Language Security. Lecture 40

Similar documents
One-Slide Summary. Lecture Outline. Language Security

Security Analyses For The Lazy Superhero

Foundations of Network and Computer Security

Foundations of Network and Computer Security

Lecture 4 September Required reading materials for this class

Towards automated detection of buffer overrun vulnerabilities: a first step. NDSS 2000 Feb 3, 2000

ECS 153 Discussion Section. April 6, 2015

Basic Buffer Overflows

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

Buffer Overflows Defending against arbitrary code insertion and execution

Static Analysis in Practice

(Early) Memory Corruption Attacks

Secure Software Development: Theory and Practice

Static Analysis in Practice

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

CS61C Machine Structures. Lecture 4 C Pointers and Arrays. 1/25/2006 John Wawrzynek. www-inst.eecs.berkeley.edu/~cs61c/

Control Flow Hijacking Attacks. Prof. Dr. Michael Backes

Buffer Overflow Vulnerability

Today Program Analysis for finding bugs, especially security bugs problem specification motivation approaches remaining issues

Secure Programming I. Steven M. Bellovin September 28,

Agenda. Peer Instruction Question 1. Peer Instruction Answer 1. Peer Instruction Question 2 6/22/2011

Lecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall Nitesh Saxena

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Finding User/Kernel Pointer Bugs with Type Inference p.1

Buffer Overflow Vulnerability Lab Due: September 06, 2018, Thursday (Noon) Submit your lab report through to

CSE 565 Computer Security Fall 2018

CSE 565 Computer Security Fall 2018

Lecture 9 Assertions and Error Handling CS240

Memory Safety (cont d) Software Security

Multi-dimensional Arrays

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

CS61C : Machine Structures

Buffer overflow background

Static Vulnerability Analysis

Software Security II: Memory Errors - Attacks & Defenses

CCured. One-Slide Summary. Lecture Outline. Type-Safe Retrofitting of C Programs

CS107 Handout 08 Spring 2007 April 9, 2007 The Ins and Outs of C Arrays

HW1 due Monday by 9:30am Assignment online, submission details to come

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Lecture 08 Control-flow Hijacking Defenses

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Shellcode Analysis. Chapter 19

ECE 471 Embedded Systems Lecture 22

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

Buffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

Scaling CQUAL to millions of lines of code and millions of users p.1

Is stack overflow still a problem?

CS 222: Pointers and Manual Memory Management

o Code, executable, and process o Main memory vs. virtual memory

Simple Overflow. #include <stdio.h> int main(void){ unsigned int num = 0xffffffff;

CS 61C: Great Ideas in Computer Architecture. C Arrays, Strings, More Pointers

Program Security and Vulnerabilities Class 2

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

Lecture Outline. Intermediate code Intermediate Code & Local Optimizations. Local optimizations. Lecture 14. Next time: global optimizations

Lecture 6: Buffer Overflow. CS 436/636/736 Spring Nitesh Saxena

Computer Programming: Skills & Concepts (CP) Strings

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI)

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

Buffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers.

Buffer overflows & friends CS642: Computer Security

BUFFER OVERFLOW. Jo, Heeseung

Buffer Overflow. Jo, Heeseung

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

CS 2630 Computer Organization. Meeting 10/11: data structures in MIPS Brandon Myers University of Iowa

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM

CSE 509: Computer Security

Goal. Overflow Checking in Firefox. Sixgill. Sixgill (cont) Verifier Design Questions. Sixgill: Properties 4/8/2010

CNIT 127: Exploit Development. Ch 3: Shellcode. Updated

Static Analysis methods and tools An industrial study. Pär Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU

CMSC 414 Computer and Network Security

Slide Set 3. for ENCM 339 Fall 2017 Section 01. Steve Norman, PhD, PEng

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

Buffer Overflow Vulnerability Lab

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

CS61C : Machine Structures

The Compiler So Far. Lexical analysis Detects inputs with illegal tokens. Overview of Semantic Analysis

C Review. MaxMSP Developers Workshop Summer 2009 CNMAT

18-600: Recitation #4 Exploits

Buffer overflow prevention, and other attacks

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

CPSC 213. Introduction to Computer Systems. Static Scalars and Arrays. Unit 1b

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

CS4264 Programming Assignment 1 Buffer Overflow Vulnerability Due 02/21/2018 at 5:00 PM EST Submit through CANVAS

Programming refresher and intro to C programming

Run-time Environments. Lecture 13. Prof. Alex Aiken Original Slides (Modified by Prof. Vijay Ganesh) Lecture 13

ISA564 SECURITY LAB. Code Injection Attacks

Register Allocation. Lecture 38

CSC 438 Systems and Software Security, Spring 2014 Instructor: Dr. Natarajan Meghanathan Question Bank for Module 6: Software Security Attacks

CSSV: Towards a Realistic Tool for Statically Detecting All Buffer Overflows in C

Other Forms of Intermediate Code. Local Optimizations. Lecture 34

Administrative. Other Forms of Intermediate Code. Local Optimizations. Lecture 34. Code Generation Summary. Why Intermediate Languages?

Week 5, continued. This is CS50. Harvard University. Fall Cheng Gong

Securing Software Applications Using Dynamic Dataflow Analysis. OWASP June 16, The OWASP Foundation

Università Ca Foscari Venezia

EURECOM 6/2/2012 SYSTEM SECURITY Σ

CSE351 Winter 2016, Final Examination March 16, 2016

CS 161 Computer Security

Transcription:

Language Security Lecture 40 (from notes by G. Necula) Prof. Hilfinger CS 164 Lecture 40 1

Lecture Outline Beyond compilers Looking at other issues in programming language design and tools C Arrays Exploiting buffer overruns Detecting buffer overruns Prof. Hilfinger CS 164 Lecture 40 2

Platitudes Language design has influence on Efficiency Safety Security Prof. Hilfinger CS 164 Lecture 40 3

C Design Principles Small language Maximum efficiency Safety less important Designed for the world as it was in 1972 Weak machines Superhuman programmers (or so they thought) Trusted networks Prof. Hilfinger CS 164 Lecture 40 4

Arrays in C char buffer[100]; Declares and allocates an array of 100 chars 0 1 2 99 100 *sizeof(char) Prof. Hilfinger CS 164 Lecture 40 5

C Array Operations char buf1[100], buf2[100]; Write: buf1[0] = a ; Read: return buf2[0]; Prof. Hilfinger CS 164 Lecture 40 6

What s Wrong with this Picture? int i; for(i = 0; buf1[i]!= \0 ; i++) { buf2[i] = buf1[i]; } buf2[i] = \0 ; Prof. Hilfinger CS 164 Lecture 40 7

Indexing Out of Bounds The following are all well-typed C and may generate no run-time errors char buffer[100]; buffer[-1] = a ; buffer[100] = a ; buffer[100000] = a ; Prof. Hilfinger CS 164 Lecture 40 8

Why? Why does C allow out-of-bounds array references? Proving at compile-time that all array references are in bounds is impossible in most languages Checking at run-time that all array references are in bounds is expensive But it is even more expensive to skip the checks Prof. Hilfinger CS 164 Lecture 40 9

Code Generation for Arrays The C code: The assembly code: Regular C r1 = &buf1; r2 = load i; r3 = r2 * 4; r4 = r1 + r3 store r4, 1 buf1[i] = 1; /* buf1 has type int[] */ C with bounds checks r1 = &buf1; r2 = load i; r3 = r2 * 4; if r3 < 0 then error; r5 = load limit of buf1; if r3 >= r5 then error; r4 = r1 + r3 store r4, 1 Costly! Finding the array limits is non-trivial Prof. Hilfinger CS 164 Lecture 40 10

C vs. Java C array reference typical case Offset calculation Memory operation (load or store) Java array reference typical case Offset calculation Memory operation (load or store) Array bounds check Type compatibility check (for some arrays) Prof. Hilfinger CS 164 Lecture 40 11

Buffer Overruns A buffer overrun writes past the end of an array Buffer usually refers to a C array of char But can be any array So who s afraid of a buffer overrun? Can cause a core dump Can damage data structures What else? Prof. Hilfinger CS 164 Lecture 40 12

Stack Smashing Buffer overruns can alter the control flow of your program! char buffer[100]; /* stack allocated array */ 0 1 2 99 return address 100 *sizeof(char) Prof. Hilfinger CS 164 Lecture 40 13

An Overrun Vulnerability void foo(char in[]) { char buffer[100]; int i = 0; for(i = 0; in[i]!= \0 ; i++) { buffer[i] = in[i]; } buffer[i] = \0 ; } Prof. Hilfinger CS 164 Lecture 40 14

An Interesting Idea char in[104] = {,,, magic 4 chars } foo(in); (**) foo entry 0 1 2 99 return address (**) 100 *sizeof(char) foo exit 0 1 2 99 return address magic 4 chars 100 *sizeof(char) Prof. Hilfinger CS 164 Lecture 40 15

Discussion So we can make foo jump wherever we like. How is this possible? Unanticipated interaction of two features: Unchecked array operations Stack-allocated arrays and return addresses Knowledge of frame layout allows prediction of where array and return address are stored Note the magic cast from char s to an address Prof. Hilfinger CS 164 Lecture 40 16

The Rest of the Story Say that foo is part of a network server and the in originates in a received message Some remote user can make foo jump anywhere! But where is a useful place to jump? Idea: Jump to some code that gives you control of the host system (e.g. code that spawns a shell) But where to put such code? Idea: Put the code in the same buffer and jump there! Prof. Hilfinger CS 164 Lecture 40 17

The Plan We ll make the code jump to the following code: In C: exec( /bin/sh ); In assembly (pretend): mov $a0, 15 ; load the syscall code for exec mov $a1, &Ldata ; load the command syscall ; make the system call Ldata:.byte /, b, i, n, /, s, h,0 ; null-terminated In machine code: 0x20, 0x42, 0x00, Prof. Hilfinger CS 164 Lecture 40 18

The Plan char in[104] = { 104 magic chars } foo(in); foo exit 0 1 2 99 return address 0x20, 0x42, 0x00, The last 4 bytes in in must equal the start of buffer Its position might depend on many factors! Prof. Hilfinger CS 164 Lecture 40 19

Guess the Location of the Injected Code Trial & error: gives you a ballpark Then pad the injected code with NOP E.g. add $0, $1, 0x2020 foo exit stores result in $0 which is hardwired to 0 anyway Encoded as 0x20202020 0 1 2 99 return address 0x20,, 0x20, 0x20, 0x42, 0x00, The bad code Works even with an approximate address of buffer! Prof. Hilfinger CS 164 Lecture 40 20

More Problems We do not know exactly where the return address is Depends on how the compiler chose to allocate variables in the stack frame Solution: pad the buffer at the end with many copies of the magic return address X foo exit 0 1 2 99 0x20,, 0x20, 0x20, 0x42, 0x00,, X, X, X, X,, X, X, The bad code return address Prof. Hilfinger CS 164 Lecture 40 21

Even More Problems The most common way to copy the bad code in a stack buffer is using string functions: strcpy, strcat, etc. This means that buf cannot contain 0x00 bytes Why? Solution: Rewrite the code carefully Instead of addiu $4,$0,0x0015 (code 0x20400015) Use addiu $4,$0,0x1126; subiu $4, $4, 0x1111 Prof. Hilfinger CS 164 Lecture 40 22

The State of C Programming Buffer overruns are common Programmers must do their own bounds checking Easy to forget or be off-by-one or more Program still appears to work correctly In C w.r.t. to buffer overruns Easy to do the wrong thing Hard to do the right thing Prof. Hilfinger CS 164 Lecture 40 23

The State of Hacking Buffer overruns are the attack of choice 40-50% of new vulnerabilities are buffer overrun exploits Many recent attacks of this flavor: Code Red, Nimda, MS-SQL server Highly automated toolkits available to exploit known buffer overruns Search for buffer overruns yields > 25,000 hits Prof. Hilfinger CS 164 Lecture 40 24

The Sad Reality Even well-known buffer overruns are still widely exploited Hard to get people to upgrade millions of vulnerable machines We assume that there are many more unknown buffer overrun vulnerabilities At least unknown to the good guys Prof. Hilfinger CS 164 Lecture 40 25

Static Analysis to Detect Buffer Overruns Detecting buffer overruns before distributing code would be better Idea: Build a tool similar to a type checker to detect buffer overruns Joint work by Alex Aiken, David Wagner, Jeff Foster, at Berkeley Prof. Hilfinger CS 164 Lecture 40 26

Focus on Strings Most important buffer overrun exploits are through string buffers Reading an untrusted string from the network, keyboard, etc. Focus the tool only on arrays of characters Prof. Hilfinger CS 164 Lecture 40 27

Idea 1: Strings as an Abstract Data Type A problem: Pointer operations & array dereferences are very difficult to analyze statically Where does *a point? What does buf[j] refer to? Idea: Model effect of string library functions directly Hard code effect of strcpy, strcat, etc. Prof. Hilfinger CS 164 Lecture 40 28

Idea 2: The Abstraction Model buffers as pairs of integer ranges Alloc min allocated size of the buffer in bytes Length max number of bytes actually in use Use integer ranges [x,y] = { x, x+1,, y-1, y } Alloc & length cannot be computed exactly Prof. Hilfinger CS 164 Lecture 40 29

The Strategy For each program expression, write constraints capturing the alloc and len of its string subexpressions Solve the constraints for the entire program Check for each string variable s len(s) alloc(s) Prof. Hilfinger CS 164 Lecture 40 30

The Constraints char s[n]; strcpy(dst,src) n alloc(s) len(src) len(dst) p = strdup(s) len(s) len(p) & len(s) alloc(p) p[n] = \0 n+1 len(p) Prof. Hilfinger CS 164 Lecture 40 31

Constraint Solving Solving the constraints is akin to solving dataflow equations (e.g., constant propagation) Build a graph Nodes are len(s), alloc(s) Edges are constraints len(s) len(t) Propagate information forward through the graph Special handling of loops in the graph Prof. Hilfinger CS 164 Lecture 40 32

Using Solutions Once you ve solved constraints to extract as much information as possible, look to see if len(s) alloc(s) is necessarily true. If not, may have a problem. For example, if b is parameter about which we know nothing, then in char s[100]; strcpy (s, b); assertion len(s) alloc(s) will not simplify to True. Prof. Hilfinger CS 164 Lecture 40 33

Results Found new buffer overruns in sendmail Found new exploitable overruns in Linux nettools package Both widely used, previously hand-audited packages Prof. Hilfinger CS 164 Lecture 40 34

Limitations Tool produces many false positives 1 out of 10 warnings is a real bug Tool has false negatives Unsound---may miss some overruns But still productive to use Prof. Hilfinger CS 164 Lecture 40 35

Summary Programming language knowledge useful beyond compilers Useful for programmers Understand what you are doing! Useful for tools other than compilers Big research direction Prof. Hilfinger CS 164 Lecture 40 36

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback