software security buffer overflow defenses
play

Software Security: Buffer Overflow Defenses Autumn 2020 Franziska - PowerPoint PPT Presentation

Apr 30, 2023 •14 likes •234 views

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Autumn 2020 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

  1. CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Autumn 2020 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

  2. Admin • Assignments: – Homework 1: Due today at 11:59pm – Lab 1: Sign up, granting access ~once per day, see forum 10/9/2020 CSE 484 / CSE M 584 - Autumn 2020 2

  3. Summary of Printf Risks • Printf takes a variable number of arguments – E.g., printf (“Here’s an int : %d”, 10); • Assumptions about input can lead to trouble – E.g., printf(buf) when buf =“Hello world” versus when buf =“Hello world %d” – Can be used to advance printf’s internal stack pointer – Can read memory • E.g., printf (“%x”) will print in hex format whatever printf’s internal stack pointer is pointing to at the time – Can write memory • E.g., printf (“ Hello%n ”); will write “5” to the memory location specified by whatever printf’s internal SP is pointing to at the time 10/9/2020 CSE 484 / CSE M 584 - Autumn 2020 3

  4. How Can We Attack This? foo() { char buf[ …]; strncpy(buf, readUntrustedInput(), sizeof(buf)); printf(buf); //vulnerable } If format string contains % then printfwill expect to find arguments here … Saved FP ret/IP &buf buf Saved FP ret/IP Caller’s frame Addr 0xFF...F Printf’s frame Foo’s frame What should the string returned by readUntrustedInput() contain?? 10/9/2020 CSE 484 / CSE M 584 - Autumn 2020 4

  5. Saved FP ret/IP &buf buf Saved FP ret/IP Caller’s frame Printf’s frame Foo’s frame 10/9/2020 CSE 484 / CSE M 584 - Autumn 2020 5

  6. Using %n to Overwrite Return Address In foo()’s stack frame: This portion contains enough % symbols to advance printf’s internal stack pointer Buffer with attacker- supplied input “string” “ … attackString%n ” , attack code &RET SFP RET Number of characters in When %n happens, make sure the location Return attackString must be under printf’s stack pointer contains address execution to equal to … what? of RET; %n will write the number of characters this address in attackString into RET C allows you to concisely specify the “width” to print, causing printf to pad by printing additional blank characters without reading anything else off the stack. Example: printf (“%5d”, 10) will print three spaces followed by the integer: “ 10” That is, %n will print 5, not 2. Key idea: do this 4 times with the right numbers to overwrite the return address byte-by-byte. (4x %n to write into &RET, &RET+1, &RET+2, &RET+3) 10/9/2020 CSE 484 / CSE M 584 - Autumn 2020 6

  7. Recommended Reading • It will be hard to do Lab 1 without: – Reading (see course schedule): • Smashing the Stack for Fun and Profit • Exploiting Format String Vulnerabilities – Attending section next week 10/9/2020 CSE 484 / CSE M 584 - Autumn 2020 7

  8. Buffer Overflow: Causes and Cures • Typical memory exploit involves code injection – Put malicious code at a predictable location in memory, usually masquerading as data – Trick vulnerable program into passing control to it • Possible defenses: 1. Prevent execution of untrusted code 2. Stack “canaries” 3. Encrypt pointers 4. Address space layout randomization 5. Code analysis 6. … 10/9/2020 CSE 484 / CSE M 584 - Autumn 2020 8

  9. Executable Space Protection • Mark all writeable memory locations as non- executable – Example: Microsoft’s Data Execution Prevention (DEP) – This blocks many code injection exploits • Hardware support – AMD “NX” bit (no - execute), Intel “XD” bit (executed disable) (in post-2004 CPUs) – Makes memory page non-executable • Widely deployed – Windows XP SP2+ (2004), Linux since 2004 (check distribution), OS X 10.5+ (10.4 for stack but not heap), Android 2.3+ 10/9/2020 CSE 484 / CSE M 584 - Autumn 2020 9

  10. What Does “Executable Space Protection” Not Prevent? • Can still corrupt stack … – … or function pointers – … or critical data on the heap • As long as RET points into existing code, executable space protection will not block control transfer! → return-to-libc exploits 10/9/2020 CSE 484 / CSE M 584 - Autumn 2020 10

  11. return-to-libc • Overwrite saved EIP with address of any library routine – Arrange stack to look like arguments • Does not look like a huge threat – Attacker cannot execute arbitrary code – But … ? • Can still call critical functions, like exec • See lab 1, sploit 8 (extra credit) 10/9/2020 CSE 484 / CSE M 584 - Autumn 2020 11

  12. return-to-libc on Steroids • Insight: Overwritten saved EIP need not point to the beginning of a library routine • Any existing instruction in the code image is fine – Will execute the sequence starting from this instruction • What if instruction sequence contains RET? – Execution will be transferred… to where? – Read the word pointed to by stack pointer (ESP) • Guess what? Its value is under attacker’s control! – Use it as the new value for EIP • Now control is transferred to an address of attacker’s choice! – Increment ESP to point to the next word on the stack 10/9/2020 CSE 484 / CSE M 584 - Autumn 2020 12

  13. Chaining RETs for Fun and Profit • Can chain together sequences ending in RET – Krahmer , “x86 -64 buffer overflow exploits and the borrowed code chunks exploitation technique” (2005) • What is this good for? • Answer [Shacham et al.]: everything – Turing-complete language – Build “gadgets” for load -store, arithmetic, logic, control flow, system calls – Attack can perform arbitrary computation using no injected code at all – return-oriented programming 10/9/2020 CSE 484 / CSE M 584 - Autumn 2020 13

  14. Return-Oriented Programming 10/9/2020 CSE 484 / CSE M 584 - Autumn 2020 14

  15. Run-Time Checking: StackGuard • Embed “canaries” (stack cookies) in stack frames and verify their integrity prior to function return – Any overflow of local variables will damage the canary ret Top of Frame of the canary buf sfp addr calling function stack Return Pointer to Local variables execution to previous this address frame 10/9/2020 CSE 484 / CSE M 584 - Autumn 2020 15

  16. Run-Time Checking: StackGuard • Embed “canaries” (stack cookies) in stack frames and verify their integrity prior to function return – Any overflow of local variables will damage the canary ret Top of Frame of the canary buf sfp addr calling function stack Return Pointer to Local variables execution to previous this address frame • Choose random canary string on program start – Attacker can’t guess what the value of canary will be • Terminator canary: “ \0 ” , newline, linefeed, EOF – String functions like strcpy won’t copy beyond “ \0 ” 10/9/2020 CSE 484 / CSE M 584 - Autumn 2020 16

  17. StackGuard Implementation • StackGuard requires code recompilation • Checking canary integrity prior to every function return causes a performance penalty – For example, 8% for Apache Web server at one point in time • StackGuard can be defeated – A single memory write where the attacker controls both the value and the destination is sufficient 10/9/2020 CSE 484 / CSE M 584 - Autumn 2020 17

  18. Defeating StackGuard • Suppose program contains strcpy(dst,buf) where attacker controls both dst and buf – Example: dst is a local pointer variable canary buf &dst sfp RET Return execution to this address canary BadPointer, attack code &RET sfp RET Overwrite destination of strcpy with RET position strcpy will copy BadPointer here 10/9/2020 CSE 484 / CSE M 584 - Autumn 2020 18

  19. ASLR: Address Space Randomization • Randomly arrange address space of key data areas for a process – Base of executable region – Position of stack – Position of heap – Position of libraries • Introduced by Linux PaX project in 2001 • Adopted by OpenBSD in 2003 • Adopted by Linux in 2005 10/9/2020 CSE 484 / CSE M 584 - Autumn 2020 23

  20. ASLR: Address Space Randomization • Deployment (examples) – Linux kernel since 2.6.12 (2005+) – Android 4.0+ – iOS 4.3+ ; OS X 10.5+ – Microsoft since Windows Vista (2007) • Attacker goal: Guess or figure out target address (or addresses) • ASLR more effective on 64-bit architectures 10/9/2020 CSE 484 / CSE M 584 - Autumn 2020 24

  21. Attacking ASLR • NOP slides and heap spraying to increase likelihood for custom code (e.g., on heap) • Brute force attacks or memory disclosures to map out memory on the fly – Disclosing a single address can reveal the location of all code within a library, depending on the ASLR implementation 10/9/2020 CSE 484 / CSE M 584 - Autumn 2020 25

  22. Other Possible Solutions • Use safe programming languages, e.g., Java – What about legacy C code? – (Though Java doesn’t magically fix all security issues ☺ ) • Static analysis of source code to find overflows • Dynamic testing: “fuzzing” 10/9/2020 CSE 484 / CSE M 584 - Autumn 2020 26

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a very common attack mechanism from 1988 Morris Worm to Code Red, Slammer, Sasser and many others prevention techniques known still of major concern

873 views • 53 slides
Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner

Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

760 views • 23 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Last time We finished up By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow defenses (and workarounds) Format string vulnerabilities Integer overflow vulnerabilities This time

1.29k views • 80 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow

Last time We continued By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow attacks & other vulnerabilities Overflow defenses Everything youve always wanted to know about

2.41k views • 197 slides
Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Last time We continued By launching our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow fundamentals This time We will finish up By looking at Buffer Overflow overflows

1.33k views • 103 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

This time We will continue By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything youve always wanted to know about gdb but were too afraid to ask Overflow defenses Other memory

1.23k views • 95 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

This time We will continue By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything youve always wanted to know about gdb but were too afraid to ask Overflow defenses Other memory

1.49k views • 117 slides
Buffer overflow defenses Deian Stefan Some slides adopted from Nadia Heninger, Kirill Levchenko,

Buffer overflow defenses Deian Stefan Some slides adopted from Nadia Heninger, Kirill Levchenko,

CSE 127: Computer Security Buffer overflow defenses Deian Stefan Some slides adopted from Nadia Heninger, Kirill Levchenko, Stefan Savage, and Stephen Checkoway Today: mitigating buffer overflows Lecture objectives: Understand how to

1.33k views • 130 slides
Security: Buffer Overflows and Defenses CS 416: Operating Systems Design Department of Computer

Security: Buffer Overflows and Defenses CS 416: Operating Systems Design Department of Computer

Security: Buffer Overflows and Defenses CS 416: Operating Systems Design Department of Computer Science Rutgers University http://www.cs.rutgers.edu/~vinodg/416 Buffer Overflow a very common attack mechanism from 1988 Morris Worm to Code Red,

950 views • 55 slides
Buffer Overflow Attacks & Defenses Slides are borrowed from Franziska Roesner @UW and Dawn

Buffer Overflow Attacks & Defenses Slides are borrowed from Franziska Roesner @UW and Dawn

Buffer Overflow Attacks & Defenses Slides are borrowed from Franziska Roesner @UW and Dawn Song @Berkeley Linux (32-bit) process memory layout -0xFFFFFFFF Reserved for Kernal -0xC0000000 user stack %esp shared libraries -0x40000000

994 views • 85 slides
BUFFER OVERFLOW DEFENSES & COUNTERMEASURES CMSC 414 FEB 01 2018 RECALL OUR CHALLENGES

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES CMSC 414 FEB 01 2018 RECALL OUR CHALLENGES

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES CMSC 414 FEB 01 2018 RECALL OUR CHALLENGES How can we make these even more difficult? Putting code into the memory (no zeroes) Finding the return address (guess the raw address)

1.12k views • 94 slides
Software Security: Buffer Overflow Attacks Autumn 2020 Franziska (Franzi) Roesner

Software Security: Buffer Overflow Attacks Autumn 2020 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks Autumn 2020 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

517 views • 29 slides
Software Security: Buffer Overflow Attacks (continued) Fall 2016 Ada (Adam) Lerner

Software Security: Buffer Overflow Attacks (continued) Fall 2016 Ada (Adam) Lerner

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks (continued) Fall 2016 Ada (Adam) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno,

577 views • 43 slides
Software Security: Buffer Overflow Attacks Fall 2017 Franziska (Franzi) Roesner

Software Security: Buffer Overflow Attacks Fall 2017 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

703 views • 27 slides
Vulnerability Analysis Part 2 RK Shyamasundar IIT Bombay Outline Software Security

Vulnerability Analysis Part 2 RK Shyamasundar IIT Bombay Outline Software Security

Vulnerability Analysis Part 2 RK Shyamasundar IIT Bombay Outline Software Security Web Application Security Buffer Overflow Web content security: SSL Buffer Overflow Phishing attacks mitigation techniques

1.51k views • 84 slides
IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A

IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A

IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold.

221 views • 3 slides
Vector space of continuous periodic functions Fourier series Mathematical Tools for ITS (11MAI)

Vector space of continuous periodic functions Fourier series Mathematical Tools for ITS (11MAI)

Vector space of continuous periodic functions Fourier series Mathematical Tools for ITS (11MAI) Mathematical tools, 2020 Jan Pikryl 11MAI, lecture 2 Monday, October 5, 2020 version: 2020-09-30 16:45 Department of Applied Mathematics, CTU

995 views • 82 slides
SOME NUMERICAL FUNCTIONS ASSOCIATED TO THE MASLOV INDEX Andrew Ranicki (Edinburgh)

SOME NUMERICAL FUNCTIONS ASSOCIATED TO THE MASLOV INDEX Andrew Ranicki (Edinburgh)

1 SOME NUMERICAL FUNCTIONS ASSOCIATED TO THE MASLOV INDEX Andrew Ranicki (Edinburgh) http://www.maths.ed.ac.uk/ aar The Many Facets of the Maslov Index American Institute of Mathematics, Palo Alto 11th April, 2014 2 Introduction Want

768 views • 38 slides
Fourier Bases on Fractals Keri Kornelson University of Oklahoma - Norman February Fourier Talks

Fourier Bases on Fractals Keri Kornelson University of Oklahoma - Norman February Fourier Talks

Fourier Bases on Fractals Keri Kornelson University of Oklahoma - Norman February Fourier Talks February 21, 2013 K. Kornelson (U. Oklahoma) Fractal Fourier Bases FFT 02/21/2013 1 / 21 Coauthors This is joint work with Palle Jorgensen

703 views • 55 slides
Juggling with representations Matrix representation of Symmetry Point Groups C2v Irreducible

Juggling with representations Matrix representation of Symmetry Point Groups C2v Irreducible

Juggling with representations Matrix representation of Symmetry Point Groups C2v Irreducible Representation E C2 ( z ) v ( zx ) v ( yz ) Basis O 1 1 1 1 a 1 0 0 1 1 0 0 1 b 0 1 1 0 0

860 views • 40 slides
The State of PTXdist Roland Hieber <rhi@pengutronix.de> FOSDEM 2020 What is PTXdist?

The State of PTXdist Roland Hieber <rhi@pengutronix.de> FOSDEM 2020 What is PTXdist?

https://pengutronix.de The State of PTXdist Roland Hieber <rhi@pengutronix.de> FOSDEM 2020 What is PTXdist? Build system geared towards Embedded Linux Building blocks: GNU Make Kconfjg Bash some AWK First

375 views • 26 slides
Return-to-libc Attacks Instructor: Fengwei Zhang 1 SUSTech CS 315 Computer Security Outline

Return-to-libc Attacks Instructor: Fengwei Zhang 1 SUSTech CS 315 Computer Security Outline

Return-to-libc Attacks Instructor: Fengwei Zhang 1 SUSTech CS 315 Computer Security Outline Non-executable Stack countermeasure How to defeat the countermeasure Tasks involved in the attack Function Prologue and Epilogue

266 views • 22 slides
pn -junctonJ under dark conditons No Bias Forward Bias Reverse Bias Model - + Circuit P N

pn -junctonJ under dark conditons No Bias Forward Bias Reverse Bias Model - + Circuit P N

2.626/2.627 Lecture 5 (9/22/2011) pn -junctonJ under dark conditons No Bias Forward Bias Reverse Bias Model - + Circuit P N P N P N - + - + E E E p-type n-type p-type n-type p-type n-type Band Diagram x x x e - difusion: e

80 views • 3 slides
MTLE-6120: Advanced Electronic Properties of Materials Semiconductor p-n junction diodes Reading:

MTLE-6120: Advanced Electronic Properties of Materials Semiconductor p-n junction diodes Reading:

1 MTLE-6120: Advanced Electronic Properties of Materials Semiconductor p-n junction diodes Reading: Kasap 6.1 - 6.5, 6.9 - 6.12 2 Metal-semiconductor contact potential p -type n -type p -type n -type Same semiconductor on both sides,

293 views • 16 slides

More recommend