buffer overflow defenses
play

Buffer overflow defenses Deian Stefan Some slides adopted from - PowerPoint PPT Presentation

Dec 06, 2022 •29 likes •1.33k views

CSE 127: Computer Security Buffer overflow defenses Deian Stefan Some slides adopted from Nadia Heninger, Kirill Levchenko, Stefan Savage, and Stephen Checkoway Today: mitigating buffer overflows Lecture objectives: Understand how to

  1. Perfect for brute forcing • Forked process has same saved ret memory layout and contents as saved ebp 0xbadcaffe parent, including canary values! %ebp 0x41414141 • The fork on crash lets us try 0x41414141 different canary values 0x41414141 %esp

  2. Perfect for brute forcing • Forked process has same saved ret memory layout and contents as saved ebp 0xbadcaffe parent, including canary values! %ebp 0x41414141 • The fork on crash lets us try 0x41414141 different canary values 0x41414141 %esp

  3. Perfect for brute forcing • Forked process has same saved ret memory layout and contents as saved ebp 0xbadcaffe parent, including canary values! %ebp 0x41414141 • The fork on crash lets us try 0x41414141 different canary values 0x41414141 %esp Figured out size of buffer!

  4. Perfect for brute forcing • Forked process has same saved ret memory layout and contents as saved ebp 0xbadcaf41 parent, including canary values! %ebp 0x41414141 • The fork on crash lets us try 0x41414141 different canary values 0x41414141 %esp

  5. Perfect for brute forcing • Forked process has same saved ret memory layout and contents as saved ebp 0xbadcaf41 parent, including canary values! %ebp 0x41414141 • The fork on crash lets us try 0x41414141 different canary values 0x41414141 %esp

  6. Perfect for brute forcing • Forked process has same saved ret memory layout and contents as saved ebp 0xbadcaf42 parent, including canary values! %ebp 0x41414141 • The fork on crash lets us try 0x41414141 different canary values 0x41414141 %esp

  7. Perfect for brute forcing • Forked process has same saved ret memory layout and contents as saved ebp 0xbadcaf42 parent, including canary values! %ebp 0x41414141 • The fork on crash lets us try 0x41414141 different canary values 0x41414141 %esp

  8. Perfect for brute forcing • Forked process has same saved ret memory layout and contents as saved ebp 0xbadcaffe parent, including canary values! %ebp 0x41414141 • The fork on crash lets us try 0x41414141 different canary values 0x41414141 %esp

  9. Perfect for brute forcing • Forked process has same saved ret memory layout and contents as saved ebp 0xbadcaffe parent, including canary values! %ebp 0x41414141 • The fork on crash lets us try 0x41414141 different canary values 0x41414141 %esp

  10. Perfect for brute forcing • Forked process has same saved ret memory layout and contents as saved ebp 0xbadc41fe parent, including canary values! %ebp 0x41414141 • The fork on crash lets us try 0x41414141 different canary values 0x41414141 %esp

  11. Perfect for brute forcing • Forked process has same saved ret memory layout and contents as saved ebp 0xbadc41fe parent, including canary values! %ebp 0x41414141 • The fork on crash lets us try 0x41414141 different canary values 0x41414141 %esp

  12. Perfect for brute forcing • Forked process has same saved ret memory layout and contents as saved ebp 0xbadcaffe parent, including canary values! %ebp 0x41414141 • The fork on crash lets us try 0x41414141 different canary values 0x41414141 %esp

  13. Perfect for brute forcing • Forked process has same saved ret memory layout and contents as saved ebp 0xbadcaffe parent, including canary values! %ebp 0x41414141 • The fork on crash lets us try 0x41414141 different canary values 0x41414141 %esp

  14. Perfect for brute forcing • Forked process has same saved ret memory layout and contents as saved ebp 0xbadcaffe parent, including canary values! %ebp 0x41414141 • The fork on crash lets us try 0x41414141 different canary values 0x41414141 %esp

  15. Perfect for brute forcing • Forked process has same saved ret memory layout and contents as saved ebp 0xbadcaffe parent, including canary values! %ebp 0x41414141 • The fork on crash lets us try 0x41414141 different canary values 0x41414141 %esp

  16. Perfect for brute forcing • Forked process has same saved ret memory layout and contents as saved ebp 0xbadcaffe parent, including canary values! %ebp 0x41414141 • The fork on crash lets us try 0x41414141 different canary values 0x41414141 %esp Figured out size of canary!

  17. Buffer overflow mitigations • Avoid unsafe functions (last lecture) • Stack canaries • Separate control stack • Memory writable or executable, not both (W^X) • Address space layout randomization (ASLR)

  18. Separate control stack Problem: Control data is stored next to data Solution: Bridge the implementation and abstraction gap: 
 separate the control stack User stack arg i+1 Control stack arg i %ebp local 1 saved ret local 2 saved ebp %esp %esp’

  19. Safe stack Problem: Unsafe data structures stored next to control Solution: Move unsafe data structures to separate stack Safe stack arg i+1 arg i Unsafe stack saved ret saved ebp %ebp &i local var buf local var %esp’ %esp

  20. How do we implement these? • There is no actual separate stack, we only have linear memory and loads/store instructions • Put the safe/separate stack in a random place in the address space ➤ Location of control/stack stack is secret

  21. How do we defeat this? Find a function pointer and overwrite it to point to shellcode!

  22. Buffer overflow mitigations • Avoid unsafe functions (last lecture) • Stack canaries • Separate control stack • Memory writable or executable, not both (W^X) • Address space layout randomization (ASLR)

  23. W^X: write XOR execute • Goal: prevent execution of shell code from the stack • Insight: use memory page permission bits ➤ Use MMU to ensure memory cannot be both writeable and executable at same time • Many names for same idea: ➤ XN: eXecute Never ➤ W^X: Write XOR eXecute ➤ DEP: Data Execution Prevention

  24. Recall our memory layout kernel user stack shared libs runtime heap static data segment text segment unused

  25. Recall our memory layout kernel user stack rw shared libs rx runtime heap rw static data rw segment text segment rx unused

  26. Recall our memory layout kernel user stack rw saved ret saved ebp shared libs rx %ebp buf[0-3] runtime heap rw %esp static data rw segment text segment rx unused

  27. Recall our memory layout kernel shellcode user stack rw hijacked ret shared libs rx %ebp runtime heap rw %esp static data rw segment text segment rx unused

  28. Recall our memory layout kernel shellcode user stack rw hijacked ret shared libs rx %ebp runtime heap rw %esp static data rw segment text segment rx unused

  29. W^X tradeoffs • Easy to deploy: No code changes or recompilation • Fast: Enforced in hardware ➤ Downside: what do you do on embedded devices? • Some pages need to be both writeable and executable ➤ Why?

  30. How can we defeat W^X? • Can still write to return address stored on the stack ➤ Jump to existing code • Search executable for code that does what you want ➤ E.g. if program calls system(“/bin/sh”) you’re done ➤ libc is a good source of code (return-into-libc attacks)

  32. Normal system() call &cmd saved ret %esp

  33. Redirecting control flow to system() • We redirected control flow in previous lecture to baz() saved ret saved ebp • Calling system() is the same, %ebp buf[4-7] but need to have argument to buff[0-3] %esp string “/bin/sh” on stack

  34. saved ret saved ebp %ebp buf[4-7] buff[0-3] %esp

  35. saved ret ???? %ebp %esp

  36. &system ???? %ebp %esp

  37. &cmd &exit &system ???? %ebp %esp

  38. “/bin/sh” &cmd &exit &system ???? %ebp %esp

  39. “/bin/sh” &cmd &exit &system ???? %ebp %esp mov %ebp, %esp leave = pop %ebp

  40. “/bin/sh” &cmd &exit &system ???? %esp, %ebp mov %ebp, %esp leave = pop %ebp

  41. %ebp ???? “/bin/sh” &cmd &exit &system %esp ???? mov %ebp, %esp leave = pop %ebp

  42. %ebp ???? “/bin/sh” &cmd &exit &system %esp ???? ret = pop %eip

  43. %ebp ???? “/bin/sh” &cmd &exit %esp &system ???? %eip &system ret = pop %eip

  44. To system this looks like a normal call “/bin/sh” arg0 &cmd saved ret &exit %esp

  45. But I want to execute shellcode, not just call system() !

  46. Can we inject code?

  47. Can we inject code?

  48. Can we inject code? • Just-in-time compilers produce data that becomes executable code • JIT spraying: ➤ 1. Spray heap with shellcode (and NOP slides) ➤ 2. Overflow code pointer to point to spray area

  49. What does JIT shellcode look like?

  50. What does JIT shellcode look like?

  51. What does JIT shellcode look like?

  52. Buffer overflow mitigations • Avoid unsafe functions (last lecture) • Stack canaries • Separate control stack • Memory writable or executable, not both (W^X) • Address space layout randomization (ASLR)

  53. ASLR kernel user stack • Traditional exploits need precise addresses ➤ stack-based overflows: shellcode shared libs ➤ return-into-libc: library addresses • Insight: Make it harder for attacker to runtime heap guess location of shellcode/libc by static data randomizing the address of different segment memory regions text segment unused

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Last time We finished up By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow defenses (and workarounds) Format string vulnerabilities Integer overflow vulnerabilities This time

1.29k views • 80 slides
Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a very common attack mechanism from 1988 Morris Worm to Code Red, Slammer, Sasser and many others prevention techniques known still of major concern

873 views • 53 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow

Last time We continued By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow attacks & other vulnerabilities Overflow defenses Everything youve always wanted to know about

2.41k views • 197 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

This time We will continue By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything youve always wanted to know about gdb but were too afraid to ask Overflow defenses Other memory

1.49k views • 117 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

This time We will continue By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything youve always wanted to know about gdb but were too afraid to ask Overflow defenses Other memory

1.23k views • 95 slides
Buffer Overflow Attacks & Defenses Slides are borrowed from Franziska Roesner @UW and Dawn

Buffer Overflow Attacks & Defenses Slides are borrowed from Franziska Roesner @UW and Dawn

Buffer Overflow Attacks & Defenses Slides are borrowed from Franziska Roesner @UW and Dawn Song @Berkeley Linux (32-bit) process memory layout -0xFFFFFFFF Reserved for Kernal -0xC0000000 user stack %esp shared libraries -0x40000000

994 views • 85 slides
BUFFER OVERFLOW DEFENSES & COUNTERMEASURES CMSC 414 FEB 01 2018 RECALL OUR CHALLENGES

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES CMSC 414 FEB 01 2018 RECALL OUR CHALLENGES

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES CMSC 414 FEB 01 2018 RECALL OUR CHALLENGES How can we make these even more difficult? Putting code into the memory (no zeroes) Finding the return address (guess the raw address)

1.12k views • 94 slides
Software Security: Buffer Overflow Defenses Autumn 2020 Franziska (Franzi) Roesner

Software Security: Buffer Overflow Defenses Autumn 2020 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Autumn 2020 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

234 views • 22 slides
Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner

Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

760 views • 23 slides
Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by

Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by

Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by the Morris Worm in 1988 Prevention techniques known NX bit, stack canaries, ASLR Still of major concern Recent examples:

354 views • 21 slides
Security: Buffer Overflows and Defenses CS 416: Operating Systems Design Department of Computer

Security: Buffer Overflows and Defenses CS 416: Operating Systems Design Department of Computer

Security: Buffer Overflows and Defenses CS 416: Operating Systems Design Department of Computer Science Rutgers University http://www.cs.rutgers.edu/~vinodg/416 Buffer Overflow a very common attack mechanism from 1988 Morris Worm to Code Red,

950 views • 55 slides
Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed

Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed

1 Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed in buffer overflow exploits to create backdoors Execution of additional network services via the INETD daemon The addition of new users

497 views • 30 slides
Buffer Overflow CS461/ECE422 Spring 2012 Reading Material

Buffer Overflow CS461/ECE422 Spring 2012 Reading Material

Buffer Overflow CS461/ECE422 Spring 2012 Reading Material Based on Chapter 11 of the text Outline Buffer Overflow Stack Buffer Overflow Shell

783 views • 28 slides
History of the Stack Overflow Buffer Overflow Understood

History of the Stack Overflow Buffer Overflow Understood

History of the Stack Overflow Buffer Overflow Understood as early as 1972 Computer Security Technology Planning Study Morris Worm First

1.07k views • 42 slides
CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking

CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking

CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking & Loading, continued Buffer Overflow Read: CSAPP2: section 3.12: out-of-bounds memory references & buffer overflow K&R:

775 views • 43 slides
IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A

IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A

IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold.

221 views • 3 slides
Palatini cosmology in different frames Andrzej Borowiec joint work with Aleksander Stachowski

Palatini cosmology in different frames Andrzej Borowiec joint work with Aleksander Stachowski

Cosmological models based on Palatini f ( f ( Dynamics of Palatini gravity in different frames R )-gravity R ) Palatini cosmology Dynamical Palatini cosmology in different frames Andrzej Borowiec joint work with Aleksander Stachowski

1.05k views • 42 slides
Mechanical aspects of the full-scale HV test at PC4 1 month after review Jeff Nelson, William

Mechanical aspects of the full-scale HV test at PC4 1 month after review Jeff Nelson, William

Mechanical aspects of the full-scale HV test at PC4 1 month after review Jeff Nelson, William & Mary HV test weekly meeting 8/18/16 Current Schedule - 7/29/16 (if approved) 4 weeks - 10/27/2016 Freeze design and release

205 views • 8 slides
A More Ambitious Proton EDM Prototype Richard Talman Laboratory for Elementary-Particle Physics

A More Ambitious Proton EDM Prototype Richard Talman Laboratory for Elementary-Particle Physics

1 A More Ambitious Proton EDM Prototype Richard Talman Laboratory for Elementary-Particle Physics Cornell University EDM Task Force, Juelich 19 January, 2018 2 Outline Reduced energy EDM ring on COSY footprint Spin tunes in superimposed

333 views • 30 slides
Spitzer Space Telescope Unprecedented Efficiency and Excellent Science on a Limited Budget Lisa

Spitzer Space Telescope Unprecedented Efficiency and Excellent Science on a Limited Budget Lisa

Spitzer Space Telescope Unprecedented Efficiency and Excellent Science on a Limited Budget Lisa Storrie-Lombardi Manager & Assistant Director for Community Affairs Spitzer Science Center, Caltech ADASS 2011 1 NASAs Infrared Great

448 views • 42 slides
A BSTRACTIONS FOR C OMMUNITY - B ASED A DMINISTRATION Alva L. Couch Assoc. Prof. of Electrical

A BSTRACTIONS FOR C OMMUNITY - B ASED A DMINISTRATION Alva L. Couch Assoc. Prof. of Electrical

LISA-96 Oct 4, 1996 Effective Abstractions for Community-Based Administration SLINK: S IMPLE , E FFECTIVE F ILESYSTEM M AINTENANCE A BSTRACTIONS FOR C OMMUNITY - B ASED A DMINISTRATION Alva L. Couch Assoc. Prof. of Electrical Engineering and

478 views • 13 slides
Systems More Sequential Circuits Shankar Balachandran* Associate Professor, CSE Department

Systems More Sequential Circuits Shankar Balachandran* Associate Professor, CSE Department

Spring 2015 Week 5 Module 26 Digital Circuits and Systems More Sequential Circuits Shankar Balachandran* Associate Professor, CSE Department Indian Institute of Technology Madras *Currently a Visiting Professor at IIT Bombay Frequency

494 views • 14 slides
Chapter 7: Communication Techniques EET-223: RF Communication Circuits Walter Lara Basic

Chapter 7: Communication Techniques EET-223: RF Communication Circuits Walter Lara Basic

Chapter 7: Communication Techniques EET-223: RF Communication Circuits Walter Lara Basic Frequency Synthesizer Often a highly accurate and programmable frequency source is needed (function generators, spectrum analyzers, communication

152 views • 3 slides
MSP430 Clock System and Timer College of Computer and Information Science , Northeastern

MSP430 Clock System and Timer College of Computer and Information Science , Northeastern

MSP430 Clock System and Timer College of Computer and Information Science , Northeastern University References: Texas Instruments, MSP430x1xx Family Users Guide Texas Instruments, MSP430x15x, MSP430x16x, MSP430x161x MIXED SIGNAL

361 views • 22 slides

More recommend