Lab 2: Buffer Overflows Fengwei Zhang Wayne State University CSC - - PowerPoint PPT Presentation

lab 2 buffer overflows
SMART_READER_LITE
LIVE PREVIEW

Lab 2: Buffer Overflows Fengwei Zhang Wayne State University CSC - - PowerPoint PPT Presentation

Feb 17, 2023 25 likes •198 views

Lab 2: Buffer Overflows Fengwei Zhang Wayne State University CSC 5991 Cyber Security PracCce 1 Buffer Overflows One of the most common vulnerabiliCes in soGware Programming languages commonly associated with buffer overflows including

slide-1
SLIDE 1

Lab 2: Buffer Overflows

Fengwei Zhang

Wayne State University CSC 5991 Cyber Security PracCce 1

slide-2
SLIDE 2

Buffer Overflows

  • One of the most common vulnerabiliCes in

soGware

  • Programming languages commonly associated

with buffer overflows including C and C++

  • OperaCng systems including Windows, Linux

and Mac OS X are wriOen in C or C++

Wayne State University CSC 5991 Cyber Security PracCce 2

slide-3
SLIDE 3

How It Works

  • ApplicaCons define buffers in the memory

– unsigned int char [10]

  • ApplicaCons use adjacent memory to store

variables, arguments, and return address of a funcCon.

  • Buffer Overflows occurs when data wriOen to

a buffer exceeds its size.

Wayne State University CSC 5991 Cyber Security PracCce 3

slide-4
SLIDE 4

Overflowing A Buffer

  • Defining a buffer in C

– char buf[10];

  • Overflowing the buffer

– Char buf [10] = ‘x’; – strcpy(buf, “AAAAAAAAAAAAAAAAAAAAAAA”)

Wayne State University CSC 5991 Cyber Security PracCce 4

slide-5
SLIDE 5

Why We Care

  • Because adjacent memory stores program

variables, parameters, and arguments

  • AOackers can change these values through
  • verflowing a buffer
  • AOackers can gain control over the program

flow to execute arbitrary code

Wayne State University CSC 5991 Cyber Security PracCce 5

slide-6
SLIDE 6

Process Memory Layout

Wayne State University CSC 5991 Cyber Security PracCce 6

Stack Heap Data Segment Text Segment High memory Low memory

slide-7
SLIDE 7

Memory Layout for 32-bit Linux

Wayne State University CSC 5991 Cyber Security PracCce 7

Kernel Space Stack Heap BSS Segment Data Segment Text Segment (ELF) 1GB 3GB Local variable: int a FuncCon malloc() UniniCalized staCc variables: staCc char *u staCc char *s = “Hello world” Binary of the program

slide-8
SLIDE 8

Virtual Memory Layout

Wayne State University CSC 5991 Cyber Security PracCce 8

slide-9
SLIDE 9

Stack Frame

Wayne State University CSC 5991 Cyber Security PracCce 9

  • The stack contains acCvaCon frames including

local variables, funcCon parameters, and return address

  • StarCng at the highest memory address and

growing downwards

  • Last in first out
slide-10
SLIDE 10

Wayne State University CSC 5991 Cyber Security PracCce 10

Add (2,3)

3 2 Ret Address EBP C High memory Low memory ESP int add (int a, int b) { int c; c = 1+b; return c; }

A Simple Program

slide-11
SLIDE 11

Another Program

int func (char * str) { char mybuff[512]; strcpy(myBuff, str); return 1; } int main (int argc, char ** argv) { func (argv[1]); return 1; }

Wayne State University CSC 5991 Cyber Security PracCce 11

Draw the Stack Frame!

slide-12
SLIDE 12

Overflowing “myBuff”

Wayne State University CSC 5991 Cyber Security PracCce 12

(A) str(A) Ret addr(A) EBP(A) A A A A A A High memory Low memory ESP

slide-13
SLIDE 13

Buffer Overflow Defenses

  • The aOack described is a classical stack smashing

aOack which execute the code on the stack

  • It does not work today

– NX – non-executable stack. Most compilers now default to a non-executable stack. Meaning a segmentaCon fault occurs if running code from the stack (i.e., Data ExecuCon PrevenCon - DEP)

  • Disable it with –zexecstack opCon
  • Check it with readelf –e <PROGRAM> | grep STACK

– StackGuard: Cannaries

  • Disable it with –fno-stack-protector opCon
  • Enable it with –fstack-protector opCon

Wayne State University CSC 5991 Cyber Security PracCce 13

slide-14
SLIDE 14

Stack Canaries

  • Stack smashing aOacks do two things

– Overwrite the return address – Wait for algorithm to complete and call RET

  • Stack Canaries: Stack Smashing Protector (SSP)

– Placing a integer value to stack just before the return address – To overwrite the return address, the canary value would also be modified – Checking this value before the funcCon returns

Wayne State University CSC 5991 Cyber Security PracCce 14

slide-15
SLIDE 15

Stack Canaries (cont’d)

Wayne State University CSC 5991 Cyber Security PracCce 15

(A) str(A) Ret addr(A) EBP(A) Canary(A) A A A A A High memory Low memory ESP

slide-16
SLIDE 16

Bypassing NX and Canaries

  • NX - non-executable stack

– ExecuCng code in the heap – Data ExecuCon PrevenCon (DEP) – Return Oriented Programming (ROP)

  • Stack Canaries

– OverwriCng the Canary with the same value – Brute force aOack (e.g., DynaGuard in ACSAC’15)

Wayne State University CSC 5991 Cyber Security PracCce 16

slide-17
SLIDE 17
  • Lab 0

– Turn in the class agreement

  • Lab 1

– Due today at 11:59pm – Late assignment policy – Submit it via Blackboard

  • Lab 2 instrucCons

Wayne State University CSC 5991 Cyber Security PracCce 17

Reminders