buffer overflow
play

Buffer Overflow Attacks & Defenses Slides are borrowed from - PowerPoint PPT Presentation

Feb 24, 2024 •130 likes •994 views

Buffer Overflow Attacks & Defenses Slides are borrowed from Franziska Roesner @UW and Dawn Song @Berkeley Linux (32-bit) process memory layout -0xFFFFFFFF Reserved for Kernal -0xC0000000 user stack %esp shared libraries -0x40000000

  1. Buffer Overflow Attacks & Defenses Slides are borrowed from Franziska Roesner @UW and Dawn Song @Berkeley

  10. Linux (32-bit) process memory layout -0xFFFFFFFF Reserved for Kernal -0xC0000000 user stack %esp shared libraries -0x40000000 brk run time heap static data segment Loaded from exec text segment (program) -0x08048000 unused -0x00000000

  11. Registers • %esp current stack pointer • %ebp base pointer for the current stack frame

  12. Registers • When you call a function, typically space is reserved on the stack for local variables. • This space is usually referenced via %ebp (all local variables and function parameters are a known constant offset from this register for the duration of the function call.)

  13. Registers • %esp , on the other hand, will change during the function call as other functions are called, or as temporary stack space is used for partial operation results. • Most compilers have an option to reference all local variables through %esp . This frees up %ebp for use as a general purpose register • So %ebp will point to the top of you stack, and %esp will point to the next available byte on the stack (Stacks usually – but not necessarily – grow down in memory.)

  14. Stack Frame -0xC0000000 To previous stack frame pointer user stack arguments return address stack frame pointer exception handlers shared libraries To the point at which -0x40000000 this function was called local variables run time heap callee saved registers static data segment text segment (program) -0x08048000 unused -0x00000000

  15. Stack Frame 1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i ]!=‘ \ 0’ && in[ i ]!=‘n’) { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: buf[i ] = ‘ \ 0’; 8:} 9:int parse(FILE *fp) { 10: char buf[5], *url, cmd[128]; 11: fread(cmd, 1, 128, fp); 12: int header_ok = 0; 13: if (cmd [0] == ‘G’) 14: if (cmd [1] == ‘E’) 15: if (cmd [2] == ‘T’) 16: if (cmd [3] == ‘ ’) 17: header_ok = 1; 18: if (!header_ok) return -1; 19: url = cmd + 4; 20: copy_lower(url, buf); 21: printf (‚Location is %s \ n‛, buf); 22: return 0; } A quick example to illustrate multiple stack frames

  16. Viewing Stack Frame with GDB Our example modified to include a main function Compile: parse.c gcc – g parse.c – o parse 1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i ]!=‘ \ 0’ && in[ i ]!=‘n’) { 4: out[i] = tolower(in[i]); Run: 5: i++; ./parse 6: } 7: buf[i ] = ‘ \ 0’; 8:} 9:int parse(FILE *fp) { 10: char buf[5], *url, cmd[128]; Debug: 11: fread(cmd, 1, 128, fp); 12: int header_ok = 0; We can debug using gdb. 13: if (cmd [0] == ‘G’) gdb parse 14: if (cmd [1] == ‘E’) 15: if (cmd [2] == ‘T’) 16: if (cmd [3] == ‘ ’) Then we can take a look at the stack. 17: header_ok = 1; 18: if (!header_ok) return -1; (gdb) break 7 19: url = cmd + 4; 20: copy_lower(url, buf); (gdb) run 21: printf (‚Location is %s \ n‛, buf); (gdb) x/64x $esp 22: return 0; } 23: /** main to load a file and run parse */

  17. Viewing Stack Frame with GDB Our running example modified to illustrate multiple stack frames Debug: parse.c (gdb) x/64x $esp

  18. What are buffer overflows? parse’s parse.c frame 1:void copy_lower (char* in, char* out) { 2: int i = 0; 0xbffff760 0x0804a008 args fp 3: while (in[i ]!=‘ \ 0’ && in[ i ]!=‘n’) { 0xbffff75c return address 0x080485a2 ret address 4: out[i] = tolower(in[i]); 5: i++; stack frame ptr 0xbffff758 0xbffff778 frame ptr 6: } 0xbffff74c 7: buf[i ] = ‘ \ 0’; 0xbffff6c4 url 8:} 0xbffff748 0x00000001 header_ok 0xbffff744 0xbfef20dc buf[4] 9:int parse(FILE *fp) { 0xbffff740 0xbf02224c local variables buf[3,2,1,0] 10: char buf[5], *url, cmd[128]; 0xbffff73c 0x00000000 11: fread(cmd, 1, 256, fp); cmd[128,127,126,125] . . . . 12: int header_ok = 0; . . . . . . . 0xbffff6c4 0x41414141 . cmd[7,6,5,4] 0xbffff6c0 19: url = cmd + 4; 0x20544547 cmd[3,2,1,0] 20: copy_lower(url, buf); 0xbffff74c callee saved 0xbffff6c4 url 21: printf (‚Location is %s \ n‛, buf); 0xbffff748 0x00000001 header_ok registers 22: return 0; } 23: /** main to load a file and run parse */ out 0xbffff6b4 0xbffff740 args in 0xbffff6b0 0xbffff6c4 (input file) file ret address return address 0xbffff6ac 0x080485a2 GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA frame ptr 0xbffff6a8 stack frame ptr 0xbffff758 local variables i 0xbffff69c 0x00000000 callee saved copy_lower’s registers frame (Unallocated)

  19. What are buffer overflows? parse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 0xbffff760 0x0804a008 fp 3: while (in[i ]!=‘ \ 0’ && in[ i ]!=‘n’) { 0xbffff75c return address 0x080485a2 4: out[i] = tolower(in[i]); 5: i++; stack frame ptr 0xbffff758 0xbffff778 6: } 0xbffff74c 7: buf[i ] = ‘ \ 0’; 0xbffff6c4 url 8:} 0xbffff748 0x00000001 header_ok 0xbffff744 0xbfef20dc buf[4] 9:int parse(FILE *fp) { 0xbffff740 0xbf022261 buf[3,2,1,0] 10: char buf[5], *url, cmd[128]; 0xbffff73c 0x00000000 11: fread(cmd, 1, 256, fp); cmd[128,127,126,125] . . . . 12: int header_ok = 0; . . . . . . . 0xbffff6c4 0x41414141 . cmd[7,6,5,4] 0xbffff6c0 19: url = cmd + 4; 0x20544547 cmd[3,2,1,0] 20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url 21: printf (‚Location is %s \ n‛, buf); 0xbffff748 0x00000001 header_ok 22: return 0; } 23: /** main to load a file and run parse */ out 0xbffff6b4 0xbffff740 in 0xbffff6b0 0xbffff6c4 (input file) file return address 0xbffff6ac 0x080485a2 GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0xbffff6a8 stack frame ptr 0xbffff758 i 0xbffff69c 0x00000000 (Unallocated)

  20. What are buffer overflows? parse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 0xbffff760 0x0804a008 fp 3: while (in[i ]!=‘ \ 0’ && in[ i ]!=‘n’) { 0xbffff75c return address 0x080485a2 4: out[i] = tolower(in[i]); 5: i++; stack frame ptr 0xbffff758 0xbffff778 6: } 0xbffff74c 7: buf[i ] = ‘ \ 0’; 0xbffff6c4 url 8:} 0xbffff748 0x00000001 header_ok 0xbffff744 0xbfef20dc buf[4] 9:int parse(FILE *fp) { 0xbffff740 0xbf026161 buf[3,2,1,0] 10: char buf[5], *url, cmd[128]; 0xbffff73c 0x00000000 11: fread(cmd, 1, 256, fp); cmd[128,127,126,125] . . . . 12: int header_ok = 0; . . . . . . . 0xbffff6c4 0x41414141 . cmd[7,6,5,4] 0xbffff6c0 19: url = cmd + 4; 0x20544547 cmd[3,2,1,0] 20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url 21: printf (‚Location is %s \ n‛, buf); 0xbffff748 0x00000001 header_ok 22: return 0; } 23: /** main to load a file and run parse */ out 0xbffff6b4 0xbffff740 in 0xbffff6b0 0xbffff6c4 (input file) file return address 0xbffff6ac 0x080485a2 GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0xbffff6a8 stack frame ptr 0xbffff758 i 0xbffff69c 0x00000001 (Unallocated)

