buffer overflows a security interlude
play

Buffer overflows (a security interlude) Address space layout the - PowerPoint PPT Presentation

Dec 05, 2022 •158 likes •325 views

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM x86-64 Linux Memory Layout ... ... 0x00007fffffffffff Stack not drawn to scale Caller Frame Extra Arguments

  1. Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM

  2. x86-64 Linux Memory Layout ... ... 0x00007fffffffffff Stack not drawn to scale Caller Frame Extra Arguments Optional Return Addr Frame pointer %rbp Old %rbp Saved Registers + Local Variables Heap Data Setup Extra Stack pointer Arguments Text %rsp 0x0000000000400000 0x0000000000000000 2

  3. String Library Code C standard libray function gets() /* Get string from stdin */ char* gets(char* dest) { int c = getchar(); char* p = dest; while (c != EOF && c != '\n') { pointer to start of an array *p++ = c; c = getchar(); } *p = '\0'; same as: return dest; *p = c; } p = p + 1; What could go wrong in this code? Same problem in many functions: strcpy : Copies string of arbitrary length scanf , fscanf , sscanf , when given %s conversion specification 3

  4. Vulnerable Buffer Code /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ gets(buf); puts(buf); } int main() { printf("Type a string:"); echo(); return 0; $ ./bufdemo } Type a string: 1234567 1234567 $ ./bufdemo Type a string: 12345678 Segmentation Fault $ ./bufdemo Type a string: 123456789ABC Segmentation Fault 4

  5. Buffer Overflow Disassembly 00000000004006cf <echo>: 4006cf: 48 83 ec 18 sub $0x24 ,%rsp echo code 4006d3: 48 89 e7 mov %rsp,%rdi 4006d6: e8 a5 ff ff ff callq 400680 <gets> 4006db: 48 89 e7 mov %rsp,%rdi 4006de: e8 3d fe ff ff callq 400520 <puts@plt> 4006e3: 48 83 c4 18 add $0x24,%rsp 4006e7: c3 retq caller code 4006e8: 48 83 ec 08 sub $0x8,%rsp 4006ec: b8 00 00 00 00 mov $0x0,%eax 4006f1: e8 d9 ff ff ff callq 4006cf <echo> 4006f6 : 48 83 c4 08 add $0x8,%rsp 4006fa: c3 retq 5

  6. Buffer Overflow Stack Before call to gets /* Echo Line */ void echo() { Stack frame for char buf[4]; /* Way too small! */ call_echo gets(buf); puts(buf); } Return address (8 bytes) echo: subq $24, %rsp movq %rsp, %rdi call gets 20 bytes unused . . . [3] [2] [1] [0] buf ⟵ %rsp 6

  7. Buffer Overflow Stack Example Before call to gets void echo() { echo: char buf[4]; subq $24, %rsp Stack frame for gets(buf); movq %rsp, %rdi call_echo . . . call gets } . . . 00 00 00 00 Return Address call_echo: 00 40 06 f6 . . . 4006f1: callq 4006cf <echo> 4006f6 : add $0x8,%rsp 20 bytes unused . . . [3] [2] [1] [0] buf ⟵ %rsp 7

  8. Buffer Overflow Stack Example #1 After call to gets void echo() echo: { subq $24, %rsp Stack frame for char buf[4]; movq %rsp, %rdi call_echo gets(buf); call gets . . . . . . } 00 00 00 00 Return Address call_echo: 00 40 06 f6 00 32 31 30 . . . 4006f1: callq 4006cf <echo> 39 38 37 36 4006f6 : add $0x8,%rsp 35 34 33 32 . . . 31 30 39 38 37 36 35 34 buf ⟵ %rsp 33 32 31 30 $ ./bufdemo Null Terminator Type a string: 01234567890123456789012 01234567890123456789012 Overflowed buffer, but did not corrupt state 8

  9. Buffer Overflow Stack Example #2 After call to gets void echo() echo: { subq $24, %rsp Stack frame for char buf[4]; movq %rsp, %rdi call_echo gets(buf); call gets . . . . . . } 00 00 00 00 Return Address call_echo: 00 40 00 34 33 32 31 30 . . . 4006f1: callq 4006cf <echo> 39 38 37 36 4006f6 : add $0x8,%rsp 35 34 33 32 . . . 31 30 39 38 37 36 35 34 buf ⟵ %rsp 33 32 31 30 unix> ./bufdemo Type a string: 01234567890123456789012 34 Segmentation Fault Overflowed buffer and corrupted return pointer 9

  10. Buffer Overflow Stack Example #3 After call to gets void echo() echo: { subq $24, %rsp Stack frame for char buf[4]; movq %rsp, %rdi call_echo gets(buf); call gets . . . . . . } 00 00 00 00 Return Address call_echo: 00 40 06 00 33 32 31 30 . . . 4006f1: callq 4006cf <echo> 39 38 37 36 4006f6 : add $0x8,%rsp 35 34 33 32 . . . 31 30 39 38 37 36 35 34 buf ⟵ %rsp 33 32 31 30 unix> ./bufdemo-nsp Type a string: 01234567890123456789012 3 012345678901234567890123 Overflowed buffer, corrupted return pointer, but program seems to work! 10

  11. Buffer Overflow Stack Example #3 Explained After call to gets Some other place in .text Stack frame for call_echo . . . 400600 : mov %rsp,%rbp 400603: mov %rax,%rdx 00 00 00 00 Return 400606: shr $0x3f,%rdx Address 00 40 06 00 40060a: add %rdx,%rax 33 32 31 30 40060d: sar %rax 400610: jne 400614 39 38 37 36 400612: pop %rbp 35 34 33 32 400613: retq 31 30 39 38 37 36 35 34 buf ⟵ %rsp 33 32 31 30 “Returns” to unrelated code Lots of things happen, without modifying critical state Eventually executes retq back to main 11

  12. Malicious Use of Buffer Overflow Stack after call to gets() void foo(){ foo stack frame bar(); ... return address A } B (was A) int bar() { pad data written char buf[64]; by gets() gets(buf); exploit bar stack frame ... code return ...; B } Input string contains byte representation of executable code Overwrite return address A with address of buffer (need to know B) When bar() executes ret , will jump to exploit code (instead of A) 17

  13. Exploiting Buffer Overflows Buffer overflow bugs allow remote attackers to execute arbitrary code on machines running vulnerable software. 1988: Internet worm Early versions of the finger server daemon (fingerd) used gets() to read the argument sent by the client: finger somebody@cs.wellesley.edu commandline facebook of the 80s! Attack by sending phony argument: finger “exploit-code padding new-return-address” ... Still happening "Ghost:" 2015 gethostname() 18

  14. Heartbleed (2014) Buffer over-read in OpenSSL Widely used encryption library (https) “Heartbeat” packet Specifies length of message Server echoes that much back Library just “trusted” this length Allowed attackers to read contents of memory anywhere they wanted ~17% of Internet affected “Catastrophic” Github, Yahoo, Stack Overflow, Amazon AWS, ... By FenixFeather - Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=32276981 19

  15. Avoiding Overrun Vulnerabilities 1. Use a memory-safe language (not C)! 2. If you have to use C, use library functions that limit string lengths. fgets instead of gets /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ fgets (buf, 4 , stdin); puts(buf); } strncpy instead of strcpy Don’t use scanf with %s conversion specification Use fgets to read the string Or use %ns where n is a suitable integer Other ideas? 21

  16. Modern System-Level Protections Available in modern OSs/compilers/hardware (We disabled these for buffer assignment.) not drawn to scale Stack 1. Randomize stack base, maybe frame padding 2. Detect stack corruption save and check stack "canary" values 3. Non-executable memory segments stack, heap, data, … everything except text hardware support Heap Data Helpful, not foolproof! Text Return-oriented programming, over-reads, etc. 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Introduction Buffer Overflows Buffer overflows were the most common form of security

Introduction Buffer Overflows Buffer overflows were the most common form of security

Introduction Buffer Overflows Buffer overflows were the most common form of security vulnerability in the 90s. Buffer overflows dominate in the area of remote network penetration vulnerabilities. CS 465 They represent one of the

651 views • 4 slides
Buffer overflows (a security interlude) IA32 Linux Memory Layout ...

Buffer overflows (a security interlude) IA32 Linux Memory Layout ...

11/20/15 Buffer overflows (a security interlude) IA32 Linux Memory Layout ... FF ... How address space layout, the stack discipline, and C's lack of Stack

726 views • 4 slides
Lab 2: Buffer Overflows Fengwei Zhang SUSTech CS 315 Computer Security 1 Buffer Overflows

Lab 2: Buffer Overflows Fengwei Zhang SUSTech CS 315 Computer Security 1 Buffer Overflows

Lab 2: Buffer Overflows Fengwei Zhang SUSTech CS 315 Computer Security 1 Buffer Overflows One of the most common vulnerabilities in software Programming languages commonly associated with buffer overflows including C and C++

1.14k views • 17 slides
Lab 2: Buffer Overflows Fengwei Zhang Wayne State University Course: Cyber Security Prac@ce 1

Lab 2: Buffer Overflows Fengwei Zhang Wayne State University Course: Cyber Security Prac@ce 1

Lab 2: Buffer Overflows Fengwei Zhang Wayne State University Course: Cyber Security Prac@ce 1 Buffer Overflows One of the most common vulnerabili@es in soEware Programming languages commonly associated with buffer overflows including

199 views • 17 slides
Lab 2: Buffer Overflows Fengwei Zhang Wayne State University CSC 5991 Cyber Security PracCce 1

Lab 2: Buffer Overflows Fengwei Zhang Wayne State University CSC 5991 Cyber Security PracCce 1

Lab 2: Buffer Overflows Fengwei Zhang Wayne State University CSC 5991 Cyber Security PracCce 1 Buffer Overflows One of the most common vulnerabiliCes in soGware Programming languages commonly associated with buffer overflows including

195 views • 17 slides
Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a very common attack mechanism from 1988 Morris Worm to Code Red, Slammer, Sasser and many others prevention techniques known still of major concern

873 views • 53 slides
Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Last time We continued By launching our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow fundamentals This time We will finish up By looking at Buffer Overflow overflows

1.33k views • 103 slides
CSE 484 / CSE M 584 Computer Security: Buffer Overflows

CSE 484 / CSE M 584 Computer Security: Buffer Overflows

CSE 484 / CSE M 584 Computer Security: Buffer Overflows II TA: Viktor Farkas vfarkas@cs Original slides by Franzi Lab 1 Deadline Reminders Lab

373 views • 11 slides
Software In-Security Buffer overflows Overview Web Application security Malware OS

Software In-Security Buffer overflows Overview Web Application security Malware OS

Lecture overview Table of contents: Introduction to SW security Software In-Security Buffer overflows Overview Web Application security Malware OS security topics Code scanning Emmanuel Benoist Taught by Ulrich

479 views • 13 slides
ASLR &amp; DEP DAVID HEAVERN Problem Statement Security Issues Buffer Overflows

ASLR &amp; DEP DAVID HEAVERN Problem Statement Security Issues Buffer Overflows

ASLR &amp; DEP DAVID HEAVERN Problem Statement Security Issues Buffer Overflows Buffer overflows are the source of many of the common vulnerabilities in modern software Caused by not checking the source length when writing to a

1.88k views • 130 slides
Computer and Information Security Fall 2020 Buffer Overflows and Software Security Tyler Bletsch

Computer and Information Security Fall 2020 Buffer Overflows and Software Security Tyler Bletsch

ECE560 Computer and Information Security Fall 2020 Buffer Overflows and Software Security Tyler Bletsch Duke University What is a Buffer Overflow? Intent Arbitrary code execution Spawn a remote shell or infect with worm/virus

983 views • 75 slides
ECE590 Computer and Information Security Fall 2018 Buffer Overflows and Software Security Tyler

ECE590 Computer and Information Security Fall 2018 Buffer Overflows and Software Security Tyler

ECE590 Computer and Information Security Fall 2018 Buffer Overflows and Software Security Tyler Bletsch Duke University What is a Buffer Overflow? Intent Arbitrary code execution Spawn a remote shell or infect with worm/virus

1.26k views • 76 slides
Buffer Software Security overflows and other memory safety vulnerabilities History

Buffer Software Security overflows and other memory safety vulnerabilities History

This time We will begin By investigating our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Analyzing security Security

1.41k views • 107 slides
Buffer Software Security overflows and other memory safety vulnerabilities History

Buffer Software Security overflows and other memory safety vulnerabilities History

This time We will begin By investigating our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Software security Security is a form

2.11k views • 190 slides
Computer Security Sec4on Week 2: Buffer Overflows TA:

Computer Security Sec4on Week 2: Buffer Overflows TA:

CSE 484 / CSE M 584 Computer Security Sec4on Week 2: Buffer Overflows TA: Thomas Crosley tcrosley@cs Thanks to Franzi Roesner, Adrian

502 views • 14 slides
Computer Security Buffer Overflows Denial of Service MIE456 Joseph Kong Overview Program

Computer Security Buffer Overflows Denial of Service MIE456 Joseph Kong Overview Program

Computer Security Buffer Overflows Denial of Service MIE456 Joseph Kong Overview Program Exploitation Buffer Overflows Memory Declaration Smashing The Stack TCP/IP Three Way Handshake Denial of Service SYN Flooding

403 views • 13 slides
Buffer Overrun Review Process Layout in Memory IA-32

Buffer Overrun Review Process Layout in Memory IA-32

Buffer Overrun Review Process Layout in Memory IA-32 Nota=on Format : inst src dst registers prefixed with a %, constants with $

756 views • 31 slides
Natural Language Processing: Traditional Processing Pipeline Roman Kern &lt;rkern@tugraz.at&gt;

Natural Language Processing: Traditional Processing Pipeline Roman Kern &lt;rkern@tugraz.at&gt;

Natural Language Processing: Traditional Processing Pipeline SCIENCE PASSION TECHNOLOGY Natural Language Processing: Traditional Processing Pipeline Roman Kern &lt;rkern@tugraz.at&gt; 2020-03-19 Roman Kern &lt;rkern@tugraz.at&gt;, Institute

1.36k views • 114 slides
Ambition Bravery Kindness Ambition Bravery Kindness Ambition Bravery

Ambition Bravery Kindness Ambition Bravery Kindness Ambition Bravery

Welcome to Year 7 Information Evening Ambition Bravery Kindness Ambition Bravery Kindness Ambition Bravery Kindness Tonights Agenda 1) Welcome and our new normal. 2) Head of Year 7. The Year ahead, form time and

245 views • 20 slides
Office of Global Affairs 2018 Spring KAO AOHSIUNG MED EDIC ICAL L UNIV IVER ERSITY TY

Office of Global Affairs 2018 Spring KAO AOHSIUNG MED EDIC ICAL L UNIV IVER ERSITY TY

Office of Global Affairs 2018 Spring KAO AOHSIUNG MED EDIC ICAL L UNIV IVER ERSITY TY OFFIC ICE of of GLO LOBAL L AFF AFFAIR IRS Our Team Members Director of Student Exchange Division Robin Kuo Associate Professor , Department

695 views • 35 slides
CS 251 Fall 2019 x86-64 Linux memory layout CS 240 Spring 2020 Principles of Programming

CS 251 Fall 2019 x86-64 Linux memory layout CS 240 Spring 2020 Principles of Programming

CS 251 Fall 2019 x86-64 Linux memory layout CS 240 Spring 2020 Principles of Programming Languages Foundations of Computer Systems Ben Wood ... ... Ben Wood 0x00007fffffffffff Stack not drawn to scale Caller Buffer Overflows Frame

335 views • 4 slides
More Bufger Overfmows 1 on the homework due Friday + 1 week questions? big hint in assignment:

More Bufger Overfmows 1 on the homework due Friday + 1 week questions? big hint in assignment:

More Bufger Overfmows 1 on the homework due Friday + 1 week questions? big hint in assignment: gets is what does bufger overfmow reading the assembly should be fairly straightforward probably easiest strategy in this case debugger can fjnd

1.36k views • 98 slides
NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2

NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2

1 NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2 Memory safety attacks Buffer overruns Format string vulnerabilities Web application vulnerabilities SQL injections Cross-site

901 views • 39 slides
Assignments Homework 1 due Friday Lab1 due next Wednesday Section - will talk

Assignments Homework 1 due Friday Lab1 due next Wednesday Section - will talk

Assignments Homework 1 due Friday Lab1 due next Wednesday Section - will talk about gdb, etc. Approaches to Fin inding Security Bugs 2 Runtime Monitoring Black-box Testing Static Analysis From Coverity 3

613 views • 33 slides

More recommend