buffer
play

Buffer Overflow overflows Defenses and other memory safety - PowerPoint PPT Presentation

Jun 07, 2023 •273 likes •1.23k views

This time We will continue By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything youve always wanted to know about gdb but were too afraid to ask Overflow defenses Other memory

  1. This time We will continue By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities • Everything you’ve always wanted to know about gdb but were too afraid to ask • Overflow defenses • Other memory safety vulnerabilities

  2. What’s wrong with this code? Suppose that it has higher privilege than the user int main() { char buf[1024]; ... if(access(argv[1], R_OK) != 0) { printf(“cannot access file\n”); exit(-1); } file = open(argv[1], O_RDONLY); read(file, buf, 1023); close(file); printf(“%s\n”, buf); return 0; }

  3. What’s wrong with this code? Suppose that it has higher privilege than the user int main() { char buf[1024]; ... uid if(access(argv[1], R_OK) != 0) { printf(“cannot access file\n”); exit(-1); } euid file = open(argv[1], O_RDONLY); read(file, buf, 1023); close(file); printf(“%s\n”, buf); return 0; }

  4. What’s wrong with this code? Suppose that it has higher privilege than the user int main() { char buf[1024]; ~attacker/mystuff.txt ... uid if(access(argv[1], R_OK) != 0) { printf(“cannot access file\n”); exit(-1); } euid file = open(argv[1], O_RDONLY); read(file, buf, 1023); close(file); printf(“%s\n”, buf); return 0; }

  5. What’s wrong with this code? Suppose that it has higher privilege than the user int main() { char buf[1024]; ~attacker/mystuff.txt ... uid if(access(argv[1], R_OK) != 0) { printf(“cannot access file\n”); exit(-1); } euid file = open(argv[1], O_RDONLY); read(file, buf, 1023); close(file); printf(“%s\n”, buf); return 0; }

  6. What’s wrong with this code? Suppose that it has higher privilege than the user int main() { char buf[1024]; ~attacker/mystuff.txt ... uid if(access(argv[1], R_OK) != 0) { printf(“cannot access file\n”); exit(-1); } ln -s /usr/sensitive ~attacker/mystuff.txt euid file = open(argv[1], O_RDONLY); read(file, buf, 1023); close(file); printf(“%s\n”, buf); return 0; }

  7. What’s wrong with this code? Suppose that it has higher privilege than the user int main() { char buf[1024]; ~attacker/mystuff.txt ... uid if(access(argv[1], R_OK) != 0) { printf(“cannot access file\n”); exit(-1); } ln -s /usr/sensitive ~attacker/mystuff.txt euid file = open(argv[1], O_RDONLY); read(file, buf, 1023); close(file); printf(“%s\n”, buf); return 0; } “Time of Check/Time of Use” Problem (TOCTOU)

  8. Avoiding TOCTOU int main() { char buf[1024]; ... uid if(access(argv[1], R_OK) != 0) { printf(“cannot access file\n”); exit(-1); } euid file = open(argv[1], O_RDONLY); read(file, buf, 1023); close(file); printf(buf); }

  9. Avoiding TOCTOU int main() { char buf[1024]; ... uid if(access(argv[1], R_OK) != 0) { printf(“cannot access file\n”); exit(-1); } euid file = open(argv[1], O_RDONLY); read(file, buf, 1023); close(file); printf(buf); }

  10. Avoiding TOCTOU int main() { char buf[1024]; ... uid if(access(argv[1], R_OK) != 0) { printf(“cannot access file\n”); exit(-1); } euid = geteuid(); uid = getuid(); seteuid(uid); // Drop privileges euid file = open(argv[1], O_RDONLY); read(file, buf, 1023); close(file); printf(buf); }

  11. Avoiding TOCTOU int main() { char buf[1024]; ... uid if(access(argv[1], R_OK) != 0) { printf(“cannot access file\n”); exit(-1); } euid = geteuid(); uid = getuid(); seteuid(uid); // Drop privileges euid file = open(argv[1], O_RDONLY); read(file, buf, 1023); close(file); seteuid(euid); // Restore privileges printf(buf); }

  12. Memory safety attacks • Buffer overflows • Can be used to read/write data on stack or heap • Can be used to inject code (ultimately root shell) • Format string errors • Can be used to read/write stack data • Integer overflow errors • Can be used to change the control flow of a program • TOCTOU problem • Can be used to raise privileges

  13. General defenses against memory-safety

  14. Defensive coding practices • Think defensive driving • Avoid depending on anyone else around you • If someone does something unexpected, you won’t crash (or worse) • It’s about minimizing trust • Each module takes responsibility for checking the validity of all inputs sent to it • Even if you “know” your callers will never send a NULL pointer… • …Better to throw an exception (or even exit) than run malicious code http://nob.cs.ucdavis.edu/bishop/secprog/robust.html

  15. How to program defensively • Code reviews, real or imagined • Organize your code so it is obviously correct • Re-write until it would be self-evident to a reviewer “Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it. • Remove the opportunity for programmer mistakes with better languages and libraries • Java performs automatic bounds checking • C++ provides a safe std::string class

  16. Secure coding practices char digit_to_char(int i) { char convert[] = “0123456789”; return convert[i]; } Think about all potential inputs, no matter how peculiar

  17. Secure coding practices char digit_to_char(int i) { char convert[] = “0123456789”; return convert[i]; } Think about all potential inputs, no matter how peculiar char digit_to_char(int i) { char convert[] = “0123456789”; if(i < 0 || i > 9) return ‘?’; return convert[i]; }

  18. Secure coding practices char digit_to_char(int i) { char convert[] = “0123456789”; return convert[i]; } Think about all potential inputs, no matter how peculiar char digit_to_char(int i) { char convert[] = “0123456789”; if(i < 0 || i > 9) return ‘?’; return convert[i]; } Enforce rule compliance at runtime

  19. Rule: Use safe string functions • Traditional string library routines assume target buffers have sufficient length

  20. Rule: Use safe string functions • Traditional string library routines assume target buffers have sufficient length char str[4]; char buf[10] = “good”; strcpy(str,”hello”); // overflows str strcat(buf,” day to you”); // overflows buf

  21. Rule: Use safe string functions • Traditional string library routines assume target buffers have sufficient length char str[4]; char buf[10] = “good”; strcpy(str,”hello”); // overflows str strcat(buf,” day to you”); // overflows buf • Safe versions check the destination length char str[4]; char buf[10] = “good”; strlcpy (str,”hello”, sizeof(str) ); //fails strlcat (buf,” day to you”, sizeof(buf) );//fails

  22. Rule: Use safe string functions • Traditional string library routines assume target buffers have sufficient length char str[4]; char buf[10] = “good”; strcpy(str,”hello”); // overflows str strcat(buf,” day to you”); // overflows buf • Safe versions check the destination length char str[4]; char buf[10] = “good”; strlcpy (str,”hello”, sizeof(str) ); //fails strlcat (buf,” day to you”, sizeof(buf) );//fails Again: know your system’s/language’s semantics

  23. Replacements • … for string-oriented functions • strcat ⟹ strlcat • strcpy ⟹ strlcpy strncpy/strncat do not 
 • strncat ⟹ strlcat NUL-terminate if they run • strncpy ⟹ strlcpy up against the size limit • sprintf ⟹ snprintf • vsprintf ⟹ vsnprintf • gets ⟹ fgets • Microsoft versions different strcpy_s , strcat_s , … •

  24. Replacements • … for string-oriented functions • strcat ⟹ strlcat • strcpy ⟹ strlcpy strncpy/strncat do not 
 • strncat ⟹ strlcat NUL-terminate if they run • strncpy ⟹ strlcpy up against the size limit • sprintf ⟹ snprintf • vsprintf ⟹ vsnprintf • gets ⟹ fgets • Microsoft versions different strcpy_s , strcat_s , … • Note: None of these in and of themselves are “insecure.” 
 They are just commonly misused.

  25. (Better) Rule : Use safe string library • Libraries designed to ensure strings used safely • Safety first , despite some performance loss • Example: Very Secure FTP ( vsftp ) string library struct mystr; // impl hidden http://vsftpd.beasts.org/ void str_alloc_text(struct mystr* p_str, const char* p_src); void str_append_str(struct mystr* p_str, const struct mystr* p_other); int str_equal(const struct mystr* p_str1, const struct mystr* p_str2); int str_contains_space(const struct mystr* p_str); … • Another example: C ++ std :: string safe string library

  26. Rule: Understand pointer arithmetic

  27. Rule: Understand pointer arithmetic int x; int *pi = &x; char *pc = (char*) &x;

  28. Rule: Understand pointer arithmetic int x; (pi + 1) == (pc + 1) ??? int *pi = &x; char *pc = (char*) &x;

  29. Rule: Understand pointer arithmetic int x; (pi + 1) == (pc + 1) ??? int *pi = &x; char *pc = (char*) &x; 1 2 3 4 5 6 7 8 x

  30. Rule: Understand pointer arithmetic int x; (pi + 1) == (pc + 1) ??? int *pi = &x; char *pc = (char*) &x; 1 2 3 4 5 6 7 8 x

  31. Rule: Understand pointer arithmetic int x; (pi + 1) == (pc + 1) ??? int *pi = &x; char *pc = (char*) &x; 1 2 3 4 5 6 7 8 x

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Buffer Manager Each relation is can be mapped onto many files (each file containing data from one

Buffer Manager Each relation is can be mapped onto many files (each file containing data from one

Buffer Management The database buffer is the mediator between the basic file system and the tuple-oriented file system. The buffer managers task is to make the pages addressable in main memory and to coordinate the writing of pages to disk

1.12k views • 8 slides
Introduction Buffer Overflows Buffer overflows were the most common form of security

Introduction Buffer Overflows Buffer overflows were the most common form of security

Introduction Buffer Overflows Buffer overflows were the most common form of security vulnerability in the 90s. Buffer overflows dominate in the area of remote network penetration vulnerabilities. CS 465 They represent one of the

651 views • 4 slides
Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed

Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed

1 Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed in buffer overflow exploits to create backdoors Execution of additional network services via the INETD daemon The addition of new users

497 views • 30 slides
External buffer Raslan Darawsheh Mellanox External buffer First was introduced by Olivier

External buffer Raslan Darawsheh Mellanox External buffer First was introduced by Olivier

x External buffer Raslan Darawsheh Mellanox External buffer First was introduced by Olivier in his presentation in 2016. The support for External buffer has been there since DPDK 18.05 2 External buffer: Contd 3 External

544 views • 12 slides
Lab 2: Buffer Overflows Fengwei Zhang SUSTech CS 315 Computer Security 1 Buffer Overflows

Lab 2: Buffer Overflows Fengwei Zhang SUSTech CS 315 Computer Security 1 Buffer Overflows

Lab 2: Buffer Overflows Fengwei Zhang SUSTech CS 315 Computer Security 1 Buffer Overflows One of the most common vulnerabilities in software Programming languages commonly associated with buffer overflows including C and C++

1.14k views • 17 slides
Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a very common attack mechanism from 1988 Morris Worm to Code Red, Slammer, Sasser and many others prevention techniques known still of major concern

873 views • 53 slides
TinyOS Determine when Fill message Specify Pass buffer message buffer Network Communication

TinyOS Determine when Fill message Specify Pass buffer message buffer Network Communication

Inter-Node Communication General idea: Sender: TinyOS Determine when Fill message Specify Pass buffer message buffer Network Communication buffer with data Recipients to OS can be reused Computer Network Receiver:

176 views • 3 slides
Week 03 Lectures PostgreSQL Buffer Manager 1/95 PostgreSQL buffer manager: provides a shared

Week 03 Lectures PostgreSQL Buffer Manager 1/95 PostgreSQL buffer manager: provides a shared

Week 03 Lectures PostgreSQL Buffer Manager 1/95 PostgreSQL buffer manager: provides a shared pool of memory buffers for all backends all access methods get data from disk via buffer manager Buffers are located in a large region of shared

505 views • 25 slides
Riparian Buffer or Riparian Forest Buffer Equivalency Demonstration and Offsetting Water

Riparian Buffer or Riparian Forest Buffer Equivalency Demonstration and Offsetting Water

Implementation of Act 162 of 2014 Riparian Buffer or Riparian Forest Buffer Equivalency Demonstration and Offsetting Water Resources Advisory Committee August 12, 2015 Tom Wolf, Governor John Quigley, Secretary Agenda 1. Overview of Act 162

530 views • 37 slides
Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by

Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by

Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by the Morris Worm in 1988 Prevention techniques known NX bit, stack canaries, ASLR Still of major concern Recent examples:

354 views • 21 slides
Buffer Trees Lars Arge. The Buffer Tree: A New Technique for Optimal I/O Algorithms . In

Buffer Trees Lars Arge. The Buffer Tree: A New Technique for Optimal I/O Algorithms . In

Buffer Trees Lars Arge. The Buffer Tree: A New Technique for Optimal I/O Algorithms . In Proceedings of Fourth Workshop on Algorithms and Data Structures (WADS), Lecture Notes in Computer Science Vol. 955, Springer-Verlag, 1995, 334-345. 1

518 views • 27 slides
AKC Education Webinar Series: Social Media Resources Buffer: What Is It? Buffer is a software

AKC Education Webinar Series: Social Media Resources Buffer: What Is It? Buffer is a software

AKC Education Webinar Series: Social Media Resources Buffer: What Is It? Buffer is a software application for the web and mobile, designed to manage accounts in social networks, by providing the means for a user to schedule posts to Twitter,

506 views • 35 slides
More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester

More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester

More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester Rebeiro Indian Institute of Technology Madras Buffer Overreads 2 Buffer Overread Example 3 Buffer Overread Example len read from command line

906 views • 76 slides
Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Last time We continued By launching our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow fundamentals This time We will finish up By looking at Buffer Overflow overflows

1.33k views • 103 slides
k + -buffer: Fragment Synchronized k-buffer I3D 2014 Andreas A. Vasilakis &amp; Ioannis Fudos {

k + -buffer: Fragment Synchronized k-buffer I3D 2014 Andreas A. Vasilakis &amp; Ioannis Fudos {

k + -buffer: Fragment Synchronized k-buffer I3D 2014 Andreas A. Vasilakis &amp; Ioannis Fudos { abasilak,fudos } @cs.uoi.gr Department of Computer Science &amp; Engineering, University of Ioannina, Greece 16 March 2014 Introduction

782 views • 44 slides
Database Systems IIB: DBMS-Implementation Chapter 5: The Buffer Cache Prof. Dr. Stefan Brass

Database Systems IIB: DBMS-Implementation Chapter 5: The Buffer Cache Prof. Dr. Stefan Brass

Storage Hierarchy, Buffer Manager Disk/Buffer Performance in Oracle Database Systems IIB: DBMS-Implementation Chapter 5: The Buffer Cache Prof. Dr. Stefan Brass Martin-Luther-Universit at Halle-Wittenberg Wintersemester 2019/20

623 views • 50 slides
Testing and Fuzzing Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security *

Testing and Fuzzing Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security *

Testing and Fuzzing Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * Some slides adapted from those by Trent Jaeger Our Goal Develop techniques to detect vulnerabilities automatically before they are exploited

1.17k views • 61 slides
Summer 2012 August 6, 2012 CSE 332 Data Abstractions, Summer 2012 1 *ominous music* THE FINAL

Summer 2012 August 6, 2012 CSE 332 Data Abstractions, Summer 2012 1 *ominous music* THE FINAL

CSE 332 Data Abstractions: Data Races and Memory, Reordering, Deadlock, Readers/Writer Locks, and Condition Variables (oh my!) Kate Deibel Summer 2012 August 6, 2012 CSE 332 Data Abstractions, Summer 2012 1 *ominous music* THE FINAL EXAM

826 views • 80 slides
2012-08-07 CSE 332 Data Abstractions: Data Races and Memory, Reordering, Deadlock,

2012-08-07 CSE 332 Data Abstractions: Data Races and Memory, Reordering, Deadlock,

2012-08-07 CSE 332 Data Abstractions: Data Races and Memory, Reordering, Deadlock, Readers/Writer Locks, and Condition Variables (oh my!) *ominous music* THE FINAL EXAM Kate Deibel Summer 2012 August 6, 2012 CSE 332 Data Abstractions,

339 views • 14 slides
Amortised Resource Analysis using Separation Logic Robert Atkey University of Strathclyde 20th

Amortised Resource Analysis using Separation Logic Robert Atkey University of Strathclyde 20th

Robert.Atkey@strath.ac.uk Amortised Resource Analysis using Separation Logic Robert Atkey University of Strathclyde 20th July 2017 Dagstuhl Seminar 17291 Resource Specification and Verification Programs execute. But not for free. How much

754 views • 61 slides
Grap aphQL hQL forget (the) REST? Christian Schwendtner

Grap aphQL hQL forget (the) REST? Christian Schwendtner

Grap aphQL hQL forget (the) REST? Christian Schwendtner https://www.pexels.com/photo/man-person-people-emotions-1990/ https://www.pexels.com/photo/man-person-people-emotions-1990/ REST Feelings Im lovin it Well, What else?

482 views • 46 slides
Thread synchronization David Hovemeyer 2 December 2019 David Hovemeyer Computer Systems

Thread synchronization David Hovemeyer 2 December 2019 David Hovemeyer Computer Systems

Thread synchronization David Hovemeyer 2 December 2019 David Hovemeyer Computer Systems Fundamentals: Thread synchronization 2 December 2019 A program 1 const int NUM_INCR=100000000, NTHREADS=2; typedef struct { volatile int count; }

658 views • 36 slides
The No Gap Conjecture: Proof by Pictures Stephen Hermes Wellesley College, Wellesley, MA

The No Gap Conjecture: Proof by Pictures Stephen Hermes Wellesley College, Wellesley, MA

The No Gap Conjecture: Proof by Pictures Stephen Hermes Wellesley College, Wellesley, MA Maurice Auslander Distinguished Lectures and International Conference Woods Hole May, 2016 Preliminaries Joint With Kiyoshi Igusa. arXiv:1601.04054

515 views • 35 slides
Mutation Testing of Memory- Related Operators Jay Nanavati, Fan Wu, Mark Harman, Yue Jia, Jens

Mutation Testing of Memory- Related Operators Jay Nanavati, Fan Wu, Mark Harman, Yue Jia, Jens

Mutation Testing of Memory- Related Operators Jay Nanavati, Fan Wu, Mark Harman, Yue Jia, Jens Krinke UCL, UK Mutation Testing Test case Test case Test case Test case Test case Test case Test case Jay Nanavati, Fan Wu, Mark

606 views • 28 slides

More recommend