Buffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

Similar documents
Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Buffer Overflow. Jo, Heeseung

BUFFER OVERFLOW. Jo, Heeseung

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM

Buffer overflows. Specific topics:

Sungkyunkwan University

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Machine-Level Programming V: Advanced Topics

Machine-Level Programming V: Buffer overflow

Buffer Overflows. CSE 351 Autumn Instructor: Justin Hsia

Buffer Overflows. CSE 410 Winter Kathryn Chan, Kevin Bi, Ryan Wong, Waylon Huang, Xinyu Sui

Buffer Overflows. CSE 351 Autumn 2018

Machine-level Programs Adv. Topics

Linux Memory Layout The course that gives CMU its Zip! Machine-Level Programming IV: Miscellaneous Topics Sept. 24, Text & Stack Example

CSC 252: Computer Organization Spring 2018: Lecture 9

Machine-Level Programming V: Miscellaneous Topics Sept. 24, 2002

Machine-Level Programming V: Advanced Topics

Machine- Level Programming V: Advanced Topics

Giving credit where credit is due

Buffer Overflows. Buffer Overflow. Many of the following slides are based on those from

Machine-Level Programming V: Advanced Topics

Machine Programming 5: Buffer Overruns and Stack Exploits

Machine-Level Programming V: Advanced Topics

Carnegie Mellon. Bryant and O Hallaron, Computer Systems: A Programmer s Perspective, Third Edition

Today. Machine-Level Programming V: Advanced Topics. x86-64 Linux Memory Layout. Memory Allocation Example. Today. x86-64 Example Addresses

Machine-Level Prog. V Miscellaneous Topics

Today. Machine-Level Programming V: Advanced Topics. x86-64 Linux Memory Layout. Memory Allocation Example. Today. x86-64 Example Addresses

Machine-Level Programming V: Advanced Topics

Computer Systems CEN591(502) Fall 2011

Why do we need Pointers? Call by Value vs. Call by Reference in detail Implementing Arrays Buffer Overflow / The Stack Hack

Machine-Level Programming IV: Structured Data

Machine-Level Prog. V Miscellaneous Topics

CSE 565 Computer Security Fall 2018

Blossom Hands-on exercises for computer forensics and security. Buffer Overflow


Buffer-Overflow Attacks on the Stack

Program Security and Vulnerabilities Class 2

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

Buffer-Overflow Attacks on the Stack

CMPSC 497 Buffer Overflow Vulnerabilities

CS356: Discussion #8 Buffer-Overflow Attacks. Marco Paolieri

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

Fundamentals of Computer Security

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

CSE 509: Computer Security

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

CS241 Computer Organization Spring Buffer Overflow

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

We will focus on Buffer overflow attacks SQL injections. See book for other examples

Buffer Overflow Attack (AskCypert CLaaS)

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Foundations of Computer Systems

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

Secure Programming I. Steven M. Bellovin September 28,

ECS 153 Discussion Section. April 6, 2015

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

Summary. Alexandre David

logistics LEX assignment out exam in on week come with questions on Monday (review)

Lecture 08 Control-flow Hijacking Defenses

Secure Systems Engineering

CS356: Discussion #7 Buffer Overflows. Marco Paolieri

Lecture 4 September Required reading materials for this class

Basic Buffer Overflows

Changelog. Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

Machine- Level Programming V: Advanced Topics

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

Runtime Defenses against Memory Corruption

Virtual Memory. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

Buffer Overflow Attacks

18-600: Recitation #4 Exploits

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

20: Exploits and Containment

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Ethical Hacking: Preventing & Writing Buffer Overflow Exploits

Secure Software Development: Theory and Practice

Buffer Overflows Defending against arbitrary code insertion and execution

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

ISA564 SECURITY LAB. Code Injection Attacks

Introduction Presentation A

Byte Ordering. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

Machine-Level Programming V: Unions and Memory layout

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CPSC 213. Introduction to Computer Systems. Procedures and the Stack. Unit 1e

