introduction buffer overflows
play

Introduction Buffer Overflows Buffer overflows were the most common - PDF document

Oct 07, 2022 •605 likes •651 views

Introduction Buffer Overflows Buffer overflows were the most common form of security vulnerability in the 90s. Buffer overflows dominate in the area of remote network penetration vulnerabilities. CS 465 They represent one of the

  1. Introduction Buffer Overflows ♦ Buffer overflows were the most common form of security vulnerability in the 90’s. ♦ Buffer overflows dominate in the area of remote network penetration vulnerabilities. CS 465 ♦ They represent one of the most serious Dr. Kent E. Seamons classes of security threats. – An attacker can gain partial or total control of a Source: “Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade” Cowan et al. host CS 465 Fall 2001 1 CS 465 Fall 2001 2 Buffer Overflow Attacks Buffer Overflows ♦ Form the substantial portion of all security ♦ Goal of buffer overflow attacks – Subvert the function of a privileged program to – Common take control of the program – Easy to exploit ♦ Dominate remote penetration attacks – If the program is sufficiently privileged, thence control of the host – 1998 CERT advisories, 9 of 13 – Typically the attacker is attacking a root – 1999 CERT advisories, 50 % program, and immediately executes code – Bugtraq survey: 2/3 reported buffer overflows a similar to “exec(sh)” to get a root shell leading cause of security vulnerability CS 465 Fall 2001 3 CS 465 Fall 2001 4 Load Code in Program’s Address Buffer Overflows - Goals Space ♦ Arrange for suitable code to be available in the program’s address space ♦ Inject code ♦ Get the program to jump to that code, with ♦ Use code already in program’s address suitable parameters loaded into registers & space memory CS 465 Fall 2001 5 CS 465 Fall 2001 6 1

  2. Inject code in Address Space Use existing program code ♦ Attacker provides a string as input to the program, which the program stores in a buffer. ♦ Often, the code to do what the attacker ♦ The string contains bytes that are native CPU wants is already present in the program’s instructions address space (“exec(arg)”) – The attacker does not have to overflow any buffers to ♦ The attacker need only parameterize the do this code and jump to it – Buffer can be located anywhere • Stack (automatic variables) • Heap – (malloc’d variables) • Static data area (initialized or uninitialized) CS 465 Fall 2001 7 CS 465 Fall 2001 8 Ways to Cause the Program to Kind of Program State Jump to the Attacker’s Code Overflowed ♦ Alter the program’s control flow so that the ♦ Activation records program will jump to the attack code ♦ Function pointers ♦ Basic method: overflow a buffer that has weak or ♦ Longjmp pointers non-existent bounds checking on its input with a goal of corrupting the state of an adjacent part of the program’s state ♦ The attacker overwrites the adjacent program state with a near arbitrary sequence of bytes ♦ Bypass of C’s type system and the victim program’s logic CS 465 Fall 2001 9 CS 465 Fall 2001 10 Activation Records Function Pointers ♦ Created on the stack when a function is ♦ Function pointers can be allocated called anywhere ♦ Overflow automatic variables ♦ Attacker finds an overflowable buffer ♦ Corrupt the return address in the activation adjacent to a function pointer in any of these areas record ♦ Change the function pointer ♦ “Stack smashing attack” ♦ Majority of current buffer overflow attacks CS 465 Fall 2001 11 CS 465 Fall 2001 12 2

  3. Combining Code Injection and Longjmp Buffers Control Flow Corruption ♦ Checkpoint/rollback facility in C ♦ The simplest and most common form of overflow combines an injection technique and activation ♦ Checkpoint – “setjmp(buffer)” record corruption in a single string –stack ♦ Rollback – “longjmp(buffer)” smashing attack ♦ The injection and corruption do not have to ♦ Attacker can corrupt the state of the buffer happen in one action so that longjmp will jump to the attacker’s – An overflowable buffer may have incorrect bounds code checking, so there is a limit on the overflow that does not give the attacker enough room to store the code – The attacker is using already-resident code • libc code fragments (exec(something)) CS 465 Fall 2001 13 CS 465 Fall 2001 14 Buffer Overflow Defenses Write Correct Code ♦ Write correct code ♦ A laudable but expensive proposition – C language has error-prone idioms such as null- ♦ Non-executable buffers terminated strings and a culture that favors performance ♦ Array Bounds checking over correctness ♦ Automatic search of source code for highly ♦ Code pointer integrity checking vulnerable library calls ♦ Program linking warning messages ♦ Audit teams that review code by hand – lprm program had an error following a code audit CS 465 Fall 2001 15 CS 465 Fall 2001 16 Non-executable buffers Array Bounds Checking ♦ Completely stops buffer overflows ♦ Make the data segment of a program’s address ♦ All reads and writes to arrays must be checked space non-executable ♦ Compaq C compiler – Older computing systems followed this design – Limited bounds checking – Unix and MS -Windows depend on the ability to emit ♦ Gcc patch dynamic code into program data segments – Not mature, complex programs fail ♦ One can make the stack segment non-executable ♦ Purify and preserve most program compatibility – Code instrumentation – Kernel patches available for Linux and Solaris – Imposes a 3 to 5 times slowdown ♦ Linux exceptions to executable code on the stack ♦ Type safe languages – Signal delivery – gcc trampolines – fallen into disuse CS 465 Fall 2001 17 CS 465 Fall 2001 18 3

  4. Type Safe Languages Code pointer integrity checking ♦ All buffer overflows result from a lack of ♦ Instead of preventing corruption of code pointers, type safety in C try to detect a code pointer has been corrupted ♦ Recommendation: write new security before it is de-referenced sensitive code in a type safe language such ♦ Disadvantages as Java or ML – Does not perfectly solve the buffer overflow problem ♦ Advantages – Millions of lines of legacy code – Performance – The JVM is a C program, subject to buffer – Compatibility overflow vulnerabilities – Implementation effort CS 465 Fall 2001 19 CS 465 Fall 2001 20 Code Pointer Integrity StackGuard ♦ Hand-coded stack inspection ♦ Compiler technique implemented as a small patch to gcc that enhances code generation for the code ♦ Compiler-generated activation record to setup and tear down functions integrity checking ♦ Places a canary word next to the return address on ♦ Compiler-generated code pointer integrity the stack ♦ The code checks to see that the canary word is checking intact before jumping to the return address ♦ Invariant – the return address should not change while a function is active CS 465 Fall 2001 21 CS 465 Fall 2001 22 Canary Forgery Prevention PointGuard ♦ Generalizes the StackGuard approach to ♦ Terminator canary defend against alterations to any code – Canary word contains common termination pointer symbols ♦ Places a canary word next to all code ♦ Random canary pointers – The canary is a 32-bit random number chosen ♦ The code checks to see that the canary word at run-time. is intact whenever a code pointer is dereferenced CS 465 Fall 2001 23 CS 465 Fall 2001 24 4

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lab 2: Buffer Overflows Fengwei Zhang SUSTech CS 315 Computer Security 1 Buffer Overflows

Lab 2: Buffer Overflows Fengwei Zhang SUSTech CS 315 Computer Security 1 Buffer Overflows

Lab 2: Buffer Overflows Fengwei Zhang SUSTech CS 315 Computer Security 1 Buffer Overflows One of the most common vulnerabilities in software Programming languages commonly associated with buffer overflows including C and C++

1.14k views • 17 slides
Lab 2: Buffer Overflows Fengwei Zhang Wayne State University Course: Cyber Security Prac@ce 1

Lab 2: Buffer Overflows Fengwei Zhang Wayne State University Course: Cyber Security Prac@ce 1

Lab 2: Buffer Overflows Fengwei Zhang Wayne State University Course: Cyber Security Prac@ce 1 Buffer Overflows One of the most common vulnerabili@es in soEware Programming languages commonly associated with buffer overflows including

199 views • 17 slides
Lab 2: Buffer Overflows Fengwei Zhang Wayne State University CSC 5991 Cyber Security PracCce 1

Lab 2: Buffer Overflows Fengwei Zhang Wayne State University CSC 5991 Cyber Security PracCce 1

Lab 2: Buffer Overflows Fengwei Zhang Wayne State University CSC 5991 Cyber Security PracCce 1 Buffer Overflows One of the most common vulnerabiliCes in soGware Programming languages commonly associated with buffer overflows including

195 views • 17 slides
Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Last time We continued By launching our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow fundamentals This time We will finish up By looking at Buffer Overflow overflows

1.33k views • 103 slides
Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a very common attack mechanism from 1988 Morris Worm to Code Red, Slammer, Sasser and many others prevention techniques known still of major concern

873 views • 53 slides
Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed

Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed

1 Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed in buffer overflow exploits to create backdoors Execution of additional network services via the INETD daemon The addition of new users

497 views • 30 slides
ASLR & DEP DAVID HEAVERN Problem Statement Security Issues Buffer Overflows

ASLR & DEP DAVID HEAVERN Problem Statement Security Issues Buffer Overflows

ASLR & DEP DAVID HEAVERN Problem Statement Security Issues Buffer Overflows Buffer overflows are the source of many of the common vulnerabilities in modern software Caused by not checking the source length when writing to a

1.88k views • 130 slides
CSE 484 / CSE M 584 Computer Security: Buffer Overflows

CSE 484 / CSE M 584 Computer Security: Buffer Overflows

CSE 484 / CSE M 584 Computer Security: Buffer Overflows II TA: Viktor Farkas vfarkas@cs Original slides by Franzi Lab 1 Deadline Reminders Lab

373 views • 11 slides
More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester

More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester

More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester Rebeiro Indian Institute of Technology Madras Buffer Overreads 2 Buffer Overread Example 3 Buffer Overread Example len read from command line

906 views • 76 slides
CS 241 Data Organization Buffer Overflows December 4, 2018 The Problem Exploitation Use

CS 241 Data Organization Buffer Overflows December 4, 2018 The Problem Exploitation Use

CS 241 Data Organization Buffer Overflows December 4, 2018 The Problem Exploitation Use large strings (or other datatypes) to overflow a buffer Craft input to make the server do whatever you want Easy to crash a program Harder

256 views • 11 slides
CPSC 213 2.8 Textbook Procedures, Out-of-Bounds Memory References and Buffer Overflows

CPSC 213 2.8 Textbook Procedures, Out-of-Bounds Memory References and Buffer Overflows

Reading Companion CPSC 213 2.8 Textbook Procedures, Out-of-Bounds Memory References and Buffer Overflows 3.7, 3.12 Introduction to Computer Systems Unit 1e Procedures and the Stack 1 2 Local Variables of a Procedure

248 views • 7 slides
Computer Security Buffer Overflows Denial of Service MIE456 Joseph Kong Overview Program

Computer Security Buffer Overflows Denial of Service MIE456 Joseph Kong Overview Program

Computer Security Buffer Overflows Denial of Service MIE456 Joseph Kong Overview Program Exploitation Buffer Overflows Memory Declaration Smashing The Stack TCP/IP Three Way Handshake Denial of Service SYN Flooding

403 views • 13 slides
Software In-Security Buffer overflows Overview Web Application security Malware OS

Software In-Security Buffer overflows Overview Web Application security Malware OS

Lecture overview Table of contents: Introduction to SW security Software In-Security Buffer overflows Overview Web Application security Malware OS security topics Code scanning Emmanuel Benoist Taught by Ulrich

479 views • 13 slides
On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector

On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector

On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco-Gisbert , Ismael Ripoll Universit` at Polit` ecnica

528 views • 35 slides
Security: Buffer Overflows and Defenses CS 416: Operating Systems Design Department of Computer

Security: Buffer Overflows and Defenses CS 416: Operating Systems Design Department of Computer

Security: Buffer Overflows and Defenses CS 416: Operating Systems Design Department of Computer Science Rutgers University http://www.cs.rutgers.edu/~vinodg/416 Buffer Overflow a very common attack mechanism from 1988 Morris Worm to Code Red,

950 views • 55 slides
Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for

Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for

Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit by Aleph One Summer 2017 Roadmap 1 Process Memory Organization Text Fixed by program Includes code and read-only data

257 views • 22 slides
Smart Card Attacks: Enter the Matrix Tiana Razafindralambo Guillaume Bouffard Julien

Smart Card Attacks: Enter the Matrix Tiana Razafindralambo Guillaume Bouffard Julien

Introduction Logical attacks Combined attacks Conclusion Smart Card Attacks: Enter the Matrix Tiana Razafindralambo Guillaume Bouffard Julien Iguchi-Cartigny Jean-Louis Lanet Smart Secure Devices (SSD) Team Xlim Labs Universit e

902 views • 53 slides
ECS 153 Discussion Section April 6, 2015 1 What Well Cover Goal : To

ECS 153 Discussion Section April 6, 2015 1 What Well Cover Goal : To

ECS 153 Discussion Section April 6, 2015 1 What Well Cover Goal : To discuss buffer overflows in detail Stack-based buffer overflows Smashing the stack: execution from the stack

620 views • 37 slides
Info formation Leaks Kyriakos Kyriakou kkyria16@cs.ucy.ac.cy University of Cyprus EPL 682:

Info formation Leaks Kyriakos Kyriakou kkyria16@cs.ucy.ac.cy University of Cyprus EPL 682:

Info formation Leaks Kyriakos Kyriakou kkyria16@cs.ucy.ac.cy University of Cyprus EPL 682: Advanced Security Topics 1 Ju Just st-in in-tim time Code Reuse On the effectiveness of Fine-Grained Address Space Layout Randomization Kevin Z.

1.82k views • 180 slides
15-213 Recitation: Attack Lab Jenna MacCarley 28 Sep 2015 Carnegie Mellon Reminder Bomb lab

15-213 Recitation: Attack Lab Jenna MacCarley 28 Sep 2015 Carnegie Mellon Reminder Bomb lab

Carnegie Mellon 15-213 Recitation: Attack Lab Jenna MacCarley 28 Sep 2015 Carnegie Mellon Reminder Bomb lab is due tomorrow! Attack lab is released tomorrow!! Carnegie Mellon Agenda Stack review Attack lab overview Phases

882 views • 19 slides
History of Format String Attacks Format String Attacks

History of Format String Attacks Format String Attacks

History of Format String Attacks Format String Attacks First noted in 1990 as a result of fuzz testing on csh First used as an attack

488 views • 28 slides
Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and

Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and

Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR Presentation by Eric Newberry and Youssef Tobah Paper by Dmitry Evtyushkin, Dmitry Ponomarev, and Nael Abu-Ghazaleh 1 Motivation Buffer overflow attacks modify the control flow of a

1.6k views • 17 slides
Detecting Stack Based kernel Information Leaks. S. Peir o , M. Mu noz, M. Masmano, A. Crespo

Detecting Stack Based kernel Information Leaks. S. Peir o , M. Mu noz, M. Masmano, A. Crespo

Detecting Stack Based kernel Information Leaks. S. Peir o , M. Mu noz, M. Masmano, A. Crespo Instituto de Autom atica e Inform atica Industrial Universitat Polit` ecnica de Val` encia, Spain { speiro, mmu noz, mmasmano, acrespo }

379 views • 18 slides
Lecture 12: ROP & Review January 27, 2020 Chris Stone Lab 3 (Bomb) Due 1:15pm Tomorrow Lab

Lecture 12: ROP & Review January 27, 2020 Chris Stone Lab 3 (Bomb) Due 1:15pm Tomorrow Lab

Lecture 12: ROP & Review January 27, 2020 Chris Stone Lab 3 (Bomb) Due 1:15pm Tomorrow Lab 4 (Attack) Starts Tomorrow New Partner! Take-Home Midterm available by 5pm Tomorrow Afternoon (75-minute exam due 5pm next Friday) Security:

317 views • 19 slides

More recommend