stack buffer overflows
play

Stack buffer overflows Deian Stefan Some slides adopted from Kirill - PowerPoint PPT Presentation

Sep 18, 2022 •569 likes •1.5k views

CSE 127: Computer Security Stack buffer overflows Deian Stefan Some slides adopted from Kirill Levchenko and Stefan Savage When is a program secure? Formal approach: When it does exactly what it should Not more Not less But how

  1. CSE 127: Computer Security Stack buffer overflows Deian Stefan Some slides adopted from Kirill Levchenko and Stefan Savage

  2. When is a program secure? • Formal approach: When it does exactly what it should ➤ Not more ➤ Not less • But how do we know what it is supposed to do? ➤ Somebody tells us? (Do we trust them?) ➤ We write the code ourselves? (What fraction of the software you use have you written?)

  3. When is a program secure? • Formal approach: When it does exactly what it should ➤ Not more ➤ Not less • But how do we know what it is supposed to do? ➤ Somebody tells us? (Do we trust them?) ➤ We write the code ourselves? (What fraction of the software you use have you written?)

  4. When is a program secure? • Pragmatic approach: When it doesn’t do bad things • Often easier to specify a list of “bad” things: ➤ Delete or corrupt important files ➤ Crash my system ➤ Send my password over the Internet ➤ Send threatening email to the professor

  5. 
 When is a program secure? But … what if the program doesn’t do bad things, but could? Is it secure? A: yes B: no

  6. 
 
 
 
 
 
 Weird machines • Complex systems contain unintended functionality 
 • Attackers can trigger this unintended functionality ➤ I.e., they are exploiting vulnerabilities

  7. What is a software vulnerability?

  8. What is a software vulnerability? • A bug in a program that allows an unprivileged user capabilities that should be denied to them

  9. What is a software vulnerability? • A bug in a program that allows an unprivileged user capabilities that should be denied to them • There are a lot of types of vulnerabilities ➤ Today: bugs that violate “control flow integrity” ➤ Why? Lets attacker run code on your computer!

  10. What is a software vulnerability? • A bug in a program that allows an unprivileged user capabilities that should be denied to them • There are a lot of types of vulnerabilities ➤ Today: bugs that violate “control flow integrity” ➤ Why? Lets attacker run code on your computer! • Typically these involve violating assumptions of the programming language or its run-time

  11. Exploiting vulnerabilities (the start) • Dive into low level details of how exploits work ➤ How can a remote attacker get victim program to execute their code? 
 • Threat model: Victim code is handling input that comes from across a security boundary ➤ What are some examples of this? 
 • Security policy: Want to protect integrity of execution and confidentiality of data from being compromised by malicious and highly skilled users of our system

  12. Today: stack buffer overflows Lecture objectives: ➤ Understand how buffer overflow vulns can be exploited ➤ Identify buffer overflows and assess their impact ➤ Avoid introducing buffer overflow vulnerabilities ➤ Correctly fix buffer overflow vulnerabilities

  13. Buffer overflows • Defn: an anomaly that occurs when a program writes data beyond the boundary of a buffer • Archetypal software vulnerability ➤ Ubiquitous in system software (C/C++) ➤ OSes, web servers, web browsers, etc. ➤ If your program crashes with memory faults, you probably have a buffer overflow vulnerability

  14. Why are they interesting? • Core concept → broad range of possible attacks ➤ Sometimes a single byte is all the attacker needs • Ongoing arms race between defenders and attackers ➤ Co-evolution of defenses and exploitation techniques

  15. How are they introduced?

  16. How are they introduced? • No automatic bounds checking in C/C++

  17. How are they introduced? • No automatic bounds checking in C/C++ • The problem is made more acute by the fact many C stdlib functions make it easy to go past bounds ➤ String manipulation functions like gets() , strcpy() , and strcat() all write to the destination buffer until they encounter a terminating ‘\0’ byte in the input

  18. How are they introduced? • No automatic bounds checking in C/C++ • The problem is made more acute by the fact many C stdlib functions make it easy to go past bounds ➤ String manipulation functions like gets() , strcpy() , and strcat() all write to the destination buffer until they encounter a terminating ‘\0’ byte in the input ➤ Whoever is providing the input (often from the other side of a security boundary) controls how much gets written

  19. Let's look at the finger daemon in BSD 4.3

  21. Morris worm • This fingerd vuln was one of several exploited by the Morris Worm in 1988 ➤ Created by Robert Morris 
 graduate student at Cornell • One of the first Internet worms ➤ Devastating effect on the Internet ➤ Took over hundreds of computers and shut down large chunks of the Internet • Aside: First use of the US CFAA https://en.wikipedia.org/wiki/Morris_worm

  22. That was over 30 years ago! Surely buffer overflows are no longer a problem…

  24. 
 
 
 How does a buffer overflow let you take over a machine? • Your program manipulates data • Data manipulates your program 


  25. What we need to know • How C arrays work • How memory is laid out • How the stack and function calls work • How to turn an array overflow into an exploit

  26. How do C arrays work • What does a[idx] get compiled to? ➤ *((a)+(idx)) • What does the the spec say? ➤ 6.5.2.1 Array subscripting in ISO/IEC 9899:2017

  27. Linux process memory layout 0xFFFFFFFF kernel 0xC0000000 user stack • Stack %esp • Heap • Data segment shared libs 0x40000000 • Text sement brk runtime heap static data ➤ binary instructions segment text segment 0x08048000 unused 0x00000000

  28. The Stack • Stack divided into frames ➤ Frame stores locals and args to called functions • Stack pointer points to top of stack ➤ x86: Stack grows down (from high to low addresses) ➤ x86: Stored in %esp register • Frame pointer points to caller’s stack frame ➤ Also called base pointer ➤ x86: Stored in %ebp register

  29. Stack frame arg2 to previous arg1 to instruction 
 frame pointer return %eip that follows the call of this function old %ebp callee-saved regs local variables stack growth

  30. 
 
 
 
 
 Brief review of x86 assembly • Two syntaxes ➤ Intel syntax: op dst, src ➤ ATT/gasm syntax: op src, dst • Examples: 
 movl %eax, %edx -> edx = eax movl $0x123, %edx -> edx = 0x123 movl (%ebx), %edx -> edx= *((int32_t*) ebx) movl 4(%ebx), %edx -> edx= *((int32_t*) (ebx+4)) Slide adopted from David Mazières

  31. 
 
 
 
 
 Brief review of x86 assembly • Two syntaxes ➤ Intel syntax: op dst, src ➤ ATT/gasm syntax: op src, dst • Examples: 
 movl %eax, %edx -> edx = eax movl $0x123, %edx -> edx = 0x123 movl (%ebx), %edx -> edx= *((int32_t*) ebx) movl 4(%ebx), %edx -> edx= *((int32_t*) (ebx+4)) Slide adopted from David Mazières

  32. Brief review of stack instructions -> subl $4, %esp pushl %eax movl %eax, (%esp) -> movl (%esp), %eax popl %eax addl $3, %esp -> pushl %eip call $0x12345 movl $0x12345, %eip ret -> popl %eip -> movl %ebp, %esp leave pop %ebp Slide adopted from David Mazières

  33. Brief review of stack instructions -> subl $4, %esp pushl %eax movl %eax, (%esp) -> movl (%esp), %eax popl %eax addl $3, %esp -> pushl %eip call $0x12345 movl $0x12345, %eip ret -> popl %eip -> movl %ebp, %esp leave pop %ebp Slide adopted from David Mazières

  34. Example 0 int foobar( int a, int b, int c) { int xx = a + 2; int yy = b + 3; int zz = c + 4; int sum = xx + yy + zz; return xx * yy * zz + sum; } int main() { return foobar(77, 88, 99); }

  35. Compiled to x86 https://godbolt.org/z/3iFhjy

  36. old %ebp %esp, %ebp 0xffffd0d8

  37. old %ebp %esp, %ebp 0xffffd0d8

  38. old %ebp %ebp 0xffffd0d8 $99 %esp

  39. old %ebp %ebp 0xffffd0d8 $99 $88 $77 %esp

  40. old %ebp %ebp 0xffffd0d8 $99 $88 $77 0x08049bbc %esp %eip = 0x08049ba7

  41. old %ebp %ebp 0xffffd0d8 $99 $88 $77 0x08049bbc 0xffffd0d8 %esp

  42. old %ebp 0xffffd0d8 $99 $88 $77 0x08049bbc 0xffffd0d8 %esp, %ebp

  43. old %ebp 0xffffd0d8 $99 $88 $77 0x08049bbc 0xffffd0d8 %ebp %esp

  44. old %ebp 0xffffd0d8 $99 $88 $77 0x08049bbc 0xffffd0d8 %ebp %esp

  45. old %ebp 0xffffd0d8 $99 $88 $77 0x08049bbc 0xffffd0d8 %ebp $79 %esp

  46. old %ebp 0xffffd0d8 $99 $88 $77 0x08049bbc 0xffffd0d8 %ebp $79 %esp

  47. old %ebp 0xffffd0d8 $99 $88 $77 0x08049bbc 0xffffd0d8 %ebp $79 $91 %esp

  48. old %ebp 0xffffd0d8 $99 $88 $77 0x08049bbc 0xffffd0d8 %ebp $79 $91 %esp

  49. old %ebp 0xffffd0d8 $99 $88 $77 0x08049bbc 0xffffd0d8 %ebp $79 $91 $103 %esp

  50. old %ebp 0xffffd0d8 $99 $88 $77 0x08049bbc 0xffffd0d8 %ebp $79 $91 $103 %esp

  51. old %ebp 0xffffd0d8 $99 $88 $77 0x08049bbc 0xffffd0d8 %ebp $79 $91 $103 $293 %esp

  52. old %ebp 0xffffd0d8 $99 $88 $77 0x08049bbc 0xffffd0d8 %ebp $79 $91 $103 $293 %esp

  53. old %ebp 0xffffd0d8 $99 $88 $77 0x08049bbc 0xffffd0d8 %esp, %ebp $79 $91 $103 $293

  54. old %ebp %ebp 0xffffd0d8 $99 $88 $77 0x08049bbc 0xffffd0d8 %esp $79 $91 $103 $293

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for

Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for

Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit by Aleph One Summer 2017 Roadmap 1 Process Memory Organization Text Fixed by program Includes code and read-only data

257 views • 22 slides
Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed

Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed

1 Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed in buffer overflow exploits to create backdoors Execution of additional network services via the INETD daemon The addition of new users

497 views • 30 slides
On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector

On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector

On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco On the effectiveness of NX, SSP, RenewSSP and ASLR against stack buffer overflows Hector Marco-Gisbert , Ismael Ripoll Universit` at Polit` ecnica

528 views • 35 slides
Introduction Buffer Overflows Buffer overflows were the most common form of security

Introduction Buffer Overflows Buffer overflows were the most common form of security

Introduction Buffer Overflows Buffer overflows were the most common form of security vulnerability in the 90s. Buffer overflows dominate in the area of remote network penetration vulnerabilities. CS 465 They represent one of the

651 views • 4 slides
Lab 2: Buffer Overflows Fengwei Zhang SUSTech CS 315 Computer Security 1 Buffer Overflows

Lab 2: Buffer Overflows Fengwei Zhang SUSTech CS 315 Computer Security 1 Buffer Overflows

Lab 2: Buffer Overflows Fengwei Zhang SUSTech CS 315 Computer Security 1 Buffer Overflows One of the most common vulnerabilities in software Programming languages commonly associated with buffer overflows including C and C++

1.14k views • 17 slides
Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of

Buffer overflows (a security interlude) Address space layout the stack discipline + C's lack of bounds-checking HUGE PROBLEM x86-64 Linux Memory Layout ... ... 0x00007fffffffffff Stack not drawn to scale Caller Frame Extra Arguments

325 views • 16 slides
ECS 153 Discussion Section April 6, 2015 1 What Well Cover Goal : To

ECS 153 Discussion Section April 6, 2015 1 What Well Cover Goal : To

ECS 153 Discussion Section April 6, 2015 1 What Well Cover Goal : To discuss buffer overflows in detail Stack-based buffer overflows Smashing the stack: execution from the stack

620 views • 37 slides
Computer Security Buffer Overflows Denial of Service MIE456 Joseph Kong Overview Program

Computer Security Buffer Overflows Denial of Service MIE456 Joseph Kong Overview Program

Computer Security Buffer Overflows Denial of Service MIE456 Joseph Kong Overview Program Exploitation Buffer Overflows Memory Declaration Smashing The Stack TCP/IP Three Way Handshake Denial of Service SYN Flooding

403 views • 13 slides
Buffer overflows (a security interlude) IA32 Linux Memory Layout ...

Buffer overflows (a security interlude) IA32 Linux Memory Layout ...

11/20/15 Buffer overflows (a security interlude) IA32 Linux Memory Layout ... FF ... How address space layout, the stack discipline, and C's lack of Stack

726 views • 4 slides
Lab 2: Buffer Overflows Fengwei Zhang Wayne State University Course: Cyber Security Prac@ce 1

Lab 2: Buffer Overflows Fengwei Zhang Wayne State University Course: Cyber Security Prac@ce 1

Lab 2: Buffer Overflows Fengwei Zhang Wayne State University Course: Cyber Security Prac@ce 1 Buffer Overflows One of the most common vulnerabili@es in soEware Programming languages commonly associated with buffer overflows including

199 views • 17 slides
Stack Buffer Overflows Deian Stefan Some slides adopted from Kirill Levchenko and Stefan Savage

Stack Buffer Overflows Deian Stefan Some slides adopted from Kirill Levchenko and Stefan Savage

CSE 127: Computer Security Stack Buffer Overflows Deian Stefan Some slides adopted from Kirill Levchenko and Stefan Savage When is a program secure? When it does exactly what it should? Not more Not less But how do we know what

1.42k views • 119 slides
Lab 2: Buffer Overflows Fengwei Zhang Wayne State University CSC 5991 Cyber Security PracCce 1

Lab 2: Buffer Overflows Fengwei Zhang Wayne State University CSC 5991 Cyber Security PracCce 1

Lab 2: Buffer Overflows Fengwei Zhang Wayne State University CSC 5991 Cyber Security PracCce 1 Buffer Overflows One of the most common vulnerabiliCes in soGware Programming languages commonly associated with buffer overflows including

195 views • 17 slides
CPSC 213 2.8 Textbook Procedures, Out-of-Bounds Memory References and Buffer Overflows

CPSC 213 2.8 Textbook Procedures, Out-of-Bounds Memory References and Buffer Overflows

Reading Companion CPSC 213 2.8 Textbook Procedures, Out-of-Bounds Memory References and Buffer Overflows 3.7, 3.12 Introduction to Computer Systems Unit 1e Procedures and the Stack 1 2 Local Variables of a Procedure

248 views • 7 slides
Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Last time We continued By launching our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow fundamentals This time We will finish up By looking at Buffer Overflow overflows

1.33k views • 103 slides
Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a very common attack mechanism from 1988 Morris Worm to Code Red, Slammer, Sasser and many others prevention techniques known still of major concern

873 views • 53 slides
ASLR & DEP DAVID HEAVERN Problem Statement Security Issues Buffer Overflows

ASLR & DEP DAVID HEAVERN Problem Statement Security Issues Buffer Overflows

ASLR & DEP DAVID HEAVERN Problem Statement Security Issues Buffer Overflows Buffer overflows are the source of many of the common vulnerabilities in modern software Caused by not checking the source length when writing to a

1.88k views • 130 slides
Lecture 04 Control Flow II Stephen Checkoway CS 343 Fall 2020 Based on Michael

Lecture 04 Control Flow II Stephen Checkoway CS 343 Fall 2020 Based on Michael

Lecture 04 Control Flow II Stephen Checkoway CS 343 Fall 2020 Based on Michael Baileys ECE 422 32-bit x86 architecture overview 8 general purpose registers eax, ebx, ecx, edx, esi, edi, ebp, esp esp is the stack pointer

368 views • 23 slides
The Hardware/So<ware Interface CSE351 Winter 2013 Procedures and

The Hardware/So<ware Interface CSE351 Winter 2013 Procedures and

University of Washington The Hardware/So<ware Interface CSE351 Winter 2013 Procedures and Stacks I University of Washington Roadmap Data & addressing

909 views • 61 slides
3. Tablo algoritms 16.12 Tablo (tableaux) metodi 1955.gad izgudroja Evert Willem Beth

3. Tablo algoritms 16.12 Tablo (tableaux) metodi 1955.gad izgudroja Evert Willem Beth

3. Tablo algoritms 16.12 Tablo (tableaux) metodi 1955.gad izgudroja Evert Willem Beth (1908-1964), plaka biogrfija un portrets. Sk. ar Method of analytic tableaux (Wikipedia). metode risina to pau uzdevumu, ko rezolciju metode

494 views • 27 slides
i 1 > H ; ~ I I 1

i 1 > H ; ~ I I 1

t t i 1 > H ; ~ I I 1 I

964 views • 16 slides
CISC vs. RISC x86 is the epitome of a Complex Instruction x86 or Set Computer Hundreds of

CISC vs. RISC x86 is the epitome of a Complex Instruction x86 or Set Computer Hundreds of

CISC vs. RISC x86 is the epitome of a Complex Instruction x86 or Set Computer Hundreds of instructions Oh No! Not Another Assembler F2XM1 Compute 2 x 1 Jonathan Misurda Computes the exponential value of 2 to the power of

417 views • 3 slides
#include <ctype.h> // tolower #include <string.h> // strcmp sfp main() #include

#include <ctype.h> // tolower #include <string.h> // strcmp sfp main() #include

#include <ctype.h> // tolower #include <string.h> // strcmp sfp main() #include <stdio.h> // fgets, fputs void reveal_secret() login { fputs("SUPER SECRET = 42\n", stdout); } login int verify(const char*

641 views • 15 slides
Marrying U-Boot, UEFI and grub About Me Alexander Graf KVM and QEMU developer for SUSE

Marrying U-Boot, UEFI and grub About Me Alexander Graf KVM and QEMU developer for SUSE

Marrying U-Boot, UEFI and grub About Me Alexander Graf KVM and QEMU developer for SUSE Server class PowerPC KVM port Nested SVM Founding member of SUSE ARM team Booting on ARM Booting on ARM Boot ROM Booting on ARM Boot

2.09k views • 160 slides
CS453 Intro and PA1 1 Nested Procedures Example Nested Procedures Suggested Exercise int

CS453 Intro and PA1 1 Nested Procedures Example Nested Procedures Suggested Exercise int

Plan for Today Another example: where does each variable go? class A { Finish accesses to member variables public static void main(String[] a){ System.out.println(42); in general, how do we determine variable locations } how will the

178 views • 3 slides

More recommend