cmpsc 497 more on overflow vulnerabilities
play

CMPSC 497 More on Overflow Vulnerabilities Trent Jaeger Systems - PowerPoint PPT Presentation

Oct 01, 2022 •176 likes •634 views

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 More on Overflow Vulnerabilities Trent Jaeger

  1. Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 � More on Overflow Vulnerabilities Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1

  2. Overflow Vulnerabilities • Despite knowledge of buffer overflows for over 40 years, they have not been eliminated • This is partly due to the wide variety of exploit options • Variety of targets: can exploit more than return addresses – any code addresses or data • Variety of uses: can exploit on read and write • Variety of exploits: can inject or reuse code • Variety of workarounds: current defenses are incomplete Systems and Internet Infrastructure Security (SIIS) Laboratory Page 2

  3. Available Defenses • Available defenses do not prevent all options Stackguard: A canary before return address on stack ‣ DEP or W xor X: Stack memory is not executable ‣ • This combination of defenses prevents the classic buffer overflow attack, but there are many options • Plus, both defenses may be disabled by other attacks Systems and Internet Infrastructure Security (SIIS) Laboratory Page 3

  4. StackGuard Limitations • Obvious limitation: only protects the return address What about other local variables? ‣ int authenticated = 0; char packet[1000]; while (!authenticated) { PacketRead(packet); if (Authenticate(packet)) authenticated = 1; } if (authenticated) ProcessPacket(packet); Systems and Internet Infrastructure Security (SIIS) Laboratory Page 4

  5. Function Initialization: Stacks • Packet overflows overwrite the authenticated value packet authenticated old ebp CANARY ret stack frame Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  6. StackGuard Limitations • Obvious limitation: only protects the return address What is the exploit? ‣ int authenticated = 0; char packet[1000]; while (!authenticated) { PacketRead(packet); if (Authenticate(packet)) authenticated = 1; } if (authenticated) ProcessPacket(packet); Systems and Internet Infrastructure Security (SIIS) Laboratory Page 6

  7. StackGuard Limitations • Obvious limitation: only protects the return address What about other local variables? ‣ Of course, there are also other data on the stack that ‣ may also require protection Code addresses – function pointers • Data that impacts control flow – as in example • Data that may impact operation of program • • Any ways to address this limitation? Systems and Internet Infrastructure Security (SIIS) Laboratory Page 7

  8. StackGuard Limitations • Big limitation: Disclosure attacks By performing a buffer “overread” ‣ Example is the famous Heartbleed attack against SSL ‣ Why is this a problem for Stackguard canaries? ‣ char packet[10]; … // suppose len is adversary controlled strncpy(buf, packet, len); send(fd, buf, len2); Systems and Internet Infrastructure Security (SIIS) Laboratory Page 8

  9. StackGuard Limitations • Big limitation: Disclosure attacks By performing a buffer “overread” ‣ Example is the famous Heartbleed ‣ attack against SSL Why is this a problem for Stackguard? ‣ packet old ebp char packet[10]; canary … ret addr // suppose len is adversary controlled arg strncpy(buf, packet, len); previous send(fd, buf, len); stack frame Systems and Internet Infrastructure Security (SIIS) Laboratory Page 9

  10. StackGuard Limitations • Big limitation: disclosure attacks By performing a buffer “overread” ‣ One may extract the canary values by reading beyond ‣ the end of stack buffers Which would enable the adversary to learn the ‣ (supposedly secret) canary value How would you exploit this? ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 10

  11. DEP Limitations • Big limitation: code injection is not necessary to construct adversary-controlled exploit code Code reuse attacks ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 11

  12. Vs. Injecting Shell Code • Remember this exploit execve • The adversary’s goal is (“/bin/sh”) to get execve to run to generate a command ret shell 1 • To do this the adversary 2 uses execve from libc – i.e., reuses code that is stack frame already there for main 12 Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  13. Code Reuse • How can we invoke execve without code injection? Systems and Internet Infrastructure Security (SIIS) Laboratory Page 13

  14. Code Reuse • How can we invoke execve without code injection? Call execve directly from return value ‣ • The difference is subtle, but significant In the original exploit, we wrote the address of execve ‣ into buffer on the stack and modified return address to start executing at buffer I.e., we are executing in the stack memory region • Instead, we can modify the return address to point to ‣ execve directly, so we continue to execute code Reusing available code to do what the adversary wants • Systems and Internet Infrastructure Security (SIIS) Laboratory Page 14

  15. Code Reuse • How can we invoke execve without code injection? Use the code directly ‣ • The difference is subtle, but significant execve buffer (“/bin/sh”) ret execve 1 “/bin/sh” 2 2 stack frame stack frame for main for main Systems and Internet Infrastructure Security (SIIS) Laboratory Page 15

  16. Code Reuse • How would we use code reuse to disable DEP? • Goal is to allow execution of stack memory Systems and Internet Infrastructure Security (SIIS) Laboratory Page 16

  17. Code Reuse • How would we use code reuse to disable DEP? • Goal is to allow execution of stack memory There’s a system call for that ‣ int mprotect(void *addr, size_t len, int prot); Sets protection for region of memory starting at address ‣ Invoke this system call to allow execution on stack and ‣ then start executing from the injected code Systems and Internet Infrastructure Security (SIIS) Laboratory Page 17

  18. Heap Overflows • Another region of memory that may be vulnerable to overflows is heap memory A buffer overflow of a buffer allocated on the heap is ‣ called a heap overflow int authenticated = 0; char *packet = (char *)malloc(1000); while (!authenticated) { PacketRead(packet); if (Authenticate(packet)) authenticated = 1; } if (authenticated) ProcessPacket(packet); Systems and Internet Infrastructure Security (SIIS) Laboratory Page 18

  19. Heap Overflows Morris Worm • Robert Morris, a 23 doctoral student from Cornell Overflows on heap also possible • Wrote a small (99 line) program ‣ char *packet = malloc(1000) ptr[1000] = ‘M’; Launched on November 3, 1988 ‣ “Classical” heap overflow • Simply disabled the Internet ‣ corrupts metadata • Used a buffer overflow in a program called fingerd Heap metadata maintains chunk ‣ size, previous and next pointers, ... To get adversary-controlled code running ‣ • Heap metadata is inline with • Then spread to other hosts – cracked passwords heap data and leverage open LAN configurations And waits for heap management ‣ functions ( malloc, free ) to • Covered its tracks (set is own process name to sh, write corrupted metadata to target locations prevented accurate cores, re-forked itself) � X Systems and Internet Infrastructure Security (SIIS) Laboratory CSE543 - Introduction to Computer and Network Security Page 19 Page

  20. Heap Overflows Process Address Space • Heap allocators maintain a doubly-linked list of allocated and free chunks higher • Text: static code • malloc () and free () modify this list memory Stack • Data: also called heap address static variables ‣ Data dynamically allocated data ‣ (malloc, new) lower Text • Stack: program memory execution stacks address http://www.sans.edu/student-files/presentations/heap_overflows_notes.pdf • � X Systems and Internet Infrastructure Security (SIIS) Laboratory CSE543 - Introduction to Computer and Network Security Page Page

  21. Heap Overflows Program Stack • free() removes a chunk from allocated list chunk2-> bk->fd = chunk2-> fd chunk2->bk->fd = chunk2->fd • For implementing procedure calls and returns chunk2-> fd->bk = chunk2-> bk chunk2->fd->bk = chunk2->bk • Keep track of program execution and state by • By overflowing chunk2, attacker controls bk and fd storing ‣ Controls both where and what data is written! Arbitrarily change memory (e.g., function pointers) • local variables ‣ arguments to the called procedure (callee) ‣ return address of the calling procedure (caller) ‣ ... ‣ � X Systems and Internet Infrastructure Security (SIIS) Laboratory CSE543 - Introduction to Computer and Network Security Page Page

  22. Heap Overflows Program Stack • By overflowing chunk2, attacker controls bk and fd Controls both where and what data is written! ‣ Assign chunk2->fd to value to want to write • Assign chunk2->bk to address X (where you want to write) • Less an offset of the fd field in the structure • • Free() removes a chunk from allocated list chunk2-> bk->fd = chunk2-> fd chunk2-> fd->bk = chunk2-> bk • What’s the result? *Slide by Robert Seacord � X Systems and Internet Infrastructure Security (SIIS) Laboratory CSE543 - Introduction to Computer and Network Security Page Page

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CMPSC 497 Buffer Overflow Vulnerabilities Trent Jaeger Systems and Internet Infrastructure

CMPSC 497 Buffer Overflow Vulnerabilities Trent Jaeger Systems and Internet Infrastructure

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Buffer Overflow Vulnerabilities Trent Jaeger

739 views • 38 slides
Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Integer Overflow Vulnerabilities * slides adapted from those by Seacord 3 Integer Overflows An integer overflow occurs

639 views • 52 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Last time We finished up By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow defenses (and workarounds) Format string vulnerabilities Integer overflow vulnerabilities This time

1.29k views • 80 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow

Last time We continued By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow attacks & other vulnerabilities Overflow defenses Everything youve always wanted to know about

2.41k views • 197 slides
Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * some slides adapted from those by Trent Jaeger Overflow Vulnerabilities Despite

901 views • 46 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

This time We will continue By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything youve always wanted to know about gdb but were too afraid to ask Overflow defenses Other memory

1.49k views • 117 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

This time We will continue By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything youve always wanted to know about gdb but were too afraid to ask Overflow defenses Other memory

1.23k views • 95 slides
CMPSC 497 Other Memory Vulnerabilities Trent Jaeger Systems and Internet Infrastructure

CMPSC 497 Other Memory Vulnerabilities Trent Jaeger Systems and Internet Infrastructure

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Other Memory Vulnerabilities Trent Jaeger

827 views • 44 slides
Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Last time We continued By launching our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow fundamentals This time We will finish up By looking at Buffer Overflow overflows

1.33k views • 103 slides
Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Some Terminology Software error A programming mistake that make the software not meet its expectation Software

726 views • 59 slides
Buffer Overflow Vulnerabilities Exploits and Defensive Techniques Adam Butcher and Peter

Buffer Overflow Vulnerabilities Exploits and Defensive Techniques Adam Butcher and Peter

Buffer Overflow Vulnerabilities Exploits and Defensive Techniques Adam Butcher and Peter Buchlovsky 8. March 2004 University of Birmingham 1 Contents 1. Call-stacks, shellcode, gets 2. Exploits stack-based, heap-based 3. Defensive

1.56k views • 123 slides
More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester

More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester

More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester Rebeiro Indian Institute of Technology Madras Buffer Overreads 2 Buffer Overread Example 3 Buffer Overread Example len read from command line

906 views • 76 slides
Testing and Fuzzing Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security *

Testing and Fuzzing Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security *

Testing and Fuzzing Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * Some slides adapted from those by Trent Jaeger Our Goal Develop techniques to detect vulnerabilities automatically before they are exploited

1.17k views • 61 slides
Re-arquitetando o Re-arquitetando o Stack Overflow Stack Overflow ou como construmos o Stack

Re-arquitetando o Re-arquitetando o Stack Overflow Stack Overflow ou como construmos o Stack

Re-arquitetando o Re-arquitetando o Stack Overflow Stack Overflow ou como construmos o Stack Overflow for Teams Roberta Arcoverde 1 /whois /whois recifense programadora h 15 anos principal software developer na stack overflow

711 views • 52 slides
History of the Stack Overflow Buffer Overflow Understood

History of the Stack Overflow Buffer Overflow Understood

History of the Stack Overflow Buffer Overflow Understood as early as 1972 Computer Security Technology Planning Study Morris Worm First

1.07k views • 42 slides
Evolution of Stack Overflow Discussions Using Sentimental Analysis on Comments in Stack Overflow

Evolution of Stack Overflow Discussions Using Sentimental Analysis on Comments in Stack Overflow

Evolution of Stack Overflow Discussions Using Sentimental Analysis on Comments in Stack Overflow Posts Presented by Norbert Eke and Saraj Manes Motivation SOTorrent 2018 : Reconstructing and Analyzing the Evolution of Stack Overflow

547 views • 17 slides
OF M OF MARR ARRIA IAGE GE Eph Ephesia esians ns 5 HOW DO YOU DECIDE WHO TO MARRY? No

OF M OF MARR ARRIA IAGE GE Eph Ephesia esians ns 5 HOW DO YOU DECIDE WHO TO MARRY? No

THE THE M MYSTER TERY OF M OF MARR ARRIA IAGE GE Eph Ephesia esians ns 5 HOW DO YOU DECIDE WHO TO MARRY? No person really decides before they grow up who they're going to marry. God decides it all way before, and you get to find

600 views • 27 slides
15-251 Great Theoretical Ideas in Computer Science Lecture 1: Introduction to the course

15-251 Great Theoretical Ideas in Computer Science Lecture 1: Introduction to the course

15-251 Great Theoretical Ideas in Computer Science Lecture 1: Introduction to the course Instructors: Ariel Procaccia Anil Ada September 1st, 2015 What is theoretical computer science? What is computer science? Writing computer programs

730 views • 55 slides
LIFTING THE VEIL FROM GODS WORD HI HIDDE DDEN N IN IN THE HE UN UNAPPE PEALING ALING

LIFTING THE VEIL FROM GODS WORD HI HIDDE DDEN N IN IN THE HE UN UNAPPE PEALING ALING

II Timothy 3:16-17 LIFTING THE VEIL FROM GODS WORD HI HIDDE DDEN N IN IN THE HE UN UNAPPE PEALING ALING Every Scripture (II Timothy 3:16) If you were to write the Bible, would you have made it more appealing to

198 views • 4 slides
Breaking down the communication barrier: : How to talk lk about Scope 3 effectively Carbon

Breaking down the communication barrier: : How to talk lk about Scope 3 effectively Carbon

Breaking down the communication barrier: : How to talk lk about Scope 3 effectively Carbon Credentials 19/09/2019 www.carboncredentials.com www.carboncredentials.com www.carboncredentials.com Speakers Chair Sam Ca Sa Carson Emma Wats

1.02k views • 35 slides
Towards a Robust Edge-Native Storage System Presenter: Nikhil Sreekumar Authors: Nikhil

Towards a Robust Edge-Native Storage System Presenter: Nikhil Sreekumar Authors: Nikhil

Towards a Robust Edge-Native Storage System Presenter: Nikhil Sreekumar Authors: Nikhil Sreekumar, Abhishek Chandra, Jon Weissman Nov 12 th , 2020 Lets go to a State Fair Cloud solution Latency Bandwidth Cost Cloud Privacy Data

1.23k views • 17 slides
Principles of Software Construction: Objects, Design, and Concurrency Concurrency Part III:

Principles of Software Construction: Objects, Design, and Concurrency Concurrency Part III:

Principles of Software Construction: Objects, Design, and Concurrency Concurrency Part III: Structuring Applications (Design Patterns for Parallel Computation) Michael Hilton Bogdan Vasilescu 17-214 1 Learning Goals Reuse

1.17k views • 70 slides
Parallel Programming Practice Threads and Tasks Susanne Cech Previtali Thomas Gross Last

Parallel Programming Practice Threads and Tasks Susanne Cech Previtali Thomas Gross Last

Parallel Programming Practice Threads and Tasks Susanne Cech Previtali Thomas Gross Last update: 2009-10-29, 09:12 Wednesday, January 20, 2010 Thread objects java.lang.Thread Each thread is associated with an instance of the class Thread

682 views • 47 slides
LHD: Optimising Linked Data Query Processing Using Parallelisation Xin Wang, Thanassis

LHD: Optimising Linked Data Query Processing Using Parallelisation Xin Wang, Thanassis

LHD: Optimising Linked Data Query Processing Using Parallelisation Xin Wang, Thanassis Tiropanis, Hugh C. Davis Electronics and Computer Science University of Southampton Motivations High growth rate of Linked Data demands faster query

433 views • 10 slides

More recommend