Secure Systems Engineering

Similar documents
Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

Binary Exploitation 1 Buffer Overflows

Return-orientated Programming

The Geometry of Innocent Flesh on the Bone

Is stack overflow still a problem?

Betriebssysteme und Sicherheit Sicherheit. Buffer Overflows

CMPSC 497 Buffer Overflow Vulnerabilities

Beyond Stack Smashing: Recent Advances in Exploiting. Jonathan Pincus(MSR) and Brandon Baker (MS)

Basic Buffer Overflows

Software Security II: Memory Errors - Attacks & Defenses

CSE 127: Computer Security. Memory Integrity. Kirill Levchenko

2 Sadeghi, Davi TU Darmstadt 2012 Secure, Trusted, and Trustworthy Computing Chapter 6: Runtime Attacks

Buffer overflow is still one of the most common vulnerabilities being discovered and exploited in commodity software.

Lecture 08 Control-flow Hijacking Defenses

Architecture-level Security Vulnerabilities

CSE 127: Computer Security Control Flow Hijacking. Kirill Levchenko

Lecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall Nitesh Saxena

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

Advanced Security for Systems Engineering VO 05: Advanced Attacks on Applications 2

BUFFER OVERFLOW. Jo, Heeseung

Buffer Overflow. Jo, Heeseung

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures)

Countermeasures in Modern Operating Systems. Yves Younan, Vulnerability Research Team (VRT)

String Oriented Programming Exploring Format String Attacks. Mathias Payer

CNIT 127: Exploit Development. Ch 3: Shellcode. Updated

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

CSE 565 Computer Security Fall 2018

CSE 509: Computer Security

We will focus on Buffer overflow attacks SQL injections. See book for other examples

This time. Defenses and other memory safety vulnerabilities. Everything you ve always wanted to know about gdb but were too afraid to ask

Biography. Background

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

Architecture-level Security Vulnerabilities. Julian Stecklina

Topics. What is a Buffer Overflow? Buffer Overflows

Software Security: Buffer Overflow Defenses

Hacking Blind BROP. Presented by: Brooke Stinnett. Article written by: Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Mazie`res, Dan Boneh

Lecture 6: Buffer Overflow. CS 436/636/736 Spring Nitesh Saxena

CS 161 Computer Security

1/31/2007 C. Edward Chow. CS591 Page 1

Selected background on ARM registers, stack layout, and calling convention

Università Ca Foscari Venezia

Lecture 10 Code Reuse

Program Security and Vulnerabilities Class 2

From Over ow to Shell

Advanced Buffer Overflow

CSC 591 Systems Attacks and Defenses Return-into-libc & ROP

Inject malicious code Call any library functions Modify the original code

Defense against Code-injection, and Code-reuse Attack

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Buffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

Lecture 1: Buffer Overflows

Software Vulnerabilities August 31, 2011 / CS261 Computer Security

20: Exploits and Containment

Secure Programming Lecture 5: Memory Corruption III (Countermeasures)

Buffer overflow risks have been known for over 30 years. Is it still a problem? Try searching at to see.

Introduction to Operating Systems Prof. Chester Rebeiro Department of Computer Science and Engineering Indian Institute of Technology, Madras

Linux Memory Layout. Lecture 6B Machine-Level Programming V: Miscellaneous Topics. Linux Memory Allocation. Text & Stack Example. Topics.

Software Security: Buffer Overflow Attacks

Exploits and gdb. Tutorial 5

Lecture 4 September Required reading materials for this class

CSC 405 Computer Security Shellcode

Outline. Format string attack layout. Null pointer dereference

Introduction to Reverse Engineering. Alan Padilla, Ricardo Alanis, Stephen Ballenger, Luke Castro, Jake Rawlins

Advanced Buffer Overflow

CS161 Midterm 1 Review

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

Robust Shell Code Return Oriented Programming and HeapSpray. Zhiqiang Lin

Memory corruption countermeasures

buffer overflow exploitation

Smashing the Buffer. Miroslav Štampar

ECS 153 Discussion Section. April 6, 2015

Software Security: Buffer Overflow Attacks (continued)

Buffer Overflow Attack

Lecture Embedded System Security A. R. Darmstadt, Runtime Attacks

Intro to x86 Binaries. From ASM to exploit

Lab 2: Buffer Overflows

Buffer Overflows Defending against arbitrary code insertion and execution

Stack Vulnerabilities. CS4379/5375 System Security Assurance Dr. Jaime C. Acosta

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Sungkyunkwan University

Midterm 1 Review. Memory Safety & Web Attacks

Buffer Overflow Vulnerability

Exercise 6: Buffer Overflow and return-into-libc Attacks

Machine-Level Programming V: Buffer overflow

CS 161 Computer Security

Fundamentals of Computer Security

Module: Return-oriented Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Outline. Memory Exploit

EURECOM 6/2/2012 SYSTEM SECURITY Σ

Runtime Defenses against Memory Corruption

CSc 466/566. Computer Security. 20 : Operating Systems Application Security

CNIT 127: Exploit Development. Ch 14: Protection Mechanisms. Updated

Lecture 04 Control Flow II. Stephen Checkoway University of Illinois at Chicago CS 487 Fall 2017 Based on Michael Bailey s ECE 422

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

Security Workshop HTS. LSE Team. February 3rd, 2016 EPITA / 40

System Security. Aurélien Francillon

CS 161 Computer Security. Week of January 22, 2018: GDB and x86 assembly

The geometry of innocent flesh on the bone: Return-into-libc without function calls (on the x86) Hovav Shacham presented by: Fabian Fäßler

Exploiting Stack Buffer Overflows Learning how blackhats smash the stack for fun and profit so we can prevent it

Shell Code For Beginners

Transcription:

Secure Systems Engineering Chester Rebeiro Indian Institute of Technology Madras

Flaws that would allow an attacker access the OS flaw Bugs in the OS The Human factor Chester Rebeiro, IITM 2

Program Bugs that can be exploited Buffer overflows In the stack In the heap Return-to-libc attacks Double frees Integer overflows Format string bugs Chester Rebeiro, IITM 3

Buffer Overflows in the Stack We need to first know how a stack is managed Chester Rebeiro, IITM 4

Stack in a Program (when function is executing) Parameters for main return Address prev frame pointer Locals of main Parameters for function Frame pointer return Address prev frame pointer Stack pointer Locals of function Chester Rebeiro, IITM 5

Stack Usage (example) Stack (top to bottom): address stored data 1000 to 997 3 996 to 993 2 stack pointer Parameters for function Return Address frame pointer prev frame pointer Locals of function 992 to 989 1 988 to 985 return address 984 to 981 %ebp (stored frame pointer) (%ebp)980 to 976 buffer1 975 to 966 buffer2 (%sp) 964 Chester Rebeiro, IITM 6

Stack Usage Contd. Stack (top to bottom): address stored data 1000 to 997 3 996 to 993 2 What is the output of the following? printf( %x, buffer2) : 966 printf( %x, &buffer2[10]) 976 buffer1 Therefore buffer2[10] = buffer1[0] A BUFFER OVERFLOW 992 to 989 1 988 to 985 return address 984 to 981 %ebp (stored frame pointer) (%ebp)980 to 976 buffer1 976 to 966 buffer2 (%sp) 964 Chester Rebeiro, IITM 7

Modifying the Return Address buffer2[19] = &arbitrary memory location This causes execution of an arbitrary memory location instead of the standard return Stack (top to bottom): address stored data 1000 to 997 3 996 to 993 2 992 to 989 1 988 to 985 Return Arbitrary Address Location 19 984 to 981 %ebp (stored frame pointer) (%ebp)980 to 976 buffer1 976 to 966 buffer2 (%sp) 964 Chester Rebeiro, IITM 8

address Stack (top to bottom): 1000 to 997 3 996 to 993 2 992 to 989 1 stored data 988 to 985 ATTACKER S code pointer 984 to 981 %ebp (stored frame pointer) (%ebp)980 to 976 buffer1 Now that we seen how buffer overflows can skip an instruction, We will see how an attacker can use it to execute his own code (exploit code) 976 to 966 buffer2 (%sp) 964 Chester Rebeiro, IITM 9

Big Picture of the exploit Fill the stack as follows (where is buffer address) stack pointer Parameters for function Return Address frame pointer prev frame pointer buffer Exploit code buffer Address Chester Rebeiro, IITM 10

Exploit Code Lets say the attacker wants to spawn a shell ie. do as follows: How does he put this code onto the stack? Chester Rebeiro, IITM 11

Step 1 : Get machine codes objdump disassemble-all shellcode.o Get machine code : eb 1e 5e 89 76 08 c6 46 07 00 c7 46 0c 00 00 00 00 b8 0b 00 00 00 89 f3 8d 4e 08 8d 56 0c cd 80 cd 80 If there are 00s replace it with other instructions Chester Rebeiro, IITM 12

Step 2: Find Buffer overflow in an application Defined on stack O O O O o Chester Rebeiro, IITM 13

Step 3 : Put Machine Code in Large String large_string shellcode Chester Rebeiro, IITM 14

Step 3 (contd) : Fill up Large String with Address of buffer is large_string shellcode Chester Rebeiro, IITM 15

Final state of Stack Copy large string into buffer When strcpy returns the exploit code would be executed buffer shellcode large_string shellcode buffer Address Chester Rebeiro, IITM 16

Putting it all together bash$ gcc overflow1.c bash$./a.out $sh Chester Rebeiro, IITM 17

Buffer overflow in the Wild Worm CODERED released on 13 th July 2001 Infected 3,59,000 computers by 19 th July. Chester Rebeiro, IITM 18

CODERED Worm Targeted a bug in Microsoft s IIS web server CODERED s string GET /default.ida?nnnnnnnnnnnnnnnnnnnnnnnnn NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN NNNNNNNNNNNNNNNNNNN %u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u78 01%u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u 00c3%u0003%u8b00%u531b%u53ff%u0078%u0000%u00=a HTTP/1.0 Chester Rebeiro, IITM 19

How to Protect against buffer overflows Chester Rebeiro, IITM 20

Non-executable stack Mark the stack pages as non-executable. bash$ gcc overflow1.c bash$./a.out Segmentation Fault Chester Rebeiro, IITM 21

Non Executable Stack Implementations In Intel processors, NX bit present to mark stack as non-executable. Works for most programs Does not work for some programs that NEED to execute from the stack. Eg. Linux signal delivery. Chester Rebeiro, IITM 22

Will non executable stack prevent buffer overflow attacks? return to libc attacks Chester Rebeiro, IITM 23

Return to Libc (big picture) Return Address buffer Exploit code This will not work if NX bit is set Chester Rebeiro, IITM 24

Return to Libc (big picture contd.) Return Address buffer F1ptr F1ptr F1ptr F1ptr F1ptr F1ptr F1ptr F1ptr F1ptr Some Function F1 What is F1? It is some function present in the program It should be able to execute attacker s code Chester Rebeiro, IITM 25

F1 = system() One option is function system present in libc system( /bin/bash ); would create a bash shell So we need to 1. Find the address of system in the process 2. Supply an address that points to the string /bin/sh Chester Rebeiro, IITM 26

The return-to-libc attack Return Address buffer F1ptr F1 ptr Shell ptr F1ptr F1ptr F1ptr F1ptr F1ptr F1ptr /bin/bash system() In libc Chester Rebeiro, IITM 27

Find address of system $ gdb a.out (gdb) p system $1 {<text variable >} 0x28086526 <system> Chester Rebeiro, IITM 28

Find address of /bin/sh Every process stores the enviroment variables We need to find this and extract the string /bin/sh from it Chester Rebeiro, IITM 29

Limitation of ret2libc Difficult to execute arbitrary code Chester Rebeiro, IITM 30

Return Oriented Programming Attacks Discovered by Hovav Shacham of Stanford University Allows arbitrary computation without code injection thus can be used with non executable stacks Chester Rebeiro, IITM 31

Gadgets (1) Lets say this is the payload needed to be executed by an attacker. Chester Rebeiro, IITM 32

Gadgets (2) Scan the entire binary for code snippets of the form useful instruction(s) ret This is called a gadget Chester Rebeiro, IITM 33

Gadgets (3) Find gadgets in the binary for the payload movb $0x0, 0x7(%esi) ret G2 movl $0xb, %eax ret G4 movb $0x0, 0xc(%esi) ret movl %esi, 0x8(%esi) ret G3 G1 Program Binary Chester Rebeiro, IITM 34

Other Precautions for buffer overflows Use a programming language that automatically check array bounds Example java Use securer libraries. For example C11 annex K, gets_s, strcpy_s, strncpy_s, etc. (_s is for secure) Chester Rebeiro, IITM 35

Canaries Known (pseudo random) values placed on stack to monitor buffer overflows. A change in the value of the canary indicates a buffer overflow. Implemented in gcc by default. Evaded if canary is known Insert a canary here check if the canary value has got modified Stack (top to bottom): stored data 3 2 1 ret addr sfp (%ebp) Insert canary here buffer1 buffer2 Chester Rebeiro, IITM 36

Bounds Checking Check accesses to each buffer so that it cannot be beyond the bounds In C and C++, bound checking performed at pointer calculation time or dereference time. Requires run-time bound information for each allocated block. Chester Rebeiro, IITM 37

Address Space Randomization Attackers need to know specific locations in the code. For instance, where the stack begins Where functions are placed in memory, etc. Address space layout randomization (ASLR) makes this difficult by randomizing the address space layout of the process Chester Rebeiro, IITM 38

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback