Lab 2: Buffer Overflows - Fengwei Zhang, Wayne State University (PowerPoint presentation)


SLIDE 1

Lab 2: Buffer Overflows

Fengwei Zhang

Wayne State University, Course: Cyber Security Practice

SLIDE 2

Buffer Overflows

  • One of the most common vulnerabilities in software
  • Programming languages commonly associated with buffer overflows include C and C++
  • Operating systems including Windows, Linux and Mac OS X are written in C or C++

SLIDE 3

How It Works

  • Applications define buffers in memory
    – unsigned char buf[10];
  • Applications use the adjacent memory to store variables, function arguments, and the return address of a function
  • A buffer overflow occurs when the data written to a buffer exceeds its size, so the excess lands in that adjacent memory

SLIDE 4

Overflowing A Buffer

  • Defining a buffer in C
    – char buf[10];
  • Overflowing the buffer
    – strcpy(buf, "AAAAAAAAAAAAAAAAAAAAAAA");   /* 23 bytes plus the NUL terminator: 14 bytes past the end of a 10-byte buffer */

SLIDE 5

Why We Care

  • Because the adjacent memory stores program variables, function arguments, and the return address
  • Attackers can change these values by overflowing a buffer
  • By overwriting the return address, attackers gain control over the program flow and can execute arbitrary code

SLIDE 6

Process Memory Layout

[Figure: process memory layout, from high memory to low memory: Stack, Heap, Data Segment, Text Segment]

SLIDE 7

Memory Layout for 32-bit Linux

[Figure: 32-bit Linux virtual address space, from high to low addresses:
  Kernel Space (upper 1GB)
  Stack (local variables, e.g. int a)
  Heap (memory obtained from malloc())
  BSS Segment (uninitialized static variables, e.g. static char *u)
  Data Segment (initialized static variables, e.g. static char *s = "Hello world")
  Text Segment (the binary of the program, ELF)
User space occupies the lower 3GB]

SLIDE 8

Virtual Memory Layout


SLIDE 9

Stack Frame

  • The stack contains activation frames, each holding local variables, function parameters, and the return address
  • It starts at the highest memory address and grows downwards
  • Last in, first out
SLIDE 10

A Simple Program

    int add(int a, int b)
    {
        int c;
        c = a + b;
        return c;
    }

    add(2, 3)

[Figure: stack frame for add(2, 3), from high memory to low memory: argument b = 3, argument a = 2, return address, saved EBP, local variable c; ESP points at the low end of the frame]

SLIDE 11

Another Program

    #include <string.h>

    int func(char *str)
    {
        char myBuff[512];
        strcpy(myBuff, str);   /* no bounds check: an argument longer than 511 bytes overflows myBuff */
        return 1;
    }

    int main(int argc, char **argv)
    {
        func(argv[1]);
        return 1;
    }

Draw the Stack Frame!

SLIDE 12

Overflowing "myBuff"

[Figure: the frame of func() after the overflow, from high memory to low memory: str, return address, saved EBP, and myBuff are all filled with 'A' (0x41); ESP points at the low end of the frame]

SLIDE 13

Buffer Overflow Defenses

  • The attack described is a classical stack smashing attack, which executes code placed on the stack
  • It does not work out of the box today
    – NX - non-executable stack. Modern toolchains and operating systems mark the stack non-executable by default, so an attempt to run code from the stack causes a segmentation fault (Data Execution Prevention - DEP)
      • Disable it with the -z execstack linker option (e.g. gcc -z execstack ...)
      • Check it with readelf -e <PROGRAM> | grep STACK: the GNU_STACK program header shows flags RW for a non-executable stack and RWE for an executable one
    – StackGuard: stack canaries
      • Disable them with the -fno-stack-protector option
      • Enable them with the -fstack-protector option (-fstack-protector-all instruments every function, not only those with character arrays)
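The readelf check above only reads one ELF program header. The following is an added example (not code from the lecture slides) that performs the same check directly: it locates the PT_GNU_STACK entry and reports whether its flags include PF_X. The ELF field offsets and constants are from the ELF specification; the sample images produced by build_sample_elf64() are constructed here for illustration and are not real binaries.

```c
/* Added example, not from the lecture slides: reads the PT_GNU_STACK program
 * header of an ELF image, which is what `readelf -e <PROGRAM> | grep STACK`
 * reports.  Only little-endian ELF32/ELF64 is handled. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PT_GNU_STACK 0x6474e551u   /* program header type emitted by GNU toolchains */
#define PF_X 0x1u                  /* segment flags: executable, writable, readable */
#define PF_W 0x2u
#define PF_R 0x4u

static uint16_t rd16(const unsigned char *p) { return (uint16_t)(p[0] | p[1] << 8); }
static uint32_t rd32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static uint64_t rd64(const unsigned char *p) { return (uint64_t)rd32(p) | (uint64_t)rd32(p + 4) << 32; }

/* Returns the p_flags of the PT_GNU_STACK header, or -1 if the image is not a
 * little-endian ELF, is truncated, or carries no PT_GNU_STACK entry at all. */
int gnu_stack_flags(const unsigned char *img, size_t len) {
    if (len < 52 || memcmp(img, "\x7f" "ELF", 4) != 0 || img[5] != 1) return -1;
    int is64 = img[4] == 2;                      /* EI_CLASS: 1 = ELF32, 2 = ELF64 */
    if (is64 && len < 64) return -1;
    uint64_t phoff   = is64 ? rd64(img + 32) : rd32(img + 28);   /* e_phoff */
    uint16_t phentsz = is64 ? rd16(img + 54) : rd16(img + 42);   /* e_phentsize */
    uint16_t phnum   = is64 ? rd16(img + 56) : rd16(img + 44);   /* e_phnum */
    size_t flags_off = is64 ? 4 : 24;   /* p_flags follows p_type in ELF64, p_memsz in ELF32 */
    for (uint16_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + (uint64_t)i * phentsz;
        if (phentsz < 32 || off + phentsz > len) return -1;
        const unsigned char *ph = img + off;
        if (rd32(ph) == PT_GNU_STACK) return (int)rd32(ph + flags_off);
    }
    return -1;
}

/* Same verdict readelf's Flags column gives: RW = NX on, RWE = NX off. */
const char *stack_verdict(int flags) {
    if (flags < 0) return "no PT_GNU_STACK header (not an LSB ELF, or an old binary that left it to the kernel default)";
    return (flags & PF_X) ? "RWE: executable stack (NX disabled)" : "RW: non-executable stack (NX enabled)";
}

/* Constructs a minimal ELF64 image (header + PT_LOAD + PT_GNU_STACK) with the
 * given stack flags; only the fields the parser reads are filled in.  This is
 * a constructed sample for the demo, not a loadable binary. */
size_t build_sample_elf64(unsigned char *out, uint32_t stack_flags) {
    memset(out, 0, 64 + 2 * 56);
    memcpy(out, "\x7f" "ELF", 4);
    out[4] = 2;                 /* ELFCLASS64 */
    out[5] = 1;                 /* ELFDATA2LSB */
    out[32] = 64;               /* e_phoff: program headers directly after the header */
    out[54] = 56;               /* e_phentsize */
    out[56] = 2;                /* e_phnum */
    unsigned char *ph = out + 64;
    ph[0] = 1;                  /* PT_LOAD */
    ph[4] = PF_R | PF_X;
    ph += 56;
    ph[0] = 0x51; ph[1] = 0xe5; ph[2] = 0x74; ph[3] = 0x64;   /* PT_GNU_STACK, little-endian */
    ph[4] = (unsigned char)stack_flags;
    return 64 + 2 * 56;
}

int main(int argc, char **argv) {
    if (argc > 1) {             /* real binary: program headers sit near the start of the file */
        static unsigned char buf[1 << 16];
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 1; }
        size_t n = fread(buf, 1, sizeof buf, f);
        fclose(f);
        printf("%s: %s\n", argv[1], stack_verdict(gnu_stack_flags(buf, n)));
        return 0;
    }
    unsigned char img[64 + 2 * 56];
    size_t n = build_sample_elf64(img, PF_R | PF_W);
    printf("constructed RW image : %s\n", stack_verdict(gnu_stack_flags(img, n)));
    n = build_sample_elf64(img, PF_R | PF_W | PF_X);
    printf("constructed RWE image: %s\n", stack_verdict(gnu_stack_flags(img, n)));
    return 0;
}
```

Run it with no argument to see both constructed images classified, or pass a binary built with and without -z execstack to see RW versus RWE, the same letters readelf prints in the Flags column of the GNU_STACK entry.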

SLIDE 14

Stack Canaries

  • Stack smashing attacks do two things
    – Overwrite the return address
    – Wait for the function to complete and execute RET
  • Stack Canaries: Stack Smashing Protector (SSP)
    – Place a random integer value on the stack between the local buffers and the saved EBP / return address
    – To overwrite the return address, the canary value would also be modified
    – Check this value before the function returns; abort if it has changed

SLIDE 15

Stack Canaries (cont'd)

[Figure: the frame of func() with a canary, from high memory to low memory: str, return address, saved EBP, canary, myBuff; the 'A's that reach the return address have overwritten the canary as well; ESP points at the low end of the frame]

SLIDE 16

Bypassing NX and Canaries

  • NX - non-executable stack
    – Executing code in the heap (only where the heap is not itself covered by DEP)
    – Return Oriented Programming (ROP): reuse code that is already executable instead of injecting any
  • Stack Canaries
    – Overwriting the canary with its own value (the value must be leaked first)
    – Brute force attack, e.g. against forking servers whose children inherit the parent's canary (DynaGuard, ACSAC'15, is a defense against exactly this)
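The frame drawn on slides 11 and 12, the canary check from slides 14 and 15, and the "overwrite the canary with the same value" bypass above can all be reproduced in one place. The following is an added example (not code from the lecture slides): it models the 32-bit frame of func() as a byte array so the effect of the unbounded strcpy() is deterministic and does not depend on the real compiler's layout. The 512-byte buffer matches slide 11; the saved EBP and return address values, the canary value, and the target address 0xdeadbeef are assumptions made here for illustration.

```c
/* Added example, not from the lecture slides: the stack frame of func()
 * (char myBuff[512]; strcpy(myBuff, str);) modelled as a byte array laid out
 * like a 32-bit x86 frame, from low to high addresses:
 *     [myBuff 512][canary 4, optional][saved EBP 4][return address 4]
 * ORIG_RET, ORIG_EBP and the canary values used below are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 512                 /* char myBuff[512] */
#define WORD     4                   /* 32-bit words */
#define ORIG_RET 0x08048456u         /* hypothetical return address into main() */
#define ORIG_EBP 0xbffff000u         /* hypothetical saved frame pointer */

struct frame_result {
    uint32_t ret_addr;      /* value in the return-address slot after the copy */
    int canary_intact;      /* 1 if the epilogue check would pass (always 1 without a canary) */
};

static uint32_t load_le32(const unsigned char *p) {
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void store_le32(unsigned char *p, uint32_t v) {
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Distance from the first byte of myBuff to the return address: the answer to
 * "draw the stack frame".  With -fstack-protector the canary sits between the
 * buffer and the saved EBP, pushing the slot one word further up. */
size_t ret_slot_offset(int use_canary) {
    return BUF_SIZE + (use_canary ? WORD : 0) + WORD;
}

/* Emulates func(str).  The copy stops at the first NUL byte of str, exactly as
 * strcpy() does; it is capped at the frame size only to keep the model in
 * bounds (a real strcpy would keep writing past the frame). */
struct frame_result run_func(const char *str, int use_canary, uint32_t canary) {
    unsigned char frame[BUF_SIZE + 3 * WORD];
    size_t ret_off = ret_slot_offset(use_canary);

    memset(frame, 0, sizeof frame);
    if (use_canary) store_le32(frame + BUF_SIZE, canary);     /* prologue stores the canary */
    store_le32(frame + ret_off - WORD, ORIG_EBP);
    store_le32(frame + ret_off, ORIG_RET);

    size_t n = strlen(str) + 1;                                /* bytes strcpy() would write */
    if (n > sizeof frame) n = sizeof frame;
    memcpy(frame, str, n);                                     /* the unbounded copy */

    struct frame_result r;
    r.ret_addr = load_le32(frame + ret_off);                   /* what RET will jump to */
    r.canary_intact = !use_canary || load_le32(frame + BUF_SIZE) == canary;  /* epilogue check */
    return r;
}

/* Builds the attacker's argv[1]: 'A' filler up to the return-address slot,
 * then new_ret in little-endian byte order.  If the attacker knows the canary
 * (leak or brute force) it is written back in place so the check passes.
 * Returns the payload length, or 0 if it does not fit in out[]. */
size_t build_payload(char *out, size_t cap, int use_canary, int know_canary,
                     uint32_t canary, uint32_t new_ret) {
    size_t ret_off = ret_slot_offset(use_canary);
    if (ret_off + WORD + 1 > cap) return 0;
    memset(out, 'A', ret_off);
    if (use_canary && know_canary) store_le32((unsigned char *)out + BUF_SIZE, canary);
    store_le32((unsigned char *)out + ret_off, new_ret);
    out[ret_off + WORD] = '\0';
    return ret_off + WORD;
}

int main(void) {
    char payload[BUF_SIZE + 4 * WORD];
    const uint32_t target = 0xdeadbeefu;      /* where the attacker wants RET to go */
    const uint32_t canary = 0x1f2e3d4cu;      /* hypothetical canary with no zero byte */
    struct frame_result r;

    build_payload(payload, sizeof payload, 0, 0, 0, target);
    r = run_func(payload, 0, 0);
    printf("no canary     : RET -> 0x%08x\n", r.ret_addr);

    build_payload(payload, sizeof payload, 1, 0, 0, target);
    r = run_func(payload, 1, canary);
    printf("canary, blind : RET -> 0x%08x, %s\n", r.ret_addr,
           r.canary_intact ? "check passes" : "*** stack smashing detected ***");

    build_payload(payload, sizeof payload, 1, 1, canary, target);
    r = run_func(payload, 1, canary);
    printf("canary, known : RET -> 0x%08x, %s\n", r.ret_addr,
           r.canary_intact ? "check passes" : "*** stack smashing detected ***");
    return 0;
}
```

The three runs show the return address landing 516 bytes into the input without a canary and 520 bytes in with one, the blind overflow tripping the check, and the leaked-canary overflow passing it. Because the model copies like strcpy(), it also shows why glibc keeps a zero byte in the canary: a canary such as 0x00c3b2a1 truncates the copy at the canary itself, so even a known value cannot be carried past it by a string-copy overflow.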

SLIDE 17
Reminders

  • Lab 0
    – Turn in the class agreement
  • Lab 1
    – Due today at 11:59pm
    – Late assignment policy
    – Submit it via Blackboard
  • Lab 2 instructions