secure software programming and vulnerability analysis
play

Secure Software Programming and Vulnerability Analysis Christopher - PDF document

Mar 16, 2024 •341 likes •520 views

Automation Systems Group Secure Software Programming and Vulnerability Analysis Christopher Kruegel chris@auto.tuwien.ac.at http://www.auto.tuwien.ac.at/~chris Automation Systems Group Buffer Overflows Secure Software Programming 2

  1. Automation Systems Group Secure Software Programming and Vulnerability Analysis Christopher Kruegel chris@auto.tuwien.ac.at http://www.auto.tuwien.ac.at/~chris Automation Systems Group Buffer Overflows Secure Software Programming 2

  2. Overview Automation Systems Group • Security issues at various stages of application life-cycle – mistakes, vulnerabilities, and exploits – avoidance, detection, and defense • Architecture – security considerations when designing the application • Implementation – security considerations when writing the application • Operation – security considerations when the application is in production Secure Software Programming 3 Implementation Stage Automation Systems Group • Mistakes done while writing code – coding flaws because of • unfamiliarity with language • ignorance about security issues • unwillingness to take extra effort • Often related to particular programming language • Buffer overflows – mostly relevant for C / C++ programs – not in languages with automatic memory management – these use • dynamic bounds checks (e.g., Java) • automatic resizing of buffers (e.g., Perl) Secure Software Programming 4

  3. Buffer Overflows Automation Systems Group • Goal – change flow of control (flow of execution), and – execute arbitrary code • Requirements 1. inject attack code or attack parameters 2. abuse vulnerability and modify memory such that control flow is redirected • Change of control flow – alter a code pointer (i.e., value that influences program counter) – change memory region that should not be accessed Secure Software Programming 5 Buffer Overflows Automation Systems Group • One of the most used attack techniques • Advantages – very effective • attack code runs with privileges of exploited process – can be exploited locally and remotely • interesting for network services • Disadvantages – architecture dependent • directly inject assembler code – operating system dependent • use call system functions – some guess work involved (correct addresses) Secure Software Programming 6

  4. Buffer Overflows Automation Systems Group • Process memory regions Top of Stack – Stack segment Memory • local variables • procedure calls – Data segment • global (static) variables (bss) • dynamic variables (heap) Heap – Code (Text) segment • program instructions BSS • usually read-only Code Secure Software Programming 7 Buffer Overflows Automation Systems Group • Overflow memory region on the stack – overflow function return address • Phrack 49 -- Aleph One: Smashing the Stack for Fun and Profit • Phrack 58 -- Nergel: The advanced return-into-lib(c) exploits – overflow function frame (base) pointer • Phrack 55 -- klog: The Frame Pointer Overflow – overflow longjump buffer • Overflow (dynamically allocated) memory region on the heap – Phrack 57 -- MaXX: Vudo malloc tricks -- anonymous: Once upon a free() ... • Overflow function pointers – stack, heap, BSS (e.g., PLT) Secure Software Programming 8

  5. Stack Automation Systems Group • Usually grows towards smaller memory addresses – Intel, Motorola, SPARC, MIPS • Processor register points to top of stack – stack pointer – SP – points to last stack element or first free slot • Composed of frames – pushed on top of stack as consequence of function calls – address of current frame stored in processor register • frame/base pointer – FP – used to conveniently reference local variables Secure Software Programming 9 Stack Automation Systems Group previous frame caller code function arguments 1. push arguments return address 2. call instruction current frame callee code previous frame pointer frame pointer 1. push frame pointer 2. move stack pointer to frame pointer local variables 3. increase stack pointer stack pointer Secure Software Programming 10

  6. Buffer Overflow Automation Systems Group • Code (or parameters) get injected because – program accepts more input than there is space allocated • In particular, an array (or buffer) has not enough space – especially easy with C strings (character arrays) – plenty of vulnerable library functions strcpy, strcat, gets, fgets, sprintf .. • Input spills to adjacent regions and modifies – code pointer or application data • all the possibilities that we have enumerated before – normally, this just crashes the program (e.g., sigsegv ) Secure Software Programming 11 Buffer Overflow Automation Systems Group • Simple buffer overflow 1. create executable content, and 2. set code pointer to point to this content • Effect – causes a jump to code under our control – successfully modifies execution flow – have this code executed with privileges of running process – difficult to generate correct “payload“ – different variations for different platforms, and • assembly instructions, alignment – different operating systems • system calls Secure Software Programming 12

  7. Buffer Overflow Automation Systems Group • Advanced buffer overflow 1. set up function parameters, and 2. set code pointer to point to existing code • Effect – causes a jump to existing code with chosen arguments – also successfully modifies execution flow, but – cannot execute arbitrary code Secure Software Programming 13 Buffer Overflow Automation Systems Group • Executable content (called shell code) – usually, a shell should be started • for remote exploits - input/output redirection via socket – use system call ( execve ) to spawn shell • System calls – mechanism to ask operating system for services – transition from user mode to kernel mode – different implementations • Linux system calls – invoked by • passing arguments in registers (or on the stack) and • calling 0x80 interrupt Secure Software Programming 14

  8. Shell Code Automation Systems Group void main(int argc, char **argv) { char *name[2]; name[0] = “/bin/sh“; name[1] = NULL; execve(name[0], &name[0], &name[1]); exit(0); } int execve(char *file, char *argv[], char *env[]) file is name of program to be executed • “/bin/sh“ argv is address of null-terminated argument array • “/bin/sh“, NULL env is address of null-terminated environment array • NULL Secure Software Programming 15 Shell Code Automation Systems Group file parameter • – we need the null terminated string /bin/sh somewhere in memory argv parameter • – we need the address of the string /bin/sh somewhere in memory, – followed by a NULL word env parameter • – we need a NULL word somewhere in memory – we will reuse the null pointer at the end of argv Secure Software Programming 16

  9. Shell Code Automation Systems Group execve arguments • located at address addr /bin/sh0addr0000 env -- pointer to null-word arg -- pointer to address of null-terminated string file -- null-terminated string Secure Software Programming 17 Shell Code Automation Systems Group • Spawning the shell in assembly 1. move system call number (0x0b) into %eax 2. move address of string /bin/sh into %ebx 3. move address of the address of /bin/sh into %ecx (using lea ) 4. move address of null word into %edx 5. execute the interrupt 0x80 instruction Secure Software Programming 18

  10. Shell Code Automation Systems Group • Problem – position of code in memory is unknown – how to determine address of string address of string – we can make use of instructions using relative addressing call instruction saves IP on the stack and jumps • • Idea jmp instruction at beginning of shell code to call instruction – call instruction right before /bin/sh string – call jumps back to first instruction after jump – – now address of /bin/sh is on the stack Secure Software Programming 19 Shell Code Automation Systems Group call_addr jmp call_addr %esi holds address popl %esi of string /bin/sh Shell Code jmp_addr call jmp_addr + 1 /bin/sh0000 Secure Software Programming 20

  11. Pulling It All Together Automation Systems Group new code pointer previous frame function arguments shell code return address previous frame pointer local variables char buffer[] Secure Software Programming 21 Pulling It All Together Automation Systems Group new code pointer previous frame function arguments shell code return address previous frame pointer local variables Overflow Overflow char buffer[] Secure Software Programming 22

  12. Pulling It All Together Automation Systems Group previous frame function arguments new code pointer shell code Secure Software Programming 23 Shell Code Automation Systems Group • Shell code is usually copied into a string buffer • Problem – any null byte would stop copying � null bytes must be eliminated � Substitution mov 0x0, reg � xor reg, reg mov 0x1, reg � xor reg, reg inc reg e.g. movl 0x0, %eax � xor %eax, %eax Secure Software Programming 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Secure Programming with Static Analysis Brian Chess brian@fortify.com Software Systems that

Secure Programming with Static Analysis Brian Chess brian@fortify.com Software Systems that

Secure Programming with Static Analysis Brian Chess brian@fortify.com Software Systems that are Ubiquitous Connected Dependable Complexity Unforeseen Consequences Software Security Today The line between secure/insecure is

624 views • 48 slides
Common Vulnerability Scoring System Engineering Secure Software Last Revised: November 13, 2020

Common Vulnerability Scoring System Engineering Secure Software Last Revised: November 13, 2020

Common Vulnerability Scoring System Engineering Secure Software Last Revised: November 13, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 How Bad is Bad? Weve seen many vulnerabilities Many of them can do catastrophic

541 views • 35 slides
Meltdown Overview of a security vulnerability Stefano Ottolenghi @ Binary Analysis and Secure

Meltdown Overview of a security vulnerability Stefano Ottolenghi @ Binary Analysis and Secure

Meltdown Overview of a security vulnerability Stefano Ottolenghi @ Binary Analysis and Secure Coding Universit degli Studi di Genova December 3rd, 2018 Overview Meltdown breaks memory isolation and allows a process to read the entire

526 views • 25 slides
Meltdown Overview of a security vulnerability Stefano Ottolenghi @ Binary Analysis and Secure

Meltdown Overview of a security vulnerability Stefano Ottolenghi @ Binary Analysis and Secure

Meltdown Overview of a security vulnerability Stefano Ottolenghi @ Binary Analysis and Secure Coding Universit degli Studi di Genova December 3rd, 2018 Overview Meltdown breaks memory isolation and allows a process to read the entire

335 views • 18 slides
Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust

Engineering Secure Software The Basics of Software Security Terminology Vulnerabilities Trust Boundary Attacks Threats Application Attacker Exploit Vulnerability : a software defect with security consequences Threat : a potential danger to

1.54k views • 80 slides
INOSSEM i nsti tut de recherche Guillaume Bouffard (SSD) Vulnerability Analysis on Smart Cards

INOSSEM i nsti tut de recherche Guillaume Bouffard (SSD) Vulnerability Analysis on Smart Cards

Introduction Fault Tree Analysis An API to Mitigate the Undesirable Events Conclusion Vulnerability Analysis on Smart Cards using Fault Tree Guillaume Bouffard Bhagyalekshmy N Thampi Jean-Louis Lanet Smart Secure Devices (SSD) Team

705 views • 39 slides
CSE 291 Building Secure Systems using Programming Languages and Analysis Fall 2016 Tue/Thurs

CSE 291 Building Secure Systems using Programming Languages and Analysis Fall 2016 Tue/Thurs

CSE 291 Building Secure Systems using Programming Languages and Analysis Fall 2016 Tue/Thurs 5:00-6:20PM Deian Stefan UC San Diego Who am I? New assistant professor PhD at Stanford (Mazieres & Mitchell) I like to build secure

896 views • 50 slides
SECURE PROGRAMMING A.A. 2018/2019 TERMINOLOGY System, Social and Mobile Security SECURITY FLAWS

SECURE PROGRAMMING A.A. 2018/2019 TERMINOLOGY System, Social and Mobile Security SECURITY FLAWS

SECURE PROGRAMMING A.A. 2018/2019 TERMINOLOGY System, Social and Mobile Security SECURITY FLAWS Software engineering has long been concerned with the elimination of software defects. A software defect is the encoding of a human error into

1.75k views • 156 slides
Vulnerability Analysis Part 2 RK Shyamasundar IIT Bombay Outline Software Security

Vulnerability Analysis Part 2 RK Shyamasundar IIT Bombay Outline Software Security

Vulnerability Analysis Part 2 RK Shyamasundar IIT Bombay Outline Software Security Web Application Security Buffer Overflow Web content security: SSL Buffer Overflow Phishing attacks mitigation techniques

1.51k views • 84 slides
Programming Languages and Analyses for Reliable, Available, and Secure Software Michael Hicks

Programming Languages and Analyses for Reliable, Available, and Secure Software Michael Hicks

Programming Languages and Analyses for Reliable, Available, and Secure Software Michael Hicks University of Maryland, College Park Tuesday, September 25, 2012 Software runs the world 2 Tuesday, September 25, 2012 Software runs the world

1.89k views • 132 slides
Secure C Programming: Memory Management Lucas Cordeiro Department of Computer Science

Secure C Programming: Memory Management Lucas Cordeiro Department of Computer Science

Systems and Software Verification Laboratory Secure C Programming: Memory Management Lucas Cordeiro Department of Computer Science lucas.cordeiro@manchester.ac.uk Secure C Programming Lucas Cordeiro (Formal Methods Group)

1.63k views • 144 slides
What is Secure? Engineering Secure Software Last Revised: August 19, 2020 SWEN-331: Engineering

What is Secure? Engineering Secure Software Last Revised: August 19, 2020 SWEN-331: Engineering

What is Secure? Engineering Secure Software Last Revised: August 19, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Recent Security Incidents Garmin Ransomware -- $10 million Sync servers down for many days

506 views • 21 slides
Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1

Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1

Vulnerability Analysis and Food Aid W orking Group Chaired by W FP/ VAM Unit Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1 Overview 1 . Methodology of the VA 2 0 0 4 2 . Highlights of

703 views • 28 slides
Defensive Coding Techniques (Pt. 1) Engineering Secure Software Last Revised: September 21, 2020

Defensive Coding Techniques (Pt. 1) Engineering Secure Software Last Revised: September 21, 2020

Defensive Coding Techniques (Pt. 1) Engineering Secure Software Last Revised: September 21, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 Defensive Coding vs. Risk Analysis Risk Analysis All about domain, assets,

561 views • 24 slides
Vulnerability Analysis Chapter 24 Computer Security: Art and Science , 2 nd Edition Version 1.0

Vulnerability Analysis Chapter 24 Computer Security: Art and Science , 2 nd Edition Version 1.0

Vulnerability Analysis Chapter 24 Computer Security: Art and Science , 2 nd Edition Version 1.0 Slide 24-1 Overview What is a vulnerability? Penetration studies Flaw Hypothesis Methodology Other methodologies Vulnerability

1.76k views • 148 slides
Software Vulnerability I Presenter: Yinzhi Cao Lehigh University Overview Buffer Overflow

Software Vulnerability I Presenter: Yinzhi Cao Lehigh University Overview Buffer Overflow

CSE350/450 Lehigh University Fall 2016 Software Vulnerability I Presenter: Yinzhi Cao Lehigh University Overview Buffer Overflow Shellcode Heap Overflow Format Strings Return-oriented Programming Metasploit 101 Anatomy of the Stack

1.83k views • 124 slides
CS 241 Data Organization Buffer Overflows December 4, 2018 The Problem Exploitation Use

CS 241 Data Organization Buffer Overflows December 4, 2018 The Problem Exploitation Use

CS 241 Data Organization Buffer Overflows December 4, 2018 The Problem Exploitation Use large strings (or other datatypes) to overflow a buffer Craft input to make the server do whatever you want Easy to crash a program Harder

256 views • 11 slides
Lecture 05 Integer overflow Stephen Checkoway University of Illinois at Chicago Unsafe

Lecture 05 Integer overflow Stephen Checkoway University of Illinois at Chicago Unsafe

Lecture 05 Integer overflow Stephen Checkoway University of Illinois at Chicago Unsafe functions in libc strcpy strcat gets scanf family (fscanf, sscanf, etc.) (rare) printf family (more about these later) memcpy (need

573 views • 18 slides
Part II Lets make it real Memory Layout of a Process In reality Addresses are written in

Part II Lets make it real Memory Layout of a Process In reality Addresses are written in

Part II Lets make it real Memory Layout of a Process In reality Addresses are written in hexadecimal: For instance, consider the assembly code for IE(): 0x08048428 <+0>: push %ebp 0x08048429 <+1>: mov %esp,%ebp

582 views • 31 slides
Vulnerabilities in C/C++ programs Part I TDDC90 Software Security Ulf Kargn Department

Vulnerabilities in C/C++ programs Part I TDDC90 Software Security Ulf Kargn Department

Vulnerabilities in C/C++ programs Part I TDDC90 Software Security Ulf Kargn Department of Computer and Information Science (IDA) Division for Database and Information Techniques (ADIT) Vulnerabilities in C-based languages

633 views • 59 slides
References Smashing the stack for fun and profit http://phrack.org/issues/49/14.html

References Smashing the stack for fun and profit http://phrack.org/issues/49/14.html

References Smashing the stack for fun and profit http://phrack.org/issues/49/14.html Exploiting format string vulnerabilities https://crypto.stanford.edu/cs155/papers/for matstring-1.2.pdf Once upon a free()

427 views • 19 slides
Reorder Buffer Implementation (Pentium Pro) Hardware data structures retirement register

Reorder Buffer Implementation (Pentium Pro) Hardware data structures retirement register

Reorder Buffer Implementation (Pentium Pro) Hardware data structures retirement register file (RRF) (~ IBM 360/91 physical registers) physical register file that is the same size as the architectural registers holds values of

403 views • 12 slides
Register Renaming & Out-of-Order Execution Nima Honarmand Spring 2016 :: CSE 502

Register Renaming & Out-of-Order Execution Nima Honarmand Spring 2016 :: CSE 502

Spring 2016 :: CSE 502 Computer Architecture Register Renaming & Out-of-Order Execution Nima Honarmand Spring 2016 :: CSE 502 Computer Architecture OoO Execution (1/3) Dynamic scheduling Totally in the hardware Also

681 views • 37 slides
Introduc>on to MARIE 2 Schedule Today and Monday 13

Introduc>on to MARIE 2 Schedule Today and Monday 13

Computer Systems and Networks ECPE 170 Jeff Shafer University of the Pacific Introduc>on to MARIE 2 Schedule Today and Monday

964 views • 28 slides

More recommend