ISA564 SECURITY LAB. Code Injection Attacks

Similar documents
20: Exploits and Containment

Secure Software Development: Theory and Practice

CSE 509: Computer Security

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Basic Buffer Overflows

Buffer overflow background

Non-Control-Data Attacks Are Realistic Threats

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Lecture 4 September Required reading materials for this class

Intrusion Detection and Malware Analysis

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018

Is stack overflow still a problem?

Program Security and Vulnerabilities Class 2

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

Low-level software security

CMPSC 497 Buffer Overflow Vulnerabilities

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

Buffer Overflow. Jo, Heeseung

BUFFER OVERFLOW. Jo, Heeseung

(Early) Memory Corruption Attacks

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Dataflow Anomaly Detection

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

Buffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

Secure C Coding...yeah right. Andrew Zonenberg Alex Radocea

Hello? It s Me, Your Not So Smart Device. We Need to Talk.

One-Slide Summary. Lecture Outline. Language Security

Fundamentals of Linux Platform Security

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

CS 642 Homework #4. Due Date: 11:59 p.m. on Tuesday, May 1, Warning!

UMSSIA LECTURE I: SOFTWARE SECURITY

Defeat Exploit Mitigation Heap Attacks. compass-security.com 1

COMP 3704 Computer Security

Advanced System Security: Vulnerabilities

Lecture 08 Control-flow Hijacking Defenses

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

CSE 127 Computer Security

Buffer Overflows Defending against arbitrary code insertion and execution

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

Fundamentals of Computer Security

typedef void (*type_fp)(void); int a(char *s) { type_fp hf = (type_fp)(&happy_function); char buf[16]; strncpy(buf, s, 18); (*hf)(); return 0; }

414-S17 (Shankar) Exam 1 PRACTICE PROBLEMS SOLUTIONS Page 1/7

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

CMPSC 497 Other Memory Vulnerabilities

String Oriented Programming Exploring Format String Attacks. Mathias Payer

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I Solutions

Language-Based Protection

Introduction to Computer Security Software Security. Pavel Laskov Wilhelm Schickard Institute for Computer Science

Attacks Against Websites 3 The OWASP Top 10. Tom Chothia Computer Security, Lecture 14

CSE 127 Computer Security

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

CSE 127 Computer Security

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

MPATE-GE 2618: C Programming for Music Technology. Unit 4.1

Shellbased Wargaming

Software Security II: Memory Errors - Attacks & Defenses

Hacking Blind. Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazières, Dan Boneh. Stanford University

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

G Programming Languages - Fall 2012

Sample slides and handout

Buffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers.

Play with FILE Structure Yet Another Binary Exploitation Technique. Abstract

Buffer overflows. Specific topics:

Language Security. Lecture 40

sottotitolo System Security Introduction Milano, XX mese 20XX A.A. 2016/17 Federico Reghenzani


CS 161 Computer Security

Documentation for exploit entitled nginx 1.3.9/1.4.0 x86 Brute Force Remote Exploit

Calling Conventions. Hakim Weatherspoon CS 3410, Spring 2012 Computer Science Cornell University. See P&H 2.8 and 2.12

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Lec06: DEP and ASLR. Taesoo Kim

CS161 Midterm 1 Review

CS Exploiting Memory. Vitaly Shmatikov

Secure Software Programming and Vulnerability Analysis

Foundations of Network and Computer Security

Verification & Validation of Open Source

Lecture 1: Buffer Overflows

Memory Corruption 101 From Primitives to Exploit

CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM

Analysis of Security Vulnerabilities

Homework 5: Exam Review

Buffer Overflow Vulnerability

Security and Authentication

Is Exploitation Over? Bypassing Memory Protections in Windows 7

How to Sandbox IIS Automatically without 0 False Positive and Negative

Overflows, Injection, & Memory Safety

CSE 127 Computer Security

The Edward S. Rogers Sr. Department of Electrical and Computer Engineering

Last week. Data on the stack is allocated automatically when we do a function call, and removed when we return

Reserve Engineering & Buffer Overflow Attacks. Tom Chothia Computer Security, Lecture 17

Transcription:

ISA564 SECURITY LAB Code Injection Attacks

Outline Anatomy of Code-Injection Attacks Lab 3: Buffer Overflow

Anatomy of Code-Injection Attacks Background About 60% of CERT/CC advisories deal with unauthorized control information tampering [XKI03] E.g.: Overflow buffer to overwrite return address Other bugs can also divert control

Anatomy of Code-Injection Attacks Three essential stages 1. Trigger software vulnerability 2. Hijack control flow 3. Execute attacker code We are not talking about social engineering attacks

Stage 1: Trigger Software Vulnerability What are those software vulnerabilities Buffer overflows Format-string vulnerability Integer overflows Double-free vulnerability SQL injection vulnerability XSS scripting vulnerability How to trigger them? Different vulnerabilities usually require different ways to exploit them We will focus on buffer overflows (Lab 3) and XSS/SQL Injection (Lab 6)

Stage 2: Hijack Control Flows How? Overwriting control data Overwriting non-control data What are those control data? Return address Function pointers Windows: IAT/EAT, VTABLE Linux: PLT/GOT

Stage 2: Hijack Control Flows (2) Control-data atttacks Currently the most dominant form of memory corruption attacks [CERT and Microsoft Security Bulletin] Non-control-data attacks: attacks not corrupting any control data i.e., attacks preserving the integrity of control flow of the victim process

Stack Overflow A buffer overflow occurs when you try to put too many bits into an allocated buffer. When this happens, the next contiguous chunk of memory is overwritten, such as Return address Function pointer Previous frame pointer, etc. Also an attack code is injected. This can lead to a serious security problem.

Stack Layout and Contaminated Memory by the Attack --- when function foo is called by bar. int bar (int val1) { int val2; foo (a_function_pointer); } Contaminated memory val1 val2 Stack frame bar String grows int foo (void (*funcp)()) { char* ptr = point_to_an_array; char buf[128]; } gets (buf); strncpy(ptr, buf, 8); (*funcp)(); Most popular target arguments (funcp) return address Previous Frame Pointer pointer var (ptr) buffer (buf) Stack frame foo Stack grows

Attack Scenario #1 --- by changing the return address set those pointers to the stack. Attack code /bin/sh args return address (funcp) system() Changes the return address to point to the attack code. After the function returns, it leads to the attack code. The existing instructions in the code segment can be used as an attack code; such as system(), exec(), etc. PFP pointer var buffer (ptr) (buf)

Attack Scenario #2 --- by changing pointer variables Attack code Changes a function pointer to point to the attack code. The succeeding function pointer call leads to the attack code. Any memory, even not in the stack, can be modified by the statement that stores a value into the compromised pointer. E.g. strncpy(ptr, buf, 8); *ptr = 0; Global Offset Table Function pointer args (funcp) return address PFP pointer var (ptr) buffer (buf)

Attack Scenario #3 --- by changing the previous frame pointer return address PFP Attack code modify the caller s frame to the nearby location. The frame contains a compromised return address. args return address PFP pointer var buffer (funcp) (ptr) (buf)

Data/BSS Overflow Data contains global or static compile-time initialized data Bss contains global or static uninitialized data Stored together with other sections that control program execution An attacker can overflow into other sections.data.eh_frame.ctors.dtors.got.bss.dtors function pointer function pointer

Heap Overflow Heap overflows and double frees exist for many memory allocators Dlmalloc (overflow, double free) CSRI (overflow) Quickfit (overflow) Phkmalloc (overflow) Boehm s Garbage Collector (overflow, double free)

Stage 2: Hijack Control Flows (2) Control-data atttacks Currently the most dominant form of memory corruption attacks [CERT and Microsoft Security Bulletin] Non-control-data attacks: attacks not corrupting any control data i.e., attacks preserving the integrity of control flow of the victim process

Example 1: Non-Control-Data Attack against WU- FTPD Server (via a format string bug) int x; FTP_service(...) { authenticate(); x uninitialized, run as EUID 0 x = user ID of the authenticated user; x=109, run as EUID 0 seteuid(x); x=109, run as EUID 109. Lose the root privilege! while (1) { get_ftp_command(...); Get a a data special command SITE EXEC (e.g., command. PUT) Exploit a format string vulnerability. if (a data command?) x= 0, still run as EUID 109. getdatasock(...); } } When return getdatasock( to service... ) loop, { still runs as EUID 0 (root). Allow us to upload seteuid(0); /etc/passwd x=0, run as EUID 0 We can setsockopt( grant ourselves... ); the root privilege! seteuid(x); x=0, run as EUID 0 Only corrupt } an integer, not a control data attack.

Example 2: Non-Control-Data Attack against NULL- HTTP Server (via a heap overflow bug) Attack the configuration string of CGI-BIN path. Mechanism of CGI suppose server name = www.foo.com CGI-BIN = /usr/local/httpd/exe Requested URL = http://www.foo.com/cgi-bin/bar The server executes Our attack The server gives me a root shell! Only overwrite four characters in the CGI-BIN string. Exploit the vulnerability to overwrite CGI-BIN to /bin Request URL http://www.foo.com/cgi-bin/sh The server executes

Example 3: Non-Control-Data Attack against SSH Communications SSH Server (via an integer overflow bug) void do_authentication(char *user,...) { int auth = 0;... while (!auth) { /* Get a packet from the client */ type = packet_read(); switch (type) {... case SSH_CMSG_AUTH_PASSWORD: if (auth_password(user, password)) auth =1; case... } if (auth) break; } /* Perform session preparation. */ do_authenticated( ); } auth = 0 auth = 0 auth = 1 Password incorrect, but auth = 1 auth = 1 Logged in without correct password

Stage 2: Hijack Control Flows (3) Discussion Control-data attack unrelated to the semantics of the victim process Hijack the control flow, do whatever you like Non-control-data attack rely on the semantics of the victim process Would this be a constraint for the attackers?

Stage 3: Execute Attack Code Reliable Execution Injected code vs. existing code Absolute vs. relative address dependencies Complexity vs. Features

Outline Anatomy of Code-Injection Attacks Lab 3: Buffer Overflow

Buffer Overflow Recap Intent Arbitrary code execution Spawn a remote shell or infect with worm/virus Denial of service Steps 1: Inject attack code into buffer 2: Redirect control flow to attack code 3: Execute attack code

Typical Address Space (Linux) 0xFFFFFFFF argument 2 argument 1 Return Address frame pointer locals buffer kernel space stack shared library heap bss static data code 0xC0000000 0x42000000 0x08048000 0x00000000

Two Important Locations To successfully launch a buffer overflow attack, two locations are important The location of return address The location of attack code

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback