Reserve Engineering & Buffer Overflow Attacks. Tom Chothia Computer Security, Lecture 17

Similar documents
Buffer Overflows Defending against arbitrary code insertion and execution

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

CSC 2400: Computer Systems. Using the Stack for Function Calls

CNIT 127: Exploit Development. Ch 1: Before you begin. Updated

CSE 565 Computer Security Fall 2018

Practical Malware Analysis

Buffer Overflow Attacks

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

CNIT 127: Exploit Development. Ch 2: Stack Overflows in Linux

Writing Exploits. Nethemba s.r.o.

Buffer Overflows. A brief Introduction to the detection and prevention of buffer overflows for intermediate programmers.

Secure Programming Lecture 3: Memory Corruption I (Stack Overflows)

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES

Intro to x86 Binaries. From ASM to exploit

Lecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall Nitesh Saxena

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Buffer overflow background

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

CMPSC 497 Buffer Overflow Vulnerabilities

CSC 2400: Computing Systems. X86 Assembly: Function Calls

Roadmap: Security in the software lifecycle. Memory corruption vulnerabilities

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

The IA-32 Stack and Function Calls. CS4379/5375 Software Reverse Engineering Dr. Jaime C. Acosta

CMSC 313 COMPUTER ORGANIZATION & ASSEMBLY LANGUAGE PROGRAMMING

Advanced Computer Networks Smashing the Stack for Fun and Profit

Secure Programming I. Steven M. Bellovin September 28,

Lecture 6: Buffer Overflow. CS 436/636/736 Spring Nitesh Saxena

HW 8 CS681 & CS392 Computer Security Understanding and Experimenting with Memory Corruption Vulnerabilities DUE 12/18/2005

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

Lecture 4 September Required reading materials for this class

Software Security: Buffer Overflow Attacks (continued)

CSC 2400: Computer Systems. Using the Stack for Function Calls

Assembly Language: Function Calls

Buffer Overflow & Format Strings

Lecture 08 Control-flow Hijacking Defenses

CMSC 414 Computer and Network Security

CSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko

CSC 8400: Computer Systems. Using the Stack for Function Calls

Assembly Language: Function Calls" Goals of this Lecture"

Buffer overflows. Specific topics:

Lecture 09 Code reuse attacks. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017

18-600: Recitation #4 Exploits

Biography. Background

Computer Systems Lecture 9

Program Security and Vulnerabilities Class 2

Buffer. This time. Security. overflows. Software. By investigating. We will begin. our 1st section: History. Memory layouts

CSC 2400: Computing Systems. X86 Assembly: Function Calls"

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

From Over ow to Shell

Assembly Language: Function Calls. Goals of this Lecture. Function Call Problems

Assembly Language: Function Calls" Goals of this Lecture"

String Oriented Programming Exploring Format String Attacks. Mathias Payer

Stack -- Memory which holds register contents. Will keep the EIP of the next address after the call

Smashing the Buffer. Miroslav Štampar

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

Advanced Buffer Overflow

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures)

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

ENEE 457: Computer Systems Security. Lecture 16 Buffer Overflow Attacks

CSE 509: Computer Security

x86 assembly CS449 Fall 2017

BUFFER OVERFLOW. Jo, Heeseung

20: Exploits and Containment

Buffer Overflow. Jo, Heeseung

Ethical Hacking: Preventing & Writing Buffer Overflow Exploits

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

COMP3441 Lecture 7: Software Vulnerabilities

CS 161 Computer Security

Memory Corruption 101 From Primitives to Exploit

CS 392/681 Lab 6 Experiencing Buffer Overflows and Format String Vulnerabilities

Lecture 4 CIS 341: COMPILERS

Lab 2: Buffer Overflows

Introduction to Reverse Engineering. Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Stack-Based Buffer Overflow Explained. Marc Koser. East Carolina University. ICTN 4040: Enterprise Information Security

Machine-Level Programming V: Unions and Memory layout

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

Buffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

Function Calls COS 217. Reading: Chapter 4 of Programming From the Ground Up (available online from the course Web site)

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Memory corruption countermeasures

18-600: Recitation #4 Exploits (Attack Lab)

Sungkyunkwan University

Fundamentals of Computer Security

Function Call Convention

Buffer Overflow Attack (AskCypert CLaaS)

Format string vulnerabilities

Software Security: Buffer Overflow Defenses

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

SYSTEM CALL IMPLEMENTATION. CS124 Operating Systems Fall , Lecture 14

Hands-on Ethical Hacking: Preventing & Writing Buffer Overflow Exploits

Foundations of Network and Computer Security

CS 161 Computer Security

Secure Programming Lecture 5: Memory Corruption III (Countermeasures)

CSE 127 Computer Security

Buffer Overflow and Protection Technology. Department of Computer Science,

Transcription:

Reserve Engineering & Buffer Overflow Attacks Tom Chothia Computer Security, Lecture 17

Introduction A simplified, high-level view of buffer overflow attacks. x86 architecture overflows on the stack Some IDA examples. Exploiting buffer overflows using Metasploit

The x86 Architecture The program code Static variables, Strings, etc Data in use Text Data Registers e.g. The Accumulator Instruction point Stack point EAX EIP ESP Stack Free Memory

The Stack The stack part of the memory is mostly Last In, First Out. We can only write and read to the top of the stack. EAX: EIP: 7797F9CD ESP: 0018F9B0 PUSH 12345 PUSH 678245 POP EAX. Data Stack Free Memory

The Stack You write to the stack with push You read and remove an item from the stack with pop EAX: 678245 EIP: 7797F9CF ESP: 0018F9B1 PUSH 12345 PUSH 678245 POP EAX. Data Stack 123456 Free Memory

Screen shot, IDA

Common Pattern 1 Data is moved to a register, operation is call, result stored in memory location or register. Value at [esp+1ch] is moved to register eax, It is added to the value at [esp+18h] The results is stored at [esp+18h]

Common Pattern 2 Data is compared using cmp or test, then a jump is made based on the result. Value at [esp+1ch] compared to 3 If it is less than or equal to, the program jumps to location loc_80483df Otherwise it continues to the next command.

Reasons For Reverse Engineeing Analyse Malware Debug memory errors Analyse Legacy code Security Audit Particularly detect backdoors e.g. D-link router: http://bit.ly/1e6vzzz

Buffer Overflows In languages like C, you have to tell the compiler how to manage the memory. This is hard. If you get it wrong, then an attacker can usually exploit this bug to make your application run arbitrary code. Countless worms, attacks against SQL servers, Web Servers, iphone Jailbreak, SSH servers,

USS Yorktown US Navy Aegis missile cruiser Dead in the water for 2 and a half hours due to a buffer overflow. Because of politics, some things are being forced on us that without political pressure we might not do, like Windows NT. If it were up to me I probably would not have used Windows NT in this particular application. Ron Redman, deputy technical director Aegis

Function calls void main () { function (1,2); } PUSH <2> PUSH <1> CALL <function> Arguments 1 & 2 are passed on the stack. The CALL instruction runs a function EIP changed to point to code of function Old EIP stored on stack

Function Calls, Simplified PUSH <arg2> PUSH <arg1> CALL <function> CALL writes the instruction point (EIP) onto the stack and then sets the EIP to to equal the code for the function. Later a return instruction restores the old EIP and the program continues Old EIP Arg1 Arg2 Stack

Common Pattern 3 Data is loaded onto the stack Function is called that users these values, The result will be pointed to by eax Value in eax is moved to [esp+4] exit is put on top of the stack String compare is called on these. The result will be returned in the eax register

Buffer Overflows The instruction pointer controls which code executes, The instruction pointer is stored on the stack, I can write to the stack J

Buffers 1. Functions called with Hello World 2. Arg and EIP written to stack 3. Function runs 4. Buffer allocated 5. String copied function (user input); function (char *str) { char buffer[16]; strcpy(str,buffer); } Hello World Old EIP Hello World Stack

Buffer Overflow If user input is more than 16 bytes? function (user input); function (char *str) { char buffer[16]; strcpy(str,buffer); } Stack

Buffer Overflow If user input is more than 16 bytes 1. Runs as before function (user input); function (char *str) { char buffer[16]; strcpy(str,buffer); } Old EIP Hello WorldX XXXXXXXXX Stack

Buffer Overflow If user input is more than 16 bytes 1. Runs as before 2. But the string flows over the end of the buffer 3. EIP corrupted, segmentation fault function (user input); function (char *str) { char buffer[16]; strcpy(str,buffer); } Hello WorldXX XXXXIP Hello WorldX XXXXXXXXX Stack

Once more, with malice 1. Runs as before 2. Attack send a very long message, ending with the address of some code that gives him a shell. The attackers code could also be part of the message 3. The attackers value is copied over the old EIP 4. When the function returns the attacks code is run Hello WorldXX 7797F9 Hello WorldX X7797F9 Stack

Over Writing Other Values Attacking the instruction pointer (EIP) is the most powerful technique. However, any memory value can be attacked: Over write arguments on the stack e.g. change the parameters to a chmod call Overflows on the heap e.g. rewrite a password in memory

Defenses Stack canaries: values placed on the stack, which are later tested. if the stack is over written then the value test will fail. Randomisation Layout of the memory is randomised. This makes it very hard for the attack to find the memory to overwrite or code to jump to. For more information see the Secure Programming Module

Recommend Paper: Smashing the Stack for Fun and Profit Elias Levy (Aleph One) A simple introduction to buffer overflows from the mid 90s. Standard defences now stop the attacks in this paper, but it gives an excellent introduction.

Conclusion Buffer overflows are the result of poor memory management in languages like C even the best programmers sometimes make mistakes. Buffer overflow attacks exploit these to over write memory values. This often lets an attack execute arbitrary code.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback