software security buffer overflow attacks
play

Software Security: Buffer Overflow Attacks (continued) Fall 2016 - PowerPoint PPT Presentation

Dec 01, 2022 •133 likes •577 views

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno,

  1. CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

  2. Security Mindset Anecdotes 10/13/16 CSE 484 / CSE M 584 - Fall 2016 2

  3. Security Mindset Anecdotes • Ant farm 10/13/16 CSE 484 / CSE M 584 - Fall 2016 3

  4. Looking Forward • Today: More buffer overflows + defenses • Next week: Starting cryptography! 10/13/16 CSE 484 / CSE M 584 - Fall 2016 4

  5. Lab 1 • It’s hard! That’s normal. • Both the conceptual stuff AND the mechanics of it (acronyms, gdb, C hacking) are hard! 10/13/16 CSE 484 / CSE M 584 - Fall 2016 5

  6. Last Time: Basic Buffer Overflows • Many of you have done basic buffer overflows before • In this class, we go way deeper, exploring some much more sophisticated ways of exploiting systems from even small amounts of control 10/13/16 CSE 484 / CSE M 584 - Fall 2016 6

  7. Last Time: Basic Buffer Overflows • Memory pointed to by str is copied onto stack… void func(char *str) { char buf[126]; strcpy does NOT check whether the string at *str contains fewer than 126 characters strcpy(buf,str); } • If a string longer than 126 bytes is copied into buffer, it will overwrite adjacent stack locations. This will be interpreted as return address! buf Saved FP ret/IP str Caller’s frame Addr 0xFF...F Local variables Args 10/13/16 CSE 484 / CSE M 584 - Fall 2016 7

  8. Another Variant: Function Pointer Overflow • C uses function pointers for callbacks: if pointer to F is stored in memory location P, then another function G can call F as (*P)(…) Buffer with attacker-supplied Callback input string pointer Heap attack code overflow Legitimate function F (elsewhere in memory) 10/13/16 CSE 484 / CSE M 584 - Fall 2016 8

  9. Other Overflow Targets • Format strings in C – More details today • Heap management structures used by malloc() – More details in section • These are all attacks you can look forward to in Lab #1 J 10/13/16 CSE 484 / CSE M 584 - Fall 2016 9

  10. Variable Arguments in C • In C, can define a function with a variable number of arguments – Example: void printf(const char* format, …) • Examples of usage: Format specification encoded by special % characters %d,%i,%o,%u,%x,%X – integer argument %s – string argument %p – pointer argument (void *) Several others 10/13/16 CSE 484 / CSE M 584 - Fall 2016 10

  11. Format Strings in C • Proper use of printf format string: int foo = 1234; printf(“foo = %d in decimal, %X in hex”,foo,foo); This will print: foo = 1234 in decimal, 4D2 in hex What happens if buffer • Sloppy use of printf format string: contains format symbols char buf[14] = “Hello, world!”; starting with % ??? printf(buf); // should’ve used printf(“%s”, buf); 10/13/16 CSE 484 / CSE M 584 - Fall 2016 11

  12. Implementation of Variable Args • Special functions va_start, va_arg, va_end compute arguments at run-time printf has an internal stack pointer 10/13/16 CSE 484 / CSE M 584 - Fall 2016 12

  13. Format Strings in C • Proper use of printf format string: int foo=1234; printf(“foo = %d in decimal, %X in hex”,foo,foo); This will print: foo = 1234 in decimal, 4D2 in hex What happens if buffer • Sloppy use of printf format string: contains format symbols char buf[14] = “Hello, world!”; starting with % ??? printf(buf); // should’ve used printf(“%s”, buf); 10/13/16 CSE 484 / CSE M 584 - Fall 2016 13

  14. Format Strings in C • Proper use of printf format string: If the buffer contains format symbols starting with %, the location pointed to by printf’s internal stack pointer will be int foo=1234; interpreted as an argument of printf. printf(“foo = %d in decimal, %X in hex”,foo,foo); This will print: This can be exploited to move printf’s internal stack pointer! foo = 1234 in decimal, 4D2 in hex What happens if buffer • Sloppy use of printf format string: contains format symbols char buf[14] = “Hello, world!”; starting with % ??? printf(buf); // should’ve used printf(“%s”, buf); 10/13/16 CSE 484 / CSE M 584 - Fall 2016 14

  15. Viewing Memory • %x format symbol tells printf to output data on stack printf(“Here is an int: %x”,i); • What if printf does not have an argument? char buf[16]=“Here is an int: %x”; printf(buf); – Stack location pointed to by printf’s internal stack pointer will be interpreted as an int. (What if crypto key, password, ...?) • Or what about: char buf[16]=“Here is a string: %s”; printf(buf); – Stack location pointed to by printf’s internal stack pointer will be interpreted as a pointer to a string 10/13/16 CSE 484 / CSE M 584 - Fall 2016 15

  16. Viewing Memory • %x format symbol tells printf to output data on stack printf(“Here is an int: %x”,i); • What if printf does not have an argument? char buf[16]=“Here is an int: %x”; printf(buf); – Stack location pointed to by printf’s internal stack pointer will be interpreted as an int. (What if crypto key, password, ...?) • Or what about: char buf[16]=“Here is a string: %s”; printf(buf); – Stack location pointed to by printf’s internal stack pointer will be interpreted as a pointer to a string 10/13/16 CSE 484 / CSE M 584 - Fall 2016 16

  17. Writing Stack with Format Strings • %n format symbol tells printf to write the number of characters that have been printed printf(“Overflow this!%n”,&myVar); – Argument of printf is interpeted as destination address – This writes 14 into myVar (“Overflow this!” has 14 characters) • What if printf does not have an argument? char buf[16]=“Overflow this!%n”; printf(buf); – Stack location pointed to by printf’s internal stack pointer will be interpreted as address into which the number of characters will be written. 10/13/16 CSE 484 / CSE M 584 - Fall 2016 17

  18. Using %n to Overwrite Return Address RET • Tools: – incrementing printf’s internal stack pointer – writing # characters printed to memory location 10/13/16 CSE 484 / CSE M 584 - Fall 2016 18

  19. Using %n to Overwrite Return Address This portion contains enough % symbols to advance printf’s Buffer with attacker-supplied internal stack pointer input string &RET “ … attackString%n ” , attack code RET Number of characters in When %n happens, make sure the location Return attackString must be under printf’s stack pointer contains address execution to equal to … what? of RET; %n will write the number of characters this address In attackString into RET C allows you to concisely specify the “width” to print, causing printf to pad by printing additional blank characters without reading anything else off the stack. Example: printf(“%5d”, 10) will print three spaces followed by the integer: “ 10” That is, %n will print 5, not 2. Key idea: do this 4 times with the right numbers to overwrite the return address byte-by-byte. (4x %n to write into &RET, &RET+1, &RET+2, &RET+3) 10/13/16 CSE 484 / CSE M 584 - Fall 2016 19

  20. Recommended Reading • It will be hard to do Lab 1 without reading: – Smashing the Stack for Fun and Profit – Exploiting Format String Vulnerabilities • Links to these readings are posted on the course schedule. 10/13/16 CSE 484 / CSE M 584 - Fall 2016 20

  21. Buffer Overflow: Causes and Cures • Typical memory exploit involves code injection – Put malicious code at a predictable location in memory, usually masquerading as data – Trick vulnerable program into passing control to it • Answer Q2 on your worksheet 10/13/16 CSE 484 / CSE M 584 - Fall 2016 21

  22. Buffer Overflow: Causes and Cures • Typical memory exploit involves code injection – Put malicious code at a predictable location in memory, usually masquerading as data – Trick vulnerable program into passing control to it • We’ll talk about a few defenses today: 1. Prevent execution of untrusted code 2. Stack “canaries” 3. Encrypt pointers 4. Address space layout randomization 10/13/16 CSE 484 / CSE M 584 - Fall 2016 22

  23. W ⊕ X / DEP • Mark all writeable memory locations as non- executable – Example: Microsoft’s Data Execution Prevention (DEP) – This blocks (almost) all code injection exploits • Hardware support – AMD “NX” bit, Intel “XD” bit (in post-2004 CPUs) – Makes memory page non-executable • Widely deployed – Windows (since XP SP2), Linux (via PaX patches), OS X (since 10.5) 10/13/16 CSE 484 / CSE M 584 - Fall 2016 23

  24. What Does W ⊕ X Not Prevent? • Can still corrupt stack … – … or function pointers or critical data on the heap • As long as “saved EIP” points into existing code, W ⊕ X protection will not block control transfer • This is the basis of return-to-libc exploits – Overwrite saved EIP with address of any library routine, arrange stack to look like arguments • Does not look like a huge threat – Attacker cannot execute arbitrary code, especially if system() is not available 10/13/16 CSE 484 / CSE M 584 - Fall 2016 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Software Security: Buffer Overflow Attacks Autumn 2020 Franziska (Franzi) Roesner

Software Security: Buffer Overflow Attacks Autumn 2020 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks Autumn 2020 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

517 views • 29 slides
Software Security: Buffer Overflow Attacks Fall 2017 Franziska (Franzi) Roesner

Software Security: Buffer Overflow Attacks Fall 2017 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

703 views • 27 slides
Software Security: Buffer Overflow Attacks Fall 2016 Adam (Ada) Lerner lerner@cs.washington.edu

Software Security: Buffer Overflow Attacks Fall 2016 Adam (Ada) Lerner lerner@cs.washington.edu

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks Fall 2016 Adam (Ada) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John

559 views • 41 slides
Vulnerability Analysis Part 2 RK Shyamasundar IIT Bombay Outline Software Security

Vulnerability Analysis Part 2 RK Shyamasundar IIT Bombay Outline Software Security

Vulnerability Analysis Part 2 RK Shyamasundar IIT Bombay Outline Software Security Web Application Security Buffer Overflow Web content security: SSL Buffer Overflow Phishing attacks mitigation techniques

1.51k views • 84 slides
Software Security Explorative Lecture A brief history of security problems attacks on

Software Security Explorative Lecture A brief history of security problems attacks on

1/30/2020 Software Security Explorative Lecture A brief history of security problems attacks on multi-user UNIX systems for fun viruses & worms attacking operating systems due to buffer overflow, format string attacks, integer

477 views • 37 slides
Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Last time We continued By launching our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow fundamentals This time We will finish up By looking at Buffer Overflow overflows

1.33k views • 103 slides
Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner

Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

760 views • 23 slides
Software Security: Buffer Overflow Defenses Autumn 2020 Franziska (Franzi) Roesner

Software Security: Buffer Overflow Defenses Autumn 2020 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Autumn 2020 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

234 views • 22 slides
IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A

IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A

IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold.

221 views • 3 slides
Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a very common attack mechanism from 1988 Morris Worm to Code Red, Slammer, Sasser and many others prevention techniques known still of major concern

873 views • 53 slides
Buffer Software Security overflows and other memory safety vulnerabilities History

Buffer Software Security overflows and other memory safety vulnerabilities History

This time We will begin By investigating our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Software security Security is a form

2.11k views • 190 slides
History of the Stack Overflow Buffer Overflow Understood

History of the Stack Overflow Buffer Overflow Understood

History of the Stack Overflow Buffer Overflow Understood as early as 1972 Computer Security Technology Planning Study Morris Worm First

1.07k views • 42 slides
ECE590 Computer and Information Security Fall 2018 Buffer Overflows and Software Security Tyler

ECE590 Computer and Information Security Fall 2018 Buffer Overflows and Software Security Tyler

ECE590 Computer and Information Security Fall 2018 Buffer Overflows and Software Security Tyler Bletsch Duke University What is a Buffer Overflow? Intent Arbitrary code execution Spawn a remote shell or infect with worm/virus

1.26k views • 76 slides
Computer and Information Security Fall 2020 Buffer Overflows and Software Security Tyler Bletsch

Computer and Information Security Fall 2020 Buffer Overflows and Software Security Tyler Bletsch

ECE560 Computer and Information Security Fall 2020 Buffer Overflows and Software Security Tyler Bletsch Duke University What is a Buffer Overflow? Intent Arbitrary code execution Spawn a remote shell or infect with worm/virus

983 views • 75 slides
Buffer Software Security overflows and other memory safety vulnerabilities History

Buffer Software Security overflows and other memory safety vulnerabilities History

This time We will begin By investigating our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Analyzing security Security

1.41k views • 107 slides
VOTD: Buffer Overflow Engineering Secure Software Last Revised: August 17, 2020 SWEN-331:

VOTD: Buffer Overflow Engineering Secure Software Last Revised: August 17, 2020 SWEN-331:

VOTD: Buffer Overflow Engineering Secure Software Last Revised: August 17, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 What is Buffer Overflow? Writing data outside of the intended buffer (memory space) SWEN-331:

298 views • 6 slides
CPSC 213 for Java and C programs you will trace, write, read load code into Eclipse

CPSC 213 for Java and C programs you will trace, write, read load code into Eclipse

The Big Picture Languages and Tools Lab/Assignment 1 Build machine model of execution SM213 Assembly SimpleMachine simulator CPSC 213 for Java and C programs you will trace, write, read load code into Eclipse and get it

9.69k views • 3 slides
Fundamentals of Programming Lecture 2 Hamed Rasifard Outline Numerical Systems

Fundamentals of Programming Lecture 2 Hamed Rasifard Outline Numerical Systems

Fundamentals of Programming Lecture 2 Hamed Rasifard Outline Numerical Systems Converting Numbers Summation and Subtraction of Binary Numbers Numerical Systems Binary (base 2) Octal (base 8) Decimal (Base 10)

560 views • 13 slides
Numbers Genome 373 Genomic Informatics Elhanan Borenstein Numbers Python defines various

Numbers Genome 373 Genomic Informatics Elhanan Borenstein Numbers Python defines various

Numbers Genome 373 Genomic Informatics Elhanan Borenstein Numbers Python defines various types of numbers: Integer (1234) Floating point number (12.34) Octal and hexadecimal number (0177, 0x9gff) Complex number (3.0+4.1j)

255 views • 7 slides
Beginning C Programming for Engineers Lecture 6: Bit Operations R. Lindsay Todd Bit Operations

Beginning C Programming for Engineers Lecture 6: Bit Operations R. Lindsay Todd Bit Operations

Beginning C Programming for Engineers Lecture 6: Bit Operations R. Lindsay Todd Bit Operations p. 1/19 Place Value Numerals A numeral represents a number using some notation. Normal place value numerals: each place represents a power of

235 views • 19 slides
Programming in C 1 Reserved Words and Identifiers Reserved word Word that has a specific

Programming in C 1 Reserved Words and Identifiers Reserved word Word that has a specific

Programming in C 1 Reserved Words and Identifiers Reserved word Word that has a specific meaning in C Ex: int, return Identifier Word used to name and refer to a data element or object manipulated by the program. 2 Valid

806 views • 67 slides
Digital Circuits and Systems Number Systems Shankar Balachandran* Associate Professor, CSE

Digital Circuits and Systems Number Systems Shankar Balachandran* Associate Professor, CSE

Spring 2015 Week 2 Module 12 Digital Circuits and Systems Number Systems Shankar Balachandran* Associate Professor, CSE Department Indian Institute of Technology Madras *Currently a Visiting Professor at IIT Bombay Digits vs. bits

1.29k views • 15 slides
GEM Detector Development for MAGIX 6 th Apr 2016 LEPP Mainz Pepe Glker 1 Requirements &

GEM Detector Development for MAGIX 6 th Apr 2016 LEPP Mainz Pepe Glker 1 Requirements &

GEM Detector Development for MAGIX 6 th Apr 2016 LEPP Mainz Pepe Glker 1 Requirements & Challenges for the detector-system Spatial Resolution < 50 m Many Channels ~10k High Rate Capability ~1MHz (Luminosity: 10 35 cm

341 views • 19 slides
Model-driven Design & Synthesis of the SHA-256 Cryptographic Hash Function in ReWire Bill

Model-driven Design & Synthesis of the SHA-256 Cryptographic Hash Function in ReWire Bill

Model-driven Design & Synthesis of the SHA-256 Cryptographic Hash Function in ReWire Bill Harrison University of Missouri Adam Procter Intel Corp. Gerard Allwein US Naval Research Laboratory October 7, 2016 Challenge: High Assurance Hardware

495 views • 14 slides

More recommend