security buffer overflows and defenses
play

Security: Buffer Overflows and Defenses CS 416: Operating Systems - PowerPoint PPT Presentation

Aug 16, 2023 •395 likes •950 views

Security: Buffer Overflows and Defenses CS 416: Operating Systems Design Department of Computer Science Rutgers University http://www.cs.rutgers.edu/~vinodg/416 Buffer Overflow a very common attack mechanism from 1988 Morris Worm to Code Red,

  1. Security: Buffer Overflows and Defenses CS 416: Operating Systems Design Department of Computer Science Rutgers University http://www.cs.rutgers.edu/~vinodg/416

  2. Buffer Overflow a very common attack mechanism from 1988 Morris Worm to Code Red, Slammer, Sasser and many others prevention techniques known still of major concern due to legacy of widely deployed buggy continued careless programming techniques Rutgers University 2 CS 416: Operating Systems

  3. Buffer Overflow Basics caused by programming error allows more data to be stored than capacity available in a fixed sized buffer buffer can be on stack, heap, global data overwriting adjacent memory locations corruption of program data unexpected transfer of control memory access violation execution of code chosen by attacker Rutgers University 3 CS 416: Operating Systems

  4. Buffer overflow example int int foo( foo(void void){ ){ char char buf[10]; buf[10]; … … strcpy strcpy(buf, “hello world”); (buf, “hello world”); } int int get_user_input( get_user_input(void void){ ){ char char buf[LEN]; buf[LEN]; … … gets gets(buf); (buf); } Rutgers University 4 CS 416: Operating Systems

  5. Buffer Overflow Example int main(int argc, char *argv[]) { int valid = FALSE; char str1[8]; char str2[8]; next_tag(str1); gets(str2); if (strncmp(str1, str2, 8) == 0) valid = TRUE; printf("buffer1: str1(%s), str2(%s), valid(%d)\n", str1, str2, valid); } $ cc -g -o buffer1 buffer1.c $ ./buffer1 START buffer1: str1(START), str2(START), valid(1) $ ./buffer1 EVILINPUTVALUE buffer1: str1(TVALUE), str2(EVILINPUTVALUE), valid(0) $ ./buffer1 BADINPUTBADINPUT buffer1: str1(BADINPUT), str2(BADINPUTBADINPUT), valid(1) Rutgers University 5 CS 416: Operating Systems

  6. Buffer Overflow Attacks to exploit a buffer overflow an attacker must identify a buffer overflow vulnerability in some program inspection, tracing execution, fuzzing tools understand how buffer is stored in memory and determine potential for corruption Rutgers University 6 CS 416: Operating Systems

  7. Why are they dangerous? Can trash memory, crashing the program Can be used to hijack the program. Spawn a shell or execute code with the privileges of the program ``setuid root’’ programs are particularly dangerous if exploited. Rutgers University 7 CS 416: Operating Systems

  8. A Little Programming Language History at machine level all data an array of bytes interpretation depends on instructions used modern high-level languages have a strong notion of type and valid operations not vulnerable to buffer overflows does incur overhead, some limits on use C and related languages have high-level control structures, but allow direct access to memory hence are vulnerable to buffer overflow have a large legacy of widely used, unsafe, and hence vulnerable code Rutgers University 8 CS 416: Operating Systems

  9. Programs and Processes Rutgers University 9 CS 416: Operating Systems

  10. Process memory layout High addresses Stack Pointers Heap Globals Text Low addresses Rutgers University 10 CS 416: Operating Systems

  11. Function Calls and Stack Frames Rutgers University 11 CS 416: Operating Systems

  12. The stack void void function( function(int a, int b, intc int a, int b, intc ){ ){ char char buf1[5]; buf1[5]; char buf2[10]; char buf2[10]; … … c } b ebp ebp a Void main() { Void main() { function(1, 2, 3) function(1, 2, 3); buf1 buf1 } buf2 buf2 esp esp Rutgers University 12 CS 416: Operating Systems

  13. The stack void main() { void main() { function(1, 2, 3) function(1, 2, 3); } c b ebp ebp pushl $3 pushl $3 a pushl $2 pushl $2 pushl $1 pushl $1 call function call function pushl $3 pushl $3 pushl $2 pushl $2 esp esp pushl $1 pushl $1 call function call function Rutgers University 13 CS 416: Operating Systems

  14. A function call ebp ebp void main() { void main() { function(1, 2, 3) function(1, 2, 3); esp esp } c b pushl $3 pushl $3 a pushl $2 pushl $2 return addr return addr pushl $1 pushl $1 ebp ebp ebp ebp call function call function pushl %ebp pushl %ebp movl %esp, %ebp movl %esp, %ebp subl $20, %esp subl $20, %esp esp esp Rutgers University 14 CS 416: Operating Systems

  15. Digression: x86 tutorial pushl %ebp: Pushes ebp onto the stack. pushl %ebp: movl %esp,%ebp: Moves the current value of esp to the register ebp. movl %esp,%ebp: subl $0x4,%esp: Subtract 4 (hex) from value of esp subl $0x4,%esp: call 0x8000470 <function>: Calls the function at address call 0x8000470 <function>: 0x8000470. Also pushes the return address onto the stack. movl $0x1,0xfffffffc(%ebp): Move 0x1 into the memory pointed to movl $0x1,0xfffffffc(%ebp): by ebp - 4 leal 0xfffffffc(%ebp),%eax: Load address of the memory location leal 0xfffffffc(%ebp),%eax: pointed to by ebp -4 into eax ret: Return. Jumps to return address saved on stack. ret: nop nop Rutgers University 15 CS 416: Operating Systems

  16. Stack Buffer Overflow occurs when buffer is located on stack used by Morris Worm “Smashing the Stack” paper popularized it have local variables below saved frame pointer and return address hence overflow of a local buffer can potentially overwrite these key control items attacker overwrites return address with address of desired code program, system library or loaded in buffer Rutgers University 16 CS 416: Operating Systems

  17. A benign buffer overflow void void function( function(char *str char *str){ ){ char char buffer[16]; buffer[16]; strcpy (buffer, str); strcpy (buffer, str); str str } Return addr Return addr Saved ebp Saved ebp void main() { void main() { char largestr[256]; char largestr[256]; int i; int i; buffer buffer for (i=0;i<255;i++) { for (i=0;i<255;i++) { largestr[i] = ‘A’ largestr[i] = ‘A’ } function(largestr); function(largestr); } This program causes a segfault. Why? Rutgers University 17 CS 416: Operating Systems

  18. Stack Overflow Example void hello(char *tag) { char inp[16]; printf("Enter value for %s: ", tag); gets(inp); printf("Hello your %s is %s\n", tag, inp); } $ cc -g -o buffer2 buffer2.c $ ./buffer2 Enter value for name: Bill and Lawrie Hello your name is Bill and Lawrie buffer2 done $ ./buffer2 Enter value for name: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Segmentation fault (core dumped) $ perl -e 'print pack("H*", "414243444546474851525354555657586162636465666768 08fcffbf948304080a4e4e4e4e0a");' | ./buffer2 Enter value for name: Hello your Re?pyy]uEA is ABCDEFGHQRSTUVWXabcdefguyu Enter value for Kyyu: Hello your Kyyu is NNNN Segmentation fault (core dumped) Rutgers University 18 CS 416: Operating Systems

  19. Another Stack Overflow void getinp(char *inp, int siz) { puts("Input value: "); fgets(inp, siz, stdin); printf("buffer3 getinp read %s\n", inp); } void display(char *val) { char tmp[16]; sprintf(tmp, "read val: %s\n", val); puts(tmp); } int main(int argc, char *argv[]) { char buf[16]; getinp(buf, sizeof(buf)); display(buf); printf("buffer3 done\n"); } Rutgers University 19 CS 416: Operating Systems

  20. Another Stack Overflow $ cc -o buffer3 buffer3.c $ ./buffer3 Input value: SAFE buffer3 getinp read SAFE read val: SAFE buffer3 done $ ./buffer3 Input value: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX buffer3 getinp read XXXXXXXXXXXXXXX read val: XXXXXXXXXXXXXXX buffer3 done Segmentation fault (core dumped) Rutgers University 20 CS 416: Operating Systems

  21. Subverting control flow void void function( function(char *str char *str){ ){ char char buf1[5]; char buf2[10]; buf1[5]; char buf2[10]; int *ret; int *ret; ret = buf1 + 12; ret = buf1 + 12; *ret += 8; *ret += 8; } void main() { void main() { int x; int x; x = 0; x = 0; function(1, 2, 3); function(1, 2, 3); x = 1; x = 1; printf (“%d\n”, x); printf (“%d\n”, x); } Rutgers University 21 CS 416: Operating Systems

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a very common attack mechanism from 1988 Morris Worm to Code Red, Slammer, Sasser and many others prevention techniques known still of major concern

873 views • 53 slides
Introduction Buffer Overflows Buffer overflows were the most common form of security

Introduction Buffer Overflows Buffer overflows were the most common form of security

Introduction Buffer Overflows Buffer overflows were the most common form of security vulnerability in the 90s. Buffer overflows dominate in the area of remote network penetration vulnerabilities. CS 465 They represent one of the

651 views • 4 slides
Lab 2: Buffer Overflows Fengwei Zhang SUSTech CS 315 Computer Security 1 Buffer Overflows

Lab 2: Buffer Overflows Fengwei Zhang SUSTech CS 315 Computer Security 1 Buffer Overflows

Lab 2: Buffer Overflows Fengwei Zhang SUSTech CS 315 Computer Security 1 Buffer Overflows One of the most common vulnerabilities in software Programming languages commonly associated with buffer overflows including C and C++

1.14k views • 17 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Last time We finished up By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow defenses (and workarounds) Format string vulnerabilities Integer overflow vulnerabilities This time

1.29k views • 80 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

This time We will continue By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything youve always wanted to know about gdb but were too afraid to ask Overflow defenses Other memory

1.49k views • 117 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

This time We will continue By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything youve always wanted to know about gdb but were too afraid to ask Overflow defenses Other memory

1.23k views • 95 slides
Lab 2: Buffer Overflows Fengwei Zhang Wayne State University Course: Cyber Security Prac@ce 1

Lab 2: Buffer Overflows Fengwei Zhang Wayne State University Course: Cyber Security Prac@ce 1

Lab 2: Buffer Overflows Fengwei Zhang Wayne State University Course: Cyber Security Prac@ce 1 Buffer Overflows One of the most common vulnerabili@es in soEware Programming languages commonly associated with buffer overflows including

199 views • 17 slides
Lab 2: Buffer Overflows Fengwei Zhang Wayne State University CSC 5991 Cyber Security PracCce 1

Lab 2: Buffer Overflows Fengwei Zhang Wayne State University CSC 5991 Cyber Security PracCce 1

Lab 2: Buffer Overflows Fengwei Zhang Wayne State University CSC 5991 Cyber Security PracCce 1 Buffer Overflows One of the most common vulnerabiliCes in soGware Programming languages commonly associated with buffer overflows including

195 views • 17 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow

Last time We continued By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow attacks &amp; other vulnerabilities Overflow defenses Everything youve always wanted to know about

2.41k views • 197 slides
Prolog to Lecture 9 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

Prolog to Lecture 9 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher

Prolog to Lecture 9 CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Lecture 9 Page 1 CS 236 Online Buffer Overflows Buffer overflows are a big problem One class of defenses concentrates on not allowing attacker

767 views • 8 slides
Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Last time We continued By launching our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow fundamentals This time We will finish up By looking at Buffer Overflow overflows

1.33k views • 103 slides
CSE 484 / CSE M 584 Computer Security: Buffer Overflows

CSE 484 / CSE M 584 Computer Security: Buffer Overflows

CSE 484 / CSE M 584 Computer Security: Buffer Overflows II TA: Viktor Farkas vfarkas@cs Original slides by Franzi Lab 1 Deadline Reminders Lab

373 views • 11 slides
Buffer overflow defenses Deian Stefan Some slides adopted from Nadia Heninger, Kirill Levchenko,

Buffer overflow defenses Deian Stefan Some slides adopted from Nadia Heninger, Kirill Levchenko,

CSE 127: Computer Security Buffer overflow defenses Deian Stefan Some slides adopted from Nadia Heninger, Kirill Levchenko, Stefan Savage, and Stephen Checkoway Today: mitigating buffer overflows Lecture objectives: Understand how to

1.33k views • 130 slides
Software In-Security Buffer overflows Overview Web Application security Malware OS

Software In-Security Buffer overflows Overview Web Application security Malware OS

Lecture overview Table of contents: Introduction to SW security Software In-Security Buffer overflows Overview Web Application security Malware OS security topics Code scanning Emmanuel Benoist Taught by Ulrich

479 views • 13 slides
ASLR &amp; DEP DAVID HEAVERN Problem Statement Security Issues Buffer Overflows

ASLR &amp; DEP DAVID HEAVERN Problem Statement Security Issues Buffer Overflows

ASLR &amp; DEP DAVID HEAVERN Problem Statement Security Issues Buffer Overflows Buffer overflows are the source of many of the common vulnerabilities in modern software Caused by not checking the source length when writing to a

1.88k views • 130 slides
Computer and Information Security Fall 2020 Buffer Overflows and Software Security Tyler Bletsch

Computer and Information Security Fall 2020 Buffer Overflows and Software Security Tyler Bletsch

ECE560 Computer and Information Security Fall 2020 Buffer Overflows and Software Security Tyler Bletsch Duke University What is a Buffer Overflow? Intent Arbitrary code execution Spawn a remote shell or infect with worm/virus

983 views • 75 slides
CENG4480 Lecture 06: Sound Record Bei Yu byu@cse.cuhk.edu.hk (Latest update: October 18, 2017)

CENG4480 Lecture 06: Sound Record Bei Yu byu@cse.cuhk.edu.hk (Latest update: October 18, 2017)

CENG4480 Lecture 06: Sound Record Bei Yu byu@cse.cuhk.edu.hk (Latest update: October 18, 2017) Fall 2017 1 / 21 Overview Timer Configuration UART Configuration ADC Configuration Autocorrelation Supplementary 2 / 21 Overview Timer

712 views • 27 slides
Lecture notes for CS 433 - Chapter 2, part 2 9/26/18 Branch Prediction Buffer Strategies:

Lecture notes for CS 433 - Chapter 2, part 2 9/26/18 Branch Prediction Buffer Strategies:

Lecture notes for CS 433 - Chapter 2, part 2 9/26/18 Branch Prediction Buffer Strategies: Limitations Chapter 3 Instruction-Level Parallelism and Limitations its Exploitation (Part 3) May use bit from wrong PC Target must be known when

436 views • 4 slides
CS422 Computer Architecture Spring 2004 Lecture 13, 17 Feb 2004 Bhaskaran Raman Department of

CS422 Computer Architecture Spring 2004 Lecture 13, 17 Feb 2004 Bhaskaran Raman Department of

CS422 Computer Architecture Spring 2004 Lecture 13, 17 Feb 2004 Bhaskaran Raman Department of CSE IIT Kanpur http://web.cse.iitk.ac.in/~cs422/index.html Dynamic Scheduling Better than static scheduling Scoreboarding: Used by the

883 views • 13 slides
Computer System Overview Chapter 1 Operating System Exploits the hardware resources of one

Computer System Overview Chapter 1 Operating System Exploits the hardware resources of one

1 Computer System Overview Chapter 1 Operating System Exploits the hardware resources of one or more processors Provides a set of services to system users Manages secondary memory and I/O devices 2 Basic Elements Processor

697 views • 52 slides
Prevalent in Unit Testing? Wes Masri American University of Beirut Electrical and Computer

Prevalent in Unit Testing? Wes Masri American University of Beirut Electrical and Computer

Is Coincidental Correctness Less Prevalent in Unit Testing? Wes Masri American University of Beirut Electrical and Computer Engineering Department Outline Definitions Weak CC vs. Strong CC Causes of Coincidental Correctness

821 views • 44 slides
Symstra: A Framework for Generating Object-Oriented Unit Tests using Symbolic Execution 1 3 1

Symstra: A Framework for Generating Object-Oriented Unit Tests using Symbolic Execution 1 3 1

Symstra: A Framework for Generating Object-Oriented Unit Tests using Symbolic Execution 1 3 1 Tao Xie, Darko Marinov, Wolfram Schulte, and David Notkin 2 1 University of Washington 2 University of Illinois at Urbana-Champaign 3

709 views • 31 slides
Evolution-Aware Monitoring-Oriented Programming (eMOP) Owolabi Legunsen, Darko Marinov , and

Evolution-Aware Monitoring-Oriented Programming (eMOP) Owolabi Legunsen, Darko Marinov , and

Evolution-Aware Monitoring-Oriented Programming (eMOP) Owolabi Legunsen, Darko Marinov , and Grigore Rou ICSE 2015 (NIER Track) Florence, Italy May 21, 2015 CCF-1439957 ITI RPS #28 CCF-1012759 Monitoring-Oriented Programming (MOP)

279 views • 13 slides
What is Smoke Test? Empirical Evaluation of the Fault-detection Effectiveness of Smoke Regression

What is Smoke Test? Empirical Evaluation of the Fault-detection Effectiveness of Smoke Regression

What is Smoke Test? Empirical Evaluation of the Fault-detection Effectiveness of Smoke Regression Test Cases Smoke test for GUI-based Software Borrowed from hardware testing Qing Xie A relatively simple check to see whether the

499 views • 5 slides

More recommend