Software Security: Buffer Overflow Defenses and Miscellaneous

Similar documents
Software Security: Buffer Overflow Attacks

Software Security: Buffer Overflow Defenses

Software Security: Miscellaneous

Software Security: Buffer Overflow Attacks (continued)

Software Security: Misc and Principles

Software Security (cont.): Defenses, Adv. Attacks, & More

Runtime Defenses against Memory Corruption

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

(Continue) Cryptography + (Back to) Software Security

Software Security: Buffer Overflow Attacks and Beyond

Software Security: Buffer Overflow Attacks and Beyond

Software Security: Buffer Overflow Attacks and Beyond

Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin

MEMORY SAFETY ATTACKS & DEFENSES

Outline. Memory Exploit

So$ware Security (II): Buffer- overflow Defenses

CS 161 Computer Security

CSE 565 Computer Security Fall 2018

Software Security II: Memory Errors - Attacks & Defenses

Software Security; Common Implementation Flaws

Lecture 08 Control-flow Hijacking Defenses

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Fundamentals of Computer Security

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

CS 161 Computer Security

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Cryptography [Symmetric Encryption]

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Control Hijacking: Defenses

UMSSIA LECTURE I: SOFTWARE SECURITY

Lecture 4 September Required reading materials for this class

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)

Memory Safety (cont d) Software Security

CS 361S - Network Security and Privacy Spring Homework #2

Required reading: StackGuard: Simple Stack Smash Protection for GCC

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

Return-orientated Programming

CSE 565 Computer Security Fall 2018

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

CNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

CSE 509: Computer Security

Cryptography: Symmetric Encryption [continued]

CMPSC 497 Buffer Overflow Vulnerabilities

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Control Hijacking Attacks

Outline. Format string attack layout. Null pointer dereference

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Defeat Exploit Mitigation Heap Attacks. compass-security.com 1

Program Security and Vulnerabilities Class 2

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Secure Software Development: Theory and Practice

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

20: Exploits and Containment

CSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko

Inject malicious code Call any library functions Modify the original code

1/31/2007 C. Edward Chow. CS591 Page 1

Cryptography: Symmetric Encryption (finish), Hash Functions, Message Authentication Codes

Foundations of Network and Computer Security

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures)

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

Crypto meets Web Security: Certificates and SSL/TLS

Protection. Thierry Sans

Secure Programming I. Steven M. Bellovin September 28,

Smashing the Buffer. Miroslav Štampar

CSE 127 Computer Security

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

CS 161 Computer Security

Page 1. Goals for Today. Buffer Overrun Vulnerabilities. Simple Example. More Serious Exploit Example. Modified Example

Lecture 1: Buffer Overflows

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

On The Effectiveness of Address-Space Randomization. H. Shacham, M. Page, B. Pfaff, E.-J. Goh, N. Modadugu, and D. Boneh Stanford University CCS 2004

Code Injection Attacks Buffer Overflows

Defending Computer Networks Lecture 4: Exploit Defenses. Stuart Staniford Adjunct Professor of Computer Science

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Review

I run a Linux server, so we re secure

Buffer overflow risks have been known for over 30 years. Is it still a problem? Try searching at to see.

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Buffer Overflow Attacks

CS 161 Computer Security

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Web Security: Loose Ends

Outline. Heap meta-data. Non-control data overwrite

CS161 Midterm 1 Review

Secure Programming Lecture 5: Memory Corruption III (Countermeasures)

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2

CSCD 303 Fall Lecture 15 Buffer Overflows

CSE 127 Computer Security

Modern Buffer Overflow Prevention Techniques: How they work and why they don t

CSE 484 / CSE M 584: Computer Security and Privacy. Anonymity Mobile. Autumn Tadayoshi (Yoshi) Kohno

Security and Exploit Mitigation. CMSC Spring 2016 Lawrence Sebald

Computer Security Course. Midterm Review

Memory corruption countermeasures

Cryptography (cont.)

Is Exploitation Over? Bypassing Memory Protections in Windows 7

Transcription:

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses and Miscellaneous Spring 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...

Looking Forward Today: more on software security Friday: guest lecture by Karl Koscher Next week: finish software security, start crypto Reading #1 due Thursday (584M only) Homework #1 due Friday Lab #1 out! Submit your group + public key to the form sent out via email Instructions for creating a key are in the lab description Section this week: Lab 1 4/3/17 CSE 484 / CSE M 584 - Spring 2017 2

Buffer Overflow: Causes and Cures Typical memory exploit involves code injection Put malicious code at a predictable location in memory, usually masquerading as data Trick vulnerable program into passing control to it Possible defenses: 1. Prevent execution of untrusted code 2. Stack canaries 3. Encrypt pointers 4. Address space layout randomization 4/3/17 CSE 484 / CSE M 584 - Spring 2017 3

W-xor-X / DEP Mark all writeable memory locations as nonexecutable Example: Microsoft s Data Execution Prevention (DEP) This blocks (almost) all code injection exploits Hardware support AMD NX bit, Intel XD bit (in post-2004 CPUs) Makes memory page non-executable Widely deployed Windows (since XP SP2), Linux (via PaX patches), OS X (since 10.5) 4/3/17 CSE 484 / CSE M 584 - Spring 2017 4

What Does W-xor-X Not Prevent? Can still corrupt stack or function pointers or critical data on the heap As long as saved EIP points into existing code, W-xor-X protection will not block control transfer This is the basis of return-to-libc exploits Overwrite saved EIP with address of any library routine, arrange stack to look like arguments Does not look like a huge threat Attacker cannot execute arbitrary code 4/3/17 CSE 484 / CSE M 584 - Spring 2017 5

return-to-libc on Steroids Overwritten saved EIP need not point to the beginning of a library routine Any existing instruction in the code image is fine Will execute the sequence starting from this instruction What if instruction sequence contains RET? Execution will be transferred to where? Read the word pointed to by stack pointer (ESP) Guess what? Its value is under attacker s control! Use it as the new value for EIP Now control is transferred to an address of attacker s choice! Increment ESP to point to the next word on the stack 4/3/17 CSE 484 / CSE M 584 - Spring 2017 6

Chaining RETs for Fun and Profit Can chain together sequences ending in RET Krahmer, x86-64 buffer overflow exploits and the borrowed code chunks exploitation technique (2005) What is this good for? Answer [Shacham et al.]: everything Turing-complete language Build gadgets for load-store, arithmetic, logic, control flow, system calls Attack can perform arbitrary computation using no injected code at all return-oriented programming 4/3/17 CSE 484 / CSE M 584 - Spring 2017 7

Return-Oriented Programming 4/3/17 CSE 484 / CSE M 584 - Spring 2017 8

Run-Time Checking: StackGuard Embed canaries (stack cookies) in stack frames and verify their integrity prior to function return Any overflow of local variables will damage the canary buf canary sfp ret addr Frame of the calling function Top of stack Local variables Pointer to previous frame Return execution to this address 4/3/17 CSE 484 / CSE M 584 - Spring 2017 9

Run-Time Checking: StackGuard Embed canaries (stack cookies) in stack frames and verify their integrity prior to function return Any overflow of local variables will damage the canary buf canary sfp ret addr Frame of the calling function Top of stack Local variables Pointer to previous frame Return execution to this address Choose random canary string on program start Attacker can t guess what the value of canary will be Terminator canary: \0, newline, linefeed, EOF String functions like strcpy won t copy beyond \0 4/3/17 CSE 484 / CSE M 584 - Spring 2017 10

StackGuard Implementation StackGuard requires code recompilation Checking canary integrity prior to every function return causes a performance penalty For example, 8% for Apache Web server StackGuard can be defeated A single memory write where the attacker controls both the value and the destination is sufficient 4/3/17 CSE 484 / CSE M 584 - Spring 2017 11

Defeating StackGuard Suppose program contains strcpy(dst,buf) where attacker controls both dst and buf Example: dst is a local pointer variable buf dst canary sfp RET Return execution to this address BadPointer, attack code &RET canary sfp RET Overwrite destination of strcpy with RET position strcpy will copy BadPointer here 4/3/17 CSE 484 / CSE M 584 - Spring 2017 12

PointGuard Attack: overflow a function pointer so that it points to attack code Idea: encrypt all pointers while in memory Generate a random key when program is executed Each pointer is XORed with this key when loaded from memory to registers or stored back into memory Pointers cannot be overflowed while in registers Attacker cannot predict the target program s key Even if pointer is overwritten, after XORing with key it will dereference to a random memory address 4/3/17 CSE 484 / CSE M 584 - Spring 2017 13

[Cowan] Normal Pointer Dereference CPU 1. Fetch pointer value 2. Access data referenced by pointer Memory Pointer 0x1234 Data 0x1234 1. Fetch pointer value CPU 2. Access attack code referenced by corrupted pointer Memory Corrupted pointer 0x1234 0x1340 Data Attack code 0x1234 0x1340 4/3/17 CSE 484 / CSE M 584 - Spring 2017 14

[Cowan] PointGuard Dereference CPU 1. Fetch pointer value Decrypt 0x1234 2. Access data referenced by pointer Memory Encrypted pointer 0x7239 Data 0x1234 1. Fetch pointer value Decrypts to random value Decrypt CPU 0x9786 2. Access random address; segmentation fault and crash Memory Corrupted pointer 0x7239 0x1340 Data Attack code 0x1234 0x1340 0x9786 4/3/17 CSE 484 / CSE M 584 - Spring 2017 15

PointGuard Issues Must be very fast Pointer dereferences are very common Compiler issues Must encrypt and decrypt only pointers If compiler spills registers, unencrypted pointer values end up in memory and can be overwritten there Attacker should not be able to modify the key Store key in its own non-writable memory page PG d code doesn t mix well with normal code What if PG d code needs to pass a pointer to OS kernel? 4/3/17 CSE 484 / CSE M 584 - Spring 2017 16

ASLR: Address Space Randomization Map shared libraries to a random location in process memory Attacker does not know addresses of executable code Deployment (examples) Windows Vista: 8 bits of randomness for DLLs Linux (via PaX): 16 bits of randomness for libraries Even Android More effective on 64-bit architectures Other randomization methods Randomize system call ids or instruction set 4/3/17 CSE 484 / CSE M 584 - Spring 2017 17

Example: ASLR in Vista Booting Vista twice loads libraries into different locations: 4/3/17 CSE 484 / CSE M 584 - Spring 2017 18

ASLR Issues NOP slides and heap spraying to increase likelihood for custom code (e.g. on heap) Brute force attacks or memory disclosures to map out memory on the fly Disclosing a single address can reveal the location of all code within a library 4/3/17 CSE 484 / CSE M 584 - Spring 2017 19

Other Possible Solutions Use safe programming languages, e.g., Java What about legacy C code? (Though Java doesn t magically fix all security issues J) Static analysis of source code to find overflows Dynamic testing: fuzzing LibSafe: dynamically loaded library that intercepts calls to unsafe C functions and checks that there s enough space before doing copies Also doesn t prevent everything 4/3/17 CSE 484 / CSE M 584 - Spring 2017 20

Beyond Buffer Overflows 4/3/17 CSE 484 / CSE M 584 - Spring 2017 21

Another Type of Vulnerability Consider this code: int openfile(char *path) { struct stat s; if (stat(path, &s) < 0) return -1; if (!S_ISRREG(s.st_mode)) { error("only allowed to regular files!"); return -1; } return open(path, O_RDONLY); } Goal: Open only regular files (not symlink, etc) What can go wrong? 4/3/17 CSE 484 / CSE M 584 - Spring 2017 22

TOCTOU (Race Condition) TOCTOU == Time of Check to Time of Use: int openfile(char *path) { struct stat s; if (stat(path, &s) < 0) return -1; if (!S_ISRREG(s.st_mode)) { error("only allowed to regular files!"); return -1; } return open(path, O_RDONLY); } Goal: Open only regular files (not symlink, etc) Attacker can change meaning of path between stat and open (and access files he or she shouldn t) 4/3/17 CSE 484 / CSE M 584 - Spring 2017 23

Another Type of Vulnerability Consider this code: char buf[80]; void vulnerable() { int len = read_int_from_network(); char *p = read_string_from_network(); if (len > sizeof buf) { error("length too large, nice try!"); return; } memcpy(buf, p, len); } void *memcpy(void *dst, const void * src, size_t n); typedef unsigned int size_t; 4/3/17 CSE 484 / CSE M 584 - Spring 2017 24

Integer Overflow and Implicit Cast Consider this code: char buf[80]; void vulnerable() { int len = read_int_from_network(); char *p = read_string_from_network(); if (len > sizeof buf) { error("length too large, nice try!"); return; } memcpy(buf, p, len); } void *memcpy(void *dst, const void * src, size_t n); typedef unsigned int size_t; If len is negative, may copy huge amounts of input into buf. 4/3/17 CSE 484 / CSE M 584 - Spring 2017 25

Another Example size_t len = read_int_from_network(); char *buf; buf = malloc(len+5); read(fd, buf, len); (from www-inst.eecs.berkeley.edu implflaws.pdf) 4/3/17 CSE 484 / CSE M 584 - Spring 2017 26

Integer Overflow and Implicit Cast size_t len = read_int_from_network(); char *buf; buf = malloc(len+5); read(fd, buf, len); What if len is large (e.g., len = 0xFFFFFFFF)? Then len + 5 = 4 (on many platforms) Result: Allocate a 4-byte buffer, then read a lot of data into that buffer. (from www-inst.eecs.berkeley.edu implflaws.pdf) 4/3/17 CSE 484 / CSE M 584 - Spring 2017 27

Password Checker Functional requirements PwdCheck(RealPwd, CandidatePwd) should: Return TRUE if RealPwd matches CandidatePwd Return FALSE otherwise RealPwd and CandidatePwd are both 8 characters long Implementation (like TENEX system) PwdCheck(RealPwd, CandidatePwd) // both 8 chars for i = 1 to 8 do if (RealPwd[i]!= CandidatePwd[i]) then return FALSE return TRUE Clearly meets functional description 4/3/17 CSE 484 / CSE M 584 - Spring 2017 28

Attacker Model PwdCheck(RealPwd, CandidatePwd) // both 8 chars for i = 1 to 8 do if (RealPwd[i]!= CandidatePwd[i]) then return FALSE return TRUE Attacker can guess CandidatePwds through some standard interface Naive: Try all 256 8 = 18,446,744,073,709,551,616 possibilities Better: Time how long it takes to reject a CandidatePasswd. Then try all possibilities for first character, then second, then third,... Total tries: 256*8 = 2048 4/3/17 CSE 484 / CSE M 584 - Spring 2017 29

Timing Attacks Assume there are no typical bugs in the software No buffer overflow bugs No format string vulnerabilities Good choice of randomness Good design The software may still be vulnerable to timing attacks Software exhibits input-dependent timings Complex and hard to fully protect against 4/3/17 CSE 484 / CSE M 584 - Spring 2017 30

Other Examples Plenty of other examples of timings attacks AES cache misses AES is the Advanced Encryption Standard It is used in SSH, SSL, IPsec, PGP,... RSA exponentiation time RSA is a famous public-key encryption scheme It s also used in many cryptographic protocols and products 4/3/17 CSE 484 / CSE M 584 - Spring 2017 31

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback