buffer overflows and defenses
play

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 - PowerPoint PPT Presentation

Feb 18, 2023 •333 likes •873 views

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a very common attack mechanism from 1988 Morris Worm to Code Red, Slammer, Sasser and many others prevention techniques known still of major concern

  1. Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11

  2. Buffer Overflow a very common attack mechanism from 1988 Morris Worm to Code Red, Slammer, Sasser and many others prevention techniques known still of major concern due to legacy of widely deployed buggy continued careless programming techniques 2

  3. Buffer Overflow Basics caused by programming error allows more data to be stored than capacity available in a fixed sized buffer buffer can be on stack, heap, global data overwriting adjacent memory locations corruption of program data unexpected transfer of control memory access violation execution of code chosen by attacker 3

  4. Buffer overflow example int int foo( foo(void void){ ){ char char buf[10]; buf[10]; … … strcpy strcpy(buf, “hello world”); (buf, “hello world”); } int int get_user_input( get_user_input(void void){ ){ char char buf[LEN]; buf[LEN]; … … gets gets(buf); (buf); } 4

  5. Buffer Overflow Example int main(int argc, char *argv[]) { int valid = FALSE; char str1[8]; char str2[8]; next_tag(str1); gets(str2); if (strncmp(str1, str2, 8) == 0) valid = TRUE; printf("buffer1: str1(%s), str2(%s), valid(%d)\n", str1, str2, valid); } $ cc -g -o buffer1 buffer1.c $ ./buffer1 START buffer1: str1(START), str2(START), valid(1) $ ./buffer1 EVILINPUTVALUE buffer1: str1(TVALUE), str2(EVILINPUTVALUE), valid(0) $ ./buffer1 BADINPUTBADINPUT buffer1: str1(BADINPUT), str2(BADINPUTBADINPUT), valid(1) 5

  6. Buffer Overflow Attacks to exploit a buffer overflow an attacker must identify a buffer overflow vulnerability in some program inspection, tracing execution, fuzzing tools understand how buffer is stored in memory and determine potential for corruption 6

  7. Why are they dangerous? Can trash memory, crashing the program Can be used to hijack the program. Spawn a shell or execute code with the privileges of the program ``setuid root’’ programs are particularly dangerous if exploited. 7

  8. A Little Programming Language History at machine level all data an array of bytes interpretation depends on instructions used modern high-level languages have a strong notion of type and valid operations not vulnerable to buffer overflows does incur overhead, some limits on use C and related languages have high-level control structures, but allow direct access to memory hence are vulnerable to buffer overflow have a large legacy of widely used, unsafe, and hence vulnerable code 8

  9. Programs and Processes 9

  10. Function Calls and Stack Frames 10

  11. The stack void void function( function(int a, int b, intc int a, int b, intc ){ ){ char char buf1[5]; buf1[5]; char buf2[10]; char buf2[10]; … … c } b ebp ebp a Void main() { Void main() { function(1, 2, 3) function(1, 2, 3); buf1 buf1 } buf2 buf2 esp esp 11

  12. The stack void main() { void main() { function(1, 2, 3) function(1, 2, 3); } c b ebp ebp pushl $3 pushl $3 a pushl $2 pushl $2 pushl $1 pushl $1 call function call function pushl $3 pushl $3 pushl $2 pushl $2 esp esp pushl $1 pushl $1 call function call function 12

  13. A function call ebp ebp void main() { void main() { function(1, 2, 3) function(1, 2, 3); esp esp } c b pushl $3 pushl $3 a pushl $2 pushl $2 return addr return addr pushl $1 pushl $1 ebp ebp ebp ebp call function call function pushl %ebp pushl %ebp movl %esp, %ebp movl %esp, %ebp subl $20, %esp subl $20, %esp esp esp 13

  14. Digression: x86 tutorial pushl %ebp: Pushes ebp onto the stack. pushl %ebp: movl %esp,%ebp: Moves the current value of esp to the register ebp. movl %esp,%ebp: subl $0x4,%esp: Subtract 4 (hex) from value of esp subl $0x4,%esp: call 0x8000470 <function>: Calls the function at address call 0x8000470 <function>: 0x8000470. Also pushes the return address onto the stack. movl $0x1,0xfffffffc(%ebp): Move 0x1 into the memory pointed to movl $0x1,0xfffffffc(%ebp): by ebp - 4 leal 0xfffffffc(%ebp),%eax: Load address of the memory location leal 0xfffffffc(%ebp),%eax: pointed to by ebp -4 into eax ret: Return. Jumps to return address saved on stack. ret: nop nop 14

  15. Stack Buffer Overflow occurs when buffer is located on stack used by Morris Worm “Smashing the Stack” paper popularized it have local variables below saved frame pointer and return address hence overflow of a local buffer can potentially overwrite these key control items attacker overwrites return address with address of desired code program, system library or loaded in buffer 15

  16. A benign buffer overflow void void function( function(char *str char *str){ ){ char char buffer[16]; buffer[16]; strcpy (buffer, str); strcpy (buffer, str); str str } Return addr Return addr Saved ebp Saved ebp void main() { void main() { char largestr[256]; char largestr[256]; int i; int i; buffer buffer for (i=0;i<255;i++) { for (i=0;i<255;i++) { largestr[i] = ‘A’ largestr[i] = ‘A’ } function(largestr); function(largestr); } This program causes a segfault. Why? 16

  17. Stack Overflow Example void hello(char *tag) { char inp[16]; printf("Enter value for %s: ", tag); gets(inp); printf("Hello your %s is %s\n", tag, inp); } $ cc -g -o buffer2 buffer2.c $ ./buffer2 Enter value for name: Bill and Lawrie Hello your name is Bill and Lawrie buffer2 done $ ./buffer2 Enter value for name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Segmentation fault (core dumped) $ perl -e 'print pack("H*", "414243444546474851525354555657586162636465666768 08fcffbf948304080a4e4e4e4e0a");' | ./buffer2 Enter value for name: Hello your Re?pyy]uEA is ABCDEFGHQRSTUVWXabcdefguyu Enter value for Kyyu: Hello your Kyyu is NNNN Segmentation fault (core dumped) 17

  18. Another Stack Overflow void getinp(char *inp, int siz) { puts("Input value: "); fgets(inp, siz, stdin); printf("buffer3 getinp read %s\n", inp); } void display(char *val) { char tmp[16]; sprintf(tmp, "read val: %s\n", val); puts(tmp); } int main(int argc, char *argv[]) { char buf[16]; getinp(buf, sizeof(buf)); display(buf); printf("buffer3 done\n"); } 18

  19. Another Stack Overflow $ cc -o buffer3 buffer3.c $ ./buffer3 Input value: SAFE buffer3 getinp read SAFE read val: SAFE buffer3 done $ ./buffer3 Input value: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX buffer3 getinp read XXXXXXXXXXXXXXX read val: XXXXXXXXXXXXXXX buffer3 done Segmentation fault (core dumped) 19

  20. Subverting control flow void void function( function(char *str char *str){ ){ char char buf1[5]; char buf2[10]; buf1[5]; char buf2[10]; int *ret; int *ret; ret = buf1 + 12; ret = buf1 + 12; *ret += 8; *ret += 8; } void main() { void main() { int x; int x; x = 0; x = 0; function(1, 2, 3); function(1, 2, 3); x = 1; x = 1; printf (“%d\n”, x); printf (“%d\n”, x); } 20

  21. Code of “main” 0x8000490 <main>: pushl %ebp 0x8000490 <main>: pushl %ebp 0x8000491 <main+1>: movl %esp,%ebp 0x8000491 <main+1>: movl %esp,%ebp 0x8000493 <main+3>: subl $0x4,%esp 0x8000493 <main+3>: subl $0x4,%esp 0x8000496 <main+6>: movl $0x0,0xfffffffc(%ebp) 0x8000496 <main+6>: movl $0x0,0xfffffffc(%ebp) 0x800049d <main+13>: pushl $0x3 0x800049d <main+13>: pushl $0x3 0x800049f <main+15>: pushl $0x2 0x800049f <main+15>: pushl $0x2 0x80004a1 <main+17>: pushl $0x1 0x80004a1 <main+17>: pushl $0x1 0x80004a3 <main+19>: call 0x8000470 <function> 0x80004a3 <main+19>: call 0x8000470 <function> 0x80004a8 <main+24>: addl $0xc,%esp 0x80004a8 <main+24>: addl $0xc,%esp 0x80004ab <main+27>: movl $0x1,0xfffffffc(%ebp) 0x80004ab <main+27>: movl $0x1,0xfffffffc(%ebp) 0x80004b2 <main+34>: movl 0xfffffffc(%ebp),%eax 0x80004b2 <main+34>: movl 0xfffffffc(%ebp),%eax 0x80004b5 <main+37>: pushl %eax 0x80004b5 <main+37>: pushl %eax 0x80004b6 <main+38>: pushl $0x80004f8 0x80004b6 <main+38>: pushl $0x80004f8 0x80004bb <main+43>: call 0x8000378 <printf> 0x80004bb <main+43>: call 0x8000378 <printf> 0x80004c0 <main+48>: addl $0x8,%esp 0x80004c0 <main+48>: addl $0x8,%esp 0x80004c3 <main+51>: movl %ebp,%esp 0x80004c3 <main+51>: movl %ebp,%esp 0x80004c5 <main+53>: popl %ebp 0x80004c5 <main+53>: popl %ebp 0x80004c6 <main+54>: ret 0x80004c6 <main+54>: ret 0x80004c7 <main+55>: nop 0x80004c7 <main+55>: nop 21

  22. str str 0xffff1234 0xffff1234 Saved ebp Saved ebp buffer buffer 22

  23. Writing an exploit program #include <stdio.h> #include <stdio.h> void main() { void main() { char *name[2]; char *name[2]; name[0] = "/bin/sh"; name[0] = "/bin/sh"; name[1] = NULL; name[1] = NULL; execve(name[0], name, NULL); execve(name[0], name, NULL); } } 23

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Security: Buffer Overflows and Defenses CS 416: Operating Systems Design Department of Computer

Security: Buffer Overflows and Defenses CS 416: Operating Systems Design Department of Computer

Security: Buffer Overflows and Defenses CS 416: Operating Systems Design Department of Computer Science Rutgers University http://www.cs.rutgers.edu/~vinodg/416 Buffer Overflow a very common attack mechanism from 1988 Morris Worm to Code Red,

950 views • 55 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Last time We finished up By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow defenses (and workarounds) Format string vulnerabilities Integer overflow vulnerabilities This time

1.29k views • 80 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

This time We will continue By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything youve always wanted to know about gdb but were too afraid to ask Overflow defenses Other memory

1.49k views • 117 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

This time We will continue By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything youve always wanted to know about gdb but were too afraid to ask Overflow defenses Other memory

1.23k views • 95 slides
Introduction Buffer Overflows Buffer overflows were the most common form of security

Introduction Buffer Overflows Buffer overflows were the most common form of security

Introduction Buffer Overflows Buffer overflows were the most common form of security vulnerability in the 90s. Buffer overflows dominate in the area of remote network penetration vulnerabilities. CS 465 They represent one of the

651 views • 4 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow

Last time We continued By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow attacks &amp; other vulnerabilities Overflow defenses Everything youve always wanted to know about

2.41k views • 197 slides
Lab 2: Buffer Overflows Fengwei Zhang SUSTech CS 315 Computer Security 1 Buffer Overflows

Lab 2: Buffer Overflows Fengwei Zhang SUSTech CS 315 Computer Security 1 Buffer Overflows

Lab 2: Buffer Overflows Fengwei Zhang SUSTech CS 315 Computer Security 1 Buffer Overflows One of the most common vulnerabilities in software Programming languages commonly associated with buffer overflows including C and C++

1.14k views • 17 slides
Buffer overflow defenses Deian Stefan Some slides adopted from Nadia Heninger, Kirill Levchenko,

Buffer overflow defenses Deian Stefan Some slides adopted from Nadia Heninger, Kirill Levchenko,

CSE 127: Computer Security Buffer overflow defenses Deian Stefan Some slides adopted from Nadia Heninger, Kirill Levchenko, Stefan Savage, and Stephen Checkoway Today: mitigating buffer overflows Lecture objectives: Understand how to

1.33k views • 130 slides
Lab 2: Buffer Overflows Fengwei Zhang Wayne State University Course: Cyber Security Prac@ce 1

Lab 2: Buffer Overflows Fengwei Zhang Wayne State University Course: Cyber Security Prac@ce 1

Lab 2: Buffer Overflows Fengwei Zhang Wayne State University Course: Cyber Security Prac@ce 1 Buffer Overflows One of the most common vulnerabili@es in soEware Programming languages commonly associated with buffer overflows including

199 views • 17 slides
Lab 2: Buffer Overflows Fengwei Zhang Wayne State University CSC 5991 Cyber Security PracCce 1

Lab 2: Buffer Overflows Fengwei Zhang Wayne State University CSC 5991 Cyber Security PracCce 1

Lab 2: Buffer Overflows Fengwei Zhang Wayne State University CSC 5991 Cyber Security PracCce 1 Buffer Overflows One of the most common vulnerabiliCes in soGware Programming languages commonly associated with buffer overflows including

195 views • 17 slides
Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Last time We continued By launching our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow fundamentals This time We will finish up By looking at Buffer Overflow overflows

1.33k views • 103 slides
Prolog to Lecture 9 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

Prolog to Lecture 9 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

Prolog to Lecture 9 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 9 Page 1 CS 236 Online Buffer Overflows Buffer overflows are a big problem One class of defenses concentrates on not allowing attacker

767 views • 8 slides
Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed

Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed

1 Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed in buffer overflow exploits to create backdoors Execution of additional network services via the INETD daemon The addition of new users

497 views • 30 slides
ASLR &amp; DEP DAVID HEAVERN Problem Statement Security Issues Buffer Overflows

ASLR &amp; DEP DAVID HEAVERN Problem Statement Security Issues Buffer Overflows

ASLR &amp; DEP DAVID HEAVERN Problem Statement Security Issues Buffer Overflows Buffer overflows are the source of many of the common vulnerabilities in modern software Caused by not checking the source length when writing to a

1.88k views • 130 slides
CSE 484 / CSE M 584 Computer Security: Buffer Overflows

CSE 484 / CSE M 584 Computer Security: Buffer Overflows

CSE 484 / CSE M 584 Computer Security: Buffer Overflows II TA: Viktor Farkas vfarkas@cs Original slides by Franzi Lab 1 Deadline Reminders Lab

373 views • 11 slides
More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester

More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester

More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester Rebeiro Indian Institute of Technology Madras Buffer Overreads 2 Buffer Overread Example 3 Buffer Overread Example len read from command line

906 views • 76 slides
Buffer Overflow CS461/ECE422 Spring 2012 Reading Material

Buffer Overflow CS461/ECE422 Spring 2012 Reading Material

Buffer Overflow CS461/ECE422 Spring 2012 Reading Material Based on Chapter 11 of the text Outline Buffer Overflow Stack Buffer Overflow Shell

783 views • 28 slides
Optimal and Adaptive Filtering Murat ney M.Uney@ed.ac.uk Institute for Digital Communications

Optimal and Adaptive Filtering Murat ney M.Uney@ed.ac.uk Institute for Digital Communications

Optimal and Adaptive Filtering Murat ney M.Uney@ed.ac.uk Institute for Digital Communications (IDCOM) 20/07/2015 Murat ney (IDCOM) Optimal and Adaptive Filtering 20/07/2015 1 / 62 Table of Contents Optimal Filtering 1 Optimal filter

1.01k views • 72 slides
Lecture 3: Typed Lambda Calculus and Curry-Howard H. Geuvers Radboud University Nijmegen, NL

Lecture 3: Typed Lambda Calculus and Curry-Howard H. Geuvers Radboud University Nijmegen, NL

Lecture 3: Typed Lambda Calculus and Curry-Howard H. Geuvers Radboud University Nijmegen, NL 21st Estonian Winter School in Computer Science Winter 2016 H. Geuvers - Radboud Univ. EWSCS 2016 Typed -calculus 1 / 65 Outline H. Geuvers -

566 views • 42 slides
Interspecific strategic effects Interspecific strategic effects Interspecific strategic effects

Interspecific strategic effects Interspecific strategic effects Interspecific strategic effects

Interspecific strategic effects Interspecific strategic effects Interspecific strategic effects Interspecific strategic effects of mobility in predator of mobility in predator- -prey systems prey systems Fei Xu F i X Joint work with Dr.

787 views • 54 slides
Singular Perturbations in Stochastic Control and Hamilton-Jacobi-Bellman Equation Hicham Kouhkouh

Singular Perturbations in Stochastic Control and Hamilton-Jacobi-Bellman Equation Hicham Kouhkouh

Singular Perturbations in Stochastic Control and Hamilton-Jacobi-Bellman Equation Hicham Kouhkouh joint work with Martino Bardi Dipartimento di Matematica Tullio Levi-Civita Universit` a di Padova kouhkouh@math.unipd.it IPAM Workshop

523 views • 13 slides
Synthesis of Ranking Functions and Synthesis of Inductive Invariants and Synthesis of

Synthesis of Ranking Functions and Synthesis of Inductive Invariants and Synthesis of

Synthesis of Ranking Functions and Synthesis of Inductive Invariants and Synthesis of Recurrence Sets via Constraint Solving Andreas Podelski January 17, 2012 1 Program Verification and Constraints Reasoning about program

422 views • 28 slides
Implied Volatility, Fundamental solutions, asymptotic analysis and symmetry methods, Linz, Ricam

Implied Volatility, Fundamental solutions, asymptotic analysis and symmetry methods, Linz, Ricam

Implied Volatility, Fundamental solutions, asymptotic analysis and symmetry methods, Linz, Ricam kick-off Workshop, September 11, 2008 Peter Laurence Dipartimento di Matematica e Facolt a di Statistica, Uni. Roma 1 Implied Volatility,

897 views • 57 slides
Missing-data methods with cepstral data Summary of work done at IDIAP Main achievements

Missing-data methods with cepstral data Summary of work done at IDIAP Main achievements

morris,bourlard@idiap.ch http://www.idiap.ch/ Missing-data methods with cepstral data Summary of work done at IDIAP Main achievements RESPITE meeting, 7-8 June 2002, Page 1 DUMA - Data Utility Maps from MLPs Cant

296 views • 11 slides

More recommend