CSC 405 Computer Security Stack Canaries & ASLR

Lecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall Nitesh Saxena

Control Flow Hijacking Attacks. Prof. Dr. Michael Backes

Software Security II: Memory Errors - Attacks & Defenses

Hackveda Training - Ethical Hacking, Networking & Security

Language Security. Lecture 40

X86 Assembly Buffer Overflow III:1

Carnegie Mellon. Answer: 3

Transcription:

Buffer Overflow Jinkyu Jeong (jinkyu@skku.edu) Computer Systems Laboratory Sungkyunkwan University http://csl.skku.edu SSE2030: Introduction to Computer Systems, Spring 2018, Jinkyu Jeong (jinkyu@skku.edu)

x86-64/linux Memory Layout Stack Runtime stack (8MB limit) Heap Dynamically allocated as needed When call malloc(), calloc(), new() Data Statically allocated data e.g. global vars, static vars, string constants Text / Shared libraries Executable machine instructions Read-only 0x00007FFFFFFFFFFF 0x400000 Stack Shared Libraries Heap Data Text SSE2030: Introduction to Computer Systems, Spring 2018, Jinkyu Jeong (jinkyu@skku.edu) 2 2 8MB

x86-64 Addresses Example #include <stdio.h> #include <stdlib.h> int g = 1; int main(void) { char *p = malloc(100); printf( main() = %p\n, main); printf( &g = %p\n, &g); printf( &p = %p\n, &p); printf( p = %p\n, p); } 0x7FFFFFFFFFFF Stack Shared Libraries $ gcc Og g mem.c $./a.out main() = 0x4005f6 &g = 0x601048 &p = 0x7fff07b94b70 p = 0x1ece010 0x400000 Heap Data Text SSE2030: Introduction to Computer Systems, Spring 2018, Jinkyu Jeong (jinkyu@skku.edu) 3 3

Vulnerable Buffer Code /* Echo Line */ void echo() { // Way too small! char buf[4]; gets(buf); puts(buf); } int main() { printf( Type: ); echo(); return 0; } $./bufdemo Type:012 012 $./bufdemo Type: 01234567890123456789012 01234567890123456789012 $./bufdemo Type: 012345678901234567890123 Segmentation fault (core dumped) SSE2030: Introduction to Computer Systems, Spring 2018, Jinkyu Jeong (jinkyu@skku.edu) 4 4

String Library Code Implementation of Unix function gets() No way to specify limit on number of characters to read char *gets(char *dest) { // Get string from stdin int c = getc(); char *p = dest; while (c!= EOF && c!= \n ) { *p++ = c; c = getc(); } *p = \0 ; return dest; } Similar problems with other Unix functions strcpy: copies string of arbitrary length scanf / fscanf / sscanf, given %s conversion specification SSE2030: Introduction to Computer Systems, Spring 2018, Jinkyu Jeong (jinkyu@skku.edu) 5 5

Buffer Overflow Disassembly echo(): 00000000004006cf <echo>: 4006cf: 48 83 ec 18 sub $0x18,%rsp 4006d3: 48 89 e7 mov %rsp,%rdi 4006d6: e8 a5 ff ff ff callq 400680 <gets> 4006db: 48 89 e7 mov %rsp,%rdi 4006de: e8 3d fe ff ff callq 400520 <puts@plt> 4006e3: 48 83 c4 18 add $0x18,%rsp 4006e7: c3 retq main():... 4006ec: b8 00 00 00 00 mov $0x0,%eax 4006f1: e8 d9 ff ff ff callq 4006cf <echo> 4006f6: 48 83 c4 08 add $0x8,%rsp... SSE2030: Introduction to Computer Systems, Spring 2018, Jinkyu Jeong (jinkyu@skku.edu) 6 6

Buffer Overflow (1) Before call to gets() Stack Frame for main Return Address (8 bytes) %rip echo: 4006cf: sub $0x18,%rsp 4006d3: mov %rsp,%rdi 4006d6: callq 400680 <gets> 4006db: mov %rsp,%rdi 4006de: callq 400520 <puts@plt> 4006e3: add $0x18,%rsp 4006e7: retq 20 bytes unused [3] [2] [1] [0] buf %rsp main:... 4006ec: mov $0x0,%eax 4006f1: callq 4006cf <echo> 4006f6: add $0x8,%rsp... SSE2030: Introduction to Computer Systems, Spring 2018, Jinkyu Jeong (jinkyu@skku.edu) 7 7

Buffer Overflow (2) Before call to gets() Stack Frame for main 00 00 00 00 00 40 06 f6 %rip echo: 4006cf: sub $0x18,%rsp 4006d3: mov %rsp,%rdi 4006d6: callq 400680 <gets> 4006db: mov %rsp,%rdi 4006de: callq 400520 <puts@plt> 4006e3: add $0x18,%rsp 4006e7: retq 20 bytes unused [3] [2] [1] [0] buf %rsp main:... 4006ec: mov $0x0,%eax 4006f1: callq 4006cf <echo> 4006f6: add $0x8,%rsp... SSE2030: Introduction to Computer Systems, Spring 2018, Jinkyu Jeong (jinkyu@skku.edu) 8 8

Buffer Overflow (3) Overflowed buffer, but did not corrupt state Stack Frame for main 00 00 00 00 00 40 06 f6 00 32 31 30 39 38 37 36 35 34 33 32 31 30 39 38 37 36 35 34 [2] [0] [3] [1] 33 32 31 30 buf %rsp echo: 4006cf: sub $0x18,%rsp 4006d3: mov %rsp,%rdi 4006d6: callq 400680 <gets> 4006db: mov %rsp,%rdi 4006de: callq 400520 <puts@plt> 4006e3: add $0x18,%rsp 4006e7: retq $./bufdemo Type: 01234567890123456789012 01234567890123456789012 SSE2030: Introduction to Computer Systems, Spring 2018, Jinkyu Jeong (jinkyu@skku.edu) 9 9

Buffer Overflow (4) Overflowed buffer, and corrupted return pointer Stack Frame for main 00 00 00 00 00 40 06 00 33 32 31 30 39 38 37 36 35 34 33 32 31 30 39 38 37 36 35 34 [2] [0] [3] [1] 33 32 31 30 buf %rsp echo: 4006cf: sub $0x18,%rsp 4006d3: mov %rsp,%rdi 4006d6: callq 400680 <gets> 4006db: mov %rsp,%rdi 4006de: callq 400520 <puts@plt> 4006e3: add $0x18,%rsp 4006e7: retq $./bufdemo Type: 012345678901234567890123 Segmentation fault (core dumped) SSE2030: Introduction to Computer Systems, Spring 2018, Jinkyu Jeong (jinkyu@skku.edu) 1010

Buffer Overflow Attack Malicious use of buffer overflow Input string contains byte representation of executable code Overwrite return address A with address of buffer B When P() executes ret, will jump to exploit code return address A void P(){ Q();... } void Q() { char buf[64]; gets(buf);... } data written by gets() A à B P stack frame Q stack frame SSE2030: Introduction to Computer Systems, Spring 2018, Jinkyu Jeong (jinkyu@skku.edu) 1111 B pad exploit code Stack after call to gets()

Exploits Using Buffer Overflows Buffer overflow bugs can allow remote machines to execute arbitrary code on victim machines Distressingly common in real programs Programmers keep making the same mistakes L Recent measures make these attacks much more difficult SSE2030: Introduction to Computer Systems, Spring 2018, Jinkyu Jeong (jinkyu@skku.edu) 1212

Internet Worm (1988) Exploited a few vulnerabilities to spread Early versions of the finger server (fingerd) used gets() to read the argument sent by the client: finger kildong@skku.edu Worm attacked fingerd server by sending phony argument: finger exploit-code padding new-return-address exploit code: executed a root shell on the victim machine with a direct TCP connection to the attacker Once on a machine, scanned other machines to attack Invaded ~6000 computers in hours (10% of the Internet) The young author of the worm was prosecuted CERT(Computer Emergency Response Team) formed @ CMU SSE2030: Introduction to Computer Systems, Spring 2018, Jinkyu Jeong (jinkyu@skku.edu) 1313

Worms vs. Viruses Worm: A program that Can run by itself Can propagate a fully working version of itself to other computers Virus: Code that Adds itself to other programs Does not run independently Both are (usually) designed to spread among computers and to wreak havoc SSE2030: Introduction to Computer Systems, Spring 2018, Jinkyu Jeong (jinkyu@skku.edu) 1414

Code Red Worm (2001) History June 18, 2001, Microsoft announces buffer overflow vulnerability in IIS Internet Server July 19, 2001, Over 250,000 machines infected by new virus in 9 hours White house must change its IP address. Pentagon shut down public WWW servers for day Received strings of form GET /default.ida?nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn...nnnnnn NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9 090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801%u9090%u9090%u819 0%u00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0" 400 325 "-" "-" SSE2030: Introduction to Computer Systems, Spring 2018, Jinkyu Jeong (jinkyu@skku.edu) 1515

Code Red Worm (2001) Code Red exploit code Starts 100 threads running Spread self Generate random IP addresses & send attack string Between 1st & 19th of month Denial of service attack to www.whitehouse.gov Send 98,304 packets; sleep for 4-1/2 hours; repeat Between 21st & 27th of month Deface server s home page After waiting 2 hours SSE2030: Introduction to Computer Systems, Spring 2018, Jinkyu Jeong (jinkyu@skku.edu) 1616

Nimda Worm (2001) Five different infection methods Via e-mail Via open network shares Via browsing of compromised web sites Exploitation of various Microsoft IIS 4.0/5.0 directory traversal vulnerabilities Via back doors left behind by the Code Red II and Sadmind/IIS worms One of the most widespread virus/worm SSE2030: Introduction to Computer Systems, Spring 2018, Jinkyu Jeong (jinkyu@skku.edu) 1717

SQL Slammer Worm (2003) History Exploited two buffer overflow bugs in Microsoft s SQL Server and Desktop Engine Infected 75,000 victims within 10 minutes Generate random IP addresses and send itself out to those addresses, slowing down Internet traffic dramatically Jan. 25 nationwide Internet shutdown in South Korea 30 minutes after release SSE2030: Introduction to Computer Systems, Spring 2018, Jinkyu Jeong (jinkyu@skku.edu) 1818

Avoiding Buffer Overflow Use library routines that limit string lengths fgets() instead of gets() strncpy() instead of strcpy() Don t use scanf() with %s conversion specification Use fgets() to read the string Or use %ns where n is a suitable integer /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ fgets(buf, 4, stdin); puts(buf); } SSE2030: Introduction to Computer Systems, Spring 2018, Jinkyu Jeong (jinkyu@skku.edu) 1919

System-Level Protections Randomized stack offsets At start of program, allocate random amount of space on stack Makes it difficult for hacker to predict beginning of inserted code Executable space protection Mark certain areas of memory as non-executable (e.g. stack) Requires hardware assistance: x86-64 added explicit execute permission SSE2030: Introduction to Computer Systems, Spring 2018, Jinkyu Jeong (jinkyu@skku.edu) 2020

Stack Canaries Idea Place special value ( canary ) on stack just beyond buffer Check for corruption before exiting function GCC implementation -fstack-protector (now the default) $./bufdemo bufdemo with -fstack-protector Type:01234567 01234567 $./bufdemo Type: 012345678 012345678 *** stack smashing detected ***:./bufdemo terminated Aborted (core dumped) SSE2030: Introduction to Computer Systems, Spring 2018, Jinkyu Jeong (jinkyu@skku.edu) 2121

Summary Memory layout OS/machine dependent (including kernel version) Basic partitioning: stack, data, text, heap, shared libraries found in most machines Avoiding buffer overflow vulnerability Important to use library routines that limit string lengths Working with strange code Important to analyze nonstandard cases e.g. What happens when stack corrupted due to buffer overflow? Helps to step through with GDB SSE2030: Introduction to Computer Systems, Spring 2018, Jinkyu Jeong (jinkyu@skku.edu) 2222

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback