Vulnerabilities. Code Injection - Buffer overflows. Some Commonly Exploitable Flaws

Similar documents
CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

Control Hijacking Attacks

CSE 565 Computer Security Fall 2018

1/31/2007 C. Edward Chow. CS591 Page 1

Information Security CS 526

Basic Control Hijacking Attacks

Program Security and Vulnerabilities Class 2

UMSSIA LECTURE I: SOFTWARE SECURITY

Fundamentals of Computer Security

Software Security: Buffer Overflow Attacks (continued)

Software Security II: Memory Errors - Attacks & Defenses

CSE 565 Computer Security Fall 2018

CMPSC 497 Buffer Overflow Vulnerabilities

Software Security: Buffer Overflow Defenses

Runtime Defenses against Memory Corruption

Secure Programming I. Steven M. Bellovin September 28,

ECS 153 Discussion Section. April 6, 2015

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Secure Software Development: Theory and Practice

Topics in Software Security Vulnerability

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

Software Security: Buffer Overflow Attacks

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Lecture 4 September Required reading materials for this class

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

Basic Buffer Overflows

Buffer Overflow Defenses

Buffer overflow background

Software Security: Buffer Overflow Defenses and Miscellaneous

Buffer Overflow Attacks

CSE / / 60567: Computer Security. Software Security 4

Basic Memory Corrup+on A3acks

CYSE 411/AIT681 Secure Software Engineering Topic #12. Secure Coding: Formatted Output

2/9/18. CYSE 411/AIT681 Secure Software Engineering. Readings. Secure Coding. This lecture: String management Pointer Subterfuge

We will focus on Buffer overflow attacks SQL injections. See book for other examples

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

Foundations of Network and Computer Security

Libsafe 2.0: Detection of Format String Vulnerability Exploits

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Buffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers.

Buffer Overflow and Format String Overflow Vulnerabilities

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I Solutions

Lecture 9 Assertions and Error Handling CS240

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Buffer Overflow Vulnerability

BUFFER OVERFLOW. Jo, Heeseung

20: Exploits and Containment

Buffer Overflow. Jo, Heeseung

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

CSE 127 Computer Security

Buffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

Lecture 08 Control-flow Hijacking Defenses

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

CSE 509: Computer Security

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Software Security (cont.): Defenses, Adv. Attacks, & More

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures)

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

Foundations of Network and Computer Security

Control Flow Hijacking Attacks. Prof. Dr. Michael Backes

Software Vulnerabilities. Jeff Foster University of Maryland, College Park

CSE 127 Computer Security

Memory Corruption Vulnerabilities, Part I

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

Buffer Overflows Defending against arbitrary code insertion and execution

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

CS 161 Computer Security

CSE 127 Computer Security

Secure Systems Engineering

Secure Programming. Buffer Overflows Learning objectives. Type. 3 Buffer Overflows. 4 An Important Vulnerability. 5 Example Overflow

Buffer overflow prevention, and other attacks

CNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated

Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Review

Buffer Overflow Vulnerability Lab Due: September 06, 2018, Thursday (Noon) Submit your lab report through to

The Geometry of Innocent Flesh on the Bone

CNIT 127: Exploit Development. Ch 18: Source Code Auditing. Updated

Modern Buffer Overflow Prevention Techniques: How they work and why they don t

Hacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh

Statically Detecting Likely Buffer Overflow Vulnerabilities

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

Generic Technical Defences. Shaun Clowes SecureReality

COMP3441 Lecture 7: Software Vulnerabilities

CSCD 303 Fall Lecture 15 Buffer Overflows

Exercise 6: Buffer Overflow and return-into-libc Attacks

Outline. Format string attack layout. Null pointer dereference

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Basic Control Hijacking A5acks

One-Slide Summary. Lecture Outline. Language Security

Buffer Overflow Vulnerability Lab

Buffer overflows. Specific topics:

Memory corruption countermeasures

Software Security: Buffer Overflow Attacks and Beyond

Memory Safety (cont d) Software Security

Lab 2: Buffer Overflows

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

1 Recommended Readings

Protection. Thierry Sans

Format String Dangers. Shachar Shemesh Security Consultant

Transcription:

Vulnerabilities Lecture 2: Exploiting Vulnerabilities: Buffer Overflow, Format string, Timing Attacks, and Logic Attacks ECE1776 David Lie We define a vulnerability as: A program flaw (or bug) that when exercised has a security implication Notice that two things need to be true. There has to be a flaw or a bug, that an attacker can exploit to weaken the security a system (security implication) Examples flaws are: buffer overflow unchecked inputs race conditions A security implication could be: Attacker can execute arbitrary code Attacker can gain access to a system Attacker can put the system in an illegal state 1 2 Some Commonly Exploitable Flaws Code Injection - Buffer overflows 4 General Categories flaws: Memory corruption: redirection control flow, code injection, argument overwrite Buffer overflows, format string errors, heap overflows Incomplete mediation. An attacker can access a resource because a certain path through the code does not check for authorization. Forgetting to check for valid inputs, undocumented features Difference between time check and time use. In concurrent systems, the attacker may exploit races. Attacker gains access to a low security object, but switches it with a high security one. Information Leakage: System behavior unintentionally reveals some information Extremely common bug. First major exploit in 1988: Morris Worm exploited fingerd. 10 years later: over 50% all CERT advisories: 1997: 16 out 28 CERT advisories. 1998: 9 out 13 - - 1999: 6 out 12 - - Often leads to total compromise host because arbitrary code execution: Fortunately: exploit requires expertise and patience. Two steps: Locate buffer overflow within an application. Design an exploit. 3 4 1

What are buffer overflows? Basic smashing exploit Suppose a web server contains a function: void func(char *str) { char buf[128]; strcpy(buf, str); When the function is invoked the looks like: buf sfp ret-addr str What if *str is 136 bytes long? After strcpy: *str ret str Stack grows downwards, but buffers are written upwards in memory 5 Now the attacker wants to execute injected code, so attacker puts the code in the buffer, and returns back into it Shell Code When func() exits, the user will be given a shell!! The difficult part: To determine ret, the attacker has to correctly guess position when func() is called. Main problem: no range checking in strcpy(). Technique throughly explained in Aleph s article ret Shell Code = execve( /bin/sh ) str 6 Some unsafe libc functions Other types Redirection/Injection Attacks strcpy (char *dest, const char *src) strcat (char *dest, const char *src) gets (char *s) scanf ( const char *format, ) printf (conts char *format, ) Function pointers: buf[128] FuncPtr Heap or Overflowing buf will override function pointer. Other injection attacks: Malloc errors can cause free to overwrite arbitrary addresses in memory Attacker can overwrite entries in Global Offset Table (GOT) Table function pointers used for dynamic linking in ELF Not all attacks require/allow attacker to inject code: Attacker can setup a false frame and redirect execution into existing code (i.e. system() in libc) 7 8 2

Incomplete Mediation Example a Missing Check These are cases where access should have been controlled/checked but was not, as a result the access is unmediated e.g.: The debug mode for sendmail Recent do_brk vulnerability in Linux 2.4.22 kernels Incorrect checking arguments allows a user to map pages from kernel into process address space Undocumented system calls (in windows) allow direct access to protected structures Somewhat less common than code-injection, but still common enough These missed checks are not always obvious /* 2.4.5/drivers/char/drm/i810_dma.c */ if(copy_from_user(&d, arg, size(arg))) return EFAULT; if(d.idx > dma->buf_count) return EINVAL; buf = dma->buflist[d.idx]; Copy_from_user(buf->virtual, d.address, d.used); Missing lower bounds check for d.idx, what if d.idx < 0? This allows attacker to put arbitrary kernel address into buf, and then copy arbitrary data (in d.used) into that address 9 10 Concurrency Vulnerabilities Other Races Involve the time between time--check to time--use where the attacker is able to manipulate system state in a way to gain access or privileges. In a recent Usenix Security 2005 paper some authors demonstrated a similar file system race: Programs like the print daemon, run as root. To determine whether you are allowed to print a file or not, they check the ownership the file To cause the race to happen, try to print a file in a VERY deep directory structure with a sym-link at the end, so it takes a long time to open the file. Initially point the sym-link to a file you own. After the print daemon has checked the permissions, the OS spends a long time opening the file. At this time, switch the sym-link to point at a file that doesn t belong to you and print it out. More recent (in Linux 2.2.x and 2.4.x) ptrace-kmod exploit: Ptrace is a facility used by debuggers to observe and modify another process, can s the process, examine memory, and inject code Normally, a user process cannot ptrace a root process. A user process to can attach to a root setuid process before it becomes root. However, a race condition allows the tracing process to remain attached even if the setuid process takes on it s root privileges, thus the tracing process inherets control over a root process. Exploits for these are rarer, since the flaws are very difficult to find. 11 12 3

Information Leakage Timing attacks: example Systems leak information that can be used by an attacker While computer systems are vulnerable, many other types devices are ten more vulnerable since they are simpler and usually only have one application: Smartcards. Cell phones. PCI cards. Some examples are: Leakage in Timing Channels Power analysis Consider the following pwd checking code: int password-check( char *inp, char *pwd) if (strlen(inp)!= strlen(pwd)) return 0; for( i=0; i < strlen(pwd); ++i) if ( *inp[i]!= *pwd[i] ) return 0; return 1; A simple timing attack will expose the password one character at a time. 13 14 Timing attacks: example Timing Attacks Correct code: int password-check( char *inp, char *pwd) { oklen = ( strlen(inp) == strlen(pwd) ) ; for( ok=1, i=0; i < strlen(pwd) ; ++i) ok = ok & ( inp[i] == pwd[i] ) ; return ok & oklen; Make the function take the same amount time no matter what Brumly and Boneh Timing attack on OpenSSL With detailed knowledge on cryptographic routines used, can correlate chose cipher texts with time to decrypt Effective even with network and OS by trying many times to reduce random noise Other things may affect the timing functions: Page Faults System calls Interrupts 15 16 4

Power Analysis Finding buffer overflows Power Analysis (Kocher) To attack chips that perform cryptographic encryption/decryption Can watch the power consumption a device to ascertain the value the key it is using 12 0 10 0 Hackers find buffer overflows as follows: Run web server on local machine. Issue requests with long tags. All long tags end with $$$$$. If web server crashes, search core dump for $$$$$ to find overflow location. 80 60 Some automated tools exist in industry 40 20 0 0 10 20 30 40 50 60 70 80 90 100 110 120 130 Time 17 18 Preventing buf overflow attacks Marking as non-execute Main problem: strcpy(), strcat(), sprintf() have no range checking. Safe versions strncpy(), strncat() are misleading strncpy() may leave buffer unterminated. strncpy(), strncat() encourage f by 1 bugs. Defenses: Type safe languages (Java, ML). Legacy code? Mark as non-execute or Random location. Static source code analysis. Run time checking: StackGuard, Libsafe, SafeC, (Purify). Basic exploit can be prevented by marking segment as non-executable or randomizing location. Openwall code patches exist for Linux to allow this (Solar Designer) Made obsolete by hardware support in Intel (XD bit) and AMD (NX bit) processors Problems: Does not block more general overflow exploits: Overflow on heap: overflow buffer next to func pointer. Return into libc attack Some apps need executable Interpreted Languages OS Trampolines for signals 19 20 5

Static source code analysis Run time checking: StackGuard Statically check source to detect buffer overflows. Several consulting companies. Can we automate the review process? Several tools exist: @stake.com (l0pht.com): SLINT (designed for UNIX) rstcorp: its4. Scans function calls. Berkeley: Wagner, et al. Test constraint violations. Stanford: Engler, et al. Test trust inconsistency. Many many run-time checking techniques StackGuard (WireX) Run time tests for integrity. Embed canaries in frames and verify their integrity prior to function return. local canary Frame 2 sfp ret str local Frame 1 canary sfp ret str Find lots bugs, but not all. 21 22 Run time checking: Libsafe Libsafe Drawbacks Libsafe (Avaya Labs) Dynamically loaded library Overrids libc.so (with /etc/ld.so.preload) Done at runtime so doesn t need recompile Intercepts calls to strcpy (dest, src) Validates sufficient space in current frame: frame-pointer dest > strlen(src) If so, does strcpy. Otherwise, terminates application. sfp ret-addr libsafe dest src buf sfp ret-addr main 23 Makes assumptions about the Only works on x86 machines Statically linked programs won t be protected Some optimized programs (no frame pointer) won t be protected Only catches overflows on library functions: While (*c!= \n ) { *p++ = *c++ 24 6

More methods PAX/grsecurity: Randomize location functions in libc. Attacker cannot jump directly to exec function. Emulate execute bits on pages so only pages originating on disk can have code Extra Slides Exec Shield Make code pages executable only Randomize starting location 25 26 Exploiting buffer overflows Format string problem Suppose web server calls func() with given URL. Attacker can create a 200 byte URL to obtain shell on web server. Some complications: Program P should not contain the \0 character. Overflow should not crash program before func() exists. Sample buffer overflows this type: Overflow in MIME type field in MS Outlook. Overflow in ISAPI in IIS. int func(char *user) { fprintf( stdout, user); Problem: what if user = %s%s%s%s%s%s%s?? Most likely program will crash: DoS. If not, program will print memory contents. Privacy? Full exploit using user = %n Correct form: int func(char *user) { fprintf( stdout, %s, user); 27 28 7

History Vulnerable functions Danger discovered in June 2000. Examples: wu-ftpd 2.* : remote root. Linux rpc.statd: remote root IRIX telnetd: remote root BSD chpass: local root Any function using a format string. Printing: printf, fprintf, sprintf, vprintf, vfprintf, vsprintf, Logging: syslog, err, warn 29 30 Exploit Overflow using format string Dumping arbitrary memory: Walk up until desired pointer is found. printf( %08x.%08x.%08x.%08x %s ) char errmsg[512], outbuf[512]; sprintf (errmsg, Illegal command: %400s, user); sprintf( outbuf, errmsg ); Writing to arbitrary memory: printf( hello %n, &temp) -- writes 6 into temp. What if user = %500d <nops> <shellcode> Bypass %400s limitation. Will ovreflow outbuf. printf( %08x.%08x.%08x.%08x.%n ) 31 32 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback