Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM

Similar documents
Buffer overflows. Specific topics:

Machine-Level Programming V: Advanced Topics

Machine-Level Programming V: Buffer overflow

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Buffer Overflows. CSE 351 Autumn Instructor: Justin Hsia

Buffer Overflows. CSE 351 Autumn 2018

Buffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

Buffer Overflows. CSE 410 Winter Kathryn Chan, Kevin Bi, Ryan Wong, Waylon Huang, Xinyu Sui

CSC 252: Computer Organization Spring 2018: Lecture 9

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

Sungkyunkwan University

Machine-level Programs Adv. Topics

Machine-Level Programming V: Advanced Topics

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Machine-Level Programming V: Advanced Topics

Machine-Level Programming V: Advanced Topics

Buffer Overflows. Buffer Overflow. Many of the following slides are based on those from

BUFFER OVERFLOW. Jo, Heeseung

Buffer Overflow. Jo, Heeseung

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Today. Machine-Level Programming V: Advanced Topics. x86-64 Linux Memory Layout. Memory Allocation Example. Today. x86-64 Example Addresses

Today. Machine-Level Programming V: Advanced Topics. x86-64 Linux Memory Layout. Memory Allocation Example. Today. x86-64 Example Addresses

Carnegie Mellon. Bryant and O Hallaron, Computer Systems: A Programmer s Perspective, Third Edition

Machine- Level Programming V: Advanced Topics

Machine-Level Prog. V Miscellaneous Topics

Computer Systems CEN591(502) Fall 2011

Machine-Level Prog. V Miscellaneous Topics


Linux Memory Layout The course that gives CMU its Zip! Machine-Level Programming IV: Miscellaneous Topics Sept. 24, Text & Stack Example

Machine-Level Programming V: Miscellaneous Topics Sept. 24, 2002

CS356: Discussion #8 Buffer-Overflow Attacks. Marco Paolieri

Giving credit where credit is due

Machine-Level Programming V: Advanced Topics

Machine Programming 5: Buffer Overruns and Stack Exploits

Foundations of Computer Systems

CS356: Discussion #7 Buffer Overflows. Marco Paolieri

Blossom Hands-on exercises for computer forensics and security. Buffer Overflow

18-600: Recitation #4 Exploits

Why do we need Pointers? Call by Value vs. Call by Reference in detail Implementing Arrays Buffer Overflow / The Stack Hack

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Machine-Level Programming IV: Structured Data

CSE 509: Computer Security

Program Security and Vulnerabilities Class 2

CS429: Computer Organization and Architecture

Machine-Level Programming III: Procedures

Machine-level Programs Procedure

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

18-600: Recitation #4 Exploits (Attack Lab)

Buffer Overflow Attack (AskCypert CLaaS)

Princeton University Computer Science 217: Introduction to Programming Systems. Machine Language

Princeton University Computer Science 217: Introduction to Programming Systems. A paradox. Machine Language. Machine language.

Lecture 4 September Required reading materials for this class

Bryant and O Hallaron, Computer Systems: A Programmer s Perspective, Third Edition. Carnegie Mellon

CSE 351 Midterm - Winter 2015 Solutions

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

CS241 Computer Organization Spring Buffer Overflow

CSE 351 Midterm - Winter 2015

Buffer-Overflow Attacks on the Stack

Buffer-Overflow Attacks on the Stack

Fundamentals of Computer Security

CS-220 Spring 2018 Test 2 Version Practice Apr. 23, Name:

Machine- Level Programming V: Advanced Topics

Mechanisms in Procedures. CS429: Computer Organization and Architecture. x86-64 Stack. x86-64 Stack Pushing

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

CMPSC 497 Buffer Overflow Vulnerabilities

The Stack & Procedures

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

CSE 565 Computer Security Fall 2018

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

Memory Corruption Vulnerabilities, Part I

Procedures and the Call Stack

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Cyber Security Software Security: Exploits and Mitigations. Dr Chris Willcocks

Machine-Level Programming (2)

Assembly III: Procedures. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

The Stack & Procedures

Midterm Exam, Fall 2015 Date: October 29th, 2015

logistics LEX assignment out exam in on week come with questions on Monday (review)

Where We Are. Optimizations. Assembly code. generation. Lexical, Syntax, and Semantic Analysis IR Generation. Low-level IR code.

Buffer overflow background

Buffer Overflows Defending against arbitrary code insertion and execution

1 Number Representation(10 points)

Computer Systems C S Cynthia Lee

Machine- Level Representa2on: Procedure

Secure Programming I. Steven M. Bellovin September 28,

CSCI 2021: x86-64 Control Flow

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

Software Security: Buffer Overflow Defenses

Machine Program: Procedure. Zhaoguo Wang

ECS 153 Discussion Section. April 6, 2015

CSE 351 Midterm - Winter 2017

CS 261 Fall Machine and Assembly Code. Data Movement and Arithmetic. Mike Lam, Professor

Buffer Overflows. Buffers. Administrative. COMP 435 Fall 2017 Prof. Cynthia Sturton. Buffers

University of Washington

7.1. CS356 Unit 7. Data Layout & Intermediate Stack Frames

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

CSE351 Autumn 2012 Midterm Exam (5 Nov 2012)

Programmer s Points to Remember:

Transcription:

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM

x86-64 Linux Memory Layout 0x00007fffffffffff not drawn to scale Stack... Caller Frame Optional Frame pointer %rbp Extra Arguments Return Addr Old %rbp 0x0000000000400000 0x0000000000000000 Heap Data Text Stack pointer %rsp Saved Registers + Local Variables Setup Extra Arguments 2

String Library Code C standard libray function gets() /* Get string from stdin */ char* gets(char* dest) { int c = getchar(); char* p = dest; while (c!= EOF && c!= '\n') { *p++ = c; c = getchar(); *p = '\0'; return dest; What could go wrong in this code? pointer to start of an array same as: *p = c; p = p + 1; Same problem in many functions: strcpy: Copies string of arbitrary length scanf, fscanf, sscanf, when given %s conversion specification 3

Vulnerable Buffer Code /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ gets(buf); puts(buf); int main() { printf("type a string:"); echo(); return 0; $./bufdemo Type a string:1234567 1234567 $./bufdemo Type a string:12345678 Segmentation Fault $./bufdemo Type a string:123456789abc Segmentation Fault 4

Buffer Overflow Disassembly echo code 00000000004006cf <echo>: 4006cf: 48 83 ec 18 sub $0x24,%rsp 4006d3: 48 89 e7 mov %rsp,%rdi 4006d6: e8 a5 ff ff ff callq 400680 <gets> 4006db: 48 89 e7 mov %rsp,%rdi 4006de: e8 3d fe ff ff callq 400520 <puts@plt> 4006e3: 48 83 c4 18 add $0x24,%rsp 4006e7: c3 retq caller code 4006e8: 48 83 ec 08 sub $0x8,%rsp 4006ec: b8 00 00 00 00 mov $0x0,%eax 4006f1: e8 d9 ff ff ff callq 4006cf <echo> 4006f6: 48 83 c4 08 add $0x8,%rsp 4006fa: c3 retq 5

Buffer Overflow Stack Before call to gets Stack frame for call_echo Return address (8 bytes) 20 bytes unused /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ gets(buf); puts(buf); echo: subq $24, %rsp movq %rsp, %rdi call gets [3] [2] [1] [0] buf %rsp 6

Buffer Overflow Stack Example Before call to gets Stack frame for call_echo 00 00 00 00 00 40 06 f6 20 bytes unused Return Address void echo() { char buf[4]; gets(buf); call_echo: echo: subq $24, %rsp movq %rsp, %rdi call gets 4006f1: callq 4006cf <echo> 4006f6: add $0x8,%rsp [3] [2] [1] [0] buf %rsp 7

Buffer Overflow Stack Example #1 After call to gets Stack frame for call_echo 00 00 00 00 00 40 06 f6 00 32 31 30 39 38 37 36 35 34 33 32 31 30 39 38 37 36 35 34 33 32 31 30 void echo() { char buf[4]; gets(buf); Return Address call_echo: buf %rsp echo: subq $24, %rsp movq %rsp, %rdi call gets 4006f1: callq 4006cf <echo> 4006f6: add $0x8,%rsp Null Terminator $./bufdemo Type a string: 01234567890123456789012 01234567890123456789012 Overflowed buffer, but did not corrupt state 8

Buffer Overflow Stack Example #2 After call to gets Stack frame for call_echo 00 00 00 00 00 40 00 34 33 32 31 30 39 38 37 36 35 34 33 32 31 30 39 38 37 36 35 34 33 32 31 30 void echo() { char buf[4]; gets(buf); Return Address call_echo: buf %rsp echo: subq $24, %rsp movq %rsp, %rdi call gets 4006f1: callq 4006cf <echo> 4006f6: add $0x8,%rsp unix>./bufdemo Type a string: 0123456789012345678901234 Segmentation Fault Overflowed buffer and corrupted return pointer 9

Buffer Overflow Stack Example #3 After call to gets Stack frame for call_echo 00 00 00 00 00 40 06 00 33 32 31 30 39 38 37 36 35 34 33 32 31 30 39 38 37 36 35 34 33 32 31 30 void echo() { char buf[4]; gets(buf); Return Address call_echo: buf %rsp echo: subq $24, %rsp movq %rsp, %rdi call gets 4006f1: callq 4006cf <echo> 4006f6: add $0x8,%rsp unix>./bufdemo-nsp Type a string: 012345678901234567890123 012345678901234567890123 Overflowed buffer, corrupted return pointer, but program seems to work! 10

Buffer Overflow Stack Example #3 Explained After call to gets Stack frame for call_echo 00 00 00 00 00 40 06 00 33 32 31 30 39 38 37 36 35 34 33 32 31 30 39 38 37 36 35 34 33 32 31 30 Return Address buf %rsp Some other place in.text 400600: mov %rsp,%rbp 400603: mov %rax,%rdx 400606: shr $0x3f,%rdx 40060a: add %rdx,%rax 40060d: sar %rax 400610: jne 400614 400612: pop %rbp 400613: retq Returns to unrelated code Lots of things happen, without modifying critical state Eventually executes retq back to main 11

Malicious Use of Buffer Overflow Stack after call to gets() void foo(){ bar();... return address A B (was A) foo stack frame int bar() { char buf[64]; gets(buf);... return...; data written by gets() B pad exploit code bar stack frame Input string contains byte representation of executable code Overwrite return address A with address of buffer (need to know B) When bar() executes ret, will jump to exploit code (instead of A) 17

Exploiting Buffer Overflows Buffer overflow bugs allow remote attackers to execute arbitrary code on machines running vulnerable software. 1988: Internet worm Early versions of the finger server daemon (fingerd) used gets() to read the argument sent by the client: finger somebody@cs.wellesley.edu... Attack by sending phony argument: finger exploit-code padding new-return-address Still happening commandline facebook of the 80s! "Ghost:" 2015 gethostname() 18

Heartbleed (2014) Buffer over-read in OpenSSL Widely used encryption library (https) Heartbeat packet Specifies length of message Server echoes that much back Library just trusted this length Allowed attackers to read contents of memory anywhere they wanted ~17% of Internet affected Catastrophic Github, Yahoo, Stack Overflow, Amazon AWS,... By FenixFeather - Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=32276981 19

Avoiding Overrun Vulnerabilities 1. Use a memory-safe language (not C)! 2. If you have to use C, use library functions that limit string lengths. fgets instead of gets /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ fgets(buf, 4, stdin); puts(buf); strncpy instead of strcpy Don t use scanf with %s conversion specification Use fgets to read the string Or use %ns where n is a suitable integer Other ideas? 21

Modern System-Level Protections Available in modern OSs/compilers/hardware (We disabled these for buffer assignment.) 1. Randomize stack base, maybe frame padding not drawn to scale Stack 2. Detect stack corruption save and check stack "canary" values 3. Non-executable memory segments stack, heap, data, everything except text hardware support Helpful, not foolproof! Return-oriented programming, over-reads, etc. Heap Data Text 22

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback