more bufger overfmows
play

More Bufger Overfmows 1 on the homework due Friday + 1 week - PowerPoint PPT Presentation

Feb 02, 2024 •369 likes •1.36k views

More Bufger Overfmows 1 on the homework due Friday + 1 week questions? big hint in assignment: gets is what does bufger overfmow reading the assembly should be fairly straightforward probably easiest strategy in this case debugger can fjnd

  1. More Bufger Overfmows 1

  2. on the homework due Friday + 1 week questions? big hint in assignment: gets is what does bufger overfmow reading the assembly should be fairly straightforward probably easiest strategy in this case debugger can fjnd stack addresses you need 2

  3. 3

  4. techniques from Pincus and Baker arc injection AKA return-oriented programming more detail (+ assignment) later in semester overwriting data pointers overwriting function pointers overwriting pointers to function pointers (on heap) overwriting malloc ’s data structures 4

  5. other bufger overfmows? examples last time: luck: “ score ” for quiz on stack next to answer “arc injection” — return to existing code data pointer on stack 5

  6. techniques from Pincus and Baker arc injection AKA return-oriented programming more detail (+ assignment) later in semester overwriting data pointers overwriting function pointers overwriting pointers to function pointers (on heap) overwriting malloc ’s data structures 6

  7. return-to-somewhere increasing addresses highest address (stack started here) lowest address (stack grows here) return address for vulnerable : address of do_useful_stuff unused space (20 bytes) bufger (100 bytes) return address for scanf unused junk do_useful_stuff (already in program) code is already in program??? how often does this happen??? …turns out “usually” — more later in semester 7

  8. return-to-somewhere increasing addresses highest address (stack started here) lowest address (stack grows here) return address for vulnerable : address of do_useful_stuff unused space (20 bytes) bufger (100 bytes) return address for scanf unused junk do_useful_stuff (already in program) code is already in program??? how often does this happen??? …turns out “usually” — more later in semester 7

  9. techniques from Pincus and Baker arc injection AKA return-oriented programming more detail (+ assignment) later in semester overwriting data pointers overwriting function pointers overwriting pointers to function pointers (on heap) overwriting malloc ’s data structures 8

  10. pointer subterfuge void f2b( void *arg, size_t len) { char buffer[100]; long val = ...; /* assume on stack */ long *ptr = ...; /* assume on stack */ memcpy(buff, arg, len); /* overwrite ptr? */ *ptr = val; /* arbitrary memory write! */ } adapted from Pincus and Baker, Figure 2 9

  11. pointer subterfuge void f2b( void *arg, size_t len) { char buffer[100]; long val = ...; /* assume on stack */ long *ptr = ...; /* assume on stack */ memcpy(buff, arg, len); /* overwrite ptr? */ *ptr = val; /* arbitrary memory write! */ } adapted from Pincus and Baker, Figure 2 9

  12. arbitrary memory write bunch of scenarios that lead to single arbitrary memory write how can attacker exploit this? overwrite return address directly overwrite other function/code address pointer? overwrite existing machine code (insert jump?) overwrite another data pointer — copy more? 10

  13. arbitrary memory write bunch of scenarios that lead to single arbitrary memory write how can attacker exploit this? overwrite return address directly overwrite other function/code address pointer? overwrite existing machine code (insert jump?) overwrite another data pointer — copy more? 10

  14. arbitrary memory write bunch of scenarios that lead to single arbitrary memory write how can attacker exploit this? overwrite return address directly overwrite other function/code address pointer? overwrite existing machine code (insert jump?) overwrite another data pointer — copy more? 10

  15. skipping the canary increasing addresses highest address (stack started here) lowest address (stack grows here) return address for f2b stack canary ptr (8 bytes) val (8 bytes) bufger (100 bytes) return address for scanf machine code for the attacker to run 11

  16. skipping the canary increasing addresses highest address (stack started here) lowest address (stack grows here) return address for f2b stack canary ptr (8 bytes) val (8 bytes) bufger (100 bytes) return address for scanf machine code for the attacker to run 11

  17. skipping the canary increasing addresses highest address (stack started here) lowest address (stack grows here) return address for f2b stack canary ptr (8 bytes) val (8 bytes) bufger (100 bytes) return address for scanf machine code for the attacker to run 11

  18. fragility problem: need to know exact address of return address discussed how stack location varies — this is tricky/unreliable 12

  19. arbitrary memory write bunch of scenarios that lead to single arbitrary memory write how can attacker exploit this? overwrite return address directly overwrite other function/code address pointer? overwrite existing machine code (insert jump?) overwrite another data pointer — copy more? 13

  20. function pointers? int (*compare)( char *, char *); if (sortCaseSensitive) { compare = compareStringsExactly; } else { compare = compareStringsInsensitive; } ... if ((*compare)(string1, string2) == CMP_LESS) { ... } 14

  21. function pointers are common? used in dynamic linking (stubs!) in large C projects used to implement C++ virtual functions 15

  22. dynamic linking stubs 00000000004004a0 <__printf_chk@plt>: if lazy binding — normally updated fjrst time printf called _GLOBAL_OFFSET_TABLE[5] is probably writeable jumps to _GLOBAL_OFFSET_TABLE[5] 400470 <_init+0x28> jmpq e9 c0 ff ff ff 4004ab: $0x2 pushq 68 02 00 00 00 4004a6: # 601028 <_GLOBAL_OFFSET_TABLE_+0x28> *0x200b82(%rip) jmpq ff 25 82 0b 20 00 4004a0: 16 _GLOBAL_OFFSET_TABLE[5] always at address 0x601028

  23. attacking the GOT increasing addresses highest address (stack started here) lowest address (stack grows here) return address for f2b stack canary ptr (8 bytes) val (8 bytes) bufger (100 bytes) return address for scanf global ofgset table GOT entry: printf GOT entry: fopen GOT entry: exit machine code for the attacker to run 17

  24. attacking the GOT increasing addresses highest address (stack started here) lowest address (stack grows here) return address for f2b stack canary ptr (8 bytes) val (8 bytes) bufger (100 bytes) return address for scanf global ofgset table GOT entry: printf GOT entry: fopen GOT entry: exit machine code for the attacker to run 17

  25. attacking the GOT increasing addresses highest address (stack started here) lowest address (stack grows here) return address for f2b stack canary ptr (8 bytes) val (8 bytes) bufger (100 bytes) return address for scanf global ofgset table GOT entry: printf GOT entry: fopen GOT entry: exit machine code for the attacker to run 17

  26. function pointers are common? used in dynamic linking (stubs!) in large C projects used to implement C++ virtual functions 18

  27. function pointer tables: Linux kernel (1) *f_op; }; ... f_count; atomic_long_t f_lock; spinlock_t */ * Must not be taken from IRQ context. * Protects f_ep_links, f_flags. /* const struct file_operations struct file { /* cached value */ *f_inode; struct inode f_path; struct path } f_u; fu_rcuhead; struct rcu_head fu_llist; struct llist_node union { 19

  28. function pointer tables: Linux kernel (2) struct file_operations { struct module *owner; loff_t (*llseek) ( struct file *, loff_t, int ); ssize_t (*read) ( struct file *, char __user *, size_t, loff_t *); ssize_t (*write) ( struct file *, const char __user *, size_t, loff_t *); ssize_t (*read_iter) ( struct kiocb *, struct iov_iter *); ssize_t (*write_iter) ( struct kiocb *, struct iov_iter *); int (*iterate) ( struct file *, struct dir_context *); ... }; 20

  29. function pointers are common? used in dynamic linking (stubs!) in large C projects used to implement C++ virtual functions 21

  30. C++ inheritence }; }; ... int tell(); void seek( int offset); int get(); public : class FileInputStream : public InputStream { virtual int tell() = 0; class InputStream { virtual void seek( int offset) = 0; public : class SeekableInputStream : public InputStream { }; ... // Java: abstract int get(); virtual int get() = 0; public : 22

  31. C++ inheritence: memory layout vtable pointer InputStream vtable pointer SeekableInputStream vtable pointer file_pointer FileInputStream slot for get slot for get slot for seek slot for tell FileInputStream::get FileinputStream::seek FileInputStream::tell 23

  32. C++ implementation (pseudo-code) struct InputStream_vtable { int (*get)(InputStream* this); }; struct InputStream { InputStream_vtable *vtable; }; ... InputStream *s = ...; 24 int c = (s − >vtable − >get)(s);

  33. C++ implementation (pseudo-code) struct SeekableInputStream_vtable { struct InputStream_vtable as_InputStream; void (*seek)(SeekableInputStream* this, int offset); int (*tell)(SeekableInputStream* this); }; struct FileInputStream { SeekableInputStream_vtable *vtable; FILE *file_pointer; }; ... FileInputStream file_in = { the_FileInputStream_vtable, ... }; InputStream *s = (InputStream*) &file_in; 25

  34. C++ implementation (pseudo-code) SeekableInputStream_vtable the_FileInputStream_vtable = { &FileInputStream_get, &FileInputStream_seek, &FileInputStream_tell, }; ... FileInputStream file_in = { the_FileInputStream_vtable, ... }; InputStream *s = (InputStream*) &file_in; 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

13 - Computer Security Bufger Overfmows 1 Context

13 - Computer Security Bufger Overfmows 1 Context

13 - Computer Security Bufger Overfmows 1 Context General problem : unsanitized user input Low level language (eg C): overfmow a local array (bufger) Write over the stack! Overwrite

641 views • 24 slides
More Bufger Overfmows 1 midterm 1 kernel density plot; red lines: 25/50/75th perecentile; green

More Bufger Overfmows 1 midterm 1 kernel density plot; red lines: 25/50/75th perecentile; green

More Bufger Overfmows 1 midterm 1 kernel density plot; red lines: 25/50/75th perecentile; green line: mean 2 50 60 70 80 90 100 last time stack smashing particular exploit technique for bufger overfmows bufger overfmow = out-of-bounds

1.4k views • 71 slides
Yet More Bufger Overfmows 1 Changelog Corrections made in this version not in fjrst posting: 1

Yet More Bufger Overfmows 1 Changelog Corrections made in this version not in fjrst posting: 1

Yet More Bufger Overfmows 1 Changelog Corrections made in this version not in fjrst posting: 1 April 2017: slide 41: a few more %cs would be needed to skip format string part 1 last time: pointer subterfuge pointer subterfuge

1.25k views • 78 slides
Software Security (I): Bufger-overfmow Attacks Dawn Song 1 Logistics New offjce hour

Software Security (I): Bufger-overfmow Attacks Dawn Song 1 Logistics New offjce hour

Computer Security Course. Dawn Computer Security Course. Dawn Song Song Software Security (I): Bufger-overfmow Attacks Dawn Song 1 Logistics New offjce hour Webcast Calcentral: select cs161 Dawn Song 2 Intro HTTP REQUEST

1.74k views • 41 slides
I/O / Filesystems 1 1 last time when LRU fails special-case for single-access fjle data

I/O / Filesystems 1 1 last time when LRU fails special-case for single-access fjle data

I/O / Filesystems 1 1 last time when LRU fails special-case for single-access fjle data readahead handle scans by predicting reads device driver halfs top: from system call, use bufger, request data, wait for data bottom: from interrupt,

1.13k views • 84 slides
CS 251 Fall 2019 x86-64 Linux memory layout CS 240 Spring 2020 Principles of Programming

CS 251 Fall 2019 x86-64 Linux memory layout CS 240 Spring 2020 Principles of Programming

CS 251 Fall 2019 x86-64 Linux memory layout CS 240 Spring 2020 Principles of Programming Languages Foundations of Computer Systems Ben Wood ... ... Ben Wood 0x00007fffffffffff Stack not drawn to scale Caller Buffer Overflows Frame

335 views • 4 slides
Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM x86-64 Linux Memory Layout ... ... 0x00007fffffffffff Stack not drawn to scale Caller Frame Extra Arguments

325 views • 16 slides
Buffer Overrun Review Process Layout in Memory IA-32

Buffer Overrun Review Process Layout in Memory IA-32

Buffer Overrun Review Process Layout in Memory IA-32 Nota=on Format : inst src dst registers prefixed with a %, constants with $

756 views • 31 slides
Natural Language Processing: Traditional Processing Pipeline Roman Kern &lt;rkern@tugraz.at&gt;

Natural Language Processing: Traditional Processing Pipeline Roman Kern &lt;rkern@tugraz.at&gt;

Natural Language Processing: Traditional Processing Pipeline SCIENCE PASSION TECHNOLOGY Natural Language Processing: Traditional Processing Pipeline Roman Kern &lt;rkern@tugraz.at&gt; 2020-03-19 Roman Kern &lt;rkern@tugraz.at&gt;, Institute

1.36k views • 114 slides
NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2

NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2

1 NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2 Memory safety attacks Buffer overruns Format string vulnerabilities Web application vulnerabilities SQL injections Cross-site

901 views • 39 slides
Assignments Homework 1 due Friday Lab1 due next Wednesday Section - will talk

Assignments Homework 1 due Friday Lab1 due next Wednesday Section - will talk

Assignments Homework 1 due Friday Lab1 due next Wednesday Section - will talk about gdb, etc. Approaches to Fin inding Security Bugs 2 Runtime Monitoring Black-box Testing Static Analysis From Coverity 3

613 views • 33 slides
vMPCP: A Synchronization Framework for Multi-Core Virtual Machines Hyoseung Kim * Shige Wang

vMPCP: A Synchronization Framework for Multi-Core Virtual Machines Hyoseung Kim * Shige Wang

RTSS 2014 vMPCP: A Synchronization Framework for Multi-Core Virtual Machines Hyoseung Kim * Shige Wang Raj Rajkumar * shige.wang@gm.com raj@ece.cmu.edu hyoseung@cmu.edu * General Motors R&amp;D RTSS 2014 Benefits of Multi-Core

538 views • 24 slides
History of the Stack Overflow Buffer Overflow Understood

History of the Stack Overflow Buffer Overflow Understood

History of the Stack Overflow Buffer Overflow Understood as early as 1972 Computer Security Technology Planning Study Morris Worm First

1.07k views • 42 slides
Capacity Access Review Transmission Workgroup 9 th January 2020 CAR Plan for todays Workgroup

Capacity Access Review Transmission Workgroup 9 th January 2020 CAR Plan for todays Workgroup

Capacity Access Review Transmission Workgroup 9 th January 2020 CAR Plan for todays Workgroup December Workgroups aims; - Long-term ambition - Specific issues caused by the short-term problems - Agree Workplan January

656 views • 14 slides
Using the Linux Tracing Infrastructure Jan Altenberg Linutronix GmbH Jan Altenberg Linutronix

Using the Linux Tracing Infrastructure Jan Altenberg Linutronix GmbH Jan Altenberg Linutronix

Using the Linux Tracing Infrastructure Jan Altenberg Linutronix GmbH Jan Altenberg Linutronix GmbH 1 Overview . Linutronix GmbH Jan Altenberg 9 Tracecompass . . 8 Kernelshark . . 7 trace-cmd . . 6 uprobes . 5 kprobes . . . 4

944 views • 52 slides
Injection and a Proven Countermeasure PROOFS2015, Saint Malo, France Shoei Nashimoto, Naofumi

Injection and a Proven Countermeasure PROOFS2015, Saint Malo, France Shoei Nashimoto, Naofumi

17 September 2015 Buffer Overflow Attack with Multiple Fault Injection and a Proven Countermeasure PROOFS2015, Saint Malo, France Shoei Nashimoto, Naofumi Homma, Yu-ichi Hayashi and Takafumi Aoki Tohoku University, Japan GSIS, TOHOKU

535 views • 27 slides
C and C++ vulnerability exploits and countermeasures Frank Piessens

C and C++ vulnerability exploits and countermeasures Frank Piessens

C and C++ vulnerability exploits and countermeasures Frank Piessens (Frank.Piessens@cs.kuleuven.be) These slides are based on the paper: Low-level Software Security by Example by Erlingsson, Younan and Piessens KATHOLIEKE Secappdev

1.03k views • 77 slides
Preservation of Timing Properties with the Ada Ravenscar Profile Enrico Mezzetti, Marco Panunzio,

Preservation of Timing Properties with the Ada Ravenscar Profile Enrico Mezzetti, Marco Panunzio,

Preservation of Timing Properties with the Ada Ravenscar Profile Enrico Mezzetti, Marco Panunzio, Tullio Vardanega Department of Pure and Applied Mathematics University of Padova, Italy {emezzett, panunzio, tullio.vardanega}@math.unipd.it 15th

470 views • 17 slides
Buffer Overflow Vulnerabilities Exploits and Defensive Techniques Adam Butcher and Peter

Buffer Overflow Vulnerabilities Exploits and Defensive Techniques Adam Butcher and Peter

Buffer Overflow Vulnerabilities Exploits and Defensive Techniques Adam Butcher and Peter Buchlovsky 8. March 2004 University of Birmingham 1 Contents 1. Call-stacks, shellcode, gets 2. Exploits stack-based, heap-based 3. Defensive

1.56k views • 123 slides
The Rio File Cache: Surviving Operating System Crashes Peter M. Chen, Wee Teck Ng, Subhachandra

The Rio File Cache: Surviving Operating System Crashes Peter M. Chen, Wee Teck Ng, Subhachandra

The Rio File Cache: Surviving Operating System Crashes Peter M. Chen, Wee Teck Ng, Subhachandra Chandra, Christopher Aycock, Gurushankar Rajamani, David Lowell Computer Science and Engineering Division Electrical Engineering and Computer

311 views • 10 slides
PAStime: Progress-aware Scheduling for Time-critical Computing Soham Sinha , Richard West, Ahmad

PAStime: Progress-aware Scheduling for Time-critical Computing Soham Sinha , Richard West, Ahmad

PAStime: Progress-aware Scheduling for Time-critical Computing Soham Sinha , Richard West, Ahmad Golchin Department of Computer Science, Boston University, USA Introduction - Mixed-criticality Systems Traffic sign detection Object

569 views • 20 slides
Abstract Interpretation Harry Xu CS 253/INF 212 Spring 2013 Acknowledgements Many slides in

Abstract Interpretation Harry Xu CS 253/INF 212 Spring 2013 Acknowledgements Many slides in

Abstract Interpretation Harry Xu CS 253/INF 212 Spring 2013 Acknowledgements Many slides in this file were taken from the tutorial slides that Patrick Cousot used in VMCAI05 Abstract Interpretation A theory of sound approximation of

946 views • 92 slides
Smashing the Buffer Smashing the Buffer Miroslav tampar Miroslav tampar (mstampar@zsis.hr )

Smashing the Buffer Smashing the Buffer Miroslav tampar Miroslav tampar (mstampar@zsis.hr )

Smashing the Buffer Smashing the Buffer Miroslav tampar Miroslav tampar (mstampar@zsis.hr ) (mstampar@zsis.hr ) Summary BSidesVienna 2014, Vienna (Austria) November 22nd, 2014 2 Buffer overflow (a.k.a.)

462 views • 35 slides
Programming with Time for Mixed Criticality Systems Dagstuhl Seminar, March 16-20, 2015 Mixed

Programming with Time for Mixed Criticality Systems Dagstuhl Seminar, March 16-20, 2015 Mixed

Programming with Time for Mixed Criticality Systems Dagstuhl Seminar, March 16-20, 2015 Mixed Criticality on Multicore/Manycore Platforms David Broman Associate Professor, KTH Royal Institute of Technology Assistant Research Engineer,

202 views • 6 slides

More recommend