  21. What are buffer overflows? parse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 0xbffff760 0x0804a008 fp 3: while (in[i ]!=‘ \ 0’ && in[ i ]!=‘n’) { 0xbffff75c return address 0x080485a2 4: out[i] = tolower(in[i]); 5: i++; stack frame ptr 0xbffff758 0xbffff778 6: } 0xbffff74c 7: buf[i ] = ‘ \ 0’; 0xbffff6c4 url 8:} 0xbffff748 0x00000001 header_ok 0xbffff744 0xbfef20dc buf[4] 9:int parse(FILE *fp) { 0xbffff740 0xbf616161 buf[3,2,1,0] 10: char buf[5], *url, cmd[128]; 0xbffff73c 0x00000000 11: fread(cmd, 1, 256, fp); cmd[128,127,126,125] . . . . 12: int header_ok = 0; . . . . . . . 0xbffff6c4 0x41414141 . cmd[7,6,5,4] 0xbffff6c0 19: url = cmd + 4; 0x20544547 cmd[3,2,1,0] 20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url 21: printf (‚Location is %s \ n‛, buf); 0xbffff748 0x00000001 header_ok 22: return 0; } 23: /** main to load a file and run parse */ out 0xbffff6b4 0xbffff740 in 0xbffff6b0 0xbffff6c4 (input file) file return address 0xbffff6ac 0x080485a2 GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0xbffff6a8 stack frame ptr 0xbffff758 i 0xbffff69c 0x00000002 (Unallocated)

  22. What are buffer overflows? parse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 0xbffff760 0x0804a008 fp 3: while (in[i ]!=‘ \ 0’ && in[ i ]!=‘n’) { 0xbffff75c return address 0x080485a2 4: out[i] = tolower(in[i]); 5: i++; stack frame ptr 0xbffff758 0xbffff778 6: } 0xbffff74c 7: buf[i ] = ‘ \ 0’; 0xbffff6c4 url 8:} 0xbffff748 0x00000001 header_ok 0xbffff744 0xbfef20dc buf[4] 9:int parse(FILE *fp) { 0xbffff740 0x61616161 buf[3,2,1,0] 10: char buf[5], *url, cmd[128]; 0xbffff73c 0x00000000 11: fread(cmd, 1, 256, fp); cmd[128,127,126,125] . . . . 12: int header_ok = 0; . . . . . . . 0xbffff6c4 0x41414141 . cmd[7,6,5,4] 0xbffff6c0 19: url = cmd + 4; 0x20544547 cmd[3,2,1,0] 20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url 21: printf (‚Location is %s \ n‛, buf); 0xbffff748 0x00000001 header_ok 22: return 0; } 23: /** main to load a file and run parse */ out 0xbffff6b4 0xbffff740 in 0xbffff6b0 0xbffff6c4 (input file) file return address 0xbffff6ac 0x080485a2 GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0xbffff6a8 stack frame ptr 0xbffff758 i 0xbffff69c 0x00000003 (Unallocated)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by

Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by

Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by the Morris Worm in 1988 Prevention techniques known NX bit, stack canaries, ASLR Still of major concern Recent examples:

354 views • 21 slides
Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed

Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed

1 Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed in buffer overflow exploits to create backdoors Execution of additional network services via the INETD daemon The addition of new users

497 views • 30 slides
Buffer Overflow CS461/ECE422 Spring 2012 Reading Material

Buffer Overflow CS461/ECE422 Spring 2012 Reading Material

Buffer Overflow CS461/ECE422 Spring 2012 Reading Material Based on Chapter 11 of the text Outline Buffer Overflow Stack Buffer Overflow Shell

783 views • 28 slides
History of the Stack Overflow Buffer Overflow Understood

History of the Stack Overflow Buffer Overflow Understood

History of the Stack Overflow Buffer Overflow Understood as early as 1972 Computer Security Technology Planning Study Morris Worm First

1.07k views • 42 slides
CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking

CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking

CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking & Loading, continued Buffer Overflow Read: CSAPP2: section 3.12: out-of-bounds memory references & buffer overflow K&R:

775 views • 43 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Last time We finished up By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow defenses (and workarounds) Format string vulnerabilities Integer overflow vulnerabilities This time

1.29k views • 80 slides
IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A

IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A

IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold.

221 views • 3 slides
Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a very common attack mechanism from 1988 Morris Worm to Code Red, Slammer, Sasser and many others prevention techniques known still of major concern

873 views • 53 slides
Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Last time We continued By launching our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow fundamentals This time We will finish up By looking at Buffer Overflow overflows

1.33k views • 103 slides
Buffer Overflow EXAMPLE CASE STUDY WALKTHROUGH PADRAIGNIX 12/09/2019 Agenda ELF file format

Buffer Overflow EXAMPLE CASE STUDY WALKTHROUGH PADRAIGNIX 12/09/2019 Agenda ELF file format

Buffer Overflow EXAMPLE CASE STUDY WALKTHROUGH PADRAIGNIX 12/09/2019 Agenda ELF file format layout Buffer Overflow theory Example code Initial Investigation / Assembly Registers Tooling Fuzzing Shellcode /

700 views • 16 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow

Last time We continued By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow attacks & other vulnerabilities Overflow defenses Everything youve always wanted to know about

2.41k views • 197 slides
VOTD: Buffer Overflow Engineering Secure Software Last Revised: August 17, 2020 SWEN-331:

VOTD: Buffer Overflow Engineering Secure Software Last Revised: August 17, 2020 SWEN-331:

VOTD: Buffer Overflow Engineering Secure Software Last Revised: August 17, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 What is Buffer Overflow? Writing data outside of the intended buffer (memory space) SWEN-331:

298 views • 6 slides
More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester

More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester

More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester Rebeiro Indian Institute of Technology Madras Buffer Overreads 2 Buffer Overread Example 3 Buffer Overread Example len read from command line

906 views • 76 slides
Delta Pointers: Buffer Overflow Checks Without the Checks Tadde us Kroes & Koen Koning

Delta Pointers: Buffer Overflow Checks Without the Checks Tadde us Kroes & Koen Koning

Delta Pointers: Buffer Overflow Checks Without the Checks Tadde us Kroes & Koen Koning Erik van der Kouwe Herbert Bos Cristiano Giuffrida June 19, 2018 Preview buffer[10] secret 2 Preview buffer[10] secret buffer[5] 2 Preview

934 views • 74 slides
Software Vulnerability I Presenter: Yinzhi Cao Lehigh University Overview Buffer Overflow

Software Vulnerability I Presenter: Yinzhi Cao Lehigh University Overview Buffer Overflow

CSE350/450 Lehigh University Fall 2016 Software Vulnerability I Presenter: Yinzhi Cao Lehigh University Overview Buffer Overflow Shellcode Heap Overflow Format Strings Return-oriented Programming Metasploit 101 Anatomy of the Stack

1.83k views • 124 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

This time We will continue By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything youve always wanted to know about gdb but were too afraid to ask Overflow defenses Other memory

1.49k views • 117 slides
Discrete Mathematics in Computer Science B2. Countable Sets Malte Helmert, Gabriele R oger

Discrete Mathematics in Computer Science B2. Countable Sets Malte Helmert, Gabriele R oger

Discrete Mathematics in Computer Science B2. Countable Sets Malte Helmert, Gabriele R oger University of Basel September 30, 2020 Malte Helmert, Gabriele R oger (University of Basel) Discrete Mathematics in Computer Science September

415 views • 29 slides
Parallelism ! Multiple processes concurrently Parallelism CPU1 CPU1 CPU1 Pseudo- Process 1

Parallelism ! Multiple processes concurrently Parallelism CPU1 CPU1 CPU1 Pseudo- Process 1

Parallelism ! Multiple processes concurrently Parallelism CPU1 CPU1 CPU1 Pseudo- Process 1 CPU1 CPU1 CPU1 Operating Systems Process 2 Parallelism CPU1 Parallel Systems Process 1 True (Soon to be basic OS knowledge) CPU2 Process 2

381 views • 3 slides
Techniques to lower bound extension complexity Thomas Rothvoss UW Seattle Known lower bounds on

Techniques to lower bound extension complexity Thomas Rothvoss UW Seattle Known lower bounds on

Techniques to lower bound extension complexity Thomas Rothvoss UW Seattle Known lower bounds on extended formulation Kaibel, Razborovs Inform. SA Weltge symmetry arg. theory + Fourier COR/ yes yes yes ? TSP [KW13]

1.25k views • 108 slides
Checking Two Structural Properties of Vector Addition Systems with States Florent Avellaneda

Checking Two Structural Properties of Vector Addition Systems with States Florent Avellaneda

Checking Two Structural Properties of Vector Addition Systems with States Florent Avellaneda & Rmi Morin Universit dAix Marseille 6 dcembre 2012 Florent Avellaneda MOVEP 2012 1 / 19 VASS Definition A vector addition system

608 views • 37 slides
13 - Computer Security Bufger Overfmows 1 Context

13 - Computer Security Bufger Overfmows 1 Context

13 - Computer Security Bufger Overfmows 1 Context General problem : unsanitized user input Low level language (eg C): overfmow a local array (bufger) Write over the stack! Overwrite

641 views • 24 slides
Searching for sterile antineutrinos with SciBooNE & MiniBooNE M.O. Wascko Imperial College

Searching for sterile antineutrinos with SciBooNE & MiniBooNE M.O. Wascko Imperial College

Joint Search for Disappearance at m 2 ~ 1 eV 2 Searching for sterile antineutrinos with SciBooNE & MiniBooNE M.O. Wascko Imperial College London Birmingham HEP Seminar 2013 01 16 Wednesday, 16 January 13 1 Outline

992 views • 82 slides
Lecture 5: Introduction to JavaScript Scripts, Variables and Expressions, predefined functions,

Lecture 5: Introduction to JavaScript Scripts, Variables and Expressions, predefined functions,

Lecture 5: Introduction to JavaScript Scripts, Variables and Expressions, predefined functions, event-driven programming CIS 1.0 Lecture 5, by Yuqing Tang Example of JavaScript <html> <head> <title> An JavaScript example

680 views • 22 slides
F BLAS: Streaming Linear Algebra Kernels on FPGA 5 TH International Workshop on Heterogeneous

F BLAS: Streaming Linear Algebra Kernels on FPGA 5 TH International Workshop on Heterogeneous

spcl.inf.ethz.ch @spcl_eth T IZIANO D E M ATTEIS , J OHANNES DE F INE L ICHT AND T ORSTEN H OEFLER F BLAS: Streaming Linear Algebra Kernels on FPGA 5 TH International Workshop on Heterogeneous High-performance Reconfigurable Computing

242 views • 10 slides

More recommend