cmpsc 497 other memory vulnerabilities
play

CMPSC 497 Other Memory Vulnerabilities Trent Jaeger Systems and - PowerPoint PPT Presentation

Oct 30, 2023 •374 likes •827 views

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Other Memory Vulnerabilities Trent Jaeger

  1. Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 � Other Memory � Vulnerabilities Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1

  2. Memory Error • A memory error allows a program statement to access memory beyond that allocated for the variables processed in the statement • Common case: Buffer overflow • But, there are other ways to exploit memory errors to access unauthorized memory No need to overflow a buffer ‣ • Two examples Use-after-free ‣ Type confusion ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 2

  3. Use After Free • Flaw: Program frees data on the heap, but then references that memory as if it were still valid • Accessible: Adversary can control data written using the freed pointer • Exploit: Another “write-what-where” vulnerability Systems and Internet Infrastructure Security (SIIS) Laboratory Page 3

  4. Use After Free • What happens here? int main(int argc, char **argv) { char *buf1R1; char *buf2R1; char *buf2R2; char *buf3R2; buf1R1 = (char *) malloc(BUFSIZER1); buf2R1 = (char *) malloc(BUFSIZER1); free(buf2R1); buf2R2 = (char *) malloc(BUFSIZER2); buf3R2 = (char *) malloc(BUFSIZER2); strncpy(buf2R1, argv[1], BUFSIZER1-1); free(buf1R1); free(buf2R2); free(buf3R2); } Systems and Internet Infrastructure Security (SIIS) Laboratory Page 4

  5. Use After Free • When the second R1 buffer (buf2R1) is freed that memory is available for reuse right away buf1R1 = (char *) malloc(BUFSIZER1); buf2R1 = (char *) malloc(BUFSIZER1); free(buf2R1); • Then, the R2 buffers are allocated within that memory region (buf2R1s) buf2R2 = (char *) malloc(BUFSIZER2); buf3R2 = (char *) malloc(BUFSIZER2); • Finally, the write using the freed pointer will overwrite the R2 buffers (and metadata between) strncpy(buf2R1, argv[1], BUFSIZER1-1); Systems and Internet Infrastructure Security (SIIS) Laboratory Page 5

  6. Use After Free • Most effective attacks exploit data of another type struct A { void (*fnptr)(char *arg); char buffer[40]; }; struct B { int B1; int B2; char info[32]; }; Systems and Internet Infrastructure Security (SIIS) Laboratory Page 6

  7. Use After Free • Free A, and allocate B does what? struct A { x = (struct A *)malloc(sizeof(struct A)); void (*fnptr)(char *arg); free(x); char buffer[40]; y = (struct B *)malloc(sizeof(struct B)); }; struct B { int B1; int B2; char info[32]; }; Systems and Internet Infrastructure Security (SIIS) Laboratory Page 7

  8. Use After Free • How do you think you exploit this? struct A { x = (struct A *)malloc(sizeof(struct A)); void (*fnptr)(char *arg); free(x); char buffer[40]; y = (struct B *)malloc(sizeof(struct B)); }; struct B { int B1; int B2; char info[32]; }; Systems and Internet Infrastructure Security (SIIS) Laboratory Page 8

  9. Use After Free • How do you think you exploit this? struct A { x = (struct A *)malloc(sizeof(struct A)); void (*fnptr)(char *arg); free(x); char buffer[40]; y = (struct B *)malloc(sizeof(struct B)); }; y->B1 = 0xDEADBEEF; x->fnptr(buf); struct B { int B1; int B2; char info[32]; }; Systems and Internet Infrastructure Security (SIIS) Laboratory Page 9

  10. Use After Free • Adversary chooses function pointer value • Adversary may also choose address for buf • To implement a write-what-where struct A { x = (struct A *)malloc(sizeof(struct A)); void (*fnptr)(char *arg); free(x); char buffer[40]; y = (struct B *)malloc(sizeof(struct B)); }; y->B1 = 0xDEADBEEF; x->fnptr(buf); struct B { int B1; int B2; char info[32]; }; Systems and Internet Infrastructure Security (SIIS) Laboratory Page 10

  11. Use After Free • Flaw: program frees data on the heap, but then references that memory as if it were still valid • Accessible: Adversary can control data written using the freed pointer • Exploit: Another “write-what-where” vulnerability • Become a popular vulnerability to exploit – over 60% of CVEs http://blog.tempest.com.br/breno-cunha/perspectives- ‣ on-exploit-development-and-cyber-attacks.html Systems and Internet Infrastructure Security (SIIS) Laboratory Page 11

  12. Prevent Use After Free • Difficult to detect because these often occur in complex runtime states Allocate in one function ‣ Free in another function ‣ Use in a third function ‣ Are all uses accessing a valid (not freed) reference? • In all possible runtime states • • It is not fun to check source code for all possible pointers Systems and Internet Infrastructure Security (SIIS) Laboratory Page 12

  13. Prevent Use After Free • What can you do that is not too complex? Systems and Internet Infrastructure Security (SIIS) Laboratory Page 13

  14. Prevent Use After Free • What can you do that is not too complex? You can set all freed pointers to NULL ‣ Then, no one can use them after they are freed ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 14

  15. Related Problem: Double Free • What is going on here? main(int argc, char **argv) { … buf1R1 = (char *) malloc(BUFSIZE2); buf2R1 = (char *) malloc(BUFSIZE2); free(buf1R1); free(buf2R1); buf1R2 = (char *) malloc(BUFSIZE1); strncpy(buf1R2, argv[1], BUFSIZE1-1); free(buf2R1); free(buf1R2); } Systems and Internet Infrastructure Security (SIIS) Laboratory Page 15

  16. Double Free • Free the R1 buffers free(buf1R1); free(buf2R1); • Allocate a new buffer R2 and supply data buf1R2 = (char *) malloc(BUFSIZE1); strncpy(buf1R2, argv[1], BUFSIZE1-1); • Free the R1 again, which uses R2 data as metadata free(buf2R1); • Then, free R2 which uses really messed up metadata enabling a write-what-where attack (like heap overflow) free(buf1R2); Systems and Internet Infrastructure Security (SIIS) Laboratory Page 16

  17. Double Free • So, “double free” achieves the same effect as the heap overflow vulnerabilities So, can be addressed in the same way ‣ But, you can also save yourself some headache by setting ‣ freed pointers to NULL But, we are only still talking about this • https://wiki.sei.cmu.edu/confluence/pages/viewpage.action? • pageId=87152148 Hopefully, will be part of systems in the near future, but ‣ people don’t like to tinker with the C language spec Systems and Internet Infrastructure Security (SIIS) Laboratory Page 17

  18. Type Confusion • Cause the program to process data of one type when it expects data of another type Provides same affect as we did with use-after-free ‣ But, without the “free” – just need an ambiguous “use” ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 18

  19. Type Confusion • Cause the program to process data of one type when it expects data of another type Provides same affect as we did with use-after-free ‣ But, without the “free” – just need an ambiguous “use” ‣ Where’s the error below? • class Ancestor { int x; } class Descendent : Ancestor { int y; } Ancestor *A = new A; Descendant *D = static cast <Ancestor *> A; D->y = 7; HexType – Jeon et al. ACM CCS 2017 Systems and Internet Infrastructure Security (SIIS) Laboratory Page 19

  20. Type Confusion • Cause the program to process data of one type when it expects data of another type Provides same affect as we did with use-after-free ‣ But, without the “free” – just need an ambiguous “use” ‣ Where’s the error below? • class Ancestor { int x; } class Descendent : Ancestor { int y; } Ancestor *A = new A; Descendant *D = static cast <Ancestor *> A; D->y = 7; // not part of memory referenced by D cast from A HexType – Jeon et al. ACM CCS 2017 Systems and Internet Infrastructure Security (SIIS) Laboratory Page 20

  21. Type Hierarchies • C++ allows you to construct type hierarchies Upcast Downcast HexType – Jeon et al. ACM CCS 2017 Systems and Internet Infrastructure Security (SIIS) Laboratory Page 21

  22. Type Hierarchies • C++ allows you to construct type hierarchies Which type of cast is safe and why? ‣ Upcast Downcast HexType – Jeon et al. ACM CCS 2017 Systems and Internet Infrastructure Security (SIIS) Laboratory Page 22

  23. Type Confusion Safety • Upcasts are always safe because they only reduce the type structure That is, subtypes extend the structure definitions only ‣ • Thus, downcasts (as in the example) and arbitrary casts (that do not follow the hierarchy) are unsafe However, programming environments trust ‣ programmers to do the right thing Systems and Internet Infrastructure Security (SIIS) Laboratory Page 23

  24. Type Confusion (Flash) • Flash is notorious for type confusion vulnerabilities • From reading https://googleprojectzero.blogspot.com/2015/07/one- ‣ perfect-bug-exploiting-type_20.html var filter = new flash.filters.BlurFilter(); object.filters = [filter]; flash.filters.BlurFilter = flash.filters.ConvolutionFilter; var f = object.filters; var d = f[0]; Systems and Internet Infrastructure Security (SIIS) Laboratory Page 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Integer Overflow Vulnerabilities * slides adapted from those by Seacord 3 Integer Overflows An integer overflow occurs

639 views • 52 slides
Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Some Terminology Software error A programming mistake that make the software not meet its expectation Software

726 views • 59 slides
Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * some slides adapted from those by Trent Jaeger Overflow Vulnerabilities Despite

901 views • 46 slides
NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2

NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2

1 NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2 Memory safety attacks Buffer overruns Format string vulnerabilities Web application vulnerabilities SQL injections Cross-site

901 views • 39 slides
CMPSC 497 More on Overflow Vulnerabilities Trent Jaeger Systems and Internet Infrastructure

CMPSC 497 More on Overflow Vulnerabilities Trent Jaeger Systems and Internet Infrastructure

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 More on Overflow Vulnerabilities Trent Jaeger

634 views • 45 slides
CMPSC 497 Buffer Overflow Vulnerabilities Trent Jaeger Systems and Internet Infrastructure

CMPSC 497 Buffer Overflow Vulnerabilities Trent Jaeger Systems and Internet Infrastructure

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Buffer Overflow Vulnerabilities Trent Jaeger

739 views • 38 slides
Operating Systems Operating Systems CMPSC 473 CMPSC 473 Virtual Memory Virtual Memory March

Operating Systems Operating Systems CMPSC 473 CMPSC 473 Virtual Memory Virtual Memory March

Operating Systems Operating Systems CMPSC 473 CMPSC 473 Virtual Memory Virtual Memory March 18, 2008 - Lecture 16 16 March 18, 2008 - Lecture Instructor: Trent Jaeger Instructor: Trent Jaeger Last class: Paging Today:

672 views • 39 slides
Operating Systems Operating Systems CMPSC 473 CMPSC 473 Memory Management Memory Management

Operating Systems Operating Systems CMPSC 473 CMPSC 473 Memory Management Memory Management

Operating Systems Operating Systems CMPSC 473 CMPSC 473 Memory Management Memory Management March 4, 2008 - Lecture 14 14 March 4, 2008 - Lecture Instructor: Trent Jaeger Instructor: Trent Jaeger Last class: Deadlocks

562 views • 33 slides
Outline Vulnerabilities in OS interaction Low-level view of memory CSci 5271 Introduction to

Outline Vulnerabilities in OS interaction Low-level view of memory CSci 5271 Introduction to

Outline Vulnerabilities in OS interaction Low-level view of memory CSci 5271 Introduction to Computer Security Logistics announcements Day 3: Low-level vulnerabilities Basic memory-safety problems Stephen McCamant Where overflows come from

521 views • 9 slides
Outline Vulnerabilities in OS interaction Low-level view of memory CSci 5271 Introduction to

Outline Vulnerabilities in OS interaction Low-level view of memory CSci 5271 Introduction to

Outline Vulnerabilities in OS interaction Low-level view of memory CSci 5271 Introduction to Computer Security Intermission: gdb demo Day 3: Low-level vulnerabilities Basic memory-safety problems Stephen McCamant Where overflows come from

401 views • 8 slides
CMPSC 311- Introduction to Systems Programming Module: Strings Professor Patrick McDaniel Fall

CMPSC 311- Introduction to Systems Programming Module: Strings Professor Patrick McDaniel Fall

CMPSC 311- Introduction to Systems Programming Module: Strings Professor Patrick McDaniel Fall 2016 CMPSC 311 - Introduction to Systems Programming Copying memory memcpy copies one memory region to another Copy from source buffer

501 views • 21 slides
Pr Preve venting exploits against memo memory-co corruption vulnerabilities Chengyu Song

Pr Preve venting exploits against memo memory-co corruption vulnerabilities Chengyu Song

Pr Preve venting exploits against memo memory-co corruption vulnerabilities Chengyu Song Georgia Tech Agenda Memory corruption vulnerability Thesis Statement Approaches SDCG Kenali HDFI Conclusion Memory

737 views • 72 slides
Dangling Pointers Periklis Akritidis --2010 Use-after-free Vulnerabilities Accessing Memory

Dangling Pointers Periklis Akritidis --2010 Use-after-free Vulnerabilities Accessing Memory

Cling: A Memory Allocator to Mitigate Dangling Pointers Periklis Akritidis --2010 Use-after-free Vulnerabilities Accessing Memory Through Dangling Pointers Techniques : Heap Spraying, Feng Shui Manual memory management is error prone

574 views • 35 slides
Exploiting Memory Corruption Vulnerabilities in the Java Runtime Joshua J. Drake Inaugural

Exploiting Memory Corruption Vulnerabilities in the Java Runtime Joshua J. Drake Inaugural

Exploiting Memory Corruption Vulnerabilities in the Java Runtime Joshua J. Drake Inaugural DerbyCon October 2 nd 2011 About the Presenter Joshua J. Drake, aka jduck Employed with Accuvant LABS Research Vulnerabilities &amp;

750 views • 45 slides
Operating Systems Operating Systems CMPSC 473 CMPSC 473 Virtual Memory - Multiprogramming -

Operating Systems Operating Systems CMPSC 473 CMPSC 473 Virtual Memory - Multiprogramming -

Operating Systems Operating Systems CMPSC 473 CMPSC 473 Virtual Memory - Multiprogramming - Multiprogramming Virtual Memory March 25, 2008 - Lecture 17 17 March 25, 2008 - Lecture Instructor: Trent Jaeger Instructor: Trent Jaeger

249 views • 22 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Last time We finished up By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow defenses (and workarounds) Format string vulnerabilities Integer overflow vulnerabilities This time

1.29k views • 80 slides
Agenda Getting started Drawing Charting Images Interaction Animation Using

Agenda Getting started Drawing Charting Images Interaction Animation Using

Agenda Getting started Drawing Charting Images Interaction Animation Using the Canvas Tag &lt;canvas id=&quot;chart&quot; width=&quot;150&quot; height=&quot;150&quot;&gt; Current stock price: $3.15 +0.15 &lt;/canvas&gt;

929 views • 55 slides
Queer supercrystals in SageMath Wencin Poh and Anne Schilling Department of Mathematics, UC Davis

Queer supercrystals in SageMath Wencin Poh and Anne Schilling Department of Mathematics, UC Davis

Queer supercrystals in SageMath Wencin Poh and Anne Schilling Department of Mathematics, UC Davis Trac ticket: trac.sagemath.org/ticket/25918 based on joint work with Maria Gillespie and Graham Hawkes preprint arXiv:1809.04647 July 4, 2019

721 views • 15 slides
Trajectory correction algorithms for a 3D underwater vehicle using affine transformations

Trajectory correction algorithms for a 3D underwater vehicle using affine transformations

Trajectory correction algorithms for a 3D underwater vehicle using affine transformations Quang-Cuong Pham and Yoshihiko Nakamura Nakamura-Takano Laboratory Department of Mechano-Informatics University of Tokyo Trajectory deformation

754 views • 47 slides
CS-184: Computer Graphics Lecture #9: Scan Conversion Prof. James OBrien University of

CS-184: Computer Graphics Lecture #9: Scan Conversion Prof. James OBrien University of

1 CS-184: Computer Graphics Lecture #9: Scan Conversion Prof. James OBrien University of California, Berkeley With additional slides based on those of Maneesh Agrawala and Ren Ng 2 Today 2D Scan Conversion Drawing Lines

491 views • 34 slides
Computer Graphics - Rasterization - Philipp Slusallek Rasterization Definition Given

Computer Graphics - Rasterization - Philipp Slusallek Rasterization Definition Given

Computer Graphics - Rasterization - Philipp Slusallek Rasterization Definition Given some 2D geometry (point, line, circle, triangle, polygon , ), specify which pixels of a raster display each primitive covers Often also called

814 views • 22 slides
Dont trust the HiPPOs: A/B Testing Online Games Steve Collins CTO / Swrve Me, me, me.

Dont trust the HiPPOs: A/B Testing Online Games Steve Collins CTO / Swrve Me, me, me.

Dont trust the HiPPOs: A/B Testing Online Games Steve Collins CTO / Swrve Me, me, me. 1986 1998 2007 2010 The HiPPO Highest Paid Persons Opinion http://www.kaushik.net - Occams Razor Blog Example #1 A B

920 views • 52 slides
Georgia Tech NASA Flight Readiness Review Teleconference Agenda 1. 2. 3. 4. 5. 6. 7. 8.

Georgia Tech NASA Flight Readiness Review Teleconference Agenda 1. 2. 3. 4. 5. 6. 7. 8.

Georgia Tech NASA Flight Readiness Review Teleconference Agenda 1. 2. 3. 4. 5. 6. 7. 8. Project KRIOS - FRR TEAM OVERVIEW Georgia Tech Team Overview Work Breakdown Structure Project KRIOS - FRR CHANGES

854 views • 43 slides
Computing Mitered Offset Curves Based on Straight Skeletons Peter Palfrader Martin Held

Computing Mitered Offset Curves Based on Straight Skeletons Peter Palfrader Martin Held

Computing Mitered Offset Curves Based on Straight Skeletons Peter Palfrader Martin Held Universitt Salzburg FB Computerwissenschaften Salzburg, Austria UNIVERSIT AT SALZBURG Computational Geometry and Applications Lab Straight Skeletons

1.46k views • 97 slides

More recommend