Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Similar documents
Software Vulnerabilities August 31, 2011 / CS261 Computer Security

Buffer Overflow Attacks

CMPSC 497 Buffer Overflow Vulnerabilities

CSE 509: Computer Security

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

CS 161 Computer Security

Lecture 08 Control-flow Hijacking Defenses

Code with red border means vulnerable code. Code with green border means corrected code. This program asks the user for a password with the function

CSE 565 Computer Security Fall 2018

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

CNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated

Smashing the Buffer. Miroslav Štampar

CS 161 Computer Security

Basic Buffer Overflows

Buffer Overflows Defending against arbitrary code insertion and execution

Writing Exploits. Nethemba s.r.o.

Lecture 4 September Required reading materials for this class

CSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko

Software Security: Buffer Overflow Attacks

Software Security II: Memory Errors - Attacks & Defenses

Return-orientated Programming

Lecture 09 Code reuse attacks. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017

Modern Buffer Overflow Prevention Techniques: How they work and why they don t

Software Security: Buffer Overflow Defenses

20: Exploits and Containment

Università Ca Foscari Venezia

(Early) Memory Corruption Attacks

Program Security and Vulnerabilities Class 2

Is Exploitation Over? Bypassing Memory Protections in Windows 7

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

Bypassing Browser Memory Protections

Buffer overflow prevention, and other attacks

Runtime Defenses against Memory Corruption

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

CSE 127 Computer Security

CSE 127 Computer Security

Heap Off by 1 Overflow Illustrated. Eric Conrad October 2007

From Over ow to Shell

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures)

Biography. Background

Advanced Buffer Overflow

Topics in Software Security Vulnerability

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

Software Security: Buffer Overflow Attacks (continued)

Reserve Engineering & Buffer Overflow Attacks. Tom Chothia Computer Security, Lecture 17

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

Software Vulnerabilities. Jeff Foster University of Maryland, College Park

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

CSE 127 Computer Security

Secure Systems Engineering

ECS 153 Discussion Section. April 6, 2015

Bypassing SEHOP. Stéfan Le Berre Damien Cauquil

CYSE 411/AIT681 Secure Software Engineering Topic #8. Secure Coding: Pointer Subterfuge

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

Architecture-level Security Vulnerabilities

Lecture 1: Buffer Overflows

Secure Coding Topics. Readings. CYSE 411/AIT681 Secure Software Engineering. Pointer Subterfuge. Outline. Data Locations (cont d) Data Locations

Secure Coding Topics. CYSE 411/AIT681 Secure Software Engineering. Readings. Outline. This lecture: Topic #8. Secure Coding: Pointer Subterfuge

Fundamentals of Linux Platform Security

Memory Safety (cont d) Software Security

Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin

Buffer overflow background

Lab 2: Buffer Overflows

Exploits and gdb. Tutorial 5

CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux

We will focus on Buffer overflow attacks SQL injections. See book for other examples

Syed Kamran Haider Department of Electrical & Computer Engineering University of Connecticut

Exercise 6: Buffer Overflow and return-into-libc Attacks

Buffer Overflow and Protection Technology. Department of Computer Science,

Buffer Overflow and Format String Overflow Vulnerabilities

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

String Oriented Programming Exploring Format String Attacks. Mathias Payer

Midterm 1 Review. Memory Safety & Web Attacks

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

Advanced Buffer Overflow

Lecture 10 Code Reuse

Software Security: Buffer Overflow Defenses and Miscellaneous

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

Defeat Exploit Mitigation Heap Attacks. compass-security.com 1

Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2

malloc() is often used to allocate chunk of memory dynamically from the heap region. Each chunk contains a header and free space (the buffer in which

Intrusion Detection and Malware Analysis

ISA564 SECURITY LAB. Code Injection Attacks

Outline. Memory Exploit

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Fundamentals of Computer Security

Code Injection Attacks Buffer Overflows

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

Buffer Overflow Vulnerability

Lecture 07 Heap control data. Stephen Checkoway University of Illinois at Chicago

Lab 2: Buffer Overflows

Foundations of Network and Computer Security

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

INTRODUCTION TO EXPLOIT DEVELOPMENT

Selected background on ARM registers, stack layout, and calling convention

On Compilers, Memory Errors and Control-Flow Integrity

Architecture-level Security Vulnerabilities. Julian Stecklina

Transcription:

Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus(MSR) and Brandon Baker (MS)

Buffer Overflows and How they Occur Buffer is a contiguous segment of memory of a fixed size Program tries to write beyond the boundary of the buffer C/C++ are not type safe, so any memory location can be interpreted as any type of data No boundary checking of arrays when data is written Data is written into adjacent memory locations beyond the boundary of the array and is the payload Payload can contain opcodeswhich are interpreted by the program as code and the program s flow of control is changed (Or the program will most likely just crash)

A Simple Buffer Overflow char buffer[5]; strcpy(buffer, "ABCDEF"); View of memory after allocation Buffer[0] Buffer[1] Buffer[2] Buffer[3] Buffer[4] After copying the string A B C D E F \0 The F and \0 are in adjacent memory locations

Convention I m Going to Use Virtual address space is 4 GB 0x00000000 to 0xFFFFFFFF Stack starts at the bottom of the page and grows towards lower addresses 0x00000000...... 0xFFFFFFFD 0xFFFFFFFE 0xFFFFFFFF SP

Function Calls The Stack The parameters to the function are pushed onto the stack The current point of execution, i.e. the instruction pointer (EIP) is pushed Points to the next instruction, i.e. the instruction to be performed after the function returns EBP is pushed onto the stack Local variables of the functions

Function Calls The Stack Consider the function void function(int A, int B) { int C; } The stack will look like SP C EBP EIP A B

Stack Smashing The local function is above the EBP and EIP on the stack Buffer overflows over the EBP and the EIP Saved EIP is overwritten with an address of the attacker s choice Execution path returns to the value pointed by EIP, which could be some custom code

0x00000000 Before and After an Attack buff[0] buff[0] : 0x90 0xB49E7884 Local Variables Arguments 0xFFFFFFFF buff[1] buff[n] D C EBP EIP A B buff[1] : Shell Code buff[n] : exit() D : 0x90909090 C : 0x90909090 EBP : 0x90909090 EIP : 0xB49E7884 A B

Buffer Overflow Protection Mechanisms Number of mechanisms have come to protect against buffer overflows Try and detect the buffer overflows or prevent the execution of the shellcode after the overflow Most common amongst these are Non executable stacks Canary Values (Stackguard) Address Space Layout Randomization (ASLR)

Non-Executable Stacks NX stack Marks certain areas of memory as non-executable Processor will refuse to execute instructions if EIP points into these locations Hardware or software implemented In Windows, the feature is called Data Execution Prevention or DEP

Canary Values Value is stored and written in between the buffer and control variables such as EBP and EIP on the stack Canary can be a random value stored in an arbitrary location in an unmapped page During a buffer overflow the canary value is overwritten before the EIP While returning from the function, the canary is checked If it has been overwritten, the program faults

Arc Injection Attack EIP is overrun to point to a location already in the program s address space system() takes an argument R and makes a system call to create the process R can be made to point to an attacker pointed string Since system is in libcwhich is automatically linked into all applications, also called return-to-libc attacks As code is on an executable page, NX is bypassed

Chaining Arc Injection Attacks Shell can be obtained by running the system() command with bin/sh as an argument When the called function has finished executing, it will look for a return address on the stack By providing the location of another function, we can get it to jump there and chain a number of function calls together The address of exit() is passed as the return for system() so that the program exits after executing and giving us a shell

Arc Injection Attack The buffer is filled with garbage EIP is overwritten with the address of system() Following this is the address of exit(), which acts as the EIP after the system() call returns Following this is the address of bin/sh A A system() exit() bin/sh

Function Pointer Clobbering Modify a function pointer to point to attacker supplied code When the pointer is used, it calls the modified code as opposed to the original code void f2a(void *arg, size_t len) { char buf[100]; void (*f)() =.; memcpy(buff, arg, len); f(); } Can bypass both NX and Canary values protection

Data Pointer Modification Occurs when there is a pointer that is used for assignment operations after the buffer overflow By writing a location into the pointer, one can write to any arbitrary memory location Can be used to modify an external function pointer, or also to overwrite the global canary value When the function is called, or the function is returning and comparing canary values, it uses the attacker modified value long val, *ptr; extern void (*f)(); memcpy(buff, arg, len); *ptr = val;

Exception Handler Hijacking Windows has an exception handling mechanism called Structured Exception Handlers (SEH) Program has a registered list of exceptions that are stored in a linked list When an exception occurs, one or more of these is invoked by calling the function pointer present on the list Exception handler of the entire Thread Environment Block can be replaced Exception Handlers contain two elements Handler code to handle the exception NextSEH pointer to the next exception handler

SEH Overflow The handler is filled up with the address of POP,POP, RET instructions to trampoline to a known location NextSEH is overflowed to contain a 6 byte jump to jump over the opcodeand the pointer to POP,POP, RET Shellcode starts immediately after the SEH handler Buffer NextSEH Handler Canary EBP EIP SEH Exception Handler AAAAAAA 909006EB POP, POP, RET Shellcode

VPTR Smashing C++ compilers implement a virtual function table (VTBL) with each class, which contains an array of function pointers called virtual pointers (VPTR) VPTR smashing replaces a VPTR in the VTBL with a user specified value This function is now called whenever that virtual function is invoked on the object Can happen when the object is allocated either on the stack or on the heap

Heap Smashing Heap smashing exploits the implementation of the dynamic memory allocation routines Some allocators keep headers in allocated and freed blocks which are chained together in doubly linked lists These are updated during malloc and free operations A buffer overflow can corrupt the pointers in the header of an adjacent block, which can lead to arbitrary code execution when the free is called on the adjacent block More difficult than stack smashing attacks, but have been commoditized recently

Conclusions The volume of existing low level code in C/C++ means that buffer overflows are likely to remain a major source of vulnerabilities Newer techniques give lie to the assumption that buffer overflows necessarily inject shellcodeor that they have to modify the saved return address New language functionality like virtual functions result in new avenues for buffer overflow attacks Arms-race between attackers and defenders is likely to continue

Questions Language Support Can we have languages that take care of vulnerabilities and prevent buffer overflows? Or is it impossible? How do type-safe languages prevent buffer overflows? Will changing the environment of languages (like using compiler extensions and safe versions of unsafe functions) prevent buffer overflows? Early attempts to move OSesfrom assembly to C were met with skepticism. Should we make a shift to a higher level language for operating systems where the exploits in the paper are not possible?

Questions Prevention Wouldn t carefully written and audited code prevent it? Does sandboxing the entire system like VM s work? Can we prove that there will be no attack past the protection boundary? Arc injection seems particularly scary. How do we prevent it? Can loading all function pointers and return addresses at compile time and marking them read only help?

Questions Miscellaneous Can these types of attacks affect the kernel? Is there any way around this arms race that they mention in the conclusion?

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback