CSCE 548 Building Secure Software Integers & Integer-related Attacks & Format String Attacks Professor Lisa Luo Spring 2018
Previous Class Buffer overflows can be devastating It occurs when the access to a buffer is out of the bounds of the buffer The out-of-bound access can be read or write: overread (leak info); overwrite (manipulate memory content) The system has done a lot for us (but it is insufficient) Canary DEP (Data ExecutionPrevention) ASLR (Address Space Layout Randomization) What you should do Always enforce bounds checking in your code Use snprintf/strlcpy/strlcat in your code (Do not use strncpy) 2
Outline Integer Integer Representation Integer-related attacks Format string attacks 3
An example In binary search, m = (low + high) /2 This contains an integer overflow vulnerability E.g., low = 8; high = INT_MAX 4 You expect m = (INT_MAX + 4) / 2 But the real value you get is m = (INT_MIN + 3) / 2 You will find out the reason and the solution 4
Integer Representation: Two s Complement The two s complement form of a negative integer is created by adding one to the one s complement representation. How -41 is expressed in two s complement notation: 41 0 0 1 0 1 0 0 1 0 0 1 0 1 0 0 1-41 1 1 0 1 0 1 1 0 + 1 = 1 1 0 1 0 1 1 1 Write the binary representation of its absolute value Flip its bits Add one 5
n bits: n 2 1 If the variable is signed, the highest bit represents whether it is positive or negative If the variable is unsigned, all the bits represent the value of the variable 6
Unsigned Integers Unsigned integer values range from zero to a maximum that depends on the size of the type This maximum value can be calculated as 2 n -1, where n is the number of bits used to represent the unsigned type. 7
Unsigned Integer Representation UINT_MAX two s complement 8
Signed Integers Signed integers are used to represent positive and negative values. On a computer using two s complement arithmetic, a signed integer ranges from -2 n-1 through 2 n-1-1. 9
Signed Integer Representation INT_MIN INT_MAX 10
Integer Overflow Examples CIS 4360 Secure Computer 11
Vulnerability due to Integer Overflows Even an operation as simple as a + b and a*b may lead to integer overflows, and may be exploitable E.g., malloc(element_size * count); 12
Mitigation Checking unsigned int a, unsigned int b; if(a <= UINT_MAX - b) malloc(a + b); if(a <= UINT_MAX / b) malloc(a * b); Avoiding int a, b; ; int m = (a + b) / 2; // assume both a and b are positive m = a + (b - a) / 2; 13
Mitigation Use GCC s built-in overflow detection functions builtin_[us](operation)(l?l?)_overflow unsigned long a, b, c; // mul means multiplication; l means long if ( builtin_umull_overflow(a, b, &c)) { // returned non-zero: there has been an overflow } else { // return zero: there hasn't been an overflow } GCC 5+ and Clang 3.8+ additionally offer generic builtins that work without specifying the type of the values: builtin_add_overflow, builtin_sub_overflow and builtin_mul_overflow E.g., bool builtin_add_overflow (type1 a, type2 b, type3 *res) 14
Format String Attacks 15
Vulnerable code example Is the following code vulnerable? Why? void foo(char* user_provided) { printf(user_provided); } Yes. E.g., user_provided can be %d %d %d %d %d ; this will leak information Why? 16
Format String printf(): To print out a string according to a format. int printf(const char *format, ); The argument list of printf()consists of : One concrete argument format Zero or more optional arguments Hence, compilers don t complain if less arguments are passed to printf() during invocation. 17
How printf()access optional arguments Here, printf() has three optional arguments. Elements starting with % are called format specifiers. printf() scans the format string and prints out each character until % is encountered. printf() calls va_arg(), which returns the optional argument pointed by va_list and advances it to the next argument.
How printf()access optional arguments 1. When printf() is invoked, the arguments are pushed onto the stack. 2. When it scans and prints the format string, printf() replaces %d with the value from the first optional argument and prints out the value. 3. va_list is then moved to the position 2.
Missing Optional Arguments va_arg() macro doesn t understand if it reached the end of the optional argument list. It continues fetching data from the stack and advancing va_list pointer.
Vulnerable Code A special form of buffer overflow
What Can We Achieve? Attack 1: Crash program Attack 2: Print out secret value on the stack Attack 3: Change the program s data in the memory
Attack 1 : Crash Program Use input: %s%s%s%s%s%s%s%s printf() parses the format string. For each %s, it fetches a value where va_list points to and advances va_list to the next position. As we give %s, printf() treats the value as address and fetches data from that address. If the value is not a valid address, the program crashes.
Attack 2 : Print Out Data on the Stack Suppose a variable on the stack contains a secret (constant) and we need to print it out. Use user input: %x%x%x%x%x%x%x%x printf() prints out the integer value pointed by va_list pointer and advances it by 4 bytes. Number of %x is decided by the distance between the starting point of the va_list pointer and the variable. It can be achieved by trial and error.
Attack 3 : Change Program s Data in the Memory Goal: change the value of var variable to some other value. %n: Writes the number of characters printed out so far into memory. printf( hello%n,&i) When printf() gets to %n, it has already printed 5 characters, so it stores 5 to the provided memory address. %n treats the value pointed by the va_list pointer as a memory address and writes into that location.
Attack 3 : Change Program s Data in the Memory Goal: To move the va_list pointer to this location and then use %n to store some value. %d is used to advance the va_list pointer. Q: How many %d are required? %d%d%d%d%n var... 20 bytes Address of format string Return address
Countermeasures: Developer Avoid using untrusted user inputs for format strings in functions like printf, sprintf, fprintf, vprintf, scanf, vfscanf.
Countermeasures: Compiler Compilers can detect potential format string vulnerabilities We can see that there is a mismatch in the format string. Use two compilers to compile the program: gcc and clang.
Countermeasures: Compiler With default settings, both compilers gave warning for the first printf(). No warning was given out for the second one.
Countermeasures: Compiler On giving an option -wformat=2, both compilers give warnings for both printf statements stating that the format string is not a string literal. These warnings just act as reminders to the developers that there is a potential problem but nevertheless compile the programs.
Suggestions Avoid using user-provided format string; try your best to use fixed predefined format string GCC can detect the mismatch (in terms of type and parameter number) between the directives and parameters when you use -Wall or Wformat 31
Summary Integer Integer Representation Integer overflow Format string overflow Possible attacks Countermeasures 32