Lecture 4 September Required reading materials for this class

Similar documents
CSE 565 Computer Security Fall 2018

CSE 509: Computer Security

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Software Security: Buffer Overflow Defenses

Secure Programming I. Steven M. Bellovin September 28,

CS 161 Computer Security

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Foundations of Network and Computer Security

Buffer overflow background

CS 161 Computer Security

Sandboxing Untrusted Code: Software-Based Fault Isolation (SFI)

Runtime Defenses against Memory Corruption

Program Security and Vulnerabilities Class 2

Basic Buffer Overflows

Software Security: Buffer Overflow Attacks

CSE 565 Computer Security Fall 2018

Week 5, continued. This is CS50. Harvard University. Fall Cheng Gong

Lecture 1: Buffer Overflows

CMPSC 497 Buffer Overflow Vulnerabilities

Secure Software Development: Theory and Practice

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

CS 161 Computer Security

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

Last week. Data on the stack is allocated automatically when we do a function call, and removed when we return

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Language Security. Lecture 40

Memory Safety (cont d) Software Security

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

Buffer Overflows Defending against arbitrary code insertion and execution

Fundamentals of Computer Security

Memory Corruption 101 From Primitives to Exploit

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM

Software Security; Common Implementation Flaws

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

typedef void (*type_fp)(void); int a(char *s) { type_fp hf = (type_fp)(&happy_function); char buf[16]; strncpy(buf, s, 18); (*hf)(); return 0; }

One-Slide Summary. Lecture Outline. Language Security

(Early) Memory Corruption Attacks

Software Security: Buffer Overflow Attacks (continued)

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

Hacking in C. Pointers. Radboud University, Nijmegen, The Netherlands. Spring 2019

Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

System Security Class Notes 09/23/2013

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Modern Buffer Overflow Prevention Techniques: How they work and why they don t

Control Flow Hijacking Attacks. Prof. Dr. Michael Backes

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Sample slides and handout

PRESENTED BY: SANTOSH SANGUMANI & SHARAN NARANG

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e Feb 11, 13, 15, and 25. Winter Session 2018, Term 2

Limitations of the stack

ENEE 457: Computer Systems Security. Lecture 16 Buffer Overflow Attacks

Software Vulnerabilities. Jeff Foster University of Maryland, College Park

Malloc Lab & Midterm Solutions. Recitation 11: Tuesday: 11/08/2016

CS 31: Intro to Systems Pointers and Memory. Kevin Webb Swarthmore College October 2, 2018

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

ISA564 SECURITY LAB. Code Injection Attacks

CS 161 Computer Security

Stack Overflow COMP620

Lecture 9 Assertions and Error Handling CS240

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

CS 31: Intro to Systems Pointers and Memory. Martin Gagne Swarthmore College February 16, 2016

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

Code with red border means vulnerable code. Code with green border means corrected code. This program asks the user for a password with the function

Intrusion Detection and Malware Analysis

20: Exploits and Containment

How to Break Software by James Whittaker

SoK: Eternal War in Memory

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

A program execution is memory safe so long as memory access errors never occur:

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Bypassing Browser Memory Protections

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

Buffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

Memory Corruption Vulnerabilities, Part II

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

UMSSIA LECTURE I: SOFTWARE SECURITY

COMP3441 Lecture 7: Software Vulnerabilities

We will focus on Buffer overflow attacks SQL injections. See book for other examples

BUFFER OVERFLOW. Jo, Heeseung

Buffer Overflow. Jo, Heeseung

Is stack overflow still a problem?

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

NET 311 INFORMATION SECURITY

Run-time Environments

Run-time Environments

A brief introduction to C programming for Java programmers

Lecture 07 Heap control data. Stephen Checkoway University of Illinois at Chicago

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I Solutions

Smashing the Buffer. Miroslav Štampar

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

Plan for Today. Safe Programming Languages. What is a secure programming language?

Transcription:

EECS 261: Computer Security Fall 2007 Lecture 4 September 6 Lecturer: David Wagner Scribe: DK Moon 4.1 Required reading materials for this class Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns, Pincus and Baker Exploiting Format String Vulnerabilities Basic Integer Overflows 4.2 Reasons for vulnerabilities The lack of security design Architectural level flaws violating the design principles in Lecture 2 Micro-level implementation bugs (The topic of this lecture)... 4.3 Buffer Overrun Morris worm (1988): the first major Internet worm used the technique State of the art at that time: stack smashing only But, heap smashing is also possible 4.3.1 Stack Smashing By overwriting a return address stored on stack 1 f ( ) { 2 char buf [ 8 0 ], p = buf ; 3 while ( ( p = read from net ( ) )!= \0 ) { 4 ++p ; 5 } 6 } 4-1

Low Address f() Stack Growth buf p sfp ret High Address f() s caller Figure 4.1. an example of Stack smashing. Stack grows from high address. A box with rounded corners represents a function frame. The above code is vulnerable as there s no boundary check in line #3; it will write beyond buf unless null is given in the first 80 bytes. Figure 4.1 depicts the memory layout. An attacker can jump to wherever she wants by overflowing buf until overwriting the return address; when returning from f(), CPU will see the modified return address, pops the frame, and jumps to the address an attacker specified. In addition, an attacker can also put code into memory (i.e. in buf). So, an attacker can inject code and jump to the code. 4.3.2 Heap Smashing For long time, people thought buffer overrun doesn t work for heap allocated buffer. However.. At least, an attacker can crash a process by corrupting heap. An attacker can run arbitrary code she wants by keep overflowing heap-allocated buffer until overwriting a heap-allocated function pointer. This gives a control to an attacker not immediately, but after the overwritten function pointer is dereferenced. Figure 4.2 shows this scenario. Note that it s possible to calculate how many bytes to overflow if we can use some determinism: e.g. a vulnerable code is deterministic. Low heap address target buffer... offset High heap address function pointer Figure 4.2. an example of Heap smashing. An attack can get a control by overwriting a function pointer on heap. She needs to overflow as many bytes as the offset; it s possible to calculate the offset when a process bases on determinism. A more sophisticated attack: an attacker can write any value to any location by overwriting a heap control block used by malloc() and free(); malloc() prepends a heap control block, like Figure 4.3, to maintain doubly-linked memory chunks. On freeing header, free() adjusts link pointers in a heap control block like this: header next prev = header prev 4-2

Suppose that an attacker did overflow to fill some value, V, into header prev and some address, A, into header next. Now, calling free() results in (A + C) = V, where C is the constant offset of prev. This lets an attacker write any value to arbitrary location. So, she can change return address, jump to malicious code, overwrite function pointer, and so on. prev next app uses this portion prev next app uses this portion prev next app uses this portion Figure 4.3. malloc() prepends header control blocks(shaded in the figure), which contain doubly-linked-list, to maintain memory chunks. Why do we more worry about an attack for full control than a crash? Whole control gives more options (including crashes). Crashes are noticeable. Compromising a superuser-privileged process such as sshd means that a whole host is on an attacker s hand. Buffer overrun is really common and easy to exploit. Saying like it s very hard to exploit because an attacker should know every detail of program s behavior. So, it will give only limited control is a totally wrong idea. There are tons of clever guys, and even a single-byte buffer overflow can cause significant impacts like changing frame pointer. We better assume all buffer overrun vulnerabilities exploitable and fix them right a way. 4.4 Format string vulnerabilities 1 f ( ) { 2 char buf [ 5 1 2 ] ; 3 read ( netfd, buf, sizeof ( buf ) ) ; 4 p r i n t f ( buf ) ; // buggy! 5 } This code is buggy. The line #4 should have been printf( %s, buf). If a string supplied by an attacker contains %d%d%d%d%d..., printf() is going to look for arguments on stack, which don t exist there. printf() has an internal pointer to look for format arguments on stack. For example, it expects 4-byte integer pointed by the pointer and increment the pointer by 4 bytes, when it 4-3

encounters a format specifier %d in a format string. Figure 4.4 shows the call stack of the above code snippet. The internal pointer, p, reads and moves beyond printf() s stack frame because there is no corresponding format argument on the stack. Therefore, we can move the pointer to the stack location storing f() s return address by multiple %d s. (something like %100d can be used to reduce many %d s.) And, we can also read the adress value by %x. internal pointer,p, for next format argument... local variables ret format string buf ret printf() s stack frame f() s stack frame Figure 4.4. printf() has an internal pointer to seek for format arguments. We can move the pointer toward f() s ret by using format specifiers Worse, an attacker can also write. And she can specify both an address and a value to write! Specifying an address: An attacker can also write by %n. Basically, %n writes the number of printed characters so far into a given address. An attacker can supply a target address in buf, then %n touches the address. Specifying a value: A returned value by %n is usually small as we do not write such many characters. So, 4-byte value is created by concatenating four 1-byte values. For example, we can write 4-byte value into A by using four %n s with overlapping addresses (A + 0), (A + 1), (A + 2), and (A + 3) (works for little endian machines). 4.5 Double free vulnerability This causes heap corruption by calling f ree() twice with the same argument. Either a crash or taking over a control. 4.6 Integer overflow It occurs when down-casting or up-casting between integer variables of different sizes. This can cause buffer overrun when overflowed or underflowed integer is used as a buffer index. Then, How to prevent integer overflows? Checking integer arithmetics every time (e.g. C#) Not allowing implicit type castings 4-4

Using big integers: (e.g LISP, SmallTalk, and so on): Downside: performance trade-off; malicious user can pick numbers to hurt performance Supporting range types and making sure all arithmetic results always reside in the range (e.g. int [0-512]) 4.7 Memory Safety Vulnerabilities so far violates the memory safety: writing outside the range of an object, violating the stack integrity, violating the integrity of a control flow,... Violations of memory safety are pretty sure indications of security holes. Memory-safe languages prevent these violations by defining language semantics. (e.g. all array should be bounce-checked) All strongly type-safe languages are memory safe. For example, java, C#, LISP, Scheme, ML, etc. So, we can use a memory-safe language when writing a security critical program. Then, why still C is widely used? low-level control. e.g. memory mapped i/o performance many legacy programs and libs are in C everybody knows C easy integration: a lot of system interfaces are in c/c++ 4.8 Command Injection Vulnerabilities It usually pops up when control and data interleave in the same channel. For example, format string vulnerabilities are due to mixing control and data; we expect data from user, but an attacker gives a control. Type checking doesn t help here. So, even memory-safe languages are under risk, too. Shell meta character injection:e.g. system( mail + $addr) : a user can use semicolon SQL injection: select from users where name = $username : username can be another SQL query. username can contain a semicolon. How can we prevent these command injection vulnerabilities? 4-5

sanitization by the whitelist of characters do not use string, but use object type (e.g. passing SQL parse tree rather than using string concatenation or something Lesson from pay-phone story: separate control and data channel! 4-6

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback