software security buffer overflow attacks
play

Software Security: Buffer Overflow Attacks Autumn 2020 Franziska - PowerPoint PPT Presentation

Aug 28, 2022 •211 likes •517 views

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks Autumn 2020 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

  1. CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks Autumn 2020 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

  2. Announcements • Things Due: – Ethics form: Due Wednesday – Homework #1: Due Friday • Office Hours: – Now scheduled, see course website – Via Zoom � find links on Canvas – Mine are right after class today (and all Mondays) • Lab 1 coming up! – We will be sending out a sign-up form today – Section this week will be very important for lab 1 • Zoom Breakouts – You can join self- �elec�ed �Zoom Breako��� gro�p� in Can�a�� I �ill ��ar� using them Wednesday � keep scrolling in Canvas until that group set loads 10/5/2020 CSE 484 / CSE M 584 - Autumn 2020 2

  3. TOWARDS DEFENSES 10/5/2020 CSE 484 / CSE M 584 - Autumn 2020 3

  4. Approaches to Security • Prevention – Stop an attack • Detection – Detect an ongoing or past attack • Response – Respond to attacks • The threat of a response may be enough to deter some attackers 10/5/2020 CSE 484 / CSE M 584 - Autumn 2020 4

  5. Whole System is Critical • Securing a system involves a whole-system view – Cryptography – Implementation – People – Physical security – Everything in between • Thi� i� beca��e ��ec�ri�� i� onl� a� ��rong a� �he �eake�� link�� and �ec�ri�� can fail in man� place� – No reason to attack the strongest part of a system if you can walk right around it. 10/5/2020 CSE 484 / CSE M 584 - Autumn 2020 5

  6. Whole System is Critical • Securing a system involves a whole-system view – Cryptography – Implementation – People – Physical security – Everything in between • Thi� i� beca��e ��ec�ri�� i� onl� a� ��rong a� �he �eake�� link�� and �ec�ri�� can fail in man� place� – No reason to attack the strongest part of a system if you can walk right around it. 10/5/2020 CSE 484 / CSE M 584 - Autumn 2020 6

  7. Whole System is Critical • Securing a system involves a whole-system view – Cryptography – Implementation – People – Physical security – Everything in between • Thi� i� beca��e ��ec�ri�� i� onl� a� ��rong a� �he �eake�� link�� and �ec�ri�� can fail in man� place� – No reason to attack the strongest part of a system if you can walk right around it. 10/5/2020 CSE 484 / CSE M 584 - Autumn 2020 7

  8. Attacker�s As�mmetric Advantage 10/5/2020 CSE 484 / CSE M 584 - Autumn 2020 8

  9. Attacker�s As�mmetric Advantage • Attacker only needs to win in one place • Defender�� re�pon�e� Defense in depth 10/5/2020 CSE 484 / CSE M 584 - Autumn 2020 9

  10. From Policy to Implementation • Af�er �o���e fig�red o�� �ha� �ec�ri�� mean� �o your application, there are still challenges: – Requirements bugs • Incorrect or problematic goals – Design bugs • Poor use of cryptography • Poor sources of randomness • ... – Implementation bugs • Buffer overflow attacks • ... – Is the system usable ? 10/5/2020 CSE 484 / CSE M 584 - Autumn 2020 10

  11. Many Participants • Many parties involved – System developers – Companies deploying the system – The end users – The adversaries (possibly one of the above) • Different parties have different goals – System developers and companies may wish to optimize cost – End users may desire security, privacy, and usability – But the relationship between these goals is quite complex (will customers choose features or security?) 10/5/2020 CSE 484 / CSE M 584 - Autumn 2020 11

  12. Better News • There are a lot of defense mechanisms – We�ll ���d� �ome� b�� b� no mean� all� in �hi� course • I��� impor�an� �o �nder��and �heir limi�a�ion� – �If �o� �hink cr�p�ograph� �ill �ol�e �o�r problem� �hen �o� don�� �nder��and cr�p�ograph�� and �o� don�� �nder��and �o�r problem� -- Bruce Schneier 10/5/2020 CSE 484 / CSE M 584 - Autumn 2020 12

  13. SOFTWARE SECURITY 10/5/2020 CSE 484 / CSE M 584 - Autumn 2020 13

  14. Adversarial Failures • Software bugs are bad – Consequences can be serious • Even worse when an intelligent adversary wishes to exploit them! – In�elligen� ad�er�arie�� Force b�g� in�o � worst possible � conditions/states – Intelligent adversaries: Pick their targets • Buffer overflows bugs: Big class of bugs – Normal conditions: Can sometimes cause systems to fail – Adversarial conditions: Attacker able to violate security of your system (control, obtain private information, ...) 10/5/2020 CSE 484 / CSE M 584 - Autumn 2020 14

  15. BUFFER OVERFLOWS 10/5/2020 CSE 484 / CSE M 584 - Autumn 2020 15

  16. A Bit of History: Morris Worm • Worm was released in 1988 by Robert Morris – Graduate student at Cornell, son of NSA chief scientist – Convicted under Computer Fraud and Abuse Act, 3 years probation and 400 hours of community service – Now an EECS professor at MIT • Worm was intended to propagate slowly and harmlessly measure the size of the Internet • Due to a coding error, it created new copies as fast as it could and overloaded infected machines • $10-100M worth of damage 10/5/2020 CSE 484 / CSE M 584 - Autumn 2020 16

  17. Morris Worm and Buffer Overflow • One of �he �orm�� propaga�ion �echniq�e� �a� a buffer overflow attack against a vulnerable version of fingerd on VAX systems – By sending special string to finger daemon, worm caused it to execute code creating a new worm copy Buffer overflows remain a common source of vulnerabilities and exploits today! (Especially in embedded systems.) 10/5/2020 CSE 484 / CSE M 584 - Autumn 2020 17

  18. Attacks on Memory Buffers • Buffer is a pre-defined data storage area inside computer memory (stack or heap) • Typical situation: – A function takes some input that it writes into a pre- allocated buffer. – The developer forgets to check that the size of the input i�n�� larger �han �he �i�e of �he b�ffer� – Uh oh. • �Normal� bad inp��� cra�h • �Ad�er�arial� bad inp�� � �ake con�rol of e�ec��ion 10/5/2020 CSE 484 / CSE M 584 - Autumn 2020 20

  19. Stack Buffers buf uh oh! • Suppose Web server contains this function void func(char *str) { char buf[126]; ... strcpy(buf,str); ... } • No bounds checking on strcpy() • If str is longer than 126 bytes – Program may crash – Attacker may change program behavior 10/5/2020 CSE 484 / CSE M 584 - Autumn 2020 21

  20. Example: Changing Flags buf authenticated 1 ( :-) ! ) 1 • Suppose Web server contains this function void func(char *str) { char buf[126]; ... strcpy(buf,str); ... } • Authenticated variable non-zero when user has extra privileges • Morris worm also overflowed a buffer to overwrite an authenticated flag in fingerd 10/5/2020 CSE 484 / CSE M 584 - Autumn 2020 22

  21. Memory Layout • Text region: Executable code of the program • Heap: Dynamically allocated data • Stack: Local variables, function return addresses; grows and shrinks as functions are called and return Top Bottom Text region Heap Stack Addr 0x00...0 Addr 0xFF...F 10/5/2020 CSE 484 / CSE M 584 - Autumn 2020 23

  22. Stack Buffers • Suppose Web server contains this function: void func(char *str) { Allocate local buffer (126 bytes reserved on stack) char buf[126]; strcpy(buf,str); Copy argument into local buffer } • When this function is invoked, a new frame (activation record) is pushed onto the stack. buf Saved FP ret/IP str Caller�s frame Addr 0xFF...F Local variables Args Execute code at this address after func() finishes 10/5/2020 CSE 484 / CSE M 584 - Autumn 2020 24

  23. What if Buffer is Overstuffed? • Memory pointed to by str i� copied on�o ��ack� void func(char *str) { char buf[126]; strcpy does NOT check whether the string strcpy(buf,str); at *str contains fewer than 126 characters } • If a string longer than 126 bytes is copied into buffer, it will overwrite adjacent stack locations. This will be interpreted as return address! buf Saved FP ret/IP str Caller�s frame Addr 0xFF...F Local variables Args 10/5/2020 CSE 484 / CSE M 584 - Autumn 2020 25

  24. Executing Attack Code • Suppose buffer contains attacker-created string – For example, str points to a string received from the network as the URL e�ec���bin�sh�� buf Saved FP ret/IP Caller�s stack frame str Caller�s frame Addr 0xFF...F Attacker puts actual assembly In the overflow, a pointer back into the instructions into his input string, e.g., buffer appears in the location where the binary code of e�ec�e���bin��h�� system expects to find return address • When function exits, code in the buffer will be executed, giving attacker a shell �“shellcode�� – Root shell if the victim program is setuid root 10/5/2020 CSE 484 / CSE M 584 - Autumn 2020 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Software Security: Buffer Overflow Attacks Fall 2017 Franziska (Franzi) Roesner

Software Security: Buffer Overflow Attacks Fall 2017 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

703 views • 27 slides
Software Security: Buffer Overflow Attacks (continued) Fall 2016 Ada (Adam) Lerner

Software Security: Buffer Overflow Attacks (continued) Fall 2016 Ada (Adam) Lerner

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno,

577 views • 43 slides
Software Security: Buffer Overflow Attacks Fall 2016 Adam (Ada) Lerner lerner@cs.washington.edu

Software Security: Buffer Overflow Attacks Fall 2016 Adam (Ada) Lerner lerner@cs.washington.edu

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks Fall 2016 Adam (Ada) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John

559 views • 41 slides
Vulnerability Analysis Part 2 RK Shyamasundar IIT Bombay Outline Software Security

Vulnerability Analysis Part 2 RK Shyamasundar IIT Bombay Outline Software Security

Vulnerability Analysis Part 2 RK Shyamasundar IIT Bombay Outline Software Security Web Application Security Buffer Overflow Web content security: SSL Buffer Overflow Phishing attacks mitigation techniques

1.51k views • 84 slides
Software Security Explorative Lecture A brief history of security problems attacks on

Software Security Explorative Lecture A brief history of security problems attacks on

1/30/2020 Software Security Explorative Lecture A brief history of security problems attacks on multi-user UNIX systems for fun viruses & worms attacking operating systems due to buffer overflow, format string attacks, integer

477 views • 37 slides
Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Last time We continued By launching our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow fundamentals This time We will finish up By looking at Buffer Overflow overflows

1.33k views • 103 slides
Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner

Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

760 views • 23 slides
Software Security: Buffer Overflow Defenses Autumn 2020 Franziska (Franzi) Roesner

Software Security: Buffer Overflow Defenses Autumn 2020 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Autumn 2020 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

234 views • 22 slides
IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A

IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A

IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold.

221 views • 3 slides
Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a very common attack mechanism from 1988 Morris Worm to Code Red, Slammer, Sasser and many others prevention techniques known still of major concern

873 views • 53 slides
Buffer Software Security overflows and other memory safety vulnerabilities History

Buffer Software Security overflows and other memory safety vulnerabilities History

This time We will begin By investigating our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Software security Security is a form

2.11k views • 190 slides
History of the Stack Overflow Buffer Overflow Understood

History of the Stack Overflow Buffer Overflow Understood

History of the Stack Overflow Buffer Overflow Understood as early as 1972 Computer Security Technology Planning Study Morris Worm First

1.07k views • 42 slides
ECE590 Computer and Information Security Fall 2018 Buffer Overflows and Software Security Tyler

ECE590 Computer and Information Security Fall 2018 Buffer Overflows and Software Security Tyler

ECE590 Computer and Information Security Fall 2018 Buffer Overflows and Software Security Tyler Bletsch Duke University What is a Buffer Overflow? Intent Arbitrary code execution Spawn a remote shell or infect with worm/virus

1.26k views • 76 slides
Computer and Information Security Fall 2020 Buffer Overflows and Software Security Tyler Bletsch

Computer and Information Security Fall 2020 Buffer Overflows and Software Security Tyler Bletsch

ECE560 Computer and Information Security Fall 2020 Buffer Overflows and Software Security Tyler Bletsch Duke University What is a Buffer Overflow? Intent Arbitrary code execution Spawn a remote shell or infect with worm/virus

983 views • 75 slides
Buffer Software Security overflows and other memory safety vulnerabilities History

Buffer Software Security overflows and other memory safety vulnerabilities History

This time We will begin By investigating our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Analyzing security Security

1.41k views • 107 slides
VOTD: Buffer Overflow Engineering Secure Software Last Revised: August 17, 2020 SWEN-331:

VOTD: Buffer Overflow Engineering Secure Software Last Revised: August 17, 2020 SWEN-331:

VOTD: Buffer Overflow Engineering Secure Software Last Revised: August 17, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 What is Buffer Overflow? Writing data outside of the intended buffer (memory space) SWEN-331:

298 views • 6 slides
ERP Plenary July 2015 CO 2 Enhanced Oil Recovery Richard Heap July 2015 Energy Research

ERP Plenary July 2015 CO 2 Enhanced Oil Recovery Richard Heap July 2015 Energy Research

ERP Plenary July 2015 CO 2 Enhanced Oil Recovery Richard Heap July 2015 Energy Research Partnership Energy Research Partnership Outline Technical challenges CO 2 -EOR is not easy, and expensive Synchronisation issue Timing of

1.41k views • 16 slides
(Partially Specified) Secure Channels Tom Shrimpton University of Florida Summer School on Real

(Partially Specified) Secure Channels Tom Shrimpton University of Florida Summer School on Real

(Partially Specified) Secure Channels Tom Shrimpton University of Florida Summer School on Real World Crypto and Privacy (June 14, 2018) Prologue: Review of AE Authenticated Encryption M M Prologue: Review of AE Probabilistic or

925 views • 60 slides
Lecture 14 Lecture 14 2. B inary R epresentation What is a file? 3. H ardw are and S

Lecture 14 Lecture 14 2. B inary R epresentation What is a file? 3. H ardw are and S

1. Introduction Lecture 14 Lecture 14 2. B inary R epresentation What is a file? 3. H ardw are and S oftw are 4. H igh Level Languages 5. S tandard input and output A file is data stored in secondary storage 6. Operators,

216 views • 3 slides
Compilers Nikos Papaspyrou Kostis Sagonas nickie@softlab.ntua.gr kostis@cs.ntua.gr National

Compilers Nikos Papaspyrou Kostis Sagonas nickie@softlab.ntua.gr kostis@cs.ntua.gr National

Compilers Nikos Papaspyrou Kostis Sagonas nickie@softlab.ntua.gr kostis@cs.ntua.gr National Technical University of Athens School of Electrical and Computer Engineering Software Engineering Laboratory Polytechnioupoli, 15780 Zografou,

1.3k views • 79 slides
The Mode Decision INST 154 Apollo at 50 Lunar Orbit Rendezvous Four Bad Ideas Direct Ascent

The Mode Decision INST 154 Apollo at 50 Lunar Orbit Rendezvous Four Bad Ideas Direct Ascent

The Mode Decision INST 154 Apollo at 50 Lunar Orbit Rendezvous Four Bad Ideas Direct Ascent Required an enormous rocket and made the landing much more difficult Earth Orbit Rendezvous, then Direct Ascent Required salvo launches

131 views • 12 slides
FCoE over TRILL draft-mme-trill-fcoe-00 http://tools.ietf.org/html/draft-mme-trill-fcoe-00

FCoE over TRILL draft-mme-trill-fcoe-00 http://tools.ietf.org/html/draft-mme-trill-fcoe-00

FCoE over TRILL draft-mme-trill-fcoe-00 http://tools.ietf.org/html/draft-mme-trill-fcoe-00 Informational David Melman Marvell Tal Mizrahi Marvell Donald Eastlake, 3rd Huawei IETF Meeting 81, July 2011 Background } FCoE Fibre

198 views • 9 slides
Assembly Language Programming Cracking and security Zbigniew Jurkiewicz, Instytut Informatyki UW

Assembly Language Programming Cracking and security Zbigniew Jurkiewicz, Instytut Informatyki UW

Assembly Language Programming Cracking and security Zbigniew Jurkiewicz, Instytut Informatyki UW January 21, 2018 Zbigniew Jurkiewicz, Instytut Informatyki UW Assembly Language Programming Cracking and security Memory page protection The

723 views • 17 slides
EPIMORPHISMS IN CERTAIN VARIETIES OF PARTIALLY ORDERED SEMIGROUPS SOHAIL NASIR Dedicated to my

EPIMORPHISMS IN CERTAIN VARIETIES OF PARTIALLY ORDERED SEMIGROUPS SOHAIL NASIR Dedicated to my

EPIMORPHISMS IN CERTAIN VARIETIES OF PARTIALLY ORDERED SEMIGROUPS SOHAIL NASIR Dedicated to my school teacher, Mr. N.M. Kazmi. 1. Priliminaries A partially ordered semigroup, briey posemigroup , is a semigroup S endowed with a partial order

185 views • 6 slides

More recommend