attacking the stack
play

Attacking the stack Thanks to SysSec and Secure Systems Labs at - PowerPoint PPT Presentation

Nov 06, 2023 •193 likes •671 views

Attacking the stack Thanks to SysSec and Secure Systems Labs at Vienna University of Technology for some of these slides Attacking the stack We have seen how the stack works. Now: lets see how we can abuse this. We have already seen how code

  1. Attacking the stack Thanks to SysSec and Secure Systems Labs at Vienna University of Technology for some of these slides

  2. Attacking the stack We have seen how the stack works. Now: let’s see how we can abuse this. We have already seen how code (incl. malware) can deliberately do ‘strange things’, • accessing raw memory representations • manipulate memory anywhere on the heap and stack Now: let’s see how benign, but buggy code can be manipulated into doing strange things by malicious input We’ll show two techniques for this 1. buffer overflows 2. format strings attacks hic 2

  3. Attacking the stack Goals for an attacker 1. leaking data - eg HeartBleed, or just last week Cloudbleed 2. corrupting data 3. corrupting program execution This can be 3a) crashing 3b) doing something more interesting In CIA terminology , such attacks result in breaking 1. confidentiality of data 2. integrity of data integrity of program in execution (ie the “process”) 3. 4. availability of data or the process (if data is destroyed or program crashes) hic 3

  4. Format string attacks hic 4

  5. Format strings attacks • Format string attacks were only discovered (invented?) in 2000, after people had been programming in C for over 25 years! • These attacks allow an attacker to read or to corrupt the stack • Not such a big problem as buffer overflows, as potential for format string attacks is easy to spot and remove – format attacks should be history by now... • Still, a great example of how some harmless looking code can turn out to be vulnerable hic 5

  6. Leaking data int main( int argc, char** argv) int pincode = 1234; printf(argv[1]); } This program echoes the first program argument. hic 6

  7. Aside on main(int argc, char** argv) argc is the numbers of arguments, argv are the argument values. argv has type is a char**, so it is a pointer to a pointer to a char *argv has type char* (ie a string) **argv has type char and using pointer arithmetic argv[i] has type char* , ie a string argv[i][j] has type char , So effectively argv is an array of strings, or a 2-dimensional array of char ’s Note that • when you call an executable from the command line, then argv[0] is the name of the executable, and argv[1] is the first real argument • char** argv can also be written as char **argv hic 7

  8. format strings for printf , using the % character printf( ”j is % i.\ n” , j); // %i to print integer value printf( ”j is %x in hex. \ n” , j); // %x to print 4-byte hexadecimal value ”j is % i ” is called a format string Other printing functions, eg snprintf , also accept format strings. Any guess what printf (”j is %x in hex”); does ? It will print the top 4 bytes of the stack hic 8

  9. Leaking data with format string attack int main( int argc, char** argv) int pincode = 1234; printf(argv[1]); } This program may leak information from the stack when given malicious input , namely an argument that contains special control characters , which are interpreted by printf Eg supplying %x%x%x as input will dump top 12 bytes of the stack hic 9

  10. Leaking data from memory – using strings printf( ”j is %s. \ n” , str); // %s to print a string, ie a char* Any guess what printf (”j is %s in hex”); // %s instead of %i does ? It will interpret the top of the stack as a pointer (an address) and will print the string allocated in memory at that address Of course, there might not be a string allocated at that address, and printf simply prints whatever is in memory up to next null terminator hic 10

  11. Corrupting data with format string attack int j; char* msg; ... printf ( ”how long is %s anyway %n” , msg, &j); %n causes the number of characters printed to be written to j, here it will write 20+length(msg) Any guess what printf (”how long is this %n”); does ? It interprets the top of the stack as an address, and writes a value there hic 11

  12. Example malicious format strings Interesting inputs for the string str to attack printf(str) • %x%x%x%x%x%x%x%x will print bytes from the top of the stack • %p%p%p%p%p%p%p%p will print these bytes as pointer values • %s will interpret the top bytes of the stack as an address X, and then prints the string starting at that address A in memory, ie. it dumps all memory from A up to the next null terminator • %n will interpret the top bytes of the stack as an address X, and then writes the number of characters output so far to that address hic 12

  13. Example really malicious format strings An attacker can try to control which address X is used for reading from memory using %s or for writing to memory using %n with specially crafted format strings of the form • \xEF\xCD\xCD\xAB %x %x ... %x %s With the right number of %x characters, this will print the string located at memory address ABCDCDEF • \xEF\xCD\xCD\xAB %x %x ... %x %n With the right number of %x characters, this will write the number of characters printed so far to memory address ABCDCDEF The tricky things are inserting the right number of %x , and choosing an interesting address hic 13

  14. stack layout for printf printf (”blah blah %i %i ”, a, b) Recall: string is written upwards %i %i blah blah .... 2nd %i : print this value b 1st %i : print this value a pointer to string hic 14

  15. stack layout for really malicious strings printf (“ \xEF\xCD\xCD\xAB %x %x ... %x %s”); With the right number of %x 's, this will print the string located at address ABCDCDEF %s %x %x %x use this as address for %s EF CD CD AB ... 2nd %x : print this value 1st %x : print this value pointer to string hic 15

  16. Format strings attacks are easy to get rid of! • Potentially vulnerable code is easy to spot // unsafe printf(str); printf("Some string literal"); printf("Some integer %i",n); // safe equivalent printf("%s",str); • Only the first statement is potentially vulnerable – namely, if string is or contains user-supplied input aka string is untrusted or tainted • First and last statement have same effect, so unsafe first statement can be replaced by the safe last statement, getting rid of any format string vulnerabilities • This has to be done for all functions in the ..print.. family hic 16

  17. buffer overflows hic 17

  18. Buffer overflows It is easy to make mistakes using arrays, pointers and strings, and accidentally read or write memory you shouldn't • going outside array bounds • copying a string into buffer where it does not fit • having a string without a NULL terminator – string operations, such as printf and strcopy , assume there is a NULL, and will go off the rails if there is none • having a pointer pointing to the wrong place, eg – a stale pointer that points to memory that has been freed – a mistake in your pointer arithmetic – ... hic 18

  19. Typical string problem – incorrect buffer length void vulnerable(char *s){ char buffer[10]; strcpy(buffer, s); // copy s into buffer } void main( int argc, char** argv) { vulnerable(argv[1]); // argv[1] is first command line argument } What can go wrong here? Buffer overflow in strcpy may corrupt the stack, with user input hic 19

  20. Typical string problem: using gets int main(int argc, char** archv i){ char *msg = "hello"; f(); printf("%s", msg); } int f(){ char p[20]; int j; gets(p); return 1; } What can go wrong here? gets reads user input until the first NULL character. The program has no way of knowing how long this string will be. The stack can be corrupted with user input! hic 20

  21. recall: the stack stack Stack during call to f frame int i for main main(int i){ char *msg ="hello"; char *msg f(); int return value print ("%s", msg); } return address saved frame pointer frame pointer int f(){ stack frame char p[20]; for int j; f() gets(p); char p[ ] return 1; } int j stack pointer hic 22

  22. Corrupting the stack (1) stack What if we overrun p frame int i for and to set return address main to point to some existing code, say inside a function g() ? char *msg int return value When f returns, corrupted execution will resume saved frame pointer with executing g instead stack of main frame for f() char p[ ] int j hic 23

  23. Corrupting the stack (2) stack What if we overrun p frame int i for to set return address main to point inside p? char *msg When f returns, int return value execution will resume corrupted ret with what is written in p , saved frame pointer interpreted as machine stack code frame for f() char p[ ] int j hic 24

  24. Corrupting the stack (3) stack What if we overrun p frame int i for to set saved frame pointer main to point inside p? char *msg When f returns, int return value execution of main will resume, return address but interpreting wrong part corrupted fp of the stack as stack frame stack for main frame for f() char p[ ] int j hic 25

  25. Corrupting the stack (4) stack What if we overrun p frame int i for and to set return address main to point to some existing code, say inside a function g(), char *msg and to set saved frame int return value pointer to point inside p? corrupted ret corrupted fp When f returns, stack execution will resume frame for with executing g instead f() of main and char p[ ] interpreting stack starting at p as a stack frame for g int j hic 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna University of

Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna University of

Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna University of Technology for some of these slides sws1 1 1 Attacking the stack We have seen how the stack works. Now: lets see how we can abuse this. We have

733 views • 48 slides
Attacking the stack (continued) hic 1 1 Firefox bugs this morning hic 2 Last week

Attacking the stack (continued) hic 1 1 Firefox bugs this morning hic 2 Last week

Attacking the stack (continued) hic 1 1 Firefox bugs this morning hic 2 Last week Using buffer overruns or format string attacks to read out or corrupt the stack, esp. the control data on the stack: frame pointers and return

647 views • 42 slides
y g sws1 1 Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna

y g sws1 1 Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna

Security bug of the week (in iOS and OS X) y g sws1 1 Attacking the stack Thanks to SysSec and Int. Secure Systems Labs at Vienna University of Technology for some of these slides sws1 2 2 Attacking the stack g We have seen how the

850 views • 47 slides
Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat

Who Whos Really Attacking Y s Really Attacking Your our #WHOAMI Threat Researcher at Trend Micro- research and blogger on criminal underground, persistent threats,

792 views • 44 slides
SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1

SAP Security: Attacking SAP users Attacking SAP users with sapsploit eXtended 1.1 Xt d d 1 1 Alexander @sh2kerr Polyakov. PCI QSA,PA-QSA 11 We change look but we keep mind Company Digital Security Research Group International

924 views • 59 slides
Stack and Queue Stack Overview Stack ADT Basic operations of stack Pushing, popping

Stack and Queue Stack Overview Stack ADT Basic operations of stack Pushing, popping

Stack and Queue Stack Overview Stack ADT Basic operations of stack Pushing, popping etc. Implementations of stacks using array linked list The Stack ADT A stack is a list with the restriction that insertions and

566 views • 44 slides
The Stack Eric McCreath The Stack The stack is a simple but useful data structure in computer

The Stack Eric McCreath The Stack The stack is a simple but useful data structure in computer

The Stack Eric McCreath The Stack The stack is a simple but useful data structure in computer science. The stack is an abstract data type that has two main operations. These are push which adds an element to the top of the stack and pop which

754 views • 8 slides
Stack ADT Tiziana Ligorio 1 Todays Plan Questons? Stack ADT 2 Abstract Data Types

Stack ADT Tiziana Ligorio 1 Todays Plan Questons? Stack ADT 2 Abstract Data Types

Stack ADT Tiziana Ligorio 1 Todays Plan Questons? Stack ADT 2 Abstract Data Types Bag List Stack 3 Stack 34 A data structure representing a stack of things Objects can be pushed onto the stack or popped from the stack

1.62k views • 116 slides
1 Array-based Stack (2.1.1) Algorithm pop (): if isEmpty () then A simple way of throw

1 Array-based Stack (2.1.1) Algorithm pop (): if isEmpty () then A simple way of throw

Elementary Data Structures Stacks, Queues, Vectors, Lists & Sequences Trees The Stack ADT (2.1.1) The Stack ADT stores arbitrary objects Insertions and deletions Auxiliary stack follow the last-in first-out operations: scheme

473 views • 13 slides
ADT Stack 1 Stacks of Coins and Plates 2 Stacks of Rocks and Books TOP OF THE STACK TOP OF

ADT Stack 1 Stacks of Coins and Plates 2 Stacks of Rocks and Books TOP OF THE STACK TOP OF

ADT Stack 1 Stacks of Coins and Plates 2 Stacks of Rocks and Books TOP OF THE STACK TOP OF THE STACK Add, remove rock and book from the top, or else 3 Stack at logical level A stack is an ADT in which elements add added and

1.06k views • 37 slides
ADT Stack 1 Stacks of Coins and Plates 2 Stacks of Rocks and Books TOP OF THE STACK TOP OF

ADT Stack 1 Stacks of Coins and Plates 2 Stacks of Rocks and Books TOP OF THE STACK TOP OF

ADT Stack 1 Stacks of Coins and Plates 2 Stacks of Rocks and Books TOP OF THE STACK TOP OF THE STACK Add, remove rock and book from the top, or else 3 Stack at logical level A stack is an ADT in which elements add added and

679 views • 19 slides
Call Stack Stack Bottom Memory region managed with stack discipline Procedures and the Call

Call Stack Stack Bottom Memory region managed with stack discipline Procedures and the Call

Call Stack Stack Bottom Memory region managed with stack discipline Procedures and the Call Stack higher %rsp holds lowest stack address addresses (address of "top" element) Topics stack grows Procedures toward lower

76 views • 5 slides
Stack 7 January 2019 OSU CSE 1 Stack The Stack component family allows you to manipulate

Stack 7 January 2019 OSU CSE 1 Stack The Stack component family allows you to manipulate

Stack 7 January 2019 OSU CSE 1 Stack The Stack component family allows you to manipulate strings of entries of any (arbitrary) type in LIFO (last-in-first-out) order A kind of dual to Queue Remember, "first" and

450 views • 33 slides
Compilers Stack Machines Alex Aiken Stack Machines Only storage is a stack An

Compilers Stack Machines Alex Aiken Stack Machines Only storage is a stack An

Compilers Stack Machines Alex Aiken Stack Machines Only storage is a stack An instruction r = F(a 1 ,a n ): Pops n operands from the stack Computes the operation F using the operands Pushes the result r on the stack Alex

362 views • 13 slides
Re-arquitetando o Re-arquitetando o Stack Overflow Stack Overflow ou como construmos o Stack

Re-arquitetando o Re-arquitetando o Stack Overflow Stack Overflow ou como construmos o Stack

Re-arquitetando o Re-arquitetando o Stack Overflow Stack Overflow ou como construmos o Stack Overflow for Teams Roberta Arcoverde 1 /whois /whois recifense programadora h 15 anos principal software developer na stack overflow

711 views • 52 slides
Stack machines (Using slides adapted from the book) Stacks A stack machine maintains an

Stack machines (Using slides adapted from the book) Stacks A stack machine maintains an

Stack machines (Using slides adapted from the book) Stacks A stack machine maintains an unbounded stack of symbols We'll represent these stacks as strings Left end of the string is the top of the stack For example, abc is a stack

406 views • 12 slides
# of true positives true positive rate = # of known positives (Proportion of actual positives

# of true positives true positive rate = # of known positives (Proportion of actual positives

True positive rate (Sensitivity) # of true positives true positive rate = # of known positives (Proportion of actual positives that are correctly identified) True negative rate (Specificity) # of true negatives true negative rate = # of known

475 views • 24 slides
Green Chemistry Student Resources Examples of What You Can Do! Lead or Join a Student led

Green Chemistry Student Resources Examples of What You Can Do! Lead or Join a Student led

beyondbenign green chemistry education Green Chemistry Student Resources Examples of What You Can Do! Lead or Join a Student led initiative ACS-GCI- encourage your Chemistry Club to get a green chemistry award Encourage your Chemistry

255 views • 7 slides
Analyzing Federated Learning through an Adversarial Lens Arjun Nitin Bhagoji 1 , Supriyo

Analyzing Federated Learning through an Adversarial Lens Arjun Nitin Bhagoji 1 , Supriyo

Analyzing Federated Learning through an Adversarial Lens Arjun Nitin Bhagoji 1 , Supriyo Chakraborty 2 , Prateek Mittal 1 and Seraphin Calo 2 1 Princeton University 2 IBM Research ICML 2019 Federated learning (with a malicious agent) Federated

1.46k views • 59 slides
You Wont Believe It: Exploring the Advertising Ecosystem of Fake News Websites Catherine Han

You Wont Believe It: Exploring the Advertising Ecosystem of Fake News Websites Catherine Han

You Wont Believe It: Exploring the Advertising Ecosystem of Fake News Websites Catherine Han Allen Tong CS 261N 1 Misinformation Flavors: Deception 2 Misinformation Flavors: Junk Science 3 Misinformation Flavors: Unreliable Clickbait 4

556 views • 24 slides
AccessMiner: Using System-Centric Models for Malware Protection Andrea Lanzi 1 Davide Balzarotti 1

AccessMiner: Using System-Centric Models for Malware Protection Andrea Lanzi 1 Davide Balzarotti 1

AccessMiner: Using System-Centric Models for Malware Protection Andrea Lanzi 1 Davide Balzarotti 1 Christopher Kruegel 2 Mihai Christodorescu 3 Engin Kirda 1 1 Institute Eurecom 2 UC Santa Barbara 3 IBM T.J. Watson Research 17th ACM Conference on

545 views • 43 slides
A Multiversion Programming Inspired Approach to Detecting Audio Adversarial Examples Qiang Zeng ,

A Multiversion Programming Inspired Approach to Detecting Audio Adversarial Examples Qiang Zeng ,

A Multiversion Programming Inspired Approach to Detecting Audio Adversarial Examples Qiang Zeng , Jianhai Su, Chenglong Fu, Golam Kayas, Lannan Luo, Xiaojiang Du, Chiu C. Tan, and Jie Wu DSN 2019 2 3 Audio AE generation Open the front

353 views • 20 slides
HEAP BGP Observatory Johannes Zirngibl, Patrick Sattler, Markus Sosnowski, Georg Carle

HEAP BGP Observatory Johannes Zirngibl, Patrick Sattler, Markus Sosnowski, Georg Carle

Chair of Network Architectures and Services Department of Informatics Technical University of Munich HEAP BGP Observatory Johannes Zirngibl, Patrick Sattler, Markus Sosnowski, Georg Carle Acknowledgements: Johann Schlamp, Ralph Holz, Quentin

223 views • 10 slides
Forensic Markers of Elder Abuse Laura Mosqueda, M.D. Chair and Professor of Family Medicine and

Forensic Markers of Elder Abuse Laura Mosqueda, M.D. Chair and Professor of Family Medicine and

Forensic Markers of Elder Abuse Laura Mosqueda, M.D. Chair and Professor of Family Medicine and Geriatrics Keck School of Medicine of USC University of Southern California The Game Plan Introductory comments Age-related changes and how

417 views • 27 slides

More recommend