attacking the stack continued
play

Attacking the stack (continued) hic 1 1 Firefox bugs this - PowerPoint PPT Presentation

Dec 18, 2023 •224 likes •647 views

Attacking the stack (continued) hic 1 1 Firefox bugs this morning hic 2 Last week Using buffer overruns or format string attacks to read out or corrupt the stack, esp. the control data on the stack: frame pointers and return

  1. Attacking the stack (continued) hic 1 1

  2. Firefox bugs this morning hic 2

  3. Last week • Using buffer overruns or format string attacks to read out or corrupt the stack, esp. the control data on the stack: frame pointers and return addresses • A classic buffer overflow: 1. first insert malicious shell code into some buffer on the stack 2. then overwrite return address on the stack to jump to that code This is also called smashing the stack • More generally, any read or write out-of-bounds, use of a stale pointer, or reading of uninitialized memory, ... can be a security problem Today: • some variations of messing with frame pointers & return addresses • some defenses hic 3

  4. Spot the defect /* Process incoming message with the format | hbtype | len | payload[0] .... payload [len-1] | one byte two bytes len bytes payload */ unsigned char *p; // pointer to the incoming message unsigned int len; // called payload in the original code unsigned short hbtype; hbtype = *p++; // Puts *p into hbtype n2s(p, len); // Takes two bytes from p, and puts them in len // This is the length of the payload unsigned char* buffer = malloc(1 + 2 + len); /* Enter response type, length and copy payload */ buffer++ = TLS1_HB_RESPONSE; s2n(len, buffer); // takes 16-bit value len and puts it into two bytes memcpy(buffer, p, len); // copy len bytes from p into buffer hic 4

  5. Spot the defect – Heartbleed /* Process incoming message with the format | hbtype | len | payload[0] .... payload [len-1] | one byte two bytes len bytes payload */ unsigned char *p; // pointer to the incoming message unsigned int len; // called payload in the original code unsigned short hbtype; hbtype = *p++; // Puts *p into hbtype n2s(p, len); // Takes two bytes from p, and puts them in len // This is the length of the payload unsigned char* buffer = malloc(1 + 2 + len); /* Enter response type, length and copy payload */ buffer++ = TLS1_HB_RESPONSE; s2n(len, buffer); // takes 16-bit value len and puts it into two bytes memcpy(buffer, p, len); // copy len bytes from p into buffer – POSSIBLE OVERRUN hic 5

  6. Spot the defect – Cloudbleed Vulnerable code // char* p is a pointer to a buffer containing the incoming messages to be process // char* end is a pointer to the end of this buffer .... // code inspecting *p, which increases p .... if ( ++p == end ) goto _test_eof; More secure code .... if ( ++p >= end ) goto _test_eof; hic 6

  7. How common are these problems? Look at websites such as • https://www.us-cert.gov/ncas/bulletins • http://cve.mitre.org/ • http://www.securityfocus.com/vulnerabilities Vulnerability descriptions that mention • ‘ buffer ’ • ‘ boundary condition error ’ • ‘ lets remote users execute arbitrary code ’ • or simply ‘remote security vulnerability’ are often caused by buffer overflows. Some sites use the CWE (Common Weakness Enumeration) to classify vulnerabilities hic 7

  8. CWE classification The CWE (Common Weakness Enumeration) provides a standardised classfication of security vulnerabilities https://cwe.mitre.org/ NB the classification is long (over 800 classes!) and confusing! Eg • CWE-118 ... CWE-129, CWE-680, and CWE 787 are buffer errors • CWE-822 ... CWE-835 and CWE-465 are pointer errors • CWE-872 are integer-related issues Have a look at • https://cwe.mitre.org/data/definitions/787.html - buffer issues • https://cwe.mitre.org/data/definitions/465.html - pointer issues • https://cwe.mitre.org/data/definitions/872.html - integer issuess hic 8

  9. warning: potential exam questions coming up hic 9

  10. example vulnerable code m(){ int x = 4; f(); // return_to_m printf (“x is % i ”, x);} f(){ int y = 7; g(); // return_to_f printf (“y+10 is % i ”, y+10);} g(){ char buf[80]; gets(buf); printf(buf); gets(buf);} hic

  11. example vulnerable code An attacker could m(){ 1. first inspect the stack using a int x = 4; malicious format string f(); // return_to_m (entered in first gets and printed with printf ) printf (“x is % i ”, x);} 2. then overflow buf to corrupt the stack f(){ (with the second gets ) int y = 7; g(); // return_to_f printf (“y+10 is % i ”, y+10); } potential g(){ overflow of buf char buf[80]; gets(buf); printf(buf); potential format string attack gets(buf); } hic

  12. example vulnerable code stack m(){ frame for m x 4 int x = 4; f(); // return_to_m return_to_m stack printf (“x is % i ”, x);} fp_m frame for f y `7 f(){ int y = 7; return_to_f g(); // return_to_f fp_f stack printf (“y+10 is % i ”, y+10);} frame buf[70..79] for g ... g(){ ... char buf[80]; buf[0..7] gets(buf); printf(buf); gets(buf);} hic

  13. Normal execution • After completing g execution continues with f from program point return_to_f This will print 17. • After completing f execution continues with main from program point return_to_m This will print 4. If we start smashing the stack different things can happen hic 13

  14. Attack scenario 1 in g() we overflow buf to overwrite values of x or y. • After completing g execution continues with f from program point return_to_f This will print whatever value we gave to y +10. • After completing f execution continues with m from program point return_to_m This will print whatever value we gave to x. Of course, it is easier to overwrite local variables in the current frame than variables in ‘lower’ frames hic 14

  15. Attack scenario 2 In g() we overflow buf to overwrite return address return_to_f with return_to_m • After completing g execution continues with m instead of f but with f ’s stack frame. This will print 7. • After completing m execution continues with m. This will print 4. hic 15

  16. Attack scenario 3 In g() we overflow buf to overwrite frame pointer fp_f with fp_m • After completing g execution continues with f but with m ’s stack frame This will print 14. • After completing f execution continues with whatever code called m. So we never finish the function call m , the remaining part of the code (after the call to f ) will never be executed. hic 16

  17. Attack scenario 4 In g() we overflow buf to overwrite frame pointer fp_f with fp_g • After completing g execution continues with f but with g ’s stack frame. This will print (some bytes of buf +10). • After completing f , execution might continue with f , again with g ’s stack frame, repeating this for ever. This depends on whether the compiled code looks up values from the top of g ’s stack frame, or the bottom of g ’s stack frame. In the latter case the code will jump to some code depending on the contents of buf . hic 17

  18. Attack scenario 5 In g() we overflow buf to overwrite frame pointer fp_f with some pointer into buf • After completing g execution continues with f but with part of buf as stack frame. This will print (some part of buf)+10. • After completing f not clear what will happen... hic 18

  19. Attack scenario 6 In g() we overflow buf to overwrite the return address return_to_f to point in some code somewhere, and the frame pointer to point inside buf. • After completing g execution continues executing that code using part of buf as stack frame. This can do all sorts of things! If we have enough code to choose from, this can do anything we want. Often a return address in some library routine in libc is used, in what is then called a return-to-libc attack. hic 19

  20. Attack scenario 7 In g() we overflow buf to overwrite the return address to point inside buf • After completing g execution continues with whatever code (aka shell code) was written in buf , using f ’s stack frame. This can do anything we want. This is the classic buffer overflow attack discussed last week • You could also overwrite sp_f and supply the attack code with a fake stack frame, but typically the shell code won’t need a stack frame • This attack requires that the computer (OS+ hardware) can be tricked into executing data allocated on the stack. Many systems will no longer execute data (code) on the stack or on the heap – see slide 29 & further on hic 20

  21. Memory segments revisited Normally (always?) the program counter should point somewhere in the code segment stack The attack scenarios discussed in these slides only involved overflowing buffers heap on the stack. global data Buffers allocated on the heap or as global variables (data and bss can also be overflowed to change program segments) behaviour, but to mess with return addresses or frame pointers we need to overflow on the stack code hic 21

  22. Defense mechanisms How do we stop this from happening? Thanks to and for some of thse slides

  23. Defenses Different strategies: • Prevent • Detect • React prevent Ideally, you’d like to prevent problems, but typically you cannot,. The best we can do • detect make it harder for the attacker • mitigate the potential impact • detect attacks and react react hic 23

  24. Defenses at different levels • At program level – to prevent attacks by removing the vulnerabilities • At compiler level – to detect and block exploit attempts • At operating system level – to make the exploitation much more difficult hic 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna University of

Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna University of

Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna University of Technology for some of these slides sws1 1 1 Attacking the stack We have seen how the stack works. Now: lets see how we can abuse this. We have

733 views • 48 slides
Attacking the stack Thanks to SysSec and Secure Systems Labs at Vienna University of Technology

Attacking the stack Thanks to SysSec and Secure Systems Labs at Vienna University of Technology

Attacking the stack Thanks to SysSec and Secure Systems Labs at Vienna University of Technology for some of these slides Attacking the stack We have seen how the stack works. Now: lets see how we can abuse this. We have already seen how code

671 views • 47 slides
y g sws1 1 Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna

y g sws1 1 Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna

Security bug of the week (in iOS and OS X) y g sws1 1 Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna University of Technology for some of these slides sws1 2 2 Attacking the stack g We have seen how the

850 views • 47 slides
Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat Researcher at Trend Micro- research and blogger on criminal underground, persistent threats,

792 views • 44 slides
SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1 Alexander @sh2kerr Polyakov. PCI QSA,PA-QSA 11 We change look but we keep mind Company Digital Security Research Group International

924 views • 59 slides
Stack and Queue Stack Overview Stack ADT Basic operations of stack Pushing, popping

Stack and Queue Stack Overview Stack ADT Basic operations of stack Pushing, popping

Stack and Queue Stack Overview Stack ADT Basic operations of stack Pushing, popping etc. Implementations of stacks using array linked list The Stack ADT A stack is a list with the restriction that insertions and

566 views • 44 slides
The Stack Eric McCreath The Stack The stack is a simple but useful data structure in computer

The Stack Eric McCreath The Stack The stack is a simple but useful data structure in computer

The Stack Eric McCreath The Stack The stack is a simple but useful data structure in computer science. The stack is an abstract data type that has two main operations. These are push which adds an element to the top of the stack and pop which

754 views • 8 slides
Stack ADT Tiziana Ligorio 1 Todays Plan Questons? Stack ADT 2 Abstract Data Types

Stack ADT Tiziana Ligorio 1 Todays Plan Questons? Stack ADT 2 Abstract Data Types

Stack ADT Tiziana Ligorio 1 Todays Plan Questons? Stack ADT 2 Abstract Data Types Bag List Stack 3 Stack 34 A data structure representing a stack of things Objects can be pushed onto the stack or popped from the stack

1.62k views • 116 slides
1 Array-based Stack (2.1.1) Algorithm pop (): if isEmpty () then A simple way of throw

1 Array-based Stack (2.1.1) Algorithm pop (): if isEmpty () then A simple way of throw

Elementary Data Structures Stacks, Queues, Vectors, Lists & Sequences Trees The Stack ADT (2.1.1) The Stack ADT stores arbitrary objects Insertions and deletions Auxiliary stack follow the last-in first-out operations: scheme

473 views • 13 slides
ADT Stack 1 Stacks of Coins and Plates 2 Stacks of Rocks and Books TOP OF THE STACK TOP OF

ADT Stack 1 Stacks of Coins and Plates 2 Stacks of Rocks and Books TOP OF THE STACK TOP OF

ADT Stack 1 Stacks of Coins and Plates 2 Stacks of Rocks and Books TOP OF THE STACK TOP OF THE STACK Add, remove rock and book from the top, or else 3 Stack at logical level A stack is an ADT in which elements add added and

1.06k views • 37 slides
ADT Stack 1 Stacks of Coins and Plates 2 Stacks of Rocks and Books TOP OF THE STACK TOP OF

ADT Stack 1 Stacks of Coins and Plates 2 Stacks of Rocks and Books TOP OF THE STACK TOP OF

ADT Stack 1 Stacks of Coins and Plates 2 Stacks of Rocks and Books TOP OF THE STACK TOP OF THE STACK Add, remove rock and book from the top, or else 3 Stack at logical level A stack is an ADT in which elements add added and

679 views • 19 slides
Call Stack Stack Bottom Memory region managed with stack discipline Procedures and the Call

Call Stack Stack Bottom Memory region managed with stack discipline Procedures and the Call

Call Stack Stack Bottom Memory region managed with stack discipline Procedures and the Call Stack higher %rsp holds lowest stack address addresses (address of "top" element) Topics stack grows Procedures toward lower

76 views • 5 slides
Stack 7 January 2019 OSU CSE 1 Stack The Stack component family allows you to manipulate

Stack 7 January 2019 OSU CSE 1 Stack The Stack component family allows you to manipulate

Stack 7 January 2019 OSU CSE 1 Stack The Stack component family allows you to manipulate strings of entries of any (arbitrary) type in LIFO (last-in-first-out) order A kind of dual to Queue Remember, "first" and

450 views • 33 slides
Compilers Stack Machines Alex Aiken Stack Machines Only storage is a stack An

Compilers Stack Machines Alex Aiken Stack Machines Only storage is a stack An

Compilers Stack Machines Alex Aiken Stack Machines Only storage is a stack An instruction r = F(a 1 ,a n ): Pops n operands from the stack Computes the operation F using the operands Pushes the result r on the stack Alex

362 views • 13 slides
Re-arquitetando o Re-arquitetando o Stack Overflow Stack Overflow ou como construmos o Stack

Re-arquitetando o Re-arquitetando o Stack Overflow Stack Overflow ou como construmos o Stack

Re-arquitetando o Re-arquitetando o Stack Overflow Stack Overflow ou como construmos o Stack Overflow for Teams Roberta Arcoverde 1 /whois /whois recifense programadora h 15 anos principal software developer na stack overflow

711 views • 52 slides
Stack machines (Using slides adapted from the book) Stacks A stack machine maintains an

Stack machines (Using slides adapted from the book) Stacks A stack machine maintains an

Stack machines (Using slides adapted from the book) Stacks A stack machine maintains an unbounded stack of symbols We'll represent these stacks as strings Left end of the string is the top of the stack For example, abc is a stack

406 views • 12 slides
Tor: Anonymous Communications for the US Dept of Defense ... and you. Roger Dingledine The Free

Tor: Anonymous Communications for the US Dept of Defense ... and you. Roger Dingledine The Free

Tor: Anonymous Communications for the US Dept of Defense ... and you. Roger Dingledine The Free Haven Project http://tor.eff.org/ 1 Tor: Big Picture Freely available (Open Source), unencumbered. Comes with a spec and full

1k views • 54 slides
On t On the F he Feas easibilit ibility o y of Re Rerouting-bas based D d DDoS D S Defens

On t On the F he Feas easibilit ibility o y of Re Rerouting-bas based D d DDoS D S Defens

On t On the F he Feas easibilit ibility o y of Re Rerouting-bas based D d DDoS D S Defens nses Mu Muoi Tran , Min Suk Kang, Hsu-Chun Hsiao, Wei-Hsuan Chiang, Shu-Po Tung, Yu-Su Wang May 2019 | San Francisco, CA Transit-link DDoS

548 views • 29 slides
Surveillance Defense Small Easy Steps for Security and Privacy Pete Snyder psnyde2@uic.edu -

Surveillance Defense Small Easy Steps for Security and Privacy Pete Snyder psnyde2@uic.edu -

Surveillance Defense Small Easy Steps for Security and Privacy Pete Snyder psnyde2@uic.edu - peteresnyder.com Surveillance Defense 1. Good Practices 2. System / PC Security 3. Mobile Security 4. Browser Security 5. Secure Networking Tools

443 views • 27 slides
CSE 544 Advanced Systems Security Trent Jaeger Systems and Internet Infrastructure Security

CSE 544 Advanced Systems Security Trent Jaeger Systems and Internet Infrastructure Security

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CSE 544 Advanced Systems Security Trent Jaeger Systems and

651 views • 28 slides
Efficient and Accurate Estimation of Lipschitz Constants for Deep Neural Networks Mahyar Fazlyab,

Efficient and Accurate Estimation of Lipschitz Constants for Deep Neural Networks Mahyar Fazlyab,

Efficient and Accurate Estimation of Lipschitz Constants for Deep Neural Networks Mahyar Fazlyab, Alexander Robey Hamed Hassani, Manfred Morari, George J. Pappas NeurIPS 2019 Lipschitz Constant of Neural Networks Definition: the smallest L

521 views • 8 slides
Gradient Masking in Machine Learning Nicolas Papernot Pennsylvania State University ARO

Gradient Masking in Machine Learning Nicolas Papernot Pennsylvania State University ARO

@NicolasPapernot Gradient Masking in Machine Learning Nicolas Papernot Pennsylvania State University ARO Workshop on Adversarial Machine Learning, Stanford September 2017 @NicolasPapernot Thank you to our collaborators Sandy Huang

432 views • 32 slides
InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy Mengjia Yan, Jiho Choi,

InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy Mengjia Yan, Jiho Choi,

InvisiSpec: Making Speculative Execution Invisible in the Cache Hierarchy Mengjia Yan, Jiho Choi, Dimitrios Skarlatos, Adam Morrison, Christopher W. Fletcher, and Josep Torrellas University of Illinois at Urbana-Champaign Tel Aviv

559 views • 22 slides
Effective Layering of Defenses Nathaniel Boggs, Salvatore J. Stolfo Columbia University

Effective Layering of Defenses Nathaniel Boggs, Salvatore J. Stolfo Columbia University

ALDR: A New Metric for Measuring Effective Layering of Defenses Nathaniel Boggs, Salvatore J. Stolfo Columbia University 12/6/2011 Layered Assurance Workshop 1 Motivation Buy security product X? Am I secure? 12/6/2011 Layered

630 views • 18 slides

More recommend