CSCE 548 Building Secure Software Integers & Integer-related Attacks & Format String Attacks. Professor Lisa Luo Spring 2018


Previous Class
Buffer overflows can be devastating. One occurs when an access to a buffer is out of the bounds of the buffer. The out-of-bounds access can be a read or a write: an overread leaks information; an overwrite manipulates memory content.
The system has done a lot for us, but it is insufficient: Canary; DEP (Data Execution Prevention); ASLR (Address Space Layout Randomization).
What you should do: always enforce bounds checking in your code; use snprintf/strlcpy/strlcat in your code (do not use strncpy).

Outline
Integer
Integer Representation
Integer-related attacks
Format string attacks

An example
In binary search, m = (low + high) / 2. This contains an integer overflow vulnerability.
E.g., low = 8; high = INT_MAX - 4. You expect m = (INT_MAX + 4) / 2, but the real value you get is m = (INT_MIN + 3) / 2.
You will find out the reason and the solution.

Integer Representation: Two's Complement
The two's complement form of a negative integer is created by adding one to the one's complement representation.
How -41 is expressed in two's complement notation (8 bits):
1. Write the binary representation of its absolute value: 41 = 0010 1001
2. Flip its bits (one's complement): 1101 0110
3. Add one: 1101 0110 + 1 = 1101 0111, which is -41

n bits (figure omitted)
If the variable is signed, the highest bit represents whether it is positive or negative.
If the variable is unsigned, all the bits represent the value of the variable.

Unsigned Integers
Unsigned integer values range from zero to a maximum that depends on the size of the type. This maximum value can be calculated as 2^n - 1, where n is the number of bits used to represent the unsigned type.

Unsigned Integer Representation (figure: range up to UINT_MAX; two's complement)

Signed Integers
Signed integers are used to represent positive and negative values. On a computer using two's complement arithmetic, a signed integer ranges from -2^(n-1) through 2^(n-1) - 1.

Signed Integer Representation (figure: range INT_MIN to INT_MAX)

Integer Overflow Examples (from CIS 4360 Secure Computer Systems)

Vulnerability due to Integer Overflows
Even an operation as simple as a + b or a * b may lead to an integer overflow, and may be exploitable.
E.g., malloc(element_size * count);

Mitigation
Checking:
    unsigned int a, b;
    if (a <= UINT_MAX - b) malloc(a + b);
    if (b != 0 && a <= UINT_MAX / b) malloc(a * b);   // guard b == 0 before dividing
Avoiding:
    int a, b;
    int m = (a + b) / 2;    // a + b may overflow
    // assume both a and b are positive, so b - a cannot overflow
    m = a + (b - a) / 2;

Mitigation
Use GCC's built-in overflow detection functions: __builtin_[us](operation)(l?l?)_overflow
    unsigned long a, b, c;
    // u means unsigned; mul means multiplication; l means long
    if (__builtin_umull_overflow(a, b, &c)) {
        // returned non-zero: there has been an overflow
    } else {
        // returned zero: there hasn't been an overflow; c holds a * b
    }
GCC 5+ and Clang 3.8+ additionally offer generic builtins that work without specifying the type of the values: __builtin_add_overflow, __builtin_sub_overflow and __builtin_mul_overflow.
E.g., bool __builtin_add_overflow (type1 a, type2 b, type3 *res)
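The binary-search midpoint from the earlier slide and the malloc(element_size * count) check, worked through in C. This is an added example, not code from the lecture; the function names naive_mid, safe_mid, mul_fits_size_t and checked_alloc_array are assumptions, and the wrapped midpoint is computed in unsigned arithmetic so its value is defined and observable.

```c
#include <limits.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Midpoint as written on the binary-search slide: (low + high) / 2.
 * Signed overflow is undefined behaviour in C, so the addition is done in
 * unsigned arithmetic here, where wrap-around modulo 2^32 is defined and the
 * wrapped value can be observed. (Assumed helper, not from the lecture.) */
int naive_mid(int low, int high) {
    unsigned int sum = (unsigned int)low + (unsigned int)high;  /* wraps */
    return (int)sum / 2;   /* a sum above INT_MAX lands in the negative half */
}

/* Fix from the slide: high - low cannot overflow when both are non-negative,
 * so the midpoint never leaves [low, high]. */
int safe_mid(int low, int high) {
    return low + (high - low) / 2;
}

/* Manual check from the slide for a * b (the UINT_MAX / b test, here on
 * size_t), with the b == 0 case guarded so the division is never by zero. */
bool mul_fits_size_t(size_t a, size_t b) {
    return b == 0 || a <= SIZE_MAX / b;
}

/* malloc(element_size * count) done with the generic GCC 5+/Clang 3.8+
 * builtin: a wrapped (too small) size is refused instead of allocated. */
void *checked_alloc_array(size_t element_size, size_t count) {
    size_t bytes;
    if (__builtin_mul_overflow(element_size, count, &bytes))
        return NULL;        /* element_size * count does not fit in size_t */
    return malloc(bytes);
}

int main(void) {
    int low = 8, high = INT_MAX - 4;
    printf("naive mid = %d (negative: the sum wrapped)\n", naive_mid(low, high));
    printf("safe  mid = %d\n", safe_mid(low, high));
    printf("16 * 1000 fits: %d, SIZE_MAX/2 * 3 fits: %d\n",
           mul_fits_size_t(16, 1000), mul_fits_size_t(SIZE_MAX / 2, 3));
    void *p = checked_alloc_array(SIZE_MAX / 2, 3);
    printf("checked_alloc_array(SIZE_MAX/2, 3) -> %s\n", p ? "allocated" : "NULL");
    free(p);
    return 0;
}
```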

Format String Attacks

Vulnerable code example
Is the following code vulnerable? Why?
    void foo(char* user_provided) {
        printf(user_provided);
    }
Yes. E.g., user_provided can be "%d %d %d %d %d"; this will leak information. Why?

Format String
printf(): prints out a string according to a format.
    int printf(const char *format, ...);
The argument list of printf() consists of:
One concrete argument: format
Zero or more optional arguments
Hence, compilers don't complain if fewer arguments are passed to printf() during invocation.

How printf() accesses optional arguments
(figure) Here, printf() has three optional arguments. Elements starting with % are called format specifiers.
printf() scans the format string and prints out each character until a % is encountered.
printf() then calls va_arg(), which returns the optional argument pointed to by va_list and advances it to the next argument.

How printf() accesses optional arguments
1. When printf() is invoked, the arguments are pushed onto the stack.
2. When it scans and prints the format string, printf() replaces %d with the value from the first optional argument and prints out the value.
3. va_list is then moved to position 2.

Missing Optional Arguments
The va_arg() macro cannot tell whether it has reached the end of the optional argument list. It continues fetching data from the stack and advancing the va_list pointer.

Vulnerable Code
A special form of buffer overflow

What Can We Achieve?
Attack 1: Crash the program
Attack 2: Print out a secret value on the stack
Attack 3: Change the program's data in memory

Attack 1: Crash Program
Use input: %s%s%s%s%s%s%s%s
printf() parses the format string. For each %s, it fetches a value from where va_list points and advances va_list to the next position. Because we gave %s, printf() treats the value as an address and fetches data from that address. If the value is not a valid address, the program crashes.

Attack 2: Print Out Data on the Stack
Suppose a variable on the stack contains a secret (constant) and we need to print it out.
Use user input: %x%x%x%x%x%x%x%x
printf() prints out the integer value pointed to by the va_list pointer and advances it by 4 bytes. The number of %x is decided by the distance between the starting point of the va_list pointer and the variable. It can be found by trial and error.

Attack 3: Change Program's Data in Memory
Goal: change the value of the variable var to some other value.
%n: writes the number of characters printed out so far into memory.
    printf("hello%n", &i);
When printf() gets to %n, it has already printed 5 characters, so it stores 5 to the provided memory address. %n treats the value pointed to by the va_list pointer as a memory address and writes into that location.

Attack 3: Change Program's Data in Memory
Goal: move the va_list pointer to this location and then use %n to store some value. %d is used to advance the va_list pointer.
Q: How many %d are required? %d%d%d%d%n
(stack diagram: var ... 20 bytes ... address of format string, return address)

Countermeasures: Developer
Avoid using untrusted user inputs as format strings in functions like printf, sprintf, fprintf, vprintf, scanf, vfscanf.

Countermeasures: Compiler
Compilers can detect potential format string vulnerabilities. (figure: a program with two printf() calls) We can see that there is a mismatch in the format string. Use two compilers to compile the program: gcc and clang.

Countermeasures: Compiler
With default settings, both compilers gave a warning for the first printf(). No warning was given for the second one.

Countermeasures: Compiler
With the option -Wformat=2, both compilers give warnings for both printf statements, stating that the format string is not a string literal. These warnings only act as reminders to the developers that there is a potential problem; the programs nevertheless compile.
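The vulnerable foo() pattern beside its hardened form, as an added example that is not from the lecture. It writes into buffers so the difference is checkable without printing; the names log_vulnerable, log_safe and directives_were_interpreted and the "discount 50%% off" input are constructed for this example.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern from the lecture's foo(), in the logging-wrapper form it
 * usually hides in: whatever the caller passes first is forwarded as the
 * format, so every '%' in user data is parsed as a directive. Note that a
 * wrapper like this is not checked at all by -Wformat=2 unless it is declared
 * with __attribute__((format(printf, 3, 4))); the slide's direct
 * printf(user_provided) call is what -Wformat=2 flags. */
int log_vulnerable(char *out, size_t n, const char *fmt_from_user, ...) {
    va_list ap;
    va_start(ap, fmt_from_user);
    int written = vsnprintf(out, n, fmt_from_user, ap); /* user bytes drive parsing */
    va_end(ap);
    return written;
}

/* Hardened form from the countermeasures slide: a fixed literal format, user
 * data only ever an argument, so '%' characters are copied through verbatim. */
int log_safe(char *out, size_t n, const char *user_provided) {
    return snprintf(out, n, "%s", user_provided);
}

/* Constructed input: harmless by itself ("%%" is the escape for one '%'), yet
 * enough to show the two paths treating the same bytes differently. */
static const char constructed_input[] = "discount 50%% off";

static char vuln_out[64], safe_out[64];

/* Renders through both paths; true when the vulnerable path altered the user
 * text (directives were interpreted) while the safe path preserved it. */
int directives_were_interpreted(const char *user) {
    log_vulnerable(vuln_out, sizeof vuln_out, user);
    log_safe(safe_out, sizeof safe_out, user);
    return strcmp(vuln_out, user) != 0 && strcmp(safe_out, user) == 0;
}

int main(void) {
    directives_were_interpreted(constructed_input);
    printf("vulnerable: %s\nsafe:       %s\n", vuln_out, safe_out); /* literal formats */
    return 0;
}
```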

Suggestions
Avoid using user-provided format strings; try your best to use fixed, predefined format strings.
GCC can detect mismatches (in type and parameter number) between the directives and the parameters when you use -Wall or -Wformat.

Summary
Integer
Integer Representation
Integer overflow
Format string overflow
Possible attacks
Countermeasures