cmpsc 497 buffer overflow vulnerabilities
play

CMPSC 497 Buffer Overflow Vulnerabilities Trent Jaeger Systems - PowerPoint PPT Presentation

Dec 19, 2023 •342 likes •739 views

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Buffer Overflow Vulnerabilities Trent Jaeger

  1. Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 � Buffer Overflow Vulnerabilities Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1

  2. Bu ff er Overflow • Early example of a method to exploit a “memory error” in a C program • Discovered in the 1970s • Leveraged by the Morris Worm in 1988 – first large scale exploit • Leveraged by subsequent attacks in the early 2000s that led to security rethink • Still a problem today – Check out CVEs for “buffer overflow” Systems and Internet Infrastructure Security (SIIS) Laboratory Page 2

  3. Memory Error • A memory error allows a program statement to access memory beyond that allocated for the variables processed in the statement • Common case: Buffer overflow The C language allows writes to memory addresses ‣ specified by pointers char buf[10] – buf can be used as a pointer • C functions enable writing based on the size of the ‣ input or a length value strcpy and strncpy • However, neither limits the write to the allocated buf ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 3

  4. Morris Worm • Robert Morris, a 23-year old Cornell PhD student Wrote a small (99 line) program ‣ Launched on November 3, 1988 ‣ Simply disabled the Internet ‣ • Used a buffer overflow in a program called fingerd To get adversary-controlled code running ‣ • Then spread to other hosts – cracked passwords and leveraged open LAN configurations • Covered its tracks (set is own process name to sh , prevented accurate cores, re-forked itself) Systems and Internet Infrastructure Security (SIIS) Laboratory Page 4

  5. Process Address Space higher • Text: static code memory Stack • Data: also called heap address static variables ‣ Data dynamically allocated data ‣ (malloc, new) lower Text • Stack: program memory execution stacks address Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  6. Program Stack • For implementing procedure calls and returns • Keep track of program execution and state by storing local variables ‣ arguments to the called procedure (callee) ‣ return address of the calling procedure (caller) ‣ ... ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  7. Program Stack *Slide by Robert Seacord Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  8. Stack Frames • Stack grows from high mem to low mem addresses • The stack pointer points to the top of the stack ESP in Intel architectures • • The frame pointer points to the end of the current frame also called the base pointer ‣ EBP in Intel architectures • • The stack is modified during function calls, function initializations, returning from ‣ a function Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  9. A Running Example void function(int a, int b) { char buffer[12]; gets(buffer); return; } void main() { Run “gcc –S –o example.s example.c” to see its assembly code int x; x = 0; function(1,2); x = 1; printf("%d\n",x); } Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  10. Function Calls function (1,2) push the 2 nd arg to stack pushl $2 push the 1 st arg to stack pushl $1 push the ret addr onto the stack, call function and jumps to the function 10 Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  11. Function Calls: Stacks Before After esp ret 1 2 esp stack frame stack frame for main for main ebp ebp Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  12. Function Initialization void function(int a, int b) { saves the frame pointer pushl %ebp sets the new frame pointer movl %esp, %ebp allocate space for local subl $12, %esp variables Procedure prologue Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  13. Function Initialization: Stacks Before After esp buffer ebp old ebp esp ret ret 1 1 2 2 stack frame stack frame for main for main ebp Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  14. Function Return return; restores the old stack pointer movl %ebp, %esp restores the old frame pointer popl %ebp gets the return address, and ret jumps to it Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  15. Function Return: Stacks Before After esp buffer buffer ebp old ebp old ebp esp ret ret 1 1 2 2 stack frame stack frame for main for main ebp Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  16. Return to Calling Function In main again – following return… pushl $2 pushl $1 call function restores the stack pointer addl $8, %esp Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  17. Return to Calling Function: Stacks Before After buffer buffer old ebp old ebp esp ret ret 1 1 2 2 esp stack frame stack frame for main for main ebp ebp Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  18. A Running Example void function(int a, int b) { char buffer[12]; esp gets(buffer); return; buffer } ebp old ebp ret void main() { 1 int x; 2 x = 0; stack frame function(1,2); x = 1; for main printf("%d\n",x); } Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  19. Overwriting the Return Address esp void function(int a, int b) { buffer char buffer[12]; ebp gets(buffer); old ebp ret int* ret = (int *)buffer+?; 1 2 *ret = ?; stack frame return; for main } Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  20. Overwriting the Return Address void function(int a, int b) { char buffer[12]; gets(buffer); int* ret = (int *) buffer+16; *ret = *ret + 10; // addl and store constant 1 return; The output will be 0 } void main() { int x; x = 0; the original return address function(1,2); x = 1; the new return address printf("%d\n",x); } Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  21. Previous Attack • Not very realistic Attackers are usually not allowed to modify code ‣ Threat model: the only thing they can affect is the input ‣ Can they still carry out similar attacks? ‣ YES, because of possible buffer overflows • Systems and Internet Infrastructure Security (SIIS) Laboratory Page 21

  22. Bu ff er Overflows • A buffer overflow occurs when data is written outside of the boundaries of the memory allocated to a particular data structure (buffer) • Happens when buffer boundaries are neglected and unchecked • Can be exploited to modify memory after buffer Stack: return address, local variables, function pointers, ‣ etc. Heap: data structures and metadata (next time) ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 22

  23. Smashing the Stack • Occurs when a buffer overflow overwrites other data in the program stack • Successful exploits can overwrite the return address on the stack enabling the execution of arbitrary code on the targeted machine • What happens if we input a large string? ./example • ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ‣ • Segmentation fault – why is that? Systems and Internet Infrastructure Security (SIIS) Laboratory Page 23

  24. What Happened? The Stack is Smashed void function(int a, int b) { char buffer[12]; gets(buffer); f buffer return; ⁞ } old ebp f ret f 1 2 If the input is large, then gets(buffer) will write outside the bound of buffer, stack frame and the return address is overwritten for main – with “ffff” (in ASCII), which likely is not a legal code address – seg fault 24 Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  25. Figure Out A Nasty Input void function (int a, int b) { char buffer[12]; gets(buffer); return; } ret 1 void main() { 2 int x; stack frame x = 0; for main function(1,2); x = 1; A nasty input puts the return printf("%d\n",x); address after x=1. } Arc injection 25 Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  26. Injecting Code void function (int a, int b) { Injected char buffer[12]; gets(buffer); code return; } ret 1 void main() { 2 int x; stack frame x = 0; for main function(1,2); x = 1; The injected code can do anything. printf("%d\n",x); E.g., download and install a worm } 26 Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  27. Code Injection • Attacker creates a malicious argument—a specially crafted string that contains a pointer to malicious code provided by the attacker • When the function returns, control is transferred to the malicious code Injected code runs with the permission of the ‣ vulnerable program when the function returns. Programs running as root or other elevated ‣ privileges are normally targeted Programs with the setuid bit on • 27 Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Last time We finished up By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow defenses (and workarounds) Format string vulnerabilities Integer overflow vulnerabilities This time

1.29k views • 80 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow

Last time We continued By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow attacks & other vulnerabilities Overflow defenses Everything youve always wanted to know about

2.41k views • 197 slides
Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Last time We continued By launching our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow fundamentals This time We will finish up By looking at Buffer Overflow overflows

1.33k views • 103 slides
More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester

More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester

More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester Rebeiro Indian Institute of Technology Madras Buffer Overreads 2 Buffer Overread Example 3 Buffer Overread Example len read from command line

906 views • 76 slides
CMPSC 497 More on Overflow Vulnerabilities Trent Jaeger Systems and Internet Infrastructure

CMPSC 497 More on Overflow Vulnerabilities Trent Jaeger Systems and Internet Infrastructure

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 More on Overflow Vulnerabilities Trent Jaeger

634 views • 45 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

This time We will continue By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything youve always wanted to know about gdb but were too afraid to ask Overflow defenses Other memory

1.49k views • 117 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

This time We will continue By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything youve always wanted to know about gdb but were too afraid to ask Overflow defenses Other memory

1.23k views • 95 slides
Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Integer Overflow Vulnerabilities * slides adapted from those by Seacord 3 Integer Overflows An integer overflow occurs

639 views • 52 slides
Buffer Overflow Vulnerabilities Exploits and Defensive Techniques Adam Butcher and Peter

Buffer Overflow Vulnerabilities Exploits and Defensive Techniques Adam Butcher and Peter

Buffer Overflow Vulnerabilities Exploits and Defensive Techniques Adam Butcher and Peter Buchlovsky 8. March 2004 University of Birmingham 1 Contents 1. Call-stacks, shellcode, gets 2. Exploits stack-based, heap-based 3. Defensive

1.56k views • 123 slides
Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by

Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by

Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by the Morris Worm in 1988 Prevention techniques known NX bit, stack canaries, ASLR Still of major concern Recent examples:

354 views • 21 slides
Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed

Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed

1 Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed in buffer overflow exploits to create backdoors Execution of additional network services via the INETD daemon The addition of new users

497 views • 30 slides
Buffer Overflow CS461/ECE422 Spring 2012 Reading Material

Buffer Overflow CS461/ECE422 Spring 2012 Reading Material

Buffer Overflow CS461/ECE422 Spring 2012 Reading Material Based on Chapter 11 of the text Outline Buffer Overflow Stack Buffer Overflow Shell

783 views • 28 slides
Buffer Software Security overflows and other memory safety vulnerabilities History

Buffer Software Security overflows and other memory safety vulnerabilities History

This time We will begin By investigating our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Analyzing security Security

1.41k views • 107 slides
History of the Stack Overflow Buffer Overflow Understood

History of the Stack Overflow Buffer Overflow Understood

History of the Stack Overflow Buffer Overflow Understood as early as 1972 Computer Security Technology Planning Study Morris Worm First

1.07k views • 42 slides
CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking

CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking

CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking & Loading, continued Buffer Overflow Read: CSAPP2: section 3.12: out-of-bounds memory references & buffer overflow K&R:

775 views • 43 slides
Buffer Software Security overflows and other memory safety vulnerabilities History

Buffer Software Security overflows and other memory safety vulnerabilities History

This time We will begin By investigating our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Software security Security is a form

2.11k views • 190 slides
Keeping the slaves buffer pool warm for failover with Percona Playback Peter Boros

Keeping the slaves buffer pool warm for failover with Percona Playback Peter Boros

Keeping the slaves buffer pool warm for failover with Percona Playback Peter Boros Consultant @ Percona FOSDEM 2013 First of all, thanks to... Kyle Oppenheim (Groupon) Director of Engineering engineering.groupon.com Fernando Ipar

697 views • 30 slides
CheapandLargeCAMsforHighPerformance Data-Intensive NetworkedSystems-TheBufferhashKVStore

CheapandLargeCAMsforHighPerformance Data-Intensive NetworkedSystems-TheBufferhashKVStore

CheapandLargeCAMsforHighPerformance Data-Intensive NetworkedSystems-TheBufferhashKVStore Xingsheng Zhao The goalof the paper is to build cheap Introduction and large CAMs, or CLAMs , using a combination of DRAM and flash memory. These are

848 views • 27 slides
High-speed Data Acquisition using the Linux Industrial IO framework Lars-Peter Clausen, Analog

High-speed Data Acquisition using the Linux Industrial IO framework Lars-Peter Clausen, Analog

High-speed Data Acquisition using the Linux Industrial IO framework Lars-Peter Clausen, Analog Devices What is High-Speed > ~100k samples per second Applications RF communication, Software Defined Radio, Direct RF Radar

487 views • 36 slides
Condition Synchronization People are still trying to figure that out. Compromises: between

Condition Synchronization People are still trying to figure that out. Compromises: between

Synchronization Now that you have seen locks, is that all there is? No, but what is the right way to build a parallel program. Condition Synchronization People are still trying to figure that out. Compromises: between making it

212 views • 3 slides
Graphics and Framebuffers Baremetal on the Pi Raspberry Pi A+ ARM processor and memory

Graphics and Framebuffers Baremetal on the Pi Raspberry Pi A+ ARM processor and memory

Graphics and Framebuffers Baremetal on the Pi Raspberry Pi A+ ARM processor and memory Peripherals: GPIO, timers, UART (gpio, uart), keyboard Assembly and machine language (as) C and pointers (gcc) Functions and the stack (gdb) Serial

1.54k views • 44 slides
CS 356: Introduction to Computer Networks Lecture 16: Transmission Control Protocol (TCP) Chap.

CS 356: Introduction to Computer Networks Lecture 16: Transmission Control Protocol (TCP) Chap.

CS 356: Introduction to Computer Networks Lecture 16: Transmission Control Protocol (TCP) Chap. 5.2, 6.3 Xiaowei Yang xwy@cs.duke.edu Overview TCP Connection management Flow control When to transmit a segment Adaptive

1.02k views • 65 slides
Synchronization Chi Zhang czhang@cs.fiu.edu 1 Cooperating Processes Independent process

Synchronization Chi Zhang czhang@cs.fiu.edu 1 Cooperating Processes Independent process

COP 4225 Advanced Unix Programming Synchronization Chi Zhang czhang@cs.fiu.edu 1 Cooperating Processes Independent process cannot affect or be affected by the execution of another process. Cooperating process can affect or be affected

657 views • 19 slides
DATA ANALYTICS USING DEEP LEARNING GT 8803 // FALL 2019 // JOY ARULRAJ L E C T U R E # 0 6 : D

DATA ANALYTICS USING DEEP LEARNING GT 8803 // FALL 2019 // JOY ARULRAJ L E C T U R E # 0 6 : D

DATA ANALYTICS USING DEEP LEARNING GT 8803 // FALL 2019 // JOY ARULRAJ L E C T U R E # 0 6 : D I S K - C E N T R I C A N D I N - M E M O R Y D A T A B A S E S Y S T E M S administrivia Project ideas List shared on Piazza Start

1.22k views • 80 slides

More recommend