last words on buffer overflows
play

Last Words on Buffer Overflows 10/12/17 CSE 484 / CSE M 584 - Fall - PowerPoint PPT Presentation

Jul 13, 2023 •316 likes •596 views

CSE 484 / CSE M 584: Computer Security and Privacy Software Security (Misc) Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John

  1. CSE 484 / CSE M 584: Computer Security and Privacy Software Security (Misc) Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

  2. Last Words on Buffer Overflows… 10/12/17 CSE 484 / CSE M 584 - Fall 2017 2

  3. ASLR Issues • NOP slides and heap spraying to increase likelihood for custom code (e.g., on heap) • Brute force attacks or memory disclosures to map out memory on the fly – Disclosing a single address can reveal the location of all code within a library 10/12/17 CSE 484 / CSE M 584 - Fall 2017 3

  4. Other Possible Solutions • Use safe programming languages, e.g., Java – What about legacy C code? – (Though Java doesn’t magically fix all security issues J ) • Static analysis of source code to find overflows • Dynamic testing: “fuzzing” • LibSafe: dynamically loaded library that intercepts calls to unsafe C functions and checks that there’s enough space before doing copies – Also doesn’t prevent everything 10/12/17 CSE 484 / CSE M 584 - Fall 2017 4

  5. Beyond Buffer Overflows… 10/12/17 CSE 484 / CSE M 584 - Fall 2017 5

  6. Another Type of Vulnerability • Consider this code: int openfile(char *path) { struct stat s; if (stat(path, &s) < 0) return -1; if (!S_ISRREG(s.st_mode)) { error("only allowed to regular files!"); return -1; } return open(path, O_RDONLY); } • Goal: Open only regular files (not symlink, etc) • What can go wrong? 10/12/17 CSE 484 / CSE M 584 - Fall 2017 6

  7. TOCTOU (Race Condition) • TOCTOU == Time of Check to Time of Use: int openfile(char *path) { struct stat s; if (stat(path, &s) < 0) return -1; if (!S_ISRREG(s.st_mode)) { error("only allowed to regular files!"); return -1; } return open(path, O_RDONLY); } • Goal: Open only regular files (not symlink, etc) • Attacker can change meaning of path between stat and open (and access files he or she shouldn’t) 10/12/17 CSE 484 / CSE M 584 - Fall 2017 7

  8. Another Type of Vulnerability • Consider this code: char buf[80]; void vulnerable() { int len = read_int_from_network(); char *p = read_string_from_network(); if (len > sizeof buf) { error("length too large, nice try!"); return; } memcpy(buf, p, len); } void *memcpy(void *dst, const void * src, size_t n); typedef unsigned int size_t; 10/12/17 CSE 484 / CSE M 584 - Fall 2017 8

  9. Implicit Cast If len is negative, may • Consider this code: copy huge amounts char buf[80]; of input into buf. void vulnerable() { int len = read_int_from_network(); char *p = read_string_from_network(); if (len > sizeof buf) { error("length too large, nice try!"); return; } memcpy(buf, p, len); } void *memcpy(void *dst, const void * src, size_t n); typedef unsigned int size_t; 10/12/17 CSE 484 / CSE M 584 - Fall 2017 9

  10. Another Example size_t len = read_int_from_network(); char *buf; buf = malloc(len+5); read(fd, buf, len); (from www-inst.eecs.berkeley.edu—implflaws.pdf) 10/12/17 CSE 484 / CSE M 584 - Fall 2017 10

  11. Integer Overflow size_t len = read_int_from_network(); char *buf; buf = malloc(len+5); read(fd, buf, len); • What if len is large (e.g., len = 0xFFFFFFFF)? • Then len + 5 = 4 (on many platforms) • Result: Allocate a 4-byte buffer, then read a lot of data into that buffer. (from www-inst.eecs.berkeley.edu—implflaws.pdf) 10/12/17 CSE 484 / CSE M 584 - Fall 2017 11

  12. Password Checker • Functional requirements – PwdCheck(RealPwd, CandidatePwd) should: • Return TRUE if RealPwd matches CandidatePwd • Return FALSE otherwise – RealPwd and CandidatePwd are both 8 characters long • Implementation (like TENEX system) PwdCheck(RealPwd, CandidatePwd) // both 8 chars for i = 1 to 8 do if (RealPwd[i] != CandidatePwd[i]) then return FALSE return TRUE • Clearly meets functional description 10/12/17 CSE 484 / CSE M 584 - Fall 2017 12

  13. Attacker Model PwdCheck(RealPwd, CandidatePwd) // both 8 chars for i = 1 to 8 do if (RealPwd[i] != CandidatePwd[i]) then return FALSE return TRUE • Attacker can guess CandidatePwds through some standard interface • Naive: Try all 256 8 = 18,446,744,073,709,551,616 possibilities • Better: Time how long it takes to reject a CandidatePasswd. Then try all possibilities for first character, then second, then third, .... – Total tries: 256*8 = 2048 10/12/17 CSE 484 / CSE M 584 - Fall 2017 13

  14. Timing Attacks • Assume there are no “typical” bugs in the software – No buffer overflow bugs – No format string vulnerabilities – Good choice of randomness – Good design • The software may still be vulnerable to timing attacks – Software exhibits input-dependent timings • Complex and hard to fully protect against 10/12/17 CSE 484 / CSE M 584 - Fall 2017 14

  15. Other Examples • Plenty of other examples of timings attacks – AES cache misses • AES is the “Advanced Encryption Standard” • It is used in SSH, SSL, IPsec, PGP, ... – RSA exponentiation time • RSA is a famous public-key encryption scheme • It’s also used in many cryptographic protocols and products 10/12/17 CSE 484 / CSE M 584 - Fall 2017 15

  16. Software Security: So what do we do? 10/12/17 CSE 484 / CSE M 584 - Fall 2017 16

  17. Fuzz Testing • Generate “random” inputs to program – Sometimes conforming to input structures (file formats, etc.) • See if program crashes – If crashes, found a bug – Bug may be exploitable • Surprisingly effective • Now standard part of development lifecycle 10/12/17 CSE 484 / CSE M 584 - Fall 2017 17

  18. General Principles • Check inputs 10/12/17 CSE 484 / CSE M 584 - Fall 2017 18

  19. Shellshock • Check inputs: not just to prevent buffer overflows • Example: Shellshock (September 2014) – Vulnerable servers processed input from web requests – Passed (user-provided) environment variables (like user agent, cookies…) to CGI scripts – Maliciously crafted environment variables exploited a bug in bash to execute arbitrary code env x='() { :;}; echo Vulnerable' bash -c "echo Real Command" 10/12/17 CSE 484 / CSE M 584 - Fall 2017 19

  20. General Principles • Check inputs • Check all return values • Least privilege • Securely clear memory (passwords, keys, etc.) • Failsafe defaults • Defense in depth – Also: prevent, detect, respond • NOT: security through obscurity 10/12/17 CSE 484 / CSE M 584 - Fall 2017 20

  21. General Principles • Reduce size of trusted computing base (TCB) • Simplicity, modularity – But: Be careful at interface boundaries! • Minimize attack surface • Use vetted component • Security by design – But: tension between security and other goals • Open design? Open source? Closed source? – Different perspectives 10/12/17 CSE 484 / CSE M 584 - Fall 2017 21

  22. Does Open Source Help? • Different perspectives… • Happy example: – Linux kernel backdoor attempt thwarted (2003) (http://www.freedom-to-tinker.com/?p=472) • Sad example: – Heartbleed (2014) • Vulnerability in OpenSSL that allowed attackers to read arbitrary memory from vulnerable servers (including private keys) 10/12/17 CSE 484 / CSE M 584 - Fall 2017 22

  23. http://xkcd.com/1354/ 10/12/17 CSE 484 / CSE M 584 - Fall 2017 23

  24. http://xkcd.com/1354/ 10/12/17 CSE 484 / CSE M 584 - Fall 2017 24

  25. http://xkcd.com/1354/ 10/12/17 CSE 484 / CSE M 584 - Fall 2017 25

  26. Vulnerability Analysis and Disclosure • What do you do if you’ve found a security problem in a real system? • Say – A commercial website? – UW grade database? – Boeing 787? – TSA procedures? 10/12/17 CSE 484 / CSE M 584 - Fall 2017 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Introduction Buffer Overflows Buffer overflows were the most common form of security

Introduction Buffer Overflows Buffer overflows were the most common form of security

Introduction Buffer Overflows Buffer overflows were the most common form of security vulnerability in the 90s. Buffer overflows dominate in the area of remote network penetration vulnerabilities. CS 465 They represent one of the

651 views • 4 slides
Lab 2: Buffer Overflows Fengwei Zhang SUSTech CS 315 Computer Security 1 Buffer Overflows

Lab 2: Buffer Overflows Fengwei Zhang SUSTech CS 315 Computer Security 1 Buffer Overflows

Lab 2: Buffer Overflows Fengwei Zhang SUSTech CS 315 Computer Security 1 Buffer Overflows One of the most common vulnerabilities in software Programming languages commonly associated with buffer overflows including C and C++

1.14k views • 17 slides
Lab 2: Buffer Overflows Fengwei Zhang Wayne State University Course: Cyber Security Prac@ce 1

Lab 2: Buffer Overflows Fengwei Zhang Wayne State University Course: Cyber Security Prac@ce 1

Lab 2: Buffer Overflows Fengwei Zhang Wayne State University Course: Cyber Security Prac@ce 1 Buffer Overflows One of the most common vulnerabili@es in soEware Programming languages commonly associated with buffer overflows including

199 views • 17 slides
Lab 2: Buffer Overflows Fengwei Zhang Wayne State University CSC 5991 Cyber Security PracCce 1

Lab 2: Buffer Overflows Fengwei Zhang Wayne State University CSC 5991 Cyber Security PracCce 1

Lab 2: Buffer Overflows Fengwei Zhang Wayne State University CSC 5991 Cyber Security PracCce 1 Buffer Overflows One of the most common vulnerabiliCes in soGware Programming languages commonly associated with buffer overflows including

195 views • 17 slides
Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Last time We continued By launching our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow fundamentals This time We will finish up By looking at Buffer Overflow overflows

1.33k views • 103 slides
Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a very common attack mechanism from 1988 Morris Worm to Code Red, Slammer, Sasser and many others prevention techniques known still of major concern

873 views • 53 slides
Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed

Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed

1 Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed in buffer overflow exploits to create backdoors Execution of additional network services via the INETD daemon The addition of new users

497 views • 30 slides
ASLR &amp; DEP DAVID HEAVERN Problem Statement Security Issues Buffer Overflows

ASLR &amp; DEP DAVID HEAVERN Problem Statement Security Issues Buffer Overflows

ASLR &amp; DEP DAVID HEAVERN Problem Statement Security Issues Buffer Overflows Buffer overflows are the source of many of the common vulnerabilities in modern software Caused by not checking the source length when writing to a

1.88k views • 130 slides
CSE 484 / CSE M 584 Computer Security: Buffer Overflows

CSE 484 / CSE M 584 Computer Security: Buffer Overflows

CSE 484 / CSE M 584 Computer Security: Buffer Overflows II TA: Viktor Farkas vfarkas@cs Original slides by Franzi Lab 1 Deadline Reminders Lab

373 views • 11 slides
More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester

More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester

More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester Rebeiro Indian Institute of Technology Madras Buffer Overreads 2 Buffer Overread Example 3 Buffer Overread Example len read from command line

906 views • 76 slides
CS 241 Data Organization Buffer Overflows December 4, 2018 The Problem Exploitation Use

CS 241 Data Organization Buffer Overflows December 4, 2018 The Problem Exploitation Use

CS 241 Data Organization Buffer Overflows December 4, 2018 The Problem Exploitation Use large strings (or other datatypes) to overflow a buffer Craft input to make the server do whatever you want Easy to crash a program Harder

256 views • 11 slides
Computer Security Buffer Overflows Denial of Service MIE456 Joseph Kong Overview Program

Computer Security Buffer Overflows Denial of Service MIE456 Joseph Kong Overview Program

Computer Security Buffer Overflows Denial of Service MIE456 Joseph Kong Overview Program Exploitation Buffer Overflows Memory Declaration Smashing The Stack TCP/IP Three Way Handshake Denial of Service SYN Flooding

403 views • 13 slides
On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector

On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector

On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco-Gisbert , Ismael Ripoll Universit` at Polit` ecnica

528 views • 35 slides
Security: Buffer Overflows and Defenses CS 416: Operating Systems Design Department of Computer

Security: Buffer Overflows and Defenses CS 416: Operating Systems Design Department of Computer

Security: Buffer Overflows and Defenses CS 416: Operating Systems Design Department of Computer Science Rutgers University http://www.cs.rutgers.edu/~vinodg/416 Buffer Overflow a very common attack mechanism from 1988 Morris Worm to Code Red,

950 views • 55 slides
Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for

Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for

Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit by Aleph One Summer 2017 Roadmap 1 Process Memory Organization Text Fixed by program Includes code and read-only data

257 views • 22 slides
Buffer Overflows: What They Are, and How to Avoid Them Ricardo J. Rodr guez All wrongs

Buffer Overflows: What They Are, and How to Avoid Them Ricardo J. Rodr guez All wrongs

Buffer Overflows: What They Are, and How to Avoid Them Ricardo J. Rodr guez All wrongs reversed rj.rodriguez@unileon.es @RicardoJRdez www.ricardojrodriguez.es Research Institute of Applied Sciences in Cybersecurity University of

825 views • 50 slides
Natural Language Processing with Deep Learning CS224N/Ling284 Christopher Manning Lecture 3:

Natural Language Processing with Deep Learning CS224N/Ling284 Christopher Manning Lecture 3:

Natural Language Processing with Deep Learning CS224N/Ling284 Christopher Manning Lecture 3: Word Window Classification, Neural Networks, and Matrix Calculus 1. Course plan: coming up Week 2: We learn neural net fundamentals We

1.39k views • 76 slides
1099 compliance in 2020: Prepare by year-end 2019 December 11, 2019 Webinar starts at noon CT

1099 compliance in 2020: Prepare by year-end 2019 December 11, 2019 Webinar starts at noon CT

1099 compliance in 2020: Prepare by year-end 2019 December 11, 2019 Webinar starts at noon CT Presented by Cindy McSwain Senior Vice President Outsourcing Services Administration If you need CPE or HR credit, please participate in all

795 views • 64 slides
The Bro Network Security Monitor Bro Integrations: Some Misc. Bro Related Stuff Jon Schipp, NCSA

The Bro Network Security Monitor Bro Integrations: Some Misc. Bro Related Stuff Jon Schipp, NCSA

The Bro Network Security Monitor Bro Integrations: Some Misc. Bro Related Stuff Jon Schipp, NCSA BroCon15 MIT, Cambridge, Massachusetts Agenda Outlining a few things Ive worked on ISLET - Software that can be used for Bro training

584 views • 20 slides
Object Intro and Miscellaneous Checkout ObjectIntroAndMisc project from SVN Writing clean code

Object Intro and Miscellaneous Checkout ObjectIntroAndMisc project from SVN Writing clean code

Object Intro and Miscellaneous Checkout ObjectIntroAndMisc project from SVN Writing clean code Comments are only the last resort Functions Give functions descriptive names Dont make functions too long Rather than commenting an

736 views • 21 slides
Computer Science &amp; Engineering 150A Introduction Problem Solving Using Computers Basics

Computer Science &amp; Engineering 150A Introduction Problem Solving Using Computers Basics

CSCE150A Computer Science &amp; Engineering 150A Introduction Problem Solving Using Computers Basics String Library Lecture 07 - Strings Substrings Line Scanning Sorting Stephen Scott Command Line (Adapted from Christopher M. Bourke)

707 views • 51 slides
Miscellaneous Capabilities Negotiation in the Session Description Protocol

Miscellaneous Capabilities Negotiation in the Session Description Protocol

Miscellaneous Capabilities Negotiation in the Session Description Protocol draft-mmusic-sdp-misc-cap-00 IETF77 Anaheim, CA, USA March 23, 2010 Miguel A. Garcia-Martin Robert R. Gilman Simo Veikkolainen simo.veikkolainen@nokia.com 1 MMUSIC

364 views • 7 slides
&amp;6

&amp;6

,QWURGXFWLRQ &amp;6 'RQRWSODQDEULGJHFDSDFLW\E\FRXQWLQJWKHQXPEHURISHRSOHZKR 0RGHOLQJDQG3HUIRUPDQFH VZLPDFURVVWKHULYHUWRGD\ +HDUGDWDSUHVHQWDWLRQ

718 views • 4 slides
2014 1099-MISC Processing Webinar 1 D E CE M B E R 3 , 2 0 14 P R E S E N TE R : D ON H E

2014 1099-MISC Processing Webinar 1 D E CE M B E R 3 , 2 0 14 P R E S E N TE R : D ON H E

2014 1099-MISC Processing Webinar 1 D E CE M B E R 3 , 2 0 14 P R E S E N TE R : D ON H E M W ALL Q&amp;A: W I LL H OE H N 1099 Processing Release Overview 2 The 1099 software is updated annually. The release of the Tax Reporting

1.16k views • 68 slides

More recommend