MEMORY SAFETY ATTACKS & DEFENSES

Similar documents
This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Required reading: StackGuard: Simple Stack Smash Protection for GCC

Software Security: Buffer Overflow Attacks

Overflows, Injection, & Memory Safety

Software Security: Misc and Principles

CSE 565 Computer Security Fall 2018

Software Security: Buffer Overflow Defenses and Miscellaneous

Memory safety, continued

Software Security: Buffer Overflow Attacks and Beyond

Software Security: Miscellaneous

Software Security; Common Implementation Flaws

CS 161 Computer Security

Memory Corruption Vulnerabilities, Part II

Software Security: Buffer Overflow Attacks and Beyond

So$ware Security (II): Buffer- overflow Defenses

CYSE 411/AIT681 Secure Software Engineering Topic #10. Secure Coding: Integer Security

2/9/18. Readings. CYSE 411/AIT681 Secure Software Engineering. Introductory Example. Secure Coding. Vulnerability. Introductory Example.

2/9/18. CYSE 411/AIT681 Secure Software Engineering. Readings. Secure Coding. This lecture: String management Pointer Subterfuge

Page 1. Goals for Today. Buffer Overrun Vulnerabilities. Simple Example. More Serious Exploit Example. Modified Example

CSCI-243 Exam 1 Review February 22, 2015 Presented by the RIT Computer Science Community

Software Security: Buffer Overflow Attacks and Beyond

UMSSIA LECTURE I: SOFTWARE SECURITY

Detecting and exploiting integer overflows

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

ECE 264 Exam 2. 6:30-7:30PM, March 9, You must sign here. Otherwise you will receive a 1-point penalty.

Programming refresher and intro to C programming

Static Vulnerability Analysis

CS 161: Computer Security

Jared DeMott Crucial Security, Inc. Black Hat Special thanks to ISE for smoking me with this test once upon an interview

Computer Programming: Skills & Concepts (CP) Strings

CS Programming In C

A brief introduction to C programming for Java programmers

Brave New 64-Bit World. An MWR InfoSecurity Whitepaper. 2 nd June Page 1 of 12 MWR InfoSecurity Brave New 64-Bit World

Final Exam, Spring 2012 Date: May 14th, 2012

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

C strings. (Reek, Ch. 9) 1 CS 3090: Safety Critical Programming in C

Fundamentals of Computer Security

Lecture 4 September Required reading materials for this class

System Security Class Notes 09/23/2013

BUFFER OVERFLOW. Jo, Heeseung

Buffer Overflow. Jo, Heeseung

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM

Security Lab. Episode 6: Format String Vulnerabilities. Jan Nordholz, Matthias Petschick, Julian Vetter

Program Security and Vulnerabilities Class 2

Integer overflows. Integer overflow types. Signed vs unsigned integers. Casting between different size integer types. Arithmetic wraparound

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Buffer overflow prevention, and other attacks

CS 261 Fall Mike Lam, Professor. Structs and I/O

C: Pointers, Arrays, and strings. Department of Computer Science College of Engineering Boise State University. August 25, /36

Topics in Software Security Vulnerability

Secure C Coding...yeah right. Andrew Zonenberg Alex Radocea

Final Exam. Fall Semester 2016 KAIST EE209 Programming Structures for Electrical Engineering. Name: Student ID:

Software Security: Buffer Overflow Defenses

Buffer overflow risks have been known for over 30 years. Is it still a problem? Try searching at to see.

Systems I. Machine-Level Programming V: Procedures

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Systems Programming and Computer Architecture ( )

U23 - Binary Exploitation

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

Computer Systems CEN591(502) Fall 2011

Module: Safe Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Buffer Overflows. Buffer Overflow. Many of the following slides are based on those from

414-S17 (Shankar) Exam 1 PRACTICE PROBLEMS SOLUTIONS Page 1/7

Secure Programming Lecture 5: Memory Corruption III (Countermeasures)

5.Coding for 64-Bit Programs

COMP 2355 Introduction to Systems Programming

Project 1 Buffer Overflow

CSC 252: Computer Organization Spring 2018: Lecture 9

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

5) Attacker causes damage Different to gaining control. For example, the attacker might quit after gaining control.

Lecture 8 Dynamic Memory Allocation

CSE 565 Computer Security Fall 2018

Secure Software Programming and Vulnerability Analysis

11 'e' 'x' 'e' 'm' 'p' 'l' 'i' 'f' 'i' 'e' 'd' bool equal(const unsigned char pstr[], const char *cstr) {

3/7/2018. Sometimes, Knowing Which Thing is Enough. ECE 220: Computer Systems & Programming. Often Want to Group Data Together Conceptually

a) Write the signed (two s complement) binary number in decimal: b) Write the unsigned binary number in hexadecimal:

Memory Corruption Vulnerabilities, Part I

CSE / / 60567: Computer Security. Software Security 4

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Automatically Fixing C Buffer Overflows Using Program Transformations

Tutorial 1: C-Language

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

Computer Systems Programming. Practice Midterm. Name:

Operating Systems CS 217. Provides each process with a virtual machine. Promises each program the illusion of having whole machine to itself

Lecture 9 Assertions and Error Handling CS240

Exercise Session 2 Systems Programming and Computer Architecture

Administrivia. Introduction to Computer Systems. Pointers, cont. Pointer example, again POINTERS. Project 2 posted, due October 6

Pointers as Arguments

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

CSE 509: Computer Security

Biography. Background

CS240: Programming in C

Hacking in C. Pointers. Radboud University, Nijmegen, The Netherlands. Spring 2019

CSC209H Lecture 4. Dan Zingaro. January 28, 2015

Introduction to Security

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

How Software Executes

Transcription:

MEMORY SAFETY ATTACKS & DEFENSES CMSC 414 FEB 06 2018

void safe() { char buf[80]; fgets(buf, 80, stdin); void safer() { char buf[80]; fgets(buf, sizeof(buf), stdin);

void safe() { char buf[80]; fgets(buf, 80, stdin); void safer() { char buf[80]; fgets(buf, sizeof(buf), stdin); void vulnerable() { char buf[80]; if(fgets(buf, sizeof(buf), stdin)==null) return; printf(buf);

void safe() { char buf[80]; fgets(buf, 80, stdin); void safer() { char buf[80]; fgets(buf, sizeof(buf), stdin); void vulnerable() { char buf[80]; if(fgets(buf, sizeof(buf), stdin)==null) return; printf(buf);

FORMAT STRING VULNERABILITIES

PRINTF FORMAT STRINGS int i = 10; printf( %d %p\n, i, &i);

PRINTF FORMAT STRINGS int i = 10; printf( %d %p\n, i, &i); 0x00000000 0xffffffff %ebp %eip &fmt 10 &i

PRINTF FORMAT STRINGS int i = 10; printf( %d %p\n, i, &i); 0x00000000 0xffffffff %ebp %eip &fmt 10 &i printf s stack frame

PRINTF FORMAT STRINGS int i = 10; printf( %d %p\n, i, &i); 0x00000000 0xffffffff %ebp %eip &fmt 10 &i printf s stack frame caller s stack frame

PRINTF FORMAT STRINGS int i = 10; printf( %d %p\n, i, &i); 0x00000000 0xffffffff %ebp %eip &fmt 10 &i printf s stack frame caller s stack frame

PRINTF FORMAT STRINGS int i = 10; printf( %d %p\n, i, &i); 0x00000000 0xffffffff %ebp %eip &fmt 10 &i printf s stack frame printf takes variable number of arguments caller s stack frame printf pays no mind to where the stack frame ends It presumes that you called it with (at least) as many arguments as specified in the format string

PRINTF FORMAT STRINGS int i = 10; printf( %d %p\n, i, &i); 0x00000000 0xffffffff %ebp %eip &fmt 10 &i printf s stack frame printf takes variable number of arguments caller s stack frame printf pays no mind to where the stack frame ends It presumes that you called it with (at least) as many arguments as specified in the format string

PRINTF FORMAT STRINGS int i = 10; printf( %d %p\n, i, &i); 0x00000000 0xffffffff %ebp %eip &fmt 10 &i printf s stack frame printf takes variable number of arguments caller s stack frame printf pays no mind to where the stack frame ends It presumes that you called it with (at least) as many arguments as specified in the format string

PRINTF FORMAT STRINGS int i = 10; printf( %d %p\n, i, &i); 0x00000000 0xffffffff %ebp %eip &fmt 10 &i printf s stack frame printf takes variable number of arguments caller s stack frame printf pays no mind to where the stack frame ends It presumes that you called it with (at least) as many arguments as specified in the format string

void vulnerable() { char buf[80]; if(fgets(buf, sizeof(buf), stdin)==null) return; printf(buf);

void vulnerable() { char buf[80]; if(fgets(buf, sizeof(buf), stdin)==null) return; printf(buf); %d %x"

void vulnerable() { char buf[80]; if(fgets(buf, sizeof(buf), stdin)==null) return; printf(buf); %d %x" 0x00000000 0xffffffff %ebp %eip &fmt caller s stack frame

void vulnerable() { char buf[80]; if(fgets(buf, sizeof(buf), stdin)==null) return; printf(buf); %d %x" 0x00000000 0xffffffff %ebp %eip &fmt caller s stack frame

void vulnerable() { char buf[80]; if(fgets(buf, sizeof(buf), stdin)==null) return; printf(buf); %d %x" 0x00000000 0xffffffff %ebp %eip &fmt caller s stack frame

FORMAT STRING VULNERABILITIES

FORMAT STRING VULNERABILITIES printf( 100% dml );

FORMAT STRING VULNERABILITIES printf( 100% dml ); Prints stack entry 4 byes above saved %eip

FORMAT STRING VULNERABILITIES printf( 100% dml ); Prints stack entry 4 byes above saved %eip printf( %s );

FORMAT STRING VULNERABILITIES printf( 100% dml ); Prints stack entry 4 byes above saved %eip printf( %s ); Prints bytes pointed to by that stack entry

FORMAT STRING VULNERABILITIES printf( 100% dml ); Prints stack entry 4 byes above saved %eip printf( %s ); Prints bytes pointed to by that stack entry printf( %d %d %d %d );

FORMAT STRING VULNERABILITIES printf( 100% dml ); Prints stack entry 4 byes above saved %eip printf( %s ); Prints bytes pointed to by that stack entry printf( %d %d %d %d ); Prints a series of stack entries as integers

FORMAT STRING VULNERABILITIES printf( 100% dml ); Prints stack entry 4 byes above saved %eip printf( %s ); Prints bytes pointed to by that stack entry printf( %d %d %d %d ); Prints a series of stack entries as integers printf( %08x %08x %08x %08x );

FORMAT STRING VULNERABILITIES printf( 100% dml ); Prints stack entry 4 byes above saved %eip printf( %s ); Prints bytes pointed to by that stack entry printf( %d %d %d %d ); Prints a series of stack entries as integers printf( %08x %08x %08x %08x ); Same, but nicely formatted hex

FORMAT STRING VULNERABILITIES printf( 100% dml ); Prints stack entry 4 byes above saved %eip printf( %s ); Prints bytes pointed to by that stack entry printf( %d %d %d %d ); Prints a series of stack entries as integers printf( %08x %08x %08x %08x ); Same, but nicely formatted hex printf( 100% no way! )

FORMAT STRING VULNERABILITIES printf( 100% dml ); Prints stack entry 4 byes above saved %eip printf( %s ); Prints bytes pointed to by that stack entry printf( %d %d %d %d ); Prints a series of stack entries as integers printf( %08x %08x %08x %08x ); Same, but nicely formatted hex printf( 100% no way! ) WRITES the number 3 to address pointed to by stack entry

FORMAT STRING PREVALENCE 0.5 0.375 0.25 % of vulnerabilities that involve format string bugs 0.125 0 2002 2004 2006 2008 2010 2012 2014 2016 http://web.nvd.nist.gov/view/vuln/statistics

WHAT S WRONG WITH THIS CODE? #define BUF_SIZE 16 char buf[buf_size]; void vulnerable() { int len = read_int_from_network(); char *p = read_string_from_network(); if(len > BUF_SIZE) { printf( Too large\n ); return; memcpy(buf, p, len);

WHAT S WRONG WITH THIS CODE? #define BUF_SIZE 16 char buf[buf_size]; void vulnerable() { int len = read_int_from_network(); char *p = read_string_from_network(); if(len > BUF_SIZE) { printf( Too large\n ); return; memcpy(buf, p, len); void *memcpy(void *dest, const void *src, size_t n);

WHAT S WRONG WITH THIS CODE? #define BUF_SIZE 16 char buf[buf_size]; void vulnerable() { int len = read_int_from_network(); char *p = read_string_from_network(); if(len > BUF_SIZE) { printf( Too large\n ); return; memcpy(buf, p, len); void *memcpy(void *dest, const void *src, size_t n); typedef unsigned int size_t;

WHAT S WRONG WITH THIS CODE? #define BUF_SIZE 16 char buf[buf_size]; void vulnerable() { Negative int len = read_int_from_network(); char *p = read_string_from_network(); if(len > BUF_SIZE) { printf( Too large\n ); return; memcpy(buf, p, len); void *memcpy(void *dest, const void *src, size_t n); typedef unsigned int size_t;

WHAT S WRONG WITH THIS CODE? #define BUF_SIZE 16 char buf[buf_size]; void vulnerable() { Negative int len = read_int_from_network(); char *p = read_string_from_network(); Ok if(len > BUF_SIZE) { printf( Too large\n ); return; memcpy(buf, p, len); void *memcpy(void *dest, const void *src, size_t n); typedef unsigned int size_t;

WHAT S WRONG WITH THIS CODE? #define BUF_SIZE 16 char buf[buf_size]; void vulnerable() { Negative int len = read_int_from_network(); char *p = read_string_from_network(); Ok if(len > BUF_SIZE) { printf( Too large\n ); return; memcpy(buf, p, len); Implicit cast to unsigned void *memcpy(void *dest, const void *src, size_t n); typedef unsigned int size_t;

INTEGER OVERFLOW VULNERABILITIES

WHAT S WRONG WITH THIS CODE? void vulnerable() { size_t len; char *buf; len = read_int_from_network(); buf = malloc(len + 5); read(fd, buf, len);...

WHAT S WRONG WITH THIS CODE? void vulnerable() { size_t len; char *buf; HUGE len = read_int_from_network(); buf = malloc(len + 5); read(fd, buf, len);...

WHAT S WRONG WITH THIS CODE? void vulnerable() { size_t len; char *buf; HUGE len = read_int_from_network(); buf = malloc(len + 5); read(fd, buf, len);... Wrap-around

WHAT S WRONG WITH THIS CODE? void vulnerable() { size_t len; char *buf; HUGE len = read_int_from_network(); buf = malloc(len + 5); read(fd, buf, len);... Wrap-around Takeaway: You have to know the semantics of your programming language to avoid these errors

INTEGER OVERFLOW PREVALENCE 2.5 2 % of vulnerabilities that involve integer overflows 1.5 1 0.5 0 2002 2004 2006 2008 2010 2012 2014 2016 http://web.nvd.nist.gov/view/vuln/statistics

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback