more bufger overfmows
play

More Bufger Overfmows 1 midterm 1 kernel density plot; red lines: - PowerPoint PPT Presentation

Nov 05, 2022 •680 likes •1.4k views

More Bufger Overfmows 1 midterm 1 kernel density plot; red lines: 25/50/75th perecentile; green line: mean 2 50 60 70 80 90 100 last time stack smashing particular exploit technique for bufger overfmows bufger overfmow = out-of-bounds

  1. More Bufger Overfmows 1

  2. midterm 1 kernel density plot; red lines: 25/50/75th perecentile; green line: mean 2 50 60 70 80 90 100

  3. last time stack smashing particular exploit technique for bufger overfmows bufger overfmow = out-of-bounds access to array condition: bufger on the stack two steps: insert machine code overwrite return address to point there 3

  4. stack smashing: the tricky parts construct machine code that works in any executable same tricks as writing relocatable virus code usual idea: just execute shell (command prompt) construct machine code that’s valid input machine code usually fmexible enough fjnding location of return address fjxed ofgset from bufger fjnding location of inserted machine code 4

  5. stack smashing: the tricky parts construct machine code that works in any executable same tricks as writing relocatable virus code usual idea: just execute shell (command prompt) construct machine code that’s valid input machine code usually fmexible enough fjnding location of return address fjxed ofgset from bufger fjnding location of inserted machine code 5

  6. machine code that works anywhere need relocatable machine code relative addressing internally absolute addressing of program 6

  7. stack smashing: the tricky parts construct machine code that works in any executable same tricks as writing relocatable virus code usual idea: just execute shell (command prompt) construct machine code that’s valid input machine code usually fmexible enough fjnding location of return address fjxed ofgset from bufger fjnding location of inserted machine code 7

  8. valid input? common restrictions: no 0 bytes, no newlines machine code is fmexible enough, but tricky example: mov $0x100, %rax has 0 s in encoding of 0x100 xor %eax, %eax mov $0x100, %al 8

  9. stack smashing: the tricky parts construct machine code that works in any executable same tricks as writing relocatable virus code usual idea: just execute shell (command prompt) construct machine code that’s valid input machine code usually fmexible enough fjnding location of return address fjxed ofgset from bufger fjnding location of inserted machine code 9

  10. location of return address easiest part, but … depends on what compiler does variable number of saved registers … read assembly? 10

  11. stack smashing: the tricky parts construct machine code that works in any executable same tricks as writing relocatable virus code usual idea: just execute shell (command prompt) construct machine code that’s valid input machine code usually fmexible enough fjnding location of return address fjxed ofgset from bufger fjnding location of inserted machine code 11

  12. stack location? $ cat stackloc.c #include <stdio.h> int main(void) { int x; printf("%p\n", &x); } $ ./stackloc.exe 0x7ffe8859d964 $ ./stackloc.exe 0x7ffd4e26ac04 $ ./stackloc.exe 0x7ffc190af0c4 12

  13. address space layout randomization vary the location of things in memory including the stack designed to make exploiting memory errors harder will talk more about later 13

  14. disabling ASLR Switching on ADDR_COMPAT_LAYOUT. 0x7fffffffe064 $ ./stackloc.exe 0x7fffffffe064 $ ./stackloc.exe 0x7fffffffe064 $ ./stackloc.exe Switching on ADDR_NO_RANDOMIZE. $ cat stackloc.c $ setarch x86_64 -vRL bash } printf("%p\n", &x); int x; int main(void) { #include <stdio.h> 14

  15. fjnding stack location run program in a debugger (e.g., GDB) set breakpoint at relevant location b functionName b *0x12345678 (by address) output %rsp p $rsp info registers 15

  16. stack location? (take 2) Breakpoint 1, 0x00000000004005b6 in main () (gdb) [Inferior 1 (process 15441) exited normally] 0x7fffffffdfe4 (gdb) continue $1 = (void *) 0x7fffffffdff8 (gdb) p $rsp Starting program: /home/cr4bd/spring2017/cs4630/slides/20170307/stackloc.exe $ ./stackloc.exe (gdb) run Breakpoint 1 at 0x4005b6 (gdb) break main ... $ gdb ./stackloc.exe 0x7fffffffe064 16

  17. Linux, initial stack pointer to bar array of pointers to args (argv) array of pointers to env. vars. command-line arguments environment variables ./test.exe foo bar actual initial stack pointer pointer to ./test.exe pointer to foo NULL pointer (end of list) top of stack at pointer to PATH env. var. pointer to HOME env. var. NULL pointer (end of list) "./test.exe" "foo" "bar" "PATH=/usr/bin:/bin" "HOME=/home/cr4bd" 0x7ffffffff000 17

  18. on using GDB cheat sheet on website 18

  19. gdb demo 19

  20. trigger segfault mov $1 = (void *) 0x7fffffffdff8 (gdb) p $rsp End of assembler dump. retq => 0x000000000040053b <+21>: $0x18,%rsp add 0x0000000000400537 <+17>: 0x400410 <gets@plt> callq 0x0000000000400532 <+12>: $0x0,%eax 0x000000000040052d <+7>: gdb ./a.out %rsp,%rdi mov 0x000000000040052a <+4>: $0x18,%rsp sub 0x0000000000400526 <+0>: Dump of assembler code for function vulnerable: (gdb) disass 0x000000000040053b in vulnerable () Program received signal SIGSEGV, Segmentation fault. Starting program: /path/to/a.out (gdb) run <big-input.txt ... 20

  21. trigger segfault — stripped gdb ./a.out ... (gdb) run <big-input.txt Starting program: /path/to/a.out Program received signal SIGSEGV, Segmentation fault. 0x000000000040053b in ?? () (gdb) disassemble No function contains program counter for selected frame. (gdb) x/i $rip => 0x40053b: retq (gdb) 21

  22. stripping you can remove debugging information from executables Linux command: strip GCC option -s disassemble can’t tell where function starts 22

  23. disassembly attempts sbb (gdb) End of assembler dump. retq => 0x000000000040053b: $0x18,%rsp add 0x0000000000400537: Dump of assembler code from 0x400537 to 0x40053c: (gdb) disassemble $rip-4,$rip+1 End of assembler dump. %al,%bl 0x000000000040053a: gdb ./a.out (bad) 0x0000000000400539: -0x7d(%rax) decl 0x0000000000400536: Dump of assembler code from 0x400536 to 0x40053c: (gdb) disassemble $rip-5,$rip+1 0x000000000040053b in ?? () Program received signal SIGSEGV, Segmentation fault. Starting program: /path/to/a.out (gdb) run <big-input.txt ... 23

  24. other notable debugger commands b *0x12345 — set breakpoint at address can set breakpoint on machine code on stack watchpoints — like breakpoints but trigger on change to/read from value “when is return address overwritten” 24

  25. debugging demo 25

  26. stopping stack smashing? how can you stop stack smashing? stop overrun — bounds-checking stop return to attacker code stop execution of attacker code 26

  27. stopping stack smashing? how can you stop stack smashing? stop overrun — bounds-checking stop return to attacker code stop execution of attacker code 26

  28. exploit mitigations idea: turn vulnerablity to something less bad e.g. crash instead of machine code execution many of these targetted at bufger overfmows 27

  29. mitigation agenda we will look briefmy at one mitigation — stack canaries then look at exploits that don’t care about it then look at more fmexible mitigations then look at more fmexible exploits 28

  30. mitigation priorities efgective? does it actually stop the attacker? fast? how much does it hurt performance? generic? does it require a recompile? rewriting software? recurring theme: stop stack smashing, but not other bufger overfmows 29

  31. stopping stack smashing? how can you stop stack smashing? stop overrun — bounds-checking stop return to attacker code stop execution of attacker code 30

  32. recall: RE xor %fs:0x28, %rdi call __stack_chk_fail call_stack_chk_fail: ret add $0x28, %rsp jne call_stack_chk_fail mov 0x18(%rsp), %rdi /* copy value from stack */ ... ... ... mov %rax, 0x18(%rsp) /* ... on to stack, before return address */ mov %fs:0x28, %rax 31 /* copy value from thread − local storage */ /* xor with value in thread − local storage */ /* if result non − zero, do not return */

  33. recall: RE xor %fs:0x28, %rdi call __stack_chk_fail call_stack_chk_fail: ret add $0x28, %rsp jne call_stack_chk_fail mov 0x18(%rsp), %rdi /* copy value from stack */ ... ... ... mov %rax, 0x18(%rsp) /* ... on to stack, before return address */ 31 /* copy value from thread − local storage */ mov %fs:0x28, %rax /* xor with value in thread − local storage */ /* if result non − zero, do not return */

  34. recall: RE xor %fs:0x28, %rdi call __stack_chk_fail call_stack_chk_fail: ret add $0x28, %rsp jne call_stack_chk_fail 31 /* copy value from stack */ ... ... ... mov %rax, 0x18(%rsp) /* ... on to stack, before return address */ mov %fs:0x28, %rax /* copy value from thread − local storage */ mov 0x18(%rsp), %rdi /* xor with value in thread − local storage */ /* if result non − zero, do not return */

  35. stack canary increasing addresses highest address (stack started here) lowest address (stack grows here) return address for vulnerable : 37 fd 40 00 00 00 00 00 (0x40fd37) canary: b1 ab bd e8 31 15 df 31 unused space (12 bytes) bufger (100 bytes) return address for scanf machine code for the attacker to run 32

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

13 - Computer Security Bufger Overfmows 1 Context

13 - Computer Security Bufger Overfmows 1 Context

13 - Computer Security Bufger Overfmows 1 Context General problem : unsanitized user input Low level language (eg C): overfmow a local array (bufger) Write over the stack! Overwrite

641 views • 24 slides
More Bufger Overfmows 1 on the homework due Friday + 1 week questions? big hint in assignment:

More Bufger Overfmows 1 on the homework due Friday + 1 week questions? big hint in assignment:

More Bufger Overfmows 1 on the homework due Friday + 1 week questions? big hint in assignment: gets is what does bufger overfmow reading the assembly should be fairly straightforward probably easiest strategy in this case debugger can fjnd

1.36k views • 98 slides
Yet More Bufger Overfmows 1 Changelog Corrections made in this version not in fjrst posting: 1

Yet More Bufger Overfmows 1 Changelog Corrections made in this version not in fjrst posting: 1

Yet More Bufger Overfmows 1 Changelog Corrections made in this version not in fjrst posting: 1 April 2017: slide 41: a few more %cs would be needed to skip format string part 1 last time: pointer subterfuge pointer subterfuge

1.25k views • 78 slides
Software Security (I): Bufger-overfmow Attacks Dawn Song 1 Logistics New offjce hour

Software Security (I): Bufger-overfmow Attacks Dawn Song 1 Logistics New offjce hour

Computer Security Course. Dawn Computer Security Course. Dawn Song Song Software Security (I): Bufger-overfmow Attacks Dawn Song 1 Logistics New offjce hour Webcast Calcentral: select cs161 Dawn Song 2 Intro HTTP REQUEST

1.74k views • 41 slides
I/O / Filesystems 1 1 last time when LRU fails special-case for single-access fjle data

I/O / Filesystems 1 1 last time when LRU fails special-case for single-access fjle data

I/O / Filesystems 1 1 last time when LRU fails special-case for single-access fjle data readahead handle scans by predicting reads device driver halfs top: from system call, use bufger, request data, wait for data bottom: from interrupt,

1.13k views • 84 slides
Pre-GDB, GDB, and IRIS-HEP Retreat: Updates from Recent Meetings Brian Bockelman OSG Technology

Pre-GDB, GDB, and IRIS-HEP Retreat: Updates from Recent Meetings Brian Bockelman OSG Technology

Pre-GDB, GDB, and IRIS-HEP Retreat: Updates from Recent Meetings Brian Bockelman OSG Technology Area Coordinator Associate Scientist, Morgridge Institute for Research Recent Meetings Involving OSG The week of Sept 9 featured three

410 views • 15 slides
Introduction to writing and debugging micro- services mwan@diceresearch.org 1 Micro-service

Introduction to writing and debugging micro- services mwan@diceresearch.org 1 Micro-service

Introduction to writing and debugging micro- services mwan@diceresearch.org 1 Micro-service Input/output parameters Prototype of a micro-service int findObjType ( msParam_t *objInput , msParam_t *typeOutput , ruleExecInfo_t *rei );

498 views • 16 slides
Introduction to GDB Python Usage examples Conclusion Pierre-Marie de Rodat

Introduction to GDB Python Usage examples Conclusion Pierre-Marie de Rodat

Introduction to GDB Python Pierre-Marie de Rodat Introduction Introduction to GDB Python Usage examples Conclusion Pierre-Marie de Rodat pmderodat@lse.epita.fr PM @ {rezosup, freenode, geeknode, . . . } http://lse.epita.fr February 12,

1.01k views • 44 slides
CSCI 2132 Software Development Lab 5: gcc and gdb tools Instructor: Vlado Keselj Faculty of

CSCI 2132 Software Development Lab 5: gcc and gdb tools Instructor: Vlado Keselj Faculty of

CSCI 2132 Software Development Lab 5: gcc and gdb tools Instructor: Vlado Keselj Faculty of Computer Science Dalhousie University 10-Oct-2018 (5) CSCI 2132 1 Lab Overview Learning more about gcc and about gdb Using a program as an

260 views • 12 slides
Project 1 Notes and Demo Overview Youll be given the

Project 1 Notes and Demo Overview Youll be given the

Project 1 Notes and Demo Overview Youll be given the source code for 7 short buggy programs (target[1-7].c). These programs will be installed

632 views • 38 slides
rt Pr t

rt Pr t

s t r t r s r s t r r t r rtrs

1.06k views • 87 slides
Execute My Packet David Barksdale, Jordan Gruskovnjak, and Alex Wheeler Jordan Gruskovnjak

Execute My Packet David Barksdale, Jordan Gruskovnjak, and Alex Wheeler Jordan Gruskovnjak

Execute My Packet David Barksdale, Jordan Gruskovnjak, and Alex Wheeler Jordan Gruskovnjak Currently Working at Crowdstrike, Inc. Reverse Engineering &amp; Malware Analysis Exploitation &amp; Mitigation Research Previously worked

789 views • 48 slides
BRUCE DAWSON VALVE GETTING STARTED DEBUGGING ON LINUX (MAKING IT EASY IN LESS THAN AN HOUR)

BRUCE DAWSON VALVE GETTING STARTED DEBUGGING ON LINUX (MAKING IT EASY IN LESS THAN AN HOUR)

BRUCE DAWSON VALVE GETTING STARTED DEBUGGING ON LINUX (MAKING IT EASY IN LESS THAN AN HOUR) Linux Debugging Challenges: Default debugger is intimidating to new users Tough to get symbols and source to show up Many tricks needed

544 views • 40 slides
DebugAllYourCode: PortableMixedEnvironmentDebugging

DebugAllYourCode: PortableMixedEnvironmentDebugging

DebugAllYourCode: PortableMixedEnvironmentDebugging ByeongcheolLee Mar:nHirzel RobertGrimm KathrynMcKinley OOPSLA 2009 B. Lee, M. Hirzel, R. Grimm, and K. S. McKinley 1

1.12k views • 52 slides
Introduction to GDB Here We Start Crashes, errors and warnings are part of a C programmers

Introduction to GDB Here We Start Crashes, errors and warnings are part of a C programmers

Introduction to GDB Here We Start Crashes, errors and warnings are part of a C programmers life Debugger allows the programmer to take a look at the program in execution to deduce the cause of crashes and erroneous results Debugger

595 views • 13 slides
gdb or sws1 gdb g Gnu debugger, for several languages, incl. C and C++ It It

gdb or sws1 gdb g Gnu debugger, for several languages, incl. C and C++ It It

1 what to do when my program segfaults? gdb or sws1 gdb g Gnu debugger, for several languages, incl. C and C++ It It allows you to inspect what a program is doing at points during ll t i t h t i d i t i t d i execution

537 views • 12 slides
Linux Kernel Debugging Linux Kernel Debugging Advanced Operating Systems 2018/2019

Linux Kernel Debugging Linux Kernel Debugging Advanced Operating Systems 2018/2019

Linux Kernel Debugging Linux Kernel Debugging Advanced Operating Systems 2018/2019 http://d3s.mff.cuni.cz CHARLES UNIVERSITY IN PRAGUE faculty of mathematjcs and physics faculty of mathematjcs and physics Vlastimil Babka vbabka@suse.cz

1.6k views • 62 slides
C, Pointers, gdb 6.S081 Lecture 2 Fall 2020 My First Memory Bug one = 1 abc = [a,

C, Pointers, gdb 6.S081 Lecture 2 Fall 2020 My First Memory Bug one = 1 abc = [a,

C, Pointers, gdb 6.S081 Lecture 2 Fall 2020 My First Memory Bug one = 1 abc = [a, b, c] two = one abcdef = abc two += 1 abcdef += [d, e, f] print(one) print(abc) print(two) print(abcdef)

370 views • 17 slides
Multithreading in Qt Doing it wrong, debugging it, doing it right David Faure

Multithreading in Qt Doing it wrong, debugging it, doing it right David Faure

Multithreading in Qt Doing it wrong, debugging it, doing it right David Faure &lt;david.faure@kdab.com&gt; Outline QThread Debugging race conditions Debugging deadlocks Unit-testing for thread-safety How to use QThread A busy

167 views • 16 slides
Cyber@UC Meeting 90 MBE: Basic Binary Exploitation If Youre New! Join our Slack:

Cyber@UC Meeting 90 MBE: Basic Binary Exploitation If Youre New! Join our Slack:

Cyber@UC Meeting 90 MBE: Basic Binary Exploitation If Youre New! Join our Slack: cyberatuc.slack.com Check out our website: cyberatuc.org Organization Resources on our Wiki: wiki.cyberatuc.org SIGN IN! (Slackbot will post

442 views • 14 slides
gRPC Python, C Extensions, and AsyncIO Discord channel: #talk-grpc-and-asyncio About us

gRPC Python, C Extensions, and AsyncIO Discord channel: #talk-grpc-and-asyncio About us

gRPC Python, C Extensions, and AsyncIO Discord channel: #talk-grpc-and-asyncio About us Lidi Zheng Software Engineer at Google Maintainer of gRPC Python Pau Freixes Former Senior Software Engineer at Skyscanner

348 views • 24 slides
Puppy Raising Community: Raisers, Sitters and Volunteers What is a Community? Online

Puppy Raising Community: Raisers, Sitters and Volunteers What is a Community? Online

Puppy Raising Community: Raisers, Sitters and Volunteers What is a Community? Online platform using the internet browser of your choice. Log in anywhere using a computer, tablet or smartphone- no app required! Get access to

942 views • 22 slides
User Level DB: a Debugging API for User- Level Thread Libraries Kevin Pouget, Marc Prache,

User Level DB: a Debugging API for User- Level Thread Libraries Kevin Pouget, Marc Prache,

User Level DB: a Debugging API for User- Level Thread Libraries Kevin Pouget, Marc Prache, Patrick Carribault, and Herv Jourdren kevin.pouget@gmail.com, {marc.perache,patrick.carribault,herve.jourdren}@cea.fr CEA, DAM, DIF, F-91297 Arpajon,

895 views • 34 slides
Control flow Condition codes Conditional and unconditional jumps Loops Switch statements 1

Control flow Condition codes Conditional and unconditional jumps Loops Switch statements 1

Control flow Condition codes Conditional and unconditional jumps Loops Switch statements 1 Conditionals and Control Flow Two key pieces 1. Comparisons and tests: check conditions 2. Transfer control: choose next instruction Processor

2.09k views • 36 slides

More recommend