Detecting and exploiting integer overflows

Similar documents
Using static analysis to detect use-after-free on binary code

MEMORY SAFETY ATTACKS & DEFENSES

CYSE 411/AIT681 Secure Software Engineering Topic #10. Secure Coding: Integer Security

2/9/18. Readings. CYSE 411/AIT681 Secure Software Engineering. Introductory Example. Secure Coding. Vulnerability. Introductory Example.

2/9/18. CYSE 411/AIT681 Secure Software Engineering. Readings. Secure Coding. This lecture: String management Pointer Subterfuge

Static Vulnerability Analysis

CSE 565 Computer Security Fall 2018

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

U23 - Binary Exploitation

World Inside a Computer is Binary

Program Security and Vulnerabilities Class 2

CS 31: Introduction to Computer Systems. 03: Binary Arithmetic January 29

CIS 4360 Secure Computer Systems. Integers

Computer Programming: Skills & Concepts (CP) Strings

Bitwise Data Manipulation. Bitwise operations More on integers

Module: Safe Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

CS 31: Intro to Systems Binary Arithmetic. Kevin Webb Swarthmore College January 26, 2016

CSCE 548 Building Secure Software Integers & Integer-related Attacks & Format String Attacks. Professor Lisa Luo Spring 2018

Reading Assignment. Strings. K.N. King Chapter 13. K.N. King Sections 23.4, Supplementary reading. Harbison & Steele Chapter 12, 13, 14

Groups of two-state devices are used to represent data in a computer. In general, we say the states are either: high/low, on/off, 1/0,...

Implementation Sins. C Language Issues. Adrian Coleșa. October 12, Universitatea Tehnică din Cluj-Napoca Computer Science Department

Required reading: StackGuard: Simple Stack Smash Protection for GCC

Lecture 05 Integer overflow. Stephen Checkoway University of Illinois at Chicago

IntFlow: Integer Error Handling With Information Flow Tracking

Software Security: Buffer Overflow Attacks

Lecture 12 Integers. Computer and Network Security 19th of December Computer Science and Engineering Department

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

Systems Programming and Computer Architecture ( )

How Software Executes

Chapter Two MIPS Arithmetic

Software Security: Buffer Overflow Defenses and Miscellaneous

Software Security: Misc and Principles

Finding 0-days by Using VulnHunt

Identifying and Analyzing Pointer Misuses for Sophisticated Memory-corruption Exploit Diagnosis

Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

SOEN228, Winter Revision 1.2 Date: October 25,

CS 31: Intro to Systems Binary Arithmetic. Martin Gagné Swarthmore College January 24, 2016

Question 4: a. We want to store a binary encoding of the 150 original Pokemon. How many bits do we need to use?

Data III & Integers I

But first, encode deck of cards. Integer Representation. Two possible representations. Two better representations WELLESLEY CS 240 9/8/15

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

Computer Security. Robust and secure programming in C. Marius Minea. 12 October 2017

Programming refresher and intro to C programming

Computer Systems CEN591(502) Fall 2011

Static analysis for exploitable vulnerability detection

Static Analysis methods and tools An industrial study. Pär Emanuelsson Ericsson AB and LiU Prof Ulf Nilsson LiU

data within a computer system are stored in one of 2 physical states (hence the use of binary digits)

Copyright (2004) Purdue Research Foundation. All rights reserved.

EURECOM 6/2/2012 SYSTEM SECURITY Σ

Fundamentals of Computer Security

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

Strings(2) CS 201 String. String Constants. Characters. Strings(1) Initializing and Declaring String. Debzani Deb

Automatically Fixing C Buffer Overflows Using Program Transformations

Binary Arithmetic CS 64: Computer Organization and Design Logic Lecture #2 Fall 2018

Processor. Lecture #2 Number Rep & Intro to C classic components of all computers Control Datapath Memory Input Output

M1 Computers and Data

Representation of Information

A brief introduction to C programming for Java programmers

Information page for written examinations at Linköping University

Time: 8:30-10:00 pm (Arrive at 8:15 pm) Location What to bring:

CNIT 127: Exploit Development. Ch 18: Source Code Auditing. Updated

Simple Overflow. #include <stdio.h> int main(void){ unsigned int num = 0xffffffff;

Buffer overflow prevention, and other attacks

C strings. (Reek, Ch. 9) 1 CS 3090: Safety Critical Programming in C

Computer Systems C S Cynthia Lee

CS107, Lecture 3 Bits and Bytes; Bitwise Operators

Control Flow Hijacking Attacks. Prof. Dr. Michael Backes

Integer Representation

Computer Organization & Systems Exam I Example Questions

Data III & Integers I

Representing and Manipulating Integers. Jo, Heeseung

Software security, secure programming

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Number System. Introduction. Decimal Numbers

Kinds Of Data CHAPTER 3 DATA REPRESENTATION. Numbers Are Different! Positional Number Systems. Text. Numbers. Other

Decimal & Binary Representation Systems. Decimal & Binary Representation Systems

SECURE PROGRAMMING A.A. 2018/2019

COMP 3704 Computer Security

AGENDA Binary Operations CS 3330 Samira Khan

Jared DeMott Crucial Security, Inc. Black Hat Special thanks to ISE for smoking me with this test once upon an interview

Arithmetic and Bitwise Operations on Binary Data

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

Advanced Systems Security: Control-Flow Integrity

Making C Less Dangerous

CS140 Lecture 08: Data Representation: Bits and Ints. John Magee 13 February 2017

Brave New 64-Bit World. An MWR InfoSecurity Whitepaper. 2 nd June Page 1 of 12 MWR InfoSecurity Brave New 64-Bit World

INFORMATION SECURITY - PRACTICAL ASSESSMENT - BASICS IN BUFFER EXPLOITATION

CS107, Lecture 2 Bits and Bytes; Integer Representations

2.1. Unit 2. Integer Operations (Arithmetic, Overflow, Bitwise Logic, Shifting)

COMP2611: Computer Organization. Data Representation

Number Systems for Computers. Outline of Introduction. Binary, Octal and Hexadecimal numbers. Issues for Binary Representation of Numbers

Computer Components. Software{ User Programs. Operating System. Hardware

Finding Vulnerabilities in Source Code

Arithmetic Operations

Overview AEG Conclusion CS 6V Automatic Exploit Generation (AEG) Matthew Stephen. Department of Computer Science University of Texas at Dallas

LAB A Translating Data to Binary

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

EURECOM 6/2/2012 SYSTEM SECURITY Σ

8. Characters, Strings and Files

Practical Malware Analysis

Transcription:

Detecting and exploiting integer overflows Guillaume TOURON Laboratoire Verimag, Ensimag - Grenoble INP Marie-Laure Potet, Laurent Mounier 20/05/11 1 / 18

Context Binary representation Integers misinterpretation Static binary analysis Data flow analysis Implementation 2 / 18

Context Binary representation Integers misinterpretation Work subject Subject Binary code static analysis for vulnerabilities detection Focus on arithmetic problems Application security is critical for information systems Programming bad practices Goals Work with a professional environment : IDA Pro Develop some analysis to make easier vulnerabilities detection 3 / 18

Context Binary representation Integers misinterpretation Work subject Subject Binary code static analysis for vulnerabilities detection Focus on arithmetic problems Application security is critical for information systems Programming bad practices Goals Work with a professional environment : IDA Pro Develop some analysis to make easier vulnerabilities detection 3 / 18

Context Binary representation Integers misinterpretation Work subject Subject Binary code static analysis for vulnerabilities detection Focus on arithmetic problems Application security is critical for information systems Programming bad practices Goals Work with a professional environment : IDA Pro Develop some analysis to make easier vulnerabilities detection 3 / 18

Buffer overflow Outline Context Binary representation Integers misinterpretation 4 / 18

Context Binary representation Integers misinterpretation Buffer overflow vulnerabilities Exploitability Integer overflow can lead to buffer overflow Buffer overflow can lead to arbitrary code execution Integer overflows and buffer overflows top ranked by CWE Exploitability (CWE): Buffer overflow: High to Very High (3 rd ) Integers overflow: Medium (16 th ) We have to care about arithmetic overflow and avoid them 5 / 18

Context Binary representation Integers misinterpretation Buffer overflow vulnerabilities Exploitability Integer overflow can lead to buffer overflow Buffer overflow can lead to arbitrary code execution Integer overflows and buffer overflows top ranked by CWE Exploitability (CWE): Buffer overflow: High to Very High (3 rd ) Integers overflow: Medium (16 th ) We have to care about arithmetic overflow and avoid them 5 / 18

Context Binary representation Integers misinterpretation Buffer overflow vulnerabilities Exploitability Integer overflow can lead to buffer overflow Buffer overflow can lead to arbitrary code execution Integer overflows and buffer overflows top ranked by CWE Exploitability (CWE): Buffer overflow: High to Very High (3 rd ) Integers overflow: Medium (16 th ) We have to care about arithmetic overflow and avoid them 5 / 18

x86 integers binary representation Context Binary representation Integers misinterpretation Basic C types on x86 32 bits: char short int long int signed [-128,127] [-32,768,32,767] [ 2 31,2 31 1] [ 2 63,2 63 1] unsigned [0,255] [0,65535] [0,2 32 1] [0,2 64 1] Signed values representation For negative values, MSB = 1 (2 s complement representation) e.g 1 = 0xFFFFFFFF 6 / 18

x86 integers binary representation Context Binary representation Integers misinterpretation Basic C types on x86 32 bits: char short int long int signed [-128,127] [-32,768,32,767] [ 2 31,2 31 1] [ 2 63,2 63 1] unsigned [0,255] [0,65535] [0,2 32 1] [0,2 64 1] Signed values representation For negative values, MSB = 1 (2 s complement representation) e.g 1 = 0xFFFFFFFF 6 / 18

Context Binary representation Integers misinterpretation Dangerousness of misinterpreting First issue Small negative integers can be interpreted as huge integers Dangerous cases: Sanity checks Copy operations Array indexations Dangerous functions Some famous functions: strncpy, strncat, snprintf, memcpy... These functions take a length unsigned parameter 7 / 18

Context Binary representation Integers misinterpretation Dangerousness of misinterpreting First issue Small negative integers can be interpreted as huge integers Dangerous cases: Sanity checks Copy operations Array indexations Dangerous functions Some famous functions: strncpy, strncat, snprintf, memcpy... These functions take a length unsigned parameter 7 / 18

Context Binary representation Integers misinterpretation Dangerousness of misinterpreting First issue Small negative integers can be interpreted as huge integers Dangerous cases: Sanity checks Copy operations Array indexations Dangerous functions Some famous functions: strncpy, strncat, snprintf, memcpy... These functions take a length unsigned parameter 7 / 18

Context Binary representation Integers misinterpretation Dangerousness of misinterpreting First issue Small negative integers can be interpreted as huge integers Dangerous cases: Sanity checks Copy operations Array indexations Dangerous functions Some famous functions: strncpy, strncat, snprintf, memcpy... These functions take a length unsigned parameter 7 / 18

Context Binary representation Integers misinterpretation Dangerousness of misinterpreting First issue Small negative integers can be interpreted as huge integers Dangerous cases: Sanity checks Copy operations Array indexations Dangerous functions Some famous functions: strncpy, strncat, snprintf, memcpy... These functions take a length unsigned parameter 7 / 18

Dangerousness of misinterpreting Context Binary representation Integers misinterpretation memcpy example void *memcpy(void *dest, const void *src, size t n); What happens if this value is user-controlled? Let s take an example Bad #d e f i n e LEN 512... v o i d v u l n ( char s r c, i n t s ) { char d s t [ LEN ] ; i n t s i z e = s ; i f ( s < LEN) { memcpy ( dst, s r c, s i z e ) ; } }... v u l n ( Test, 1); 8 / 18

Dangerousness of misinterpreting Context Binary representation Integers misinterpretation memcpy example void *memcpy(void *dest, const void *src, size t n); What happens if this value is user-controlled? Let s take an example Bad #d e f i n e LEN 512... v o i d v u l n ( char s r c, i n t s ) { char d s t [ LEN ] ; i n t s i z e = s ; i f ( s < LEN) { memcpy ( dst, s r c, s i z e ) ; } }... v u l n ( Test, 1); 8 / 18

Dangerousness of misinterpreting Context Binary representation Integers misinterpretation Analysis We have size = 1 (0xFFFFFFFF ) CPU compares size and 512 as signed values size < 512 == True Vulnerability But memcpy takes a unsigned argument, so size = 2 32 1 By consequences, a buffer overflow occurs A potential attacker can take control of flow execution 9 / 18

Dangerousness of misinterpreting Context Binary representation Integers misinterpretation Analysis We have size = 1 (0xFFFFFFFF ) CPU compares size and 512 as signed values size < 512 == True Vulnerability But memcpy takes a unsigned argument, so size = 2 32 1 By consequences, a buffer overflow occurs A potential attacker can take control of flow execution 9 / 18

Dangerousness of misinterpreting Context Binary representation Integers misinterpretation Analysis We have size = 1 (0xFFFFFFFF ) CPU compares size and 512 as signed values size < 512 == True Vulnerability But memcpy takes a unsigned argument, so size = 2 32 1 By consequences, a buffer overflow occurs A potential attacker can take control of flow execution 9 / 18

Pattern matching Outline Static binary analysis Data flow analysis Implementation Patterns We look for interesting (= dangerous) patterns Some patterns: Calls to dangerous functions (memcpy, strncpy...) Search signed comparisons on unsigned parameters Dangerous instructions r e p movsd Array indexation movl $0x2a, 0x2c(%ebp,%eax, 4 ) 10 / 18

Pattern matching Outline Static binary analysis Data flow analysis Implementation Patterns We look for interesting (= dangerous) patterns Some patterns: Calls to dangerous functions (memcpy, strncpy...) Search signed comparisons on unsigned parameters Dangerous instructions r e p movsd Array indexation movl $0x2a, 0x2c(%ebp,%eax, 4 ) 10 / 18

Pattern matching Outline Static binary analysis Data flow analysis Implementation Patterns We look for interesting (= dangerous) patterns Some patterns: Calls to dangerous functions (memcpy, strncpy...) Search signed comparisons on unsigned parameters Dangerous instructions r e p movsd Array indexation movl $0x2a, 0x2c(%ebp,%eax, 4 ) 10 / 18

Pattern matching Outline Static binary analysis Data flow analysis Implementation Patterns We look for interesting (= dangerous) patterns Some patterns: Calls to dangerous functions (memcpy, strncpy...) Search signed comparisons on unsigned parameters Dangerous instructions r e p movsd Array indexation movl $0x2a, 0x2c(%ebp,%eax, 4 ) 10 / 18

Data dependencies Outline Static binary analysis Data flow analysis Implementation Looking for interesting data dependencies Sensitive parameters (e.g size from memcpy) Counter registers (e.g %ecx for rep prefixed instructions) Analysis steps Scan code to find interesting data Sensitive parameters (e.g size for memcpy) Backtrack these data for dependencies Apply code patterns to exhib vulnerabilities Misinterpretation (e.g comparison as signed values) 11 / 18

Data dependencies Outline Static binary analysis Data flow analysis Implementation Looking for interesting data dependencies Sensitive parameters (e.g size from memcpy) Counter registers (e.g %ecx for rep prefixed instructions) Analysis steps Scan code to find interesting data Sensitive parameters (e.g size for memcpy) Backtrack these data for dependencies Apply code patterns to exhib vulnerabilities Misinterpretation (e.g comparison as signed values) 11 / 18

Data dependencies Outline Static binary analysis Data flow analysis Implementation Looking for interesting data dependencies Sensitive parameters (e.g size from memcpy) Counter registers (e.g %ecx for rep prefixed instructions) Analysis steps Scan code to find interesting data Sensitive parameters (e.g size for memcpy) Backtrack these data for dependencies Apply code patterns to exhib vulnerabilities Misinterpretation (e.g comparison as signed values) 11 / 18

Data dependencies Outline Static binary analysis Data flow analysis Implementation Looking for interesting data dependencies Sensitive parameters (e.g size from memcpy) Counter registers (e.g %ecx for rep prefixed instructions) Analysis steps Scan code to find interesting data Sensitive parameters (e.g size for memcpy) Backtrack these data for dependencies Apply code patterns to exhib vulnerabilities Misinterpretation (e.g comparison as signed values) 11 / 18

Backward analysis Outline Static binary analysis Data flow analysis Implementation Dependencies For a block B we have: OUT (B) = S Successors(B) IN(S) 12 / 18

Static binary analysis Data flow analysis Implementation Backward analysis Transfer function Computes new tainted variables set for a basic block B: IN(B) = F B(StmSeq, OUT (B)) We must define a subset of x86 (grammar) Focus on instructions that imply dependencies Examples: mov[ɛ s sx zx] Binary operations (add, addc, sub, sbb, and, xor, or...) 13 / 18

Static binary analysis Data flow analysis Implementation Backward analysis Transfer function Computes new tainted variables set for a basic block B: IN(B) = F B(StmSeq, OUT (B)) We must define a subset of x86 (grammar) Focus on instructions that imply dependencies Examples: mov[ɛ s sx zx] Binary operations (add, addc, sub, sbb, and, xor, or...) 13 / 18

Static binary analysis Data flow analysis Implementation Backward analysis Transfer function Computes new tainted variables set for a basic block B: IN(B) = F B(StmSeq, OUT (B)) We must define a subset of x86 (grammar) Focus on instructions that imply dependencies Examples: mov[ɛ s sx zx] Binary operations (add, addc, sub, sbb, and, xor, or...) 13 / 18

Environment Outline Static binary analysis Data flow analysis Implementation Several tools used: Binary analysis environment IDA Pro Very used in security industry Powerful, many features available CFG display Several plugins API First, IDAPython API for Python script in IDA Pro Then, Paimei Framework Layer above IDAPython (easier to use) 14 / 18

Output example Outline Static binary analysis Data flow analysis Implementation Example on CVE-201-3970 15 / 18

Results Pros: Automation Customization Cons: False positive Improvements: Improve data-flow analysis Symbolic computation engine? Add more dangerous code patterns Allow users to write their own patterns Simple generic description language 16 / 18

Results Pros: Automation Customization Cons: False positive Improvements: Improve data-flow analysis Symbolic computation engine? Add more dangerous code patterns Allow users to write their own patterns Simple generic description language 16 / 18

Results Pros: Automation Customization Cons: False positive Improvements: Improve data-flow analysis Symbolic computation engine? Add more dangerous code patterns Allow users to write their own patterns Simple generic description language 16 / 18

General conclusion Great subject, interesting people First approach in research Documentation stage Backward analysis Vulnerabilities examples Implementation experimentation Use new tools, techniques and frameworks 17 / 18

Q & A 18 / 18

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback