - But practical tools will always miss some errors 15

Actual solution Don t allow 0 page to be remapped Modern systems have a check in the kernel s mmap function that requires the mapped page to be some minimal address: $ cat /proc/sys/vm/mmap_min_addr 4096 16

Lesson learned? Vulnerability results from interaction between Language feature (NULL) OS feature (mmap) Lesson: it s hard to anticipate all possible interactions 17

Printing strings in C How to print a string in C: printf( %s, some_string); That s too much typing...why don t we just write: printf(some_string); We saved 5 characters and some whitespace! 18

Format-string vulnerabilities What happens if an attacker can control that string? printf(some_string_from_network); Could pass in %s%s%s - For each %s, printf looks for corresponding arg on stack, treats it as pointer to char, derefs pointers, and prints until hitting NULL - Args not there, so printf will chase garbage pointers - very likely to produce segfault 19

What can we do with this? Crash program, as above Print out data in memory Display sensitive information (e.g., plaintext passwords or keys) Find pointer values, offsets, return addresses, etc - Help make further exploitation easier, defeat ASLR Can even print arbitrary memory addresses 20

Reading arbitrary memory x86 stack grows downward Suppose format string itself lives on stack E.g., perhaps it goes in a stack-allocated buffer 0xdeadbeef %d%d%d%d...%s &format-string stack top printf( \xde\xad\xbe\xef%d%d...%d%s ) Each format specifier will cause printf to look for the next arg on the stack Args pushed right-to-left So, with the right # of %d s, the %s will match the 0xdeadbeef value printf will start printing memory from that addr 21

Writing to memory NAME printf, fprintf, sprintf, snprintf, asprintf, dprintf, vprintf, vfprintf, vsprintf, vsnprintf, vasprintf, vdprintf -- formatted output conversion...... The conversion specifiers and their meanings are: n The number of characters written so far is stored into the integer indicated by the int * (or variant) pointer argument. No argument is converted. Oops! 22

Writing arbitrary memory Same trick as with reading memory printf( \xde\xad\xbe\xef%d%d...%d%n ) Add enough %d s so %n corresponds to 0xdeadbeef Control the value by controlling # bytes written To write large value, write one byte at a time - printf( \xde\xad\xbe\xef...%n...\xde\xad\xbe\xf0...%n... \xde\xad\xbe\xf1...%n...\xde\xad\xbe\xf2...%n ) - Note must write increasing sequence of values Fortunately, x86 has lots of instructions! 23

Solution and lessons Only use trusted strings in format positions Harder than it seems, e.g., internationalization Input validation problem, similar to SQL injection Potential problems known for a long time Only became well known as vulnerability in 2000 Vulnerability results from interaction between Language feature (stack ) Library feature (printf) Lesson? 24

The x86 Stack Frame The stack just after f transfers control to g previous frames f s locals, saves return instruction ptr ebp for caller of f frame boundary parameters for g return instr ptr (eip) saved ebp of f frame boundary ebp esp Based on Fig 6-1 in Intel ia-32 manual 25

x86 Calling Convention To call a function Push parameters for function onto stack Invoke CALL instruction to - Push current value of eip onto stack - I.e., save the program counter - Start executing code for called function Callee pushes ebp onto stack to save it When a function returns Put return value in eax Invoke LEAVE to pop stack frame - Set esp to ebp - Restore ebp that was saved on stack and pop it off the stack Invoke RET instruction to load return address into eip - I.e., start executing code where we left off at call 26

Example int f(int a, int b) { return a + b; } int main(void) { int x; } x = f(3, 4); gcc -S a.c f: pushl %ebp movl %esp, %ebp movl 12(%ebp), %eax addl 8(%ebp), %eax leave ret main:... subl $8, %esp pushl $4 pushl $3 call f l: addl $16, %esp movl %eax, -4(%ebp) leave ret 27

Buffer overflows void f() { char buf[32]; } buf = gets(); gets() may return more than 32 characters Might write past the end of buf What s going to happen on the stack? Could overwrite eip When f() returns, jump to attacker-specified address higher addresses saved eip saved ebp buf[28..31] buf[0..3] lower addresses 28

Problematic functions Lots of C functions do not check buffer sizes strcpy(dst, src) copy null-terminated src to dst - Does not check size of dst strcat(s1, s2) concatenate null-terminated strings - Adds to end of s1, but doesn t check size sprintf(str, fmt,...) print to string - Does not check size of str Also, many large systems have custom wrappers around these functions, or similar custom fns Hard to avoid something that s so widely used! 29

Lesson learned? Buffer overflows caused by interaction of No array bounds checks in C - It s faster that way! Stack-based calling convention Arrays are stack-allocated - Can exploit buffer overflows on heap, but harder, less systematic type and memory safety are good properties 30

Exploiting buffer overflows low high blah blah blah blah 0x8abc1244 start of evil code buf = 0x8abc1234 Idea #1: Overwrite ret with address in overflowed buffer So whatever code we put in the buffer will execute Problem: need to know address on stack ret Might vary some from run to run, e.g., if environment variables change, system configuration slightly different, etc 31

NOP sled low high blah blah blah blah nop nop nop nop start of evil code buf = 0x8abc1234 ret... Idea #2: Add a bunch of no-ops at the front of the code, so we don t need to get the exact address 32

Preventing buffer overflows Eliminate them in the source code Use C safely - This is much harder than it seems... Don t use C! Use static analysis to detect and prevent vulnerabilities - Can never be perfect Modify the system to deter exploits Stack canaries Address space layout randomization (ASLR) Non-executable stack (NX) 33

StackGuard (canaries) low Embed random canaries in stack and ensure integrity prior to function return canary eip high buf = 0x8abc1234 Limitations Adds overhead Only works for stack overflows Canaries should be random to avoid guessing ret Canaries could still be discovered via other means (e.g., format string vulnerabilities) 34

ASLR Randomize starting location of the stack Makes it hard for overwritten eip to go to attackercontrolled location Commonly in use today Limitations Some implementations don t have enough randomness - Can be brute-forced Other vulnerabilities could reveal stack addresses 35

NX Mark memory page containing stack data as non-executable in the page tables Processor will fault if try to set eip to point anywhere on the stack Commonly in use today Limitations Only protects stack Can be defeated with fancier exploit techniques... 36

Return-oriented programming See next slide deck 37

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback