Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Similar documents
Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Advanced System Security: Vulnerabilities

CSE543 - Introduction to Computer and Network Security

CMPSC 497 Buffer Overflow Vulnerabilities

CSE 509: Computer Security

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

Memory Corruption Vulnerabilities, Part II

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

CS 161 Computer Security

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Lecture 4 September Required reading materials for this class

CSE 565 Computer Security Fall 2018

Software Security: Buffer Overflow Defenses

Module: Advanced Program Vulnerabilities and Defenses. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Secure Programming I. Steven M. Bellovin September 28,

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

Software Security: Buffer Overflow Attacks

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Lecture 1: Buffer Overflows

Advanced Systems Security: Ordinary Operating Systems

CSE / / 60567: Computer Security. Software Security 4

20: Exploits and Containment

CS 161 Computer Security

Intrusion Detection and Malware Analysis

This exam contains 7 pages (including this cover page) and 4 questions. Once we tell you to start, please check that no pages are missing.

ISA564 SECURITY LAB. Code Injection Attacks

Lecture 9 Assertions and Error Handling CS240

Memory Corruption 101 From Primitives to Exploit

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

Buffer overflow prevention, and other attacks

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Software Security: Buffer Overflow Attacks (continued)

Code Injection Attacks Buffer Overflows

CSE Computer Security

Syed Kamran Haider Department of Electrical & Computer Engineering University of Connecticut

CSE 565 Computer Security Fall 2018

Secure C Coding...yeah right. Andrew Zonenberg Alex Radocea

CSE Computer Security (Fall 2006)

EURECOM 6/2/2012 SYSTEM SECURITY Σ

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

CMPSC 497: Midterm Review

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Secure Software Programming and Vulnerability Analysis

Lecture 08 Control-flow Hijacking Defenses

Dnmaloc: a more secure memory allocator

CSci 4061 Introduction to Operating Systems. Programs in C/Unix

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I Solutions

Basic Buffer Overflows

Lecture 07 Heap control data. Stephen Checkoway University of Illinois at Chicago

This exam contains 8 pages (including this cover page) and 4 questions. Once we tell you to start, please check that no pages are missing.

CSCE 548 Building Secure Software Integers & Integer-related Attacks & Format String Attacks. Professor Lisa Luo Spring 2018

CSE 544 Advanced Systems Security

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Cling: A Memory Allocator to Mitigate Dangling Pointers. Periklis Akritidis

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Exploits and gdb. Tutorial 5

Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)

UMSSIA LECTURE I: SOFTWARE SECURITY

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Hacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh

CMPSC 497 Other Memory Vulnerabilities

BUFFER OVERFLOW. Jo, Heeseung

Buffer Overflow. Jo, Heeseung

IAGO ATTACKS: WHY THE SYSTEM CALL API IS A BAD UNTRUSTED RPC INTERFACE

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Program Security and Vulnerabilities Class 2

CMSC 414 Computer and Network Security

C and C++: vulnerabilities, exploits and countermeasures

CSE 127 Computer Security

Software Security II: Memory Errors - Attacks & Defenses

Lec06: DEP and ASLR. Taesoo Kim

Play with FILE Structure Yet Another Binary Exploitation Technique. Abstract

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities

SoK: Eternal War in Memory

CSC 591 Systems Attacks and Defenses Stack Canaries & ASLR

CSE 127 Computer Security

CSC 405 Computer Security Stack Canaries & ASLR

Buffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

CS 161 Computer Security

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

finding vulnerabilities

Advanced Systems Security: Ordinary Operating Systems

Module: Safe Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Changelog. Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part

Secure Software Development: Theory and Practice

Advanced Systems Security: Control-Flow Integrity

Software Security: Buffer Overflow Defenses and Miscellaneous

CSE 127 Computer Security

System Security Class Notes 09/23/2013

Memory Safety (cont d) Software Security

CSE 127 Computer Security

Identifying Memory Corruption Bugs with Compiler Instrumentations. 이병영 ( 조지아공과대학교

Transcription:

CSE543 - Introduction to Computer and Network Security Module: Program Vulnerabilities Professor Trent Jaeger 1

Programming Why do we write programs? Function What functions do we enable via our programs? Some we want -- some we don t need Adversaries take advantage of such hidden function 2

Broad Attack Categories Control-flow attacks Attacker takes control of control-flow E.g., return address overwrite through buffer overflow Data attacks E.g., critical variable overwrite through buffer overflow Program-specific input handling attacks E.g., SQL injection attacks Attacks during interaction with system resources E.g., symbolic link attacks, TOCTTOU race conditions Several program vulnerabilities allow attackers to achieve above attacks See CWE (http://cwe.mitre.org/) 3

A Simple Program void myfunc() { char string[16]; printf("enter a string\n"); scanf( %s, string); printf( You entered: %s\n, string); } int main() { myfunc(); } 4

What Happened? Brief refresher on program address space Stack -- local variables Heap -- dynamically allocated (malloc, free) Data -- global, uninitialized variables Text -- program code Stack Data Text 5

Stack What Happened? main() parameters(argc, argv) return address saved frame pointer main() local vars myfunc() parameters (void) sghfjdsh gjlkhgfd return address saved frame pointer jlkseghrueioshja myfunc() local vars string[16] 6

Stack Exploiting Buffer Overflow main() parameters(argc, argv) return address saved frame pointer main() local vars myfunc() parameters (void) pc + 8 return address saved frame pointer my evil code more evil code myfunc() local vars string[16] 7

A First Defense What if we made the stack non-executable? AMD NX-bit More general: W (xor) X Attacker response return-to-libc myfunc() parameters (void) pc of libc call() return address arguments for saved frame pointer libc call myfunc() local vars string[16] 8

Defense #2 - Canary main() parameters(argc, argv) return address saved frame pointer main() local vars myfunc() parameters (void) return address CANARY Canary on the stack Random value placed between the local vars and the return address If canary is modified, program is stopped Have we solved buffer overflows? saved frame pointer myfunc() local vars string[16] 9

Canary Shortcomings main() parameters(argc, argv) return address saved frame pointer main() local vars myfunc() parameters (void) return address CANARY saved frame pointer myfunc() local vars string[16]?????? Other local variables? Frame pointers? Anything left unprotected on stack can be used to launch attacks Not possible to protect everything Varargs Structure members Performance 10

A Simple Program int authenticated = 0; char packet[1000]; while (!authenticated) { PacketRead(packet); if (Authenticate(packet)) authenticated = 1; } if (authenticated) ProcessPacket(packet); 11

A Simple Program int authenticated = 0; char packet[1000]; while (!authenticated) { PacketRead(packet); if (Authenticate(packet)) authenticated = 1; } if (authenticated) ProcessPacket(packet); What if packet is only 1004 bytes? myfunc() parameters return address CANARY saved frame pointer int authenticated char packet[1000] 12

Overflow of Local Variables Don t need to modify return address Local variables may affect control What kinds of local variables would impact control? Ones used in conditionals (example) Function pointers What can you do to prevent that? 13

More Stack Defenses Separate control information (return address) and data Shadow stacks Maintain a shadow stack; compare return addresses on return If different, stop program Problem: performance Randomization 14

A Simple Program int authenticated = 0; char *packet = (char *)malloc(1000); while (!authenticated) { PacketRead(packet); if (Authenticate(packet)) authenticated = 1; } if (authenticated) ProcessPacket(packet); What if we allocate the packet buffer on the heap? 15

Heap Overflows Overflows on heap also possible char *packet = malloc(1000) ptr[1000] = M ; Classical heap overflow corrupts metadata Heap metadata maintains chunk size, previous and next pointers,... Heap metadata is inline with heap data And waits for heap management functions (malloc, free) to write corrupted metadata to target locations 16

Heap Overflows Heap allocators maintain a doubly-linked list of allocated and free chunks malloc() and free() modify this list http://www.sans.edu/student-files/presentations/heap_overflows_notes.pdf 17

Heap Overflows free() removes a chunk from allocated list chunk2->bk->fd = chunk2->fd chunk2->fd->bk = chunk2->bk By overflowing chunk2, attacker controls bk and fd Controls both where and what data is written! Arbitrarily change memory (e.g., function pointers) 18

Heap Overflow Defenses Separate data and metadata e.g., OpenBSD s allocator (Variation of PHKmalloc) Sanity checks during heap management free(chunk2) --> assert(chunk2->prev->next == chunk2) assert(chunk2->next->prev == chunk2) Added to GNU libc 2.3.5 Randomization Q. What are analogous defenses for stack overflows? 19

Other Heap Attacks Heap spraying Combat randomization by filling heap with allocated objects containing malicious code Use another vulnerability to overwrite a function pointer to any heap address, hoping it points to a sprayed object Heuristic defenses e.g., NOZZLE: If heap data is like code, flag attack Dangling pointers Memory reuse 20

Another Simple Program int size = BASE_SIZE; char *packet = (char *)malloc(1000); char *buf = (char *)malloc(1000+base_size); strcpy(buf, FILE_PREFIX); size += PacketRead(packet); if (size >= 1000+BASE_SIZE)) { return(-1) } else strcat(buf, packet); fd = open(buf); } Any problem with this conditional check? 21

Integer Overflow Signed variables represent positive and negative values Consider an 8-bit integer: -128 to 127 Weird math: 127+1 =??? This results in some strange behaviors size += PacketRead(packet) What is the possible value of size? if ( size >= 1000+BASE_SIZE ) { What is the possible result of this condition? How do we prevent these errors? 22

Another Simple Program int size = BASE_SIZE; char *packet = (char *)malloc(1000); char *buf = (char *)malloc(1000+base_size); strcpy(buf, FILE_PREFIX); size += PacketRead(packet); if ( size < 1000+BASE_SIZE) { } strcat(buf, packet); fd = open(buf); printf(packet); Any problem with this printf? 23

Format String Vulnerability Attacker control of the format string results in a format string vulnerability printf is a very versatile function %s - dereferences (crash program) %x - print addresses (leak addresses, break ASLR) %n - write to address (arbitrarily change memory) Never use printf(string); Instead, use printf( %s, string); 24

A Simple Program int authenticated = 0; char *packet = (char *)malloc(1000); while (!authenticated) { PacketRead(packet); if (Authenticate(packet)) authenticated = 1; } if (authenticated) ProcessQuery( Select, partof(packet)); Any problem with this query request? 25

Parsing Errors Have to be sure that user input can only be used for expected function SQL injection: user provides a substring for an SQL query that changes the query entirely (e.g., add SQL operations to query processing) SELECT * FROM students WHERE student_name = 'Robert ; Many scripting languages convert data between types automatically -- are not type-safe -- so must be extra careful 26

Character Strings String formats Unicode ASCII -- 0x00 -- 0x7F non-ascii -- 0x80 -- 0xF7 Also, multi-byte formats Decoding is a challenge URL: [IPaddr]/scripts/..%c0%af../winnt/system32 Decodes to /winnt/system32 Markus Kuhn s page on Unicode resources for Linux www.cl.cam.ac.uk/~mgk25/unicode.html 27

Secure Input Handling David Wheeler s Secure Programming for Linux and UNIX Avoid the various overflows Validate all input; Only execute application-defined inputs! Minimize process privileges Carefully invoke other resources Send information back carefully Minimize Privilege Avoid Overflows Bad Validate Input Server Invoke Safely Worker Return little 28

Take Away Programs have function Adversaries can exploit unexpected functions Vulnerabilities due to malicious input Subvert control-flow or critical data Buffer, heap, integer overflows, format string vulnerabilities Injection attacks Application-dependent If applicable, write programs in languages that eliminate classes of vulnerabilities E.g., Type-safe languages such as Java 29

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback