CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

Similar documents
CIS 4360 Secure Computer Systems. Buffer Overflows

CIS 4360 Secure Computer Systems. Integers

Software Security II: Memory Errors - Attacks & Defenses

Module: Safe Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CSCE 548 Building Secure Software Integers & Integer-related Attacks & Format String Attacks. Professor Lisa Luo Spring 2018

CMPSC 497: Midterm Review

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

Program Security and Vulnerabilities Class 2

CS 161 Computer Security

CSE 565 Computer Security Fall 2018

Buffer overflow background

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM

Secure Programming. Buffer Overflows Learning objectives. Type. 3 Buffer Overflows. 4 An Important Vulnerability. 5 Example Overflow

ECS 153 Discussion Section. April 6, 2015

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

Buffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

We will focus on Buffer overflow attacks SQL injections. See book for other examples

Code with red border means vulnerable code. Code with green border means corrected code. This program asks the user for a password with the function

CMPSC 497 Buffer Overflow Vulnerabilities

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

DAY 3. CS3600, Northeastern University. Alan Mislove

Software Security Buffer Overflows more countermeasures. Erik Poll. Digital Security Radboud University Nijmegen

Copyright (2004) Purdue Research Foundation. All rights reserved.

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

Secure Programming I. Steven M. Bellovin September 28,

Buffer Overflow Attacks

Buffer Overflows. Buffers. Administrative. COMP 435 Fall 2017 Prof. Cynthia Sturton. Buffers

Topics in Software Security Vulnerability

Exploits and gdb. Tutorial 5

Sungkyunkwan University

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Lecture 08 Control-flow Hijacking Defenses

Software and Web Security 1. Root Cause Analysis. Abstractions Assumptions Trust. sws1 1

Computer Systems CEN591(502) Fall 2011

Basic Buffer Overflows

Machine-Level Programming V: Buffer overflow

Software Security: Buffer Overflow Attacks

Buffer overflow prevention, and other attacks

CSE 509: Computer Security

Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Review

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CSE 127 Computer Security

Buffer Overflow Vulnerability

Software Security: Buffer Overflow Defenses

CSE 127 Computer Security

CS 161 Computer Security

Software Security Buffer Overflows more countermeasures. Erik Poll. Digital Security Radboud University Nijmegen

Buffer overflows. Specific topics:

Lecture 05 Integer overflow. Stephen Checkoway University of Illinois at Chicago

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

CSC 252: Computer Organization Spring 2018: Lecture 9

Secure Software Development: Theory and Practice

Fundamentals of Computer Security

UMSSIA LECTURE I: SOFTWARE SECURITY

CMPSC 311- Introduction to Systems Programming Module: Strings

CSE 127 Computer Security

Runtime Defenses against Memory Corruption

Writing Exploits. Nethemba s.r.o.

Lecture 9 Assertions and Error Handling CS240

Memory Corruption Vulnerabilities, Part I

Lecture 4 September Required reading materials for this class

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

ECE 471 Embedded Systems Lecture 22

Intrusion Detection and Malware Analysis

Lecture 1: Buffer Overflows

EURECOM 6/2/2012 SYSTEM SECURITY Σ

Buffer Overflow Vulnerability Lab Due: September 06, 2018, Thursday (Noon) Submit your lab report through to

Copying and Concatenating C Strings with the str5 Functions

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

SoK: Eternal War in Memory

Introduction to N1031. Components of N1031. Guiding Principles. Walk through, issues, and rationale

Computer Programming: Skills & Concepts (CP) Strings

Buffer Overflows Defending against arbitrary code insertion and execution

Stack Overflow COMP620

Software Security: Buffer Overflow Attacks (continued)

Programmer s Points to Remember:

Foundations of Network and Computer Security

Control Hijacking Attacks

Buffer Overflow Defenses

CMSC 414 Computer and Network Security

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Applications. Cloud. See voting example (DC Internet voting pilot) Select * from userinfo WHERE id = %%% (variable)

Buffer Overflow. Jo, Heeseung

BUFFER OVERFLOW. Jo, Heeseung

Buffer Overflows. Buffer Overflow. Many of the following slides are based on those from

Reflections on using C(++) Root Cause Analysis

Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Exploit Mitigation - PIE

Buffer Overflow Attack

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures)

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

Transcription:

CSCE 548 Building Secure Software Buffer Overflow Professor Lisa Luo Spring 2018

Previous Class Virus vs. Worm vs. Trojan & Drive-by download Botnet & Rootkit Malware detection Scanner Polymorphic malware Metamorphic malware Real time monitor Anti-debugger detection 2

Trojan vs. Virus vs. Worm Trojan Virus Worm Self-replicated N Y Y Self-contained Y N Y Relying on exploitation of vulnerabilities N Maybe (e.g., scripting viruses) Y 3

Previous Class Describe the main components in a classic botnet structure (1) Botmaster (2) Command & Control (C&C) Servers (3) Bots 4

Buffer Overflow Also called Buffer Overrun It occurs when the access to a buffer is out of the bounds of the buffer, e.g. char dst[5]; strcpy(dst, some user provided input ); 5

Common and dangerous E.g., strcpy(buffer, long-src-str); 6

Types of buffer overflows Direction Access beyond upper bound: overflow Access beyond lower bound: underflow People usually call both as Buffer Overflows The out-of-bound access can be read or write Overread (leak info) Overwrite (manipulate memory content) The access can occur on stack or heap (or data) Stack-based / heap-based buffer overflows 7

Improving Software Security with Monitoring, Automated Diagnosis, and Self-shielding 8 If buffer overflow vulnerabilities could be effectively eliminated, a very large portion of the most serious security threats would also be eliminated. C. Cowan 8

Improving Software Security with Monitoring, Automated Diagnosis, and Self-shielding 9 If buffer overflow vulnerabilities could be effectively eliminated, a very large portion of the most serious security threats would also be eliminated. C. Cowan It is now safe to declare the buffer overflow the vulnerability of the quarter-century. Y. Younan 9

Background representation of C string H e l l o \0 In C/C++ programming strlen( Hello ) returns 5 The space needed by Hello is 6 Each string needs a \0 to flag the ending Q: What problems will occur? memcpy(dst, src, strlen(src)) Bug 1: buffer overflow when dst is too small Bug 2: the ending \0 is not copied 10

Background - Calling a procedure Given this C program: void main() { f(1,2,3); exit(0); } The invocation of f() generates code (parameters are pushed from right to left): pushl $3 ; // constant 3 pushl $2 ; pushl $1 call f // push the return address on stack and jump to f() 11

Background: Stack Lower-numbered addresses Higher-numbered addresses 3 Stack pointer (SP) (current top of stack) 12

Background: Stack Lower-numbered addresses Higher-numbered addresses 2 Stack pointer (SP) (current top of stack) 3 Stack grows, e.g., due to procedure call 13

Background: Stack Lower-numbered addresses Higher-numbered addresses 1 2 Stack pointer (SP) (current top of stack) 3 Stack grows, e.g., due to procedure call 14

Background: Stack Lower-numbered addresses Return address in main() Stack pointer (SP) (current top of stack) Higher-numbered addresses 1 2 3 Stack grows, e.g., due to procedure call 15

Background: Function prologue Imagine f() has local variables, e.g. in C: void f(int a, int b, int c) { char buffer1[5]; char buffer2[10]; strcpy(buffer2, "This is a very long string!!!!!!!"); } 16

After prologue Lower-numbered addresses Local array buffer2 Stack pointer (SP) (current top of stack) Local array buffer1 Saved (old) frame pointer Return address in main() Frame pointer (FP) use this to access local variables & parameters Higher-numbered addresses 1 2 3 Stack grows, e.g., due to procedure call 17

Overflowing buffer2 Lower-numbered addresses strcpy(buffer2, "This is a very long string!!!!!!!"); Local array buffer2 Stack pointer (SP) (current top of stack) Local array buffer1 Overwrite Saved (old) frame pointer Return address in main() Frame pointer (FP) use this to access local variables & parameters Higher-numbered addresses 1 2 3 Stack grows, e.g., due to procedure call 18

What happens if we write past the end of buffer2? Overwrites whatever is past buffer2! As you go further, overwrite higher addresses Impact depends on system details In our example, can overwrite: Local values (buffer1) Saved frame pointer Return value (changing what we return to) Parameters to function Previous frames 19

Inserting code in the buffer overflow attack (e.g., shell code) Attacker can also include machine code that they want us to run If setting the return value to point to this malicious code, the victim will run that code on return Significant portion of the famous Smashing the Stack paper describes how to insert such code 20

Stack: One possible result after attack Lower-numbered addresses Malicious code Local array buffer2 Stack pointer (SP) (current top of stack) Higher-numbered addresses Local array buffer1 Saved (old) frame pointer Return Ptrto address malicious in main() code 1 2 Frame pointer (FP) use this to access local variables & parameters 3 Stack grows, e.g., due to procedure call 21

Other types of attacks possible with a stack buffer overflow Make return point to existing code that the attacker wants us to run now E.g., Return to libc Change value of adjacent local variables, e.g., a function pointer or a critical bool variable Change value of parameters... and so on 22

Obvious solution in C Obvious solution when using C is to always check bounds E.g., if (strlen(src) + 1 > dst_buffer_size) return error; However Programmers do not necessarily do that 23

Many C functions don t check bounds gets() reads input without checking. Don t use it! strcpy() strcpy(dest, src) copies from src to dest If src longer than dest buffer, keeps writing! strcat() strcat(dest, src) appends src to dest If src + data in dest longer than dest buffer, keeps writing! scanf() family of input functions e.g., scanf( %s, buf); scanf(), fscanf(), sscanf(), vscanf(), vsscanf(), vfscanf() Many options don t control max length (e.g., bare %s ) It s not just functions; ordinary loops can overflow Q: Whether strncpy(dst, src, n) is secure? 24

Do not use strncpy() First thing first, do not use strncpy(dst, src, n) Very weird behaviors If src is too long (strlen(src) >= n): copy the first n characters of src to dst (so the ending null is not copied) If src is short (strlen(src) < n): any extra space will be padded with 0 s (so inefficient) 25

Solution 1: strlcpy -- OpenBSD only strlcpy (dst, src, dst_size): size-bounded string copy strlcpy truncates src to fit in the destination buffer It Copies up to (dst_size 1) characters from src to dst The ending null is guaranteed It does not use \0 to fill the extra dst space Easy to detect if terminates in the middle => Returns bytes would have been written strlcpy(dst, src, dst_size) >= dst_size // truncation detected! 26

Solution 2: Best solution snprintf int snprintf(char *dst, size_t n, const char * format, char * src); Writes src to buffer dst up to n bytes Always writes \0 at end if n>=1 Returns length that would have been written (excluding the ending null) if n is large enough or negative if error, so result-checking can be slightly annoying Sample: len = snprintf(dst, n, "%s", src); if (len < 0 len >= n) // handle error/truncation If src is too long (strlen(src) >= n), only the (n-1) characters of src will be copied to dst, then an ending null will be attached; that is, truncation occurs. If src is short (strlen(src) < n), src (including the ending null) will be copied 27

Question Write the equivalent code of n = strlcpy(dst, src, len); n = snprintf(dst, len, "%s, src); 28

Solution 3: C++ std::string class (resize) If using C++, avoid using char* strings Instead, use std::string class Automatically resizes Avoids buffer overflow E.g., str1 = str2; str1.append(str2); 29

The System Has Done the Following Canary Insert a secret value (cookie) between the return address and the buffer on the stack at call entry, and check the canary integrity at the call exit If the canary is corrupted, a buffer overflow is detected Very effective against stack based overflows DEP: Data Execution Prevention Data on stack and heap cannot be executed Prevent injected code from being executed ASLR: Address Space Layout Randomization Scramble the locations of libraries and executables So attackers do not know how to reuse their code 30

The Compiler Can Do the Following Enabled by default in may systems, such as Ubuntu -fstack-protector --param=ssp-buffer-size=4 Any function that has a buffer whose size >=4 will be protected with canary checking -D_FORTIFY_SOURCE=2 Add overflow compile-time/runtime checking for strcpy/memcpy Needs O1 to take effect; -O2 is preferred To disable the protection above (very bad; but sometimes you may want to be crazy) -fno-stack-protector -D_FORTIFY_SOURCE=0 31

Question Compare strcpy, strncpy, and snprintf (1) strcpy(dst, src): regardless of the size of the dst buffer, copy the src (including the ending null) to dst (2) strncpy(dst, src, n): copy at most n characters from src to dst (the ending null is not guaranteed); extra space will be padded with 0 s (so inefficient) (3) snprintf(dst, n, "%s", src): copy at most n-1 characters from src to dst and the ending null is guaranteed 32

Question What concrete attacks can be launched by exploiting a buffer overflow vulnerability? List at least four. 1. Stack buffer overflow can conveniently overwrites the return address on the stack to hijack the control flow 2. Stack buffer overflow can overwrite local variables 3. Heap buffer overflow can modify buffers adjacent to the vulnerable buffer 4. A sub-object buffer overflow can modify the adjacent fields of the containing object * Thanks to some compilation option, 1 and 2 have been largely mitigated 33

Recap Buffer overflows can be devastating C/C++/Objective-C vulnerable to them Most other languages not natively vulnerable But many components/languages are in C/C++ The system has done a lot for us (but it is insufficient) Canary DEP (Data Execution Prevention) ASLR (Address Space Layout Randomization) What you should do Always enforce bounds checking in your code Use snprintf/strlcpy/strlcat in your code Do not use strncpy 34

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback