Outline. Classic races: files in /tmp. Race conditions. TOCTTOU example. TOCTTOU gaps. Vulnerabilities in OS interaction

Similar documents
Other array problems. Integer overflow. Outline. Integer overflow example. Signed and unsigned

Outline. Security as an economic good. Risk budgeting with ALE. Failure: Risk compensation. Failure: Displacement activity

Buffer overflow background

CSE 565 Computer Security Fall 2018

CSCE 548 Building Secure Software Buffer Overflow. Professor Lisa Luo Spring 2018

Outline. Format string attack layout. Null pointer dereference

Advanced System Security: Vulnerabilities

Software Security: Buffer Overflow Attacks

Fundamentals of Computer Security

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Module: Safe Programming. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

C and C++ Secure Coding 4-day course. Syllabus

Homework 3 CS161 Computer Security, Fall 2008 Assigned 10/07/08 Due 10/13/08

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Outline. Heap meta-data. Non-control data overwrite

Reflections on using C(++) Root Cause Analysis

CNIT 127: Exploit Development. Ch 18: Source Code Auditing. Updated

CSE543 - Introduction to Computer and Network Security

I m paranoid, but am I paranoid enough? Steven M. Bellovin February 20,

Secure Programming I. Steven M. Bellovin September 28,

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Module: Program Vulnerabilities. Professor Trent Jaeger. CSE543 - Introduction to Computer and Network Security

Buffer Overflow. Jinkyu Jeong Computer Systems Laboratory Sungkyunkwan University

Lecture 05 Integer overflow. Stephen Checkoway University of Illinois at Chicago

Buffer overflow prevention, and other attacks

Copyright (2004) Purdue Research Foundation. All rights reserved.

Software Security II: Memory Errors - Attacks & Defenses

CSE 565 Computer Security Fall 2018

Memory Corruption 101 From Primitives to Exploit

CMSC 414 Computer and Network Security

CSci 4061 Introduction to Operating Systems. Programs in C/Unix

CYSE 411/AIT681 Secure Software Engineering Topic #12. Secure Coding: Formatted Output

2/9/18. CYSE 411/AIT681 Secure Software Engineering. Readings. Secure Coding. This lecture: String management Pointer Subterfuge

Basic Buffer Overflows

Making C Less Dangerous

Secure Programming. Buffer Overflows Learning objectives. Type. 3 Buffer Overflows. 4 An Important Vulnerability. 5 Example Overflow

CMPSC 497 Buffer Overflow Vulnerabilities

Secure Software Development: Theory and Practice

CYSE 411/AIT681 Secure Software Engineering Topic #10. Secure Coding: Integer Security

Advanced Systems Security: Ordinary Operating Systems

2/9/18. Readings. CYSE 411/AIT681 Secure Software Engineering. Introductory Example. Secure Coding. Vulnerability. Introductory Example.

2/9/18. CYSE 411/AIT681 Secure Software Engineering. Readings. Secure Coding. This lecture: String management Pointer Subterfuge

ECE 471 Embedded Systems Lecture 22

Advanced Systems Security: Ordinary Operating Systems

Important From Last Time

Secure Software Programming and Vulnerability Analysis

A brief introduction to C programming for Java programmers

I m paranoid, but am I paranoid enough? Steven M. Bellovin October 2,

Programming refresher and intro to C programming

Introduction to Computer Systems , fall th Lecture, Sep. 28 th

Secure Programming Lecture 6: Memory Corruption IV (Countermeasures)

Important From Last Time

CS 326 Operating Systems C Programming. Greg Benson Department of Computer Science University of San Francisco

Software Security; Common Implementation Flaws

Runtime Defenses against Memory Corruption

CSE 127 Computer Security

Computer Security. 04r. Pre-exam 1 Concept Review. Paul Krzyzanowski. Rutgers University. Spring 2018

Secure C Coding...yeah right. Andrew Zonenberg Alex Radocea

EURECOM 6/2/2012 SYSTEM SECURITY Σ

Software and Web Security 1. Root Cause Analysis. Abstractions Assumptions Trust. sws1 1

Control Flow Hijacking Attacks. Prof. Dr. Michael Backes

The first Secure Programming Laboratory will be today! 3pm-6pm in Forrest Hill labs 1.B31, 1.B32.

Page 1. Today. Important From Last Time. Is the assembly code right? Is the assembly code right? Which compiler is right?

Automatic program generation for detecting vulnerabilities and errors in compilers and interpreters

Intrusion Detection and Malware Analysis

Buffer Overflow. Jin-Soo Kim Computer Systems Laboratory Sungkyunkwan University

Program Security and Vulnerabilities Class 2

Does Making The Kernel Harder Make

Secure Programming II. Steven M. Bellovin September 29,

One-Slide Summary. Lecture Outline. Language Security

CSE 544 Advanced Systems Security

Princeton University Computer Science 217: Introduction to Programming Systems. Dynamic Memory Management

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Quiz I

CSE / / 60567: Computer Security. Software Security 4

Security and Privacy in Computer Systems. Lecture 5: Application Program Security

Changelog. Corrections made in this version not in first posting: 1 April 2017: slide 13: a few more %c s would be needed to skip format string part

CMPSC 311- Introduction to Systems Programming Module: Strings

Software Security: Buffer Overflow Defenses and Miscellaneous

Sandwiches for everyone

CS 645: Lecture 3 Software Vulnerabilities. Rachel Greenstadt July 3, 2013

BUFFER OVERFLOW. Jo, Heeseung

Buffer Overflow. Jo, Heeseung

CSE 509: Computer Security

Memory corruption countermeasures

CS 61C: Great Ideas in Computer Architecture C Pointers. Instructors: Vladimir Stojanovic & Nicholas Weaver

System Security Class Notes 09/23/2013

Memory Corruption Vulnerabilities, Part II

DAY 3. CS3600, Northeastern University. Alan Mislove

Computer Security. Robust and secure programming in C. Marius Minea. 12 October 2017

CSE 127 Computer Security

CSE 374 Midterm Exam Sample Solution 2/11/13. Question 1. (8 points) What does each of the following bash commands do?

Verification & Validation of Open Source

CSE 127 Computer Security

CS 161 Computer Security

CS140 Operating Systems Final December 12, 2007 OPEN BOOK, OPEN NOTES

CSE 127 Computer Security

Foundations of Network and Computer Security

CSE 303 Midterm Exam

CIS 551 / TCOM 401 Computer and Network Security. Spring 2007 Lecture 2

Required reading: StackGuard: Simple Stack Smash Protection for GCC

Transcription:

Outline CSci 5271 Introduction to Computer Security Day 3: Low-level vulnerabilities Stephen McCamant University of Minnesota, Computer Science & Engineering Race conditions Classic races: files in /tmp Two actions in parallel; result depends on which happens first Usually attacker racing with you 1. Write secret data to file 2. Restrict read permissions on file Many other examples Temp filenames must already be unique But unguessable is a stronger requirement Unsafe design (mktemp(3)): function to return unused name Must use O EXCL for real atomicity TOCTTOU gaps TOCTTOU example Time-of-check (to) time-of-use races 1. Check it s OK to write to file 2. Write to file Attacker changes the file between steps 1 and 2 Just get lucky, or use tricks to slow you down int safe_open_file(char *path) f int fd = -1; struct stat s; stat(path, &s) if (!S ISREG(s.st mode)) error("only regular files allowed"); else fd = open(path, O RDONLY); return fd; g

TOCTTOU example TOCTTOU example int safe_open_file(char *path) f int fd = -1, res; struct stat s; res = stat(path, &s) if (res!s ISREG(s.st mode)) error("only regular files allowed"); else fd = open(path, O RDONLY); return fd; g int safe_open_file(char *path) f int fd = -1, res; struct stat s; res = stat(path, &s) if (res!s ISREG(s.st mode)) error("only regular files allowed"); else fd = open(path, O RDONLY); return fd; g Changing file references Directory traversal with.. With symbolic links With hard links With changing parent directories Avoid by instead using: f* functions that operate on fds *at functions that use an fd in place of the CWD Program argument specifies file with directory files What about files/../../../../etc/passwd? Environment variables Can influence behavior in unexpected ways PATH LD LIBRARY PATH IFS... Also umask, resource limits, current directory IFS and why it s a problem In Unix, splitting a command line into words is the shell s job String! argv array grep a b c vs. grep 'a b' c Choice of separator characters (default space, tab, newline) is configurable Exploit system("/bin/uname")

Outline Overall layout (Linux 32-bit) Detail: static code and data Detail: heap Detail: initial stack Example stack frame

Outline HA1 materials posted Instructions PDF BCVI source code VM instructions web page Discussion forum and submissions on Moodle Getting your virtual machines Sequence of exploits Ubuntu 16.04 server, hosted on CSE Labs 64-bit kernel but 32-bit BCVI, gcc -m32 One VM per group (up to 3 students) For allocation, send group list to Se Eun Don t put off until the last minute Week 1 (9/15): bad feature, 10 points Week 2 (9/22): easier, 20 points Week 3 (9/29): harder, 30 points Week 4 (10/6): harder, 30 points Plus, design suggestions (10 points) Week 5 (10/13): hardest, 10 n extra credit Types of vulnerabilities Part of challenge: automation OS interaction/logic errors Memory safety errors E.g., exploit with control-flow hijacking Attacks may require crafted text files and chosen program inputs Must represent your attack as an exploit script Must be fully automatic No user interaction Works reliably, within 60 seconds Must work on a clean VM Use test-exploit script

Still coming soon Outline Research project pre-proposal due a week from today Stack frame overflow Overwriting adjacent objects Forward or backward on stack Other local variables, arguments Fields within a structure Global variables Other heap objects Overwriting metadata Double free On stack: Return address Saved registers, incl. frame pointer On heap: Size and location of adjacent blocks Passing the same pointer value to free more than once More dangerous the more other heap operations occur in between

Use after free Outline AKA use of a dangling pointer Could overwrite heap metadata Or, access data with confused type Library funcs: unusable gets writes unlimited data into supplied buffer No way to use safely (unless stdin trusted) Finally removed in C11 standard Library funcs: dangerous Big three unchecked string functions strcpy(dest, src) strcat(dest, src) sprintf(buf, fmt,...) Must know lengths in advance to use safely (complicated for sprintf) Similar pattern in other funcs returning a string Library funcs: bounded Just add n : strncpy(dest, src, n) strncat(dest, src, n) snprintf(buf, size, fmt,...) Tricky points: Buffer size vs. max characters to write Failing to terminate strncpy zero-fill More library attempts OpenBSD strlcpy, strlcat Easier to use safely than n versions Non-standard, but widely copied Microsoft-pushed strcpy s, etc. Now standardized in C11, but not in glibc Runtime checks that abort Compute size and use memcpy C++ std::string, glib, etc.

Still a problem: truncation Off-by-one bugs Unexpectedly dropping characters from the end of strings may still be a vulnerability E.g., if attacker pads paths with /////// or /./././. Avoiding length limits is best, if implemented correctly strlen does not include the terminator Comparison with < vs. <= Length vs. last index x++ vs. ++x Even more buffer/size mistakes Other array problems Inconsistent code changes (use sizeof) Misuse of sizeof (e.g., on pointer) Bytes vs. wide chars (UCS-2) vs. multibyte chars (UTF-8) OS length limits (or lack thereof) Missing/wrong bounds check One unsigned comparison suffices Two signed comparisons needed Beware of clever loops Premature optimization Outline Integer overflow Fixed size result 6= math result Sum of two positive ints negative or less than addend Also multiplication, left shift, etc. Negation of most-negative value (low + high)/2

Integer overflow example Signed and unsigned int n = read_int(); obj *p = malloc(n * sizeof(obj)); for (i = 0; i < n; i++) p[i] = read_obj(); Unsigned gives more range for, e.g., size t At machine level, many but not all operations are the same Most important difference: ordering In C, signed overflow is undefined behavior Mixing integer sizes Null pointers Complicated rules for implicit conversions Also includes signed vs. unsigned Generally, convert before operation: E.g., 1ULL << 63 Sign-extend vs. zero-extend char c = 0xff; (int)c Vanilla null dereference is usually non-exploitable (just a DoS) But not if there could be an offset (e.g., field of struct) And not in the kernel if an untrusted user has allocated the zero page Undefined behavior Linux kernel example C standard undefined behavior : anything could happen Can be unexpectedly bad for security Most common problem: compiler optimizes assuming undefined behavior cannot happen struct sock *sk = tun->sk; //... if (!tun) return POLLERR; // more uses of tun and sk

Format strings Next time printf format strings are a little interpreter printf(fmt) with untrusted fmt lets the attacker program it Allows: Dumping stack contents Denial of service Arbitrary memory modifications! Exploitation techniques for these vulnerabilities

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback