Secure Programming Lecture 4: Memory Corruption II (Stack & Heap Overflows)

Similar documents
putting m bytes into a buffer of size n, for m>n corrupts the surrounding memory check size of data before/when writing

Secure Programming Lecture 4: Memory Corruption II (Stack & Heap Overflows)

putting m bytes into a buffer of size n, for m>n corrupts the surrounding memory check size of data before/when writing

Is stack overflow still a problem?

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities

Università Ca Foscari Venezia

Buffer Overflow Vulnerability

Buffer Overflow Vulnerability Lab Due: September 06, 2018, Thursday (Noon) Submit your lab report through to

CSC 405 Computer Security Shellcode

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

Memory Corruption 101 From Primitives to Exploit

CNIT 127: Exploit Development. Ch 3: Shellcode. Updated

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

Secure Coding in C and C++ Dynamic Memory Management Lecture 5 Jan 29, 2013

Secure Coding in C and C++

malloc() is often used to allocate chunk of memory dynamically from the heap region. Each chunk contains a header and free space (the buffer in which

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures)

buffer overflow exploitation

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

Memory corruption countermeasures

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

Buffer overflow background

Basic Buffer Overflows

Control Hijacking Attacks

Lecture 04 Control Flow II. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Based on Michael Bailey s ECE 422

CSE 509: Computer Security

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

Secure Software Programming and Vulnerability Analysis

Buffer Overflow Attack

ECS 153 Discussion Section. April 6, 2015

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Buffer overflow prevention, and other attacks

Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

Buffer Overflow Vulnerability Lab

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Lecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall Nitesh Saxena

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

1 Recommended Readings

CS 161 Computer Security

Data Structures and Algorithms for Engineers

Practical Malware Analysis

CS 392/681 Lab 6 Experiencing Buffer Overflows and Format String Vulnerabilities

Foundations of Network and Computer Security

Foundations of Network and Computer Security

CSE / / 60567: Computer Security. Software Security 4

CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

Buffer-Overflow Attacks on the Stack

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

Lecture 4 September Required reading materials for this class

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

SYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14

CSE 127 Computer Security

CS 5513 Entry Quiz. Systems Programming (CS2213/CS3423))

Secure Programming Lecture 5: Memory Corruption III (Countermeasures)

Lecture 10 Return-oriented programming. Stephen Checkoway University of Illinois at Chicago Based on slides by Bailey, Brumley, and Miller

Buffer Overflows Defending against arbitrary code insertion and execution

CNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated

Week 5, continued. This is CS50. Harvard University. Fall Cheng Gong

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

CMPSC 497 Buffer Overflow Vulnerabilities

Lecture 08 Control-flow Hijacking Defenses

Shell Code For Beginners

Biography. Background

Intro to x86 Binaries. From ASM to exploit

1 Lab Overview. 2 Resources Required. CSC 666 Lab #11 Buffer Overflow November 29, 2012

CSC 405 Computer Security Stack Canaries & ASLR

CS4264 Programming Assignment 1 Buffer Overflow Vulnerability Due 02/21/2018 at 5:00 PM EST Submit through CANVAS

Outline. Memory Exploit

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Buffer overflow risks have been known for over 30 years. Is it still a problem? Try searching at to see.

CS 537 Lecture 2 - Processes

ISA564 SECURITY LAB. Shellcode. George Mason University

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

Heap Off by 1 Overflow Illustrated. Eric Conrad October 2007

Intrusion Detection and Malware Analysis

Buffer-Overflow Attacks on the Stack

My malloc: mylloc and mhysa. Johan Montelius HT2016

Advanced Buffer Overflow

Stack overflow exploitation

Class Information ANNOUCEMENTS

CYSE 411/AIT681 Secure Software Engineering Topic #8. Secure Coding: Pointer Subterfuge

CYSE 411/AIT681 Secure Software Engineering Topic #12. Secure Coding: Formatted Output

2/9/18. CYSE 411/AIT681 Secure Software Engineering. Readings. Secure Coding. This lecture: String management Pointer Subterfuge

Buffer overflows & friends CS642: Computer Security

Lecture 8 Dynamic Memory Allocation

From Over ow to Shell

CSE 127 Computer Security

Secure Coding Topics. Readings. CYSE 411/AIT681 Secure Software Engineering. Pointer Subterfuge. Outline. Data Locations (cont d) Data Locations

Secure Coding Topics. CYSE 411/AIT681 Secure Software Engineering. Readings. Outline. This lecture: Topic #8. Secure Coding: Pointer Subterfuge

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

CS24: INTRODUCTION TO COMPUTING SYSTEMS. Spring 2017 Lecture 7

CSC369 Lecture 2. Larry Zhang

Transcription:

Secure Programming Lecture 4: Memory Corruption II (Stack & Heap Overflows) David Aspinall, Informatics @ Edinburgh 25th January 2018

Memory corruption Buffer overflow is a common vulnerability. Simple cause: putting m bytes into a buffer of size n, for m>n corrupts the surrounding memory Simple fix: check size of data before/when writing Overflow exploits, where corruption performs something specific the attacker wants, can be very complex. We ll study simple examples to explain how devastating overflows can be, starting with simple stack overflows and heap overflows. Examples will use Linux/x86 to demonstrate; principles are similar on other OSes/architectures.

Outline Stack variable corruption Executable code exploits Shellcode Redirecting execution Heap overflows Specific heap attacks General heap attacks Summary

How the stack works (reminder) high addresses Stack (frames). Data low addresses Code Memory

Corrupting stack variables Local variables are put close together on the stack. If a stray write goes beyond the size of one variable... it can corrupt another

Application scenario int authenticate(char *username, char *password) { } int authenticated; // flag, non-zero if authenticated char buffer[1024]; // buffer for username authenticated = verify_password(username, password); if (authenticated == 0) { sprintf(buffer, "Incorrect password for user %s\n", username); log("%s",buffer); } return authenticated; Vulnerability in authenticate() call to sprintf(). If the username is longer than 995 bytes, data will be written past the end of the buffer.

Possible stack frame before exploit... password: 0x080B8888 1235 username: 0x080B4444 AAAAAA... saved EIP (return addr) saved EBP (frame ptr) authenticated: 0x00000000 buffer[1024] (undefined contents) buffer start addr...

Stack frame after exploit password: 0x080B8888 1235 username: 0x080B4444 AAAAAA... saved EIP (return addr) saved EBP (frame ptr) authenticated: 0x0000000A AAAA buffer. AAAA buffer start addr If username is >995 letters long, authenticated is corrupted and may be set to non-zero. E.g., char 1024= \n, the low byte becomes 10.

Local variable corruption remarks Tricky in practice: location of variables may not be known memory addresses can vary between invocations C standards don t specify stack layout compiler moves things around, optimises layout effect depends on behaviour of application code A more predictable, general attack works by corrupting the fixed information in every stack frame: the frame pointer and return address.

Outline Stack variable corruption Executable code exploits Shellcode Redirecting execution Heap overflows Specific heap attacks General heap attacks Summary

Stack overflow exploit. return address. attack code. buffer The malicious argument overwrites all of the space allocated for the buffer, all the way to the return address location. The return address is altered to point back into the stack, somewhere before the attack code. Typically, the attack code executes a shell..

Attacker controlled execution By over-writing the return address, the attacker may either: 1. set it to point to some known piece of the application code, or code inside a shared library, which achieves something useful, or 2. supply his/her own code somewhere in memory, which may do anything, and arrange to call that. The second option is the most general and powerful. How does it work?

Arbitrary code exploit The attacker takes these steps: 1. store executable code somewhere in memory 2. use stack overflow to direct execution there 3. code does something useful to attacker The attack code is known as shellcode. Typically, it launches a shell or network connection. Shellcode is ideally: small and self-contained position independent free of ASCII NUL (0x00) characters Question. Why?

Arbitrary code exploit 1. store executable code somewhere in memory 2. use stack overflow to re-direct execution there 3. code does something useful to attacker

Outline Stack variable corruption Executable code exploits Shellcode Redirecting execution Heap overflows Specific heap attacks General heap attacks Summary

Building shellcode Consider spawning a shell in Unix. The code looks like this: #include <unistd.h>... char *args[] = { "/bin/sh", NULL }; execve("bin/sh", args, NULL) execve() is part of the Standard C Library, libc it starts a process with the given name and argument list and the environment as the third parameter. We want to write (relocatable) assembly code which does the same thing: constructing the argument lists and then invoking the execve function.

Invoking system calls To execute a library function, the code would need to find the location of the function. for a dynamically loaded library, this requires ensuring it is loaded into memory, negotiating with the linker this would need quite a bit of assembly code It is easier to make a system call directly to the operating system. luckily, execve() is a library call which corresponds exactly to a system call.

Invoking system calls Linux system calls (32 bit x86) operate like this: Store parameters in registers EBX, ECX,... Put the desired system call number into AL Use the interrupt int 128 to trigger the call

Invoking a shell Here is the assembly code for a simple system call invoking a shell: args: arg: main:.section.rodata # data section.long arg # char *["/bin/sh"].long 0 #.string "/bin/sh".text.globl main movl $arg, %ebx movl $args, %ecx movl $0, %edx movl $0xb, %eax int $0x80 # execve("/bin/sh",["/bin/sh"],null) ret

From assembly to shellcode However, this is not yet quite shellcode: it contains hard-wired (absolute) addresses and a data section. Question. How could you turn this into position independent code without separate data?

From assembly to shellcode Moreover, we need to find the binary representation of the instructions (i.e., the compiled code). This will be the data that we can then feed back into our attack.

$ gcc shellcode.s -o shellcode.out $ objdump -d shellcode.out... 080483ed <main>: 80483ed: bb a8 84 04 08 mov $0x80484a8,%ebx 80483f2: b9 a0 84 04 08 mov $0x80484a0,%ecx 80483f7: ba 00 00 00 00 mov $0x0,%edx 80483fc: b8 0b 00 00 00 mov $0xb,%eax 8048401: cd 80 int $0x80 8048403: c3 ret We take the hex op code sequence bb a8 84... etc and encode it as a string (or URL, filename, etc) to feed into the program as malicious input.

Outline Stack variable corruption Executable code exploits Shellcode Redirecting execution Heap overflows Specific heap attacks General heap attacks Summary

Arbitrary code exploit 1. store executable code somewhere in memory 2. use stack overflow to direct execution there 3. code does something useful to attacker Two options: shellcode on stack shellcode in another part of the program data Problem in both cases is : how to find out where the code is?

Attack code on stack: the NOP sled... corrupted ret. addr.. attack code NOP. The exact address of the attack code in the stack is hard to guess. The attacker can increase the chance of success by allowing a range of addresses to work. The overflow uses a NOP sled, which the CPU execution "lands on", before being directed to the attack code. NOP

Attack code elsewhere in memory... password: 0x080B8888 username: 0x080B4444 saved EIP 0x0BADC0DE user-controlled data seeded with executable code saved EBP 0x41414141 authenticated: 0x41414141 AAAA buffer. AAAA buffer start addr Various (intricate) possibilities E.g., modifying function pointers or corrupting caller s saved frame pointer

Outline Stack variable corruption Executable code exploits Shellcode Redirecting execution Heap overflows Specific heap attacks General heap attacks Summary

Heap overflows: overview The heap is the region of memory that a program uses for dynamically allocated data. The runtime or operating system provides memory management for the heap. With explicit memory management, the programmer uses library functions to allocate and deallocate regions of memory.

Memory safety (reminder) Memory safety A programming language or analysis tool is said to enforce memory safety if it ensures that reads and writes stay within clearly defined memory areas, belonging to different parts of the program.

Memory allocation in C malloc(size) tries to allocate a space of size bytes. It returns a pointer to the allocated region... of type void* which the programmer can cast to the desired pointer type or it fails and returns a NULL pointer The memory is uninitialised so should be written before being read from Question. Which points above contribute to (memory) unsafe behaviour in C?

Memory allocation in C calloc(size) behaves like malloc(size) but it also initialises the memory, clearing it to zeroes. Question. Suppose we allocate a string buffer, and immediately assign the empty string to it. What security reason may there be to prefer calloc() over malloc()?

Memory allocation in C free(ptr) frees the previously allocated space at ptr. No return value (void) If it fails (ptr a non-allocated value), what happens? if ptr is NULL, nothing undefined otherwise, program may abort, or might carry on and let bad things happen What happens if ptr is dereferenced after being freed? depends on behaviour of allocator Question. Suppose we accidently call free(ptr) before the final dereference of ptr() but before another call to malloc(). Is that safe?

Outline Stack variable corruption Executable code exploits Shellcode Redirecting execution Heap overflows Specific heap attacks General heap attacks Summary

Simple heap variable attack Without memory safety, heap-allocated variables may overflow from one to another. char *user = (char *)malloc(sizeof(char)*8); char *adminuser = (char *)malloc(sizeof(char)*8); strcpy(adminuser, "root"); if (argc > 1) strcpy(user, argv[1]); else strcpy(user, "guest"); /* Now we'll do ordinary operations as "user" and create sensitive system files as "adminuser" */ Is it possible to overflow user and change adminuser?

Simple heap variable attack Problem: how do we know where the allocations will be made? Heap allocator is free to allocate anywhere, not necessarily in adjacent memory Let s investigate what happens on Linux x86, glibc. (for a particular version, on a particular day,... )

Simple heap variable attack #include <stdlib.h> #include <string.h> #include <stdio.h> void main(int argc, char *argv[]) { } char *user = (char *)malloc(sizeof(char)*8); char *adminuser = (char *)malloc(sizeof(char)*8); strcpy(adminuser, "root"); if (argc > 1) strcpy(user, argv[1]); else strcpy(user, "guest"); printf("user is at %p, contains: %s\n", user, user); printf("admin user is at %p, contains: %s\n", adminuser, adminuser);

$ gcc useradminuser.c -o useradminuser.out $./useradminuser.out User is at 0x9504008, contains: guest Admin user is at 0x9504018, contains: root $./useradminuser.out User is at 0x9483008, contains: guest Admin user is at 0x9483018, contains: root $./useradminuser.out frank User is at 0x8654008, contains: frank Admin user is at 0x8654018, contains: root Buffers not adjacent, there s some extra space Addresses not identical each run (next lecture... ) But admin user is stored higher in memory!

Let s try overflowing.... $./useradminuser.out frank...david User is at 0x9405008, contains: frank...david Admin user is at 0x9405018, contains: id

Let s try overflowing.... $./useradminuser.out frank...david User is at 0x9405008, contains: frank...david Admin user is at 0x9405018, contains: id Count more carefully: $./useradminuser.out frank56789abcdefdavid User is at 0x9f0b008, contains: frank56789abcdefdavid Admin user is at 0x9f0b018, contains: david Whoa!

Let s try overflowing.... $./useradminuser.out frank...david User is at 0x9405008, contains: frank...david Admin user is at 0x9405018, contains: id Count more carefully: $./useradminuser.out frank56789abcdefdavid User is at 0x9f0b008, contains: frank56789abcdefdavid Admin user is at 0x9f0b018, contains: david Whoa! Question. Can you think of a way to prevent this attack?

Remarks about heap variable attack same kind of attack is possible for (mutable) global variables, which are allocated statically in another memory segment this is an application-specific attack, need to find security-critical path near overflowed variable need to be lucky: overwriting intervening memory might cause crashes later, before the program gets to use the intentionally corrupted data Is there a more generic attack for the heap?

Outline Stack variable corruption Executable code exploits Shellcode Redirecting execution Heap overflows Specific heap attacks General heap attacks Summary

Heap allocator implementation A common heap implementation is to use blocks laid out contiguously in memory, with a free list intermingled. Heap blocks have headers which give information such as: size of previous block size of this block flags, e.g., in-use flag if not in use, pointers to next/previous free block The doubly-linked free list makes finding spare memory fast for the malloc() operation.

Heap allocator implementation typedef struct mallocblock { struct mallocblock *next; struct mallocblock *prev; int prevsize; int thissize; int freeflag; // malloc space follows the header } mallocblock_t; If freeflag is non-zero, the block is in the freelist Allocator will split blocks and coalesce them again

General heap overflow attack Rough idea: Coalescing blocks unlinks them from the free list Attacker makes unlink() do an arbitrary write! uses overflow to set next and previous and set flags to indicate free unlink() then performs write

Unlinking operation void unlink(mallocblock_t *element) { mallocblock_t *mynext = element->next; mallocblock_t *myprev = element->prev; } mynext->prev = myprev; myprev->next = mynext; performs two (related) word writes mynext->prev= *mynext+2, myprev->next=*myprev attacker arranges at least one of these to be useful Exercise. Check you understand this: draw a picture of a doubly linked list and explain how the attacker can make an arbitrary write.

Writing to arbitrary locations What locations might the attacker choose? Global Offset Table (GOT) used to link ELF-format binaries. Allows arbitrary locations to be called instead of a library call. Exit handlers used in Unix for return from main(). Lock pointers or exception handlers stored in the Windows Process Environment Block (PEB) Application-level function pointers (e.g. C++ virtual member tables). The details are intricate, but library exploits and tookits are available (e.g., Metasploit).

Heap spraying and browser exploits Apart from operating system (C code) memory management, other application runtimes provide memory allocation features, which may be accessible to an attacker. A particular case is in browser-based exploits which have made use of heaps for managed runtimes such as JavaScript, VBScript, Flash, HTML5. Writing shell code to predictable heap locations is sometimes called heap spraying. This is simple in concept: string variables manipulated in scripts are allocated in a heap.

Outline Stack variable corruption Executable code exploits Shellcode Redirecting execution Heap overflows Specific heap attacks General heap attacks Summary

Review questions Stack overflows Explain how uncontrolled memory writing can let an attacker corrupt the value of local variables. Explain how an attacker can exploit a stack overflow to execute arbitrary code. Draw an stack during a stack overflow attack with a NOP sled and shell code, giving addresses Heap overflows Describe the API functions used to interface to heap allocation in C. Give two examples of risky behaviour. Show how overflowing one heap-allocated variable can corrupt a second. Explain how a heap overflow attack can exploit memory allocation routines to allow arbitrary writes.

Coming next We ll looking other kinds of overflow attacks, and the general protection mechanisms mentioned at the start. The best way to understand these attacks is to try them out! We will try out more examples in Lab 2 next week.

References and credits This lecture included examples from: M. Dowd, J. McDonald and J. Schuh. The Art of Software Security Assessment, Addison-Wesley 2007. See the extras page for more pointers.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback