software security buffer overflow attacks
play

Software Security: Buffer Overflow Attacks Fall 2017 Franziska - PowerPoint PPT Presentation

Feb 13, 2023 •429 likes •703 views

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

  1. CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

  2. Announcements • Sections moved to MEB 246 • Remember to sign the ethics form ( today )! • Office hours start this week – Me: Mon 11am-12pm – TAs: Thu 11:30am-1pm; Fri11:30-12:30pm • Lab 1 out now! – Groups of up to 3 – Sign up via Google form for access to lab – Section will cover the lab 10/4/17 CSE 484 / CSE M 584 - Fall 2017 2

  3. SOFTWARE SECURITY 10/4/17 CSE 484 / CSE M 584 - Fall 2017 3

  4. Software Problems are Ubiquitous 10/4/17 CSE 484 / CSE M 584 - Fall 2017 4

  5. Software Problems are Ubiquitous 10/4/17 CSE 484 / CSE M 584 - Fall 2017 5

  6. Adversarial Failures • Software bugs are bad – Consequences can be serious • Even worse when an intelligent adversary wishes to exploit them! – Intelligent adversaries: Force bugs into “worst possible” conditions/states – Intelligent adversaries: Pick their targets • Buffer overflows bugs: Big class of bugs – Normal conditions: Can sometimes cause systems to fail – Adversarial conditions: Attacker able to violate security of your system (control, obtain private information, ...) 10/4/17 CSE 484 / CSE M 584 - Fall 2017 6

  7. BUFFER OVERFLOWS 10/4/17 CSE 484 / CSE M 584 - Fall 2017 7

  8. A Bit of History: Morris Worm • Worm was released in 1988 by Robert Morris – Graduate student at Cornell, son of NSA chief scientist – Convicted under Computer Fraud and Abuse Act, sentenced to 3 years of probation and 400 hours of community service – Now an EECS professor at MIT • Worm was intended to propagate slowly and harmlessly measure the size of the Internet • Due to a coding error, it created new copies as fast as it could and overloaded infected machines • $10-100M worth of damage 10/4/17 CSE 484 / CSE M 584 - Fall 2017 8

  9. Morris Worm and Buffer Overflow • One of the worm’s propagation techniques was a buffer overflow attack against a vulnerable version of fingerd on VAX systems – By sending special string to finger daemon, worm caused it to execute code creating a new worm copy 10/4/17 CSE 484 / CSE M 584 - Fall 2017 9

  10. Famous Internet Worms • Buffer overflows: very common cause of attacks – Still today! • Morris worm (1988): overflow in fingerd – 6,000 machines infected • CodeRed (2001): overflow in MS-IIS server – 300,000 machines infected in 14 hours • SQL Slammer (2003): overflow in MS-SQL server – 75,000 machines infected in 10 minutes (!!) • Sasser (2005): overflow in Windows LSASS – Around 500,000 machines infected 10/4/17 CSE 484 / CSE M 584 - Fall 2017 10

  11. … And More • Conficker (2008-09): overflow in Windows RPC – Around 10 million machines infected (estimates vary) • Stuxnet (2009-10): several zero-day overflows + same Windows RPC overflow as Conficker – Windows print spooler service – Windows LNK shortcut display – Windows task scheduler • Flame (2010-12): same print spooler and LNK overflows as Stuxnet – Targeted cyperespionage virus • Still ubiquitous, especially in embedded systems 10/4/17 CSE 484 / CSE M 584 - Fall 2017 11

  12. Attacks on Memory Buffers • Buffer is a pre-defined data storage area inside computer memory (stack or heap) • Typical situation: – A function takes some input that it writes into a pre- allocated buffer. – The developer forgets to check that the size of the input isn’t larger than the size of the buffer. – Uh oh. • “Normal” bad input: crash • “Adversarial” bad input : take control of execution 10/4/17 CSE 484 / CSE M 584 - Fall 2017 12

  13. Stack Buffers buf uh oh! • Suppose Web server contains this function void func(char *str) { char buf[126]; ... strcpy(buf,str); ... } • No bounds checking on strcpy() • If str is longer than 126 bytes – Program may crash – Attacker may change program behavior 10/4/17 CSE 484 / CSE M 584 - Fall 2017 13

  14. Example: Changing Flags buf authenticated 1 ( :-) ! ) 1 • Suppose Web server contains this function void func(char *str) { char buf[126]; ... strcpy(buf,str); ... } • Authenticated variable non-zero when user has extra privileges • Morris worm also overflowed a buffer to overwrite an authenticated flag in fingerd 10/4/17 CSE 484 / CSE M 584 - Fall 2017 14

  15. Memory Layout • Text region: Executable code of the program • Heap: Dynamically allocated data • Stack: Local variables, function return addresses; grows and shrinks as functions are called and return Top Bottom Text region Heap Stack Addr 0x00...0 Addr 0xFF...F 10/4/17 CSE 484 / CSE M 584 - Fall 2017 15

  16. Stack Buffers • Suppose Web server contains this function: void func(char *str) { Allocate local buffer (126 bytes reserved on stack) char buf[126]; strcpy(buf,str); Copy argument into local buffer } • When this function is invoked, a new frame (activation record) is pushed onto the stack. buf Saved FP ret/IP str Caller’s frame Addr 0xFF...F Local variables Args Execute code at this address after func() finishes 10/4/17 CSE 484 / CSE M 584 - Fall 2017 16

  17. What if Buffer is Overstuffed? • Memory pointed to by str is copied onto stack… void func(char *str) { char buf[126]; strcpy does NOT check whether the string strcpy(buf,str); at *str contains fewer than 126 characters } • If a string longer than 126 bytes is copied into buffer, it will overwrite adjacent stack locations. This will be interpreted as return address! buf Saved FP ret/IP str Caller’s frame Addr 0xFF...F Local variables Args 10/4/17 CSE 484 / CSE M 584 - Fall 2017 17

  18. Executing Attack Code • Suppose buffer contains attacker-created string – For example, str points to a string received from the network as the URL exec(“/bin/sh”) buf Saved FP ret/IP Caller’s stack frame str Caller’s frame Addr 0xFF...F Attacker puts actual assembly In the overflow, a pointer back into the instructions into his input string, e.g., buffer appears in the location where the binary code of execve(“/bin/sh”) system expects to find return address • When function exits, code in the buffer will be executed, giving attacker a shell (“shellcode”) – Root shell if the victim program is setuid root 10/4/17 CSE 484 / CSE M 584 - Fall 2017 18

  19. Buffer Overflows Can Be Tricky… • Overflow portion of the buffer must contain correct address of attack code in the RET position – The value in the RET position must point to the beginning of attack assembly code in the buffer • Otherwise application will (probably) crash with segfault – Attacker must correctly guess in which stack position his/her buffer will be when the function is called 10/4/17 CSE 484 / CSE M 584 - Fall 2017 19

  20. Problem: No Bounds Checking • strcpy does not check input size – strcpy(buf, str) simply copies memory contents into buf starting from *str until “\0” is encountered, ignoring the size of area allocated to buf • Many C library functions are unsafe – strcpy(char *dest, const char *src) – strcat(char *dest, const char *src) – gets(char *s) – scanf(const char *format, …) – printf(const char *format, …) 10/4/17 CSE 484 / CSE M 584 - Fall 2017 20

  21. Does Bounds Checking Help? • strncpy(char *dest, const char *src, size_t n) – If strncpy is used instead of strcpy, no more than n characters will be copied from *src to *dest • Programmer has to supply the right value of n • Potential overflow in htpasswd.c (Apache 1.3): strcpy(record,user); Copies username (“user”) into buffer strcat(record,”:”); (“record”), then appends “:” and strcat(record,cpw); hashed password (“cpw”) • Published fix: strncpy(record,user,MAX_STRING_LEN-1); strcat(record,”:”) strncat(record,cpw,MAX_STRING_LEN-1); 10/4/17 CSE 484 / CSE M 584 - Fall 2017 21

  22. Misuse of strncpy in htpasswd “Fix” • Published “fix” for Apache htpasswd overflow: strncpy(record,user,MAX_STRING_LEN-1); strcat(record,”:”) strncat(record,cpw,MAX_STRING_LEN-1); MAX_STRING_LEN bytes allocated for record buffer : contents of *user contents of *cpw Put “:” Again put up to MAX_STRING_LEN-1 Put up to MAX_STRING_LEN-1 characters into buffer characters into buffer 10/4/17 CSE 484 / CSE M 584 - Fall 2017 22

  23. What About This? • Home-brewed range-checking string copy void mycopy(char *input) { char buffer[512]; int i; for (i=0; i<=512; i++) buffer[i] = input[i]; } void main(int argc, char *argv[]) { if (argc==2) mycopy(argv[1]); } • 1-byte overflow: can’t change RET, but can change pointer to previous stack frame – On little-endian architecture, make it point into buffer – RET for previous function will be read from buffer! 10/4/17 CSE 484 / CSE M 584 - Fall 2017 23

  24. Off-By-One Overflow • Home-brewed range-checking string copy void mycopy(char *input) { This will copy 513 char buffer[512]; int i; characters into for (i=0; i<=512; i++) buffer. Oops! buffer[i] = input[i]; } void main(int argc, char *argv[]) { if (argc==2) mycopy(argv[1]); } • 1-byte overflow: can’t change RET, but can change pointer to previous stack frame… – On little-endian architecture, make it point into buT for previous function will be read from buffer 10/4/17 CSE 484 / CSE M 584 - Fall 2017 24

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Software Security: Buffer Overflow Attacks Autumn 2020 Franziska (Franzi) Roesner

Software Security: Buffer Overflow Attacks Autumn 2020 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks Autumn 2020 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

517 views • 29 slides
Software Security: Buffer Overflow Attacks (continued) Fall 2016 Ada (Adam) Lerner

Software Security: Buffer Overflow Attacks (continued) Fall 2016 Ada (Adam) Lerner

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno,

577 views • 43 slides
Software Security: Buffer Overflow Attacks Fall 2016 Adam (Ada) Lerner lerner@cs.washington.edu

Software Security: Buffer Overflow Attacks Fall 2016 Adam (Ada) Lerner lerner@cs.washington.edu

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks Fall 2016 Adam (Ada) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John

559 views • 41 slides
Vulnerability Analysis Part 2 RK Shyamasundar IIT Bombay Outline Software Security

Vulnerability Analysis Part 2 RK Shyamasundar IIT Bombay Outline Software Security

Vulnerability Analysis Part 2 RK Shyamasundar IIT Bombay Outline Software Security Web Application Security Buffer Overflow Web content security: SSL Buffer Overflow Phishing attacks mitigation techniques

1.51k views • 84 slides
Software Security Explorative Lecture A brief history of security problems attacks on

Software Security Explorative Lecture A brief history of security problems attacks on

1/30/2020 Software Security Explorative Lecture A brief history of security problems attacks on multi-user UNIX systems for fun viruses &amp; worms attacking operating systems due to buffer overflow, format string attacks, integer

477 views • 37 slides
Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Last time We continued By launching our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow fundamentals This time We will finish up By looking at Buffer Overflow overflows

1.33k views • 103 slides
Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner

Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

760 views • 23 slides
Software Security: Buffer Overflow Defenses Autumn 2020 Franziska (Franzi) Roesner

Software Security: Buffer Overflow Defenses Autumn 2020 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Autumn 2020 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

234 views • 22 slides
IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A

IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A

IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold.

221 views • 3 slides
Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a very common attack mechanism from 1988 Morris Worm to Code Red, Slammer, Sasser and many others prevention techniques known still of major concern

873 views • 53 slides
Buffer Software Security overflows and other memory safety vulnerabilities History

Buffer Software Security overflows and other memory safety vulnerabilities History

This time We will begin By investigating our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Software security Security is a form

2.11k views • 190 slides
History of the Stack Overflow Buffer Overflow Understood

History of the Stack Overflow Buffer Overflow Understood

History of the Stack Overflow Buffer Overflow Understood as early as 1972 Computer Security Technology Planning Study Morris Worm First

1.07k views • 42 slides
ECE590 Computer and Information Security Fall 2018 Buffer Overflows and Software Security Tyler

ECE590 Computer and Information Security Fall 2018 Buffer Overflows and Software Security Tyler

ECE590 Computer and Information Security Fall 2018 Buffer Overflows and Software Security Tyler Bletsch Duke University What is a Buffer Overflow? Intent Arbitrary code execution Spawn a remote shell or infect with worm/virus

1.26k views • 76 slides
Computer and Information Security Fall 2020 Buffer Overflows and Software Security Tyler Bletsch

Computer and Information Security Fall 2020 Buffer Overflows and Software Security Tyler Bletsch

ECE560 Computer and Information Security Fall 2020 Buffer Overflows and Software Security Tyler Bletsch Duke University What is a Buffer Overflow? Intent Arbitrary code execution Spawn a remote shell or infect with worm/virus

983 views • 75 slides
Buffer Software Security overflows and other memory safety vulnerabilities History

Buffer Software Security overflows and other memory safety vulnerabilities History

This time We will begin By investigating our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Analyzing security Security

1.41k views • 107 slides
VOTD: Buffer Overflow Engineering Secure Software Last Revised: August 17, 2020 SWEN-331:

VOTD: Buffer Overflow Engineering Secure Software Last Revised: August 17, 2020 SWEN-331:

VOTD: Buffer Overflow Engineering Secure Software Last Revised: August 17, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 What is Buffer Overflow? Writing data outside of the intended buffer (memory space) SWEN-331:

298 views • 6 slides
FLST: Linguistic Foundations Francesca Delogu delogu@coli.uni-saarland.de

FLST: Linguistic Foundations Francesca Delogu delogu@coli.uni-saarland.de

FLST: Linguistic Foundations Francesca Delogu delogu@coli.uni-saarland.de http://www.coli.uni-saarland.de/courses/FLST/2014/ FLST: Linguistics Foundation Morphology ! The study of the internal structure of words, and of the rules by which

1.78k views • 55 slides
Computational Morphology FOU17 Harald Hammarstr om Uppsala University

Computational Morphology FOU17 Harald Hammarstr om Uppsala University

Computational Morphology FOU17 Harald Hammarstr om Uppsala University harald.hammarstrom@lingfil.uu.se 30 Aug 2017 Uppsala Hammarstrom Computational Morphology 2017 Uppsala 1 / 11 Computational Morphology Break words into meaningful

1.23k views • 14 slides
The Contribution of Domain-independent Robust Pronominal Anaphora Resolution to Open-Domain

The Contribution of Domain-independent Robust Pronominal Anaphora Resolution to Open-Domain

The Contribution of Domain-independent Robust Pronominal Anaphora Resolution to Open-Domain Question-Answering Rebecca Watson, Judita Preiss, Ted Briscoe Computer Laboratory University of Cambridge OD QA and Anaphora Baseline QA System

680 views • 11 slides
Data-induced Domain Models for Information Extraction from Patients Clinical Data Agnieszka

Data-induced Domain Models for Information Extraction from Patients Clinical Data Agnieszka

Data-induced Domain Models for Information Extraction from Patients Clinical Data Agnieszka Mykowiecka and Magorzata Marciniak Institute of Computer Science, Polish Academy of Sciences, Warszawa, Poland agn@ipipan.waw.pl, mm@ipipan.waw.pl

94 views • 7 slides
Years Guri Sohi University of Wisconsin-Madison Outline Speculation infancy performance

Years Guri Sohi University of Wisconsin-Madison Outline Speculation infancy performance

Still Speculating After All These Years Guri Sohi University of Wisconsin-Madison Outline Speculation infancy performance Speculation adolescence energy Speculation maturity security 2 Speculation Infancy

1.02k views • 23 slides
a single gadget weird machine Highlights of Dutch Cyber Security Research Framing Signals a

a single gadget weird machine Highlights of Dutch Cyber Security Research Framing Signals a

a single gadget weird machine Highlights of Dutch Cyber Security Research Framing Signals a return to portable shellcode Erik Bosman and Herbert Bos memory corruption, the problem that just won't go away 25+ years after the morris worm and

879 views • 62 slides
TO SEE OR BECOME AWARE OF SOMETHING THAT HAS NOT YET HAPPENED TRAINING THE CRISIS IN CRISIS

TO SEE OR BECOME AWARE OF SOMETHING THAT HAS NOT YET HAPPENED TRAINING THE CRISIS IN CRISIS

TO SEE OR BECOME AWARE OF SOMETHING THAT HAS NOT YET HAPPENED TRAINING THE CRISIS IN CRISIS MANAGEMENT Klas Lindstrm Managing Director 4C Strategies Understand what you need to do to achieve your desired end state Understand Build your

521 views • 30 slides
Managing Ancestral Land through Mortuary Ceremonies: The experiences of Nalik People in northern

Managing Ancestral Land through Mortuary Ceremonies: The experiences of Nalik People in northern

Managing Ancestral Land through Mortuary Ceremonies: The experiences of Nalik People in northern New Ireland, Papua New Guinea 1 / 15 00001 - 00:00:01 Managing Ancestral Land through Mortuary Ceremonies: The experiences of Nalik People in

366 views • 15 slides

More recommend