vulnerabilities in c c programs part i
play

Vulnerabilities in C/C++ programs Part I TDDC90 Software Security - PowerPoint PPT Presentation

Feb 23, 2024 •43 likes •633 views

Vulnerabilities in C/C++ programs Part I TDDC90 Software Security Ulf Kargn Department of Computer and Information Science (IDA) Division for Database and Information Techniques (ADIT) Vulnerabilities in C-based languages

  1. Vulnerabilities in C/C++ programs – Part I TDDC90 – Software Security Ulf Kargén Department of Computer and Information Science (IDA) Division for Database and Information Techniques (ADIT)

  2. Vulnerabilities in C-based languages ▪ Programs compile directly to machine code ▪ Explicit control of memory given to programmers  Optimized for speed – not reliability  Subtle mistakes can have devastating security implications!  Understanding of low-level details necessary to take full advantage of language, and to avoid introducing vulnerabilities ▪ Easy to make mistakes when coming from e.g. Java! 2

  3. Outline of lectures First lecture ▪ Introduction and motivation ▪ Assembly language primer ▪ Vulnerabilities and exploits Second lecture ▪ More vulnerabilities and exploits ▪ Writing secure code ▪ Mitigations ▪ “Modern” exploit techniques 3

  4. Introduction and motivation

  5. Why look at vulnerabilities in C/C++ code? C and C++ are old languages with known security problems  Why not just implement everything in Java / C# / Python and be done with it? ▪ Some code need to run “close to the metal” (OS kernels, device drivers) ▪ Performance reasons: ▪ Web browsers, games, etc. ▪ Low-powered devices (little RAM, slow CPU): Phones, Tablets, TVs, etc. ▪ Ultra low- powered devices (“Internet of things”) ▪ “Green computing” 5

  6. Why look at vulnerabilities in C/C++ code? 6

  7. Why study attack techniques? ▪ “Know thy enemy” ▪ How could you possibly protect from attacks if you don’t know what techniques attackers use? ▪ Important to be able to tell if a bug has security implications ▪ Scheduling/prioritizing patches ▪ Decide what to publish on e.g. public bug trackers 7

  8. Assembly language primer Linux memory layout and x86 basics

  9. Memory layout of x86 Linux High memory (What you will use in the Pong lab) 0xFFFFFFFF ▪ All processes see 4GB of private continuous virtual memory. (Mapped by OS to RAM) Kernel memory ▪ The stack is located at high memory addresses and grows downwards in memory Stack ▪ Used for storing local variables of function calls, function call parameters, return addresses, etc. ▪ Main executable (Text), and its Data and BSS segment, is Shared library located in low memory Shared library ▪ The heap is located above the Text, Data, and BSS segment. Grows upwards in memory . Heap ▪ Used for dynamically allocated memory ( malloc , new ) BSS ▪ Note: x86 is a little-endian architecture: First byte of e.g. a (Un-initialized global variables) 4-byte word is the least significant byte. Data (Initialized global variables) Text (program code) Low memory 0x00000000 9

  10. Registers on the x86 ▪ Four general-purpose 4-byte registers AH AX EAX AL (EAX - EDX) ▪ BH BX Partial registers EBX BL • 2 least significant bytes of full register CH CX ECX CL ( n X) DH DX EDX • DL Bytes 1 and 2 of n X called respectively n L and n H ( L ow and H igh) EBP Base (frame) pointer Special registers ESP • ESP – points to topmost element of stack Stack pointer EIP • EBP – points to current frame (on the Instruction pointer stack), which contains local variables of one function call. Local variables accessed Additional registers relative to EBP. • ESI and EDI • EIP – points to the currently executing • CS, SS, DS, ES, FS, GS instruction • EFLAGS • … 10

  11. Assembly language mnemonics Intel style AT&T (gcc, gdb) style • • opcode destination , source opcode source , destination • • mov [esp+4], eax movl %eax, 4(%esp) mov dst , src Copy the data in src to dst add/sub dst , src Add/subtract the data in src to the data in dst and/xor dst , src Bitwise AND/XOR the data in src with the data in dst and store result in dst push target Push target onto the stack, decrementing ESP pop target Pop target from the stack, incrementing ESP lea dst , src Load the address of src into dst call address Push address of the next instruction onto stack and set EIP to address ret Pop EIP from the stack leave Exit a high-level function (copy EPB to ESP, pop EBP from stack) j cc address Jump to address if condition code cc (e.g. e, ne, ge) is set jmp address Jump to address int value Call interrupt of value (0x80 will perform a Linux system call)

  12. Semantics of some important x86 instructions ▪ ▪ push < op > call <function address> Equivalent to: Instruction for performing a function call. esp = esp – 4 Pushes return address to stack and [esp] = <op> jumps to start of called function. Equivalent to: Access push < address of next instruction > memory ▪ pop <op> eip = < function address > pointed to Equivalent to: by esp < op > = [esp] ▪ esp = esp + 4 ret Used to return from function. Pops return address from stack and jumps back to the calling function. Equivalent to: pop eip

  13. Direct vs indirect branches Direct branches Indirect branches Addresses are hardcoded offsets Addresses are stored in a register relative to current instruction pointer or memory, i.e. decided at runtime Examples: Examples: ▪ ▪ call 0x123 call eax Equivalent to: Equivalent to: push <address of next instruction> push <address of next instruction> eip = eip + 0x123 (291 decimal) eip = eax Used to ▪ ▪ jmp 0x123 jmp eax implement calls Equivalent to: Equivalent to: via function eip = eip + 0x123 eip = eax pointers ▪ ▪ j cc 0x123 ret Conditional branches are Target address stored on stack always direct

  14. Function calls on x86 (stdcall) 1. Caller pushes arguments from right to left onto stack Caller issues a ‘call’ instruction – pushes return address and jumps to function start. 2. 3. Function prologue executes a. Pushes old value of EBP to stack, updates EBP to point to saved EBP on stack b. Subtracts ESP to allocate space for local variables 4. Function main logic executes 5. Function epilogue executes a. Puts return value (if any) into EAX register “ Deallocates ” local variables on stack by increasing ESP b. c. Pops saved EBP into EBP Issues a ‘ret’ instruction – pops return address of stack and jumps to that address d. 6. Caller removes arguments from stack 14

  15. Function calls on x86 (stdcall) Example EBP . . foo(user_data); Caller’s stack frame . ESP . void foo(char* input) { unsigned int len; char buffer[16]; len = strlen(input); strcpy(buffer, input); printf( “%s: %d \ n” , buffer, len); }

  16. Function calls on x86 (stdcall) Example EBP . . foo(user_data); Caller’s stack frame . . input (argument to foo) ESP void foo(char* input) { unsigned int len; char buffer[16]; len = strlen(input); strcpy(buffer, input); printf( “%s: %d \ n” , buffer, len); }

  17. Function calls on x86 (stdcall) Example EBP . . foo(user_data); Caller’s stack frame . . input (argument to foo) ESP Return address void foo(char* input) { unsigned int len; char buffer[16]; len = strlen(input); strcpy(buffer, input); printf( “%s: %d \ n” , buffer, len); }

  18. Function calls on x86 (stdcall) Example . . foo(user_data); Caller’s stack frame . . input (argument to foo) Return address void foo(char* input) { Saved EBP ESP, EBP unsigned int len; char buffer[16]; len = strlen(input); strcpy(buffer, input); printf( “%s: %d \ n” , buffer, len); }

  19. Function calls on x86 (stdcall) Example . . foo(user_data); Caller’s stack frame . . input (argument to foo) Return address void foo(char* input) { Saved EBP EBP unsigned int len; len char buffer[16]; len = strlen(input); strcpy(buffer, input); buffer printf( “%s: %d \ n” , buffer, len); ESP }

  20. Function calls on x86 (stdcall) Example . . foo(user_data); Caller’s stack frame . . input (argument to foo) Return address void foo(char* input) { Saved EBP EBP unsigned int len; len char buffer[16]; len = strlen(input); A A NUL strcpy(buffer, input); buffer A A A A printf( “%s: %d \ n” , buffer, len); A A A A ESP }

  21. Function calls on x86 (stdcall) Example . . foo(user_data); Caller’s stack frame . . input (argument to foo) Return address void foo(char* input) { Saved EBP ESP, EBP unsigned int len; char buffer[16]; len = strlen(input); strcpy(buffer, input); printf( “%s: %d \ n” , buffer, len); }

  22. Function calls on x86 (stdcall) Example EBP . . foo(user_data); Caller’s stack frame . . input (argument to foo) ESP Return address void foo(char* input) { unsigned int len; char buffer[16]; len = strlen(input); strcpy(buffer, input); printf( “%s: %d \ n” , buffer, len); }

  23. Function calls on x86 (stdcall) Example EBP . . foo(user_data); Caller’s stack frame . . ESP input (argument to foo) void foo(char* input) { unsigned int len; char buffer[16]; len = strlen(input); strcpy(buffer, input); printf( “%s: %d \ n” , buffer, len); }

  24. Function calls on x86 (stdcall) Example EBP . . foo(user_data); Caller’s stack frame ESP . . void foo(char* input) { unsigned int len; char buffer[16]; len = strlen(input); strcpy(buffer, input); printf( “%s: %d \ n” , buffer, len); }

  25. Vulnerabilities and exploits

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Vulnerabilities in C/C++ programs Part II TDDC90 Software Security Ulf Kargn Department

Vulnerabilities in C/C++ programs Part II TDDC90 Software Security Ulf Kargn Department

Vulnerabilities in C/C++ programs Part II TDDC90 Software Security Ulf Kargn Department of Computer and Information Science (IDA) Division for Database and Information Techniques (ADIT) Integer overflows and sign errors Adding,

756 views • 42 slides
Jonathan Pollet conference Part 1: Control System Vulnerabilities control system vulnerabilities

Jonathan Pollet conference Part 1: Control System Vulnerabilities control system vulnerabilities

Rome, May 31, 2011 Jonathan Pollet conference Part 1: Control System Vulnerabilities control system vulnerabilities &gt; analysis of 5 years of field data Jonathan Pollet, CISSP , CAP , PCIP Red Tiger Security [on behalf of the DHS CSSP

413 views • 20 slides
The S2E Platform Finding vulnerabilities in Linux and Windows programs Vitaly Chipounov

The S2E Platform Finding vulnerabilities in Linux and Windows programs Vitaly Chipounov

The S2E Platform Finding vulnerabilities in Linux and Windows programs Vitaly Chipounov https://s2e.systems Ready-for-use docker image, demos, tutorials, source code, documentation Vitaly Chipounov Ph.D. in 2014 at EPFL, Switzerland

827 views • 57 slides
Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Integer Overflow Vulnerabilities * slides adapted from those by Seacord 3 Integer Overflows An integer overflow occurs

639 views • 52 slides
Name your programs hw2a.cpp for part A and hw2b.cpp for part B. Program must be able to compile or

Name your programs hw2a.cpp for part A and hw2b.cpp for part B. Program must be able to compile or

CS111 Homework 2 (Due Oct 4, 2018) Name your programs hw2a.cpp for part A and hw2b.cpp for part B. Program must be able to compile or you will get at most 1 out of 2 points for the assignment. Part A: BMI The following exercise is taken from p.238

42 views • 3 slides
Detection of Software Vulnerabilities: Static Analysis (Part II) Lucas Cordeiro Department of

Detection of Software Vulnerabilities: Static Analysis (Part II) Lucas Cordeiro Department of

Systems and Software Verification Laboratory Detection of Software Vulnerabilities: Static Analysis (Part II) Lucas Cordeiro Department of Computer Science lucas.cordeiro@manchester.ac.uk Static Analysis (Part II) Lucas Cordeiro (Formal

2.24k views • 169 slides
NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2

NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2

1 NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2 Memory safety attacks Buffer overruns Format string vulnerabilities Web application vulnerabilities SQL injections Cross-site

901 views • 39 slides
vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration

Security &amp; Knowledge Management a.a. 2019/20 There are a set of sources that provide updated information about security vulnerabilities CVE, Common Vulnerabilities and Exposures CWE, Common Weakness Enumeration CAPEC,

197 views • 8 slides
Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Some Terminology Software error A programming mistake that make the software not meet its expectation Software

726 views • 59 slides
Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different

Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different

Operating System Hardening Vulnerabilities Unique vulnerabilities for: Different operating systems Different vendors Client and server systems Vendors try to correct Attackers try to exploit Security professionals must

620 views • 11 slides
Detection of Software Vulnerabilities: Static Analysis (Part I) Lucas Cordeiro Department of

Detection of Software Vulnerabilities: Static Analysis (Part I) Lucas Cordeiro Department of

Systems and Software Verification Laboratory Detection of Software Vulnerabilities: Static Analysis (Part I) Lucas Cordeiro Department of Computer Science lucas.cordeiro@manchester.ac.uk Static Analysis Lucas Cordeiro (Formal Methods

1.9k views • 188 slides
HOWTO Reminders Basic Vulnerabilities and their Vulnerabilities Exploitation Security Samuel

HOWTO Reminders Basic Vulnerabilities and their Vulnerabilities Exploitation Security Samuel

HOWTO Basic Vulnerabilities and their Exploitation Samuel Angebault HOWTO Reminders Basic Vulnerabilities and their Vulnerabilities Exploitation Security Samuel Angebault staphylo@lse.epita.fr http://lse.epita.fr/ July 18, 2013 Table

969 views • 57 slides
Interactive Programs and Technology Part 2: Interactive Programs and Technology In this workshop

Interactive Programs and Technology Part 2: Interactive Programs and Technology In this workshop

Interactive Programs and Technology Part 2: Interactive Programs and Technology In this workshop portion well: Make the case for technology Introduce podcasts, blogs, and visual storytelling Visual storytelling walkthrough

328 views • 28 slides
Researching Current Programs and Policies Know Your Issue Modules (Part 2) Workshop Goals:

Researching Current Programs and Policies Know Your Issue Modules (Part 2) Workshop Goals:

Bonner Education Curriculum Researching Current Programs and Policies Know Your Issue Modules (Part 2) Workshop Goals: Understand the following: Theory of change, Logic Models, and how they relate to Evidence-Based Programs Skills:

590 views • 32 slides
TRENDS IN WEB VULNERABILITIES MICHEL CHAMBERLAND Introduction Agenda Introduction

TRENDS IN WEB VULNERABILITIES MICHEL CHAMBERLAND Introduction Agenda Introduction

TRENDS IN WEB VULNERABILITIES MICHEL CHAMBERLAND Introduction Agenda Introduction Session Goals Presenter and Trustwave SpiderLabs background Analysis Overview Data Source Most frequently found SEVERE vulnerabilities

907 views • 62 slides
The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security

CS 640: Introduction to Computer Networks Aditya Akella Lecture 25 Network Security The Road Ahead Security Vulnerabilities DoS and D-DoS Firewalls Security Vulnerabilities Security Problems in the TCP/IP Protocol

1.29k views • 13 slides
PWNING 101 - p.1 spritzers - CTF team spritz.math.unipd.it/spritzers.html Disclaimer All

PWNING 101 - p.1 spritzers - CTF team spritz.math.unipd.it/spritzers.html Disclaimer All

PWNING 101 - p.1 spritzers - CTF team spritz.math.unipd.it/spritzers.html Disclaimer All information presented here has the only purpose to teach how vulnerabilities work. Use them to win CTFs and to build secure systems. Do not hack your

957 views • 50 slides
ECE590 Computer and Information Security Fall 2018 Buffer Overflows and Software Security Tyler

ECE590 Computer and Information Security Fall 2018 Buffer Overflows and Software Security Tyler

ECE590 Computer and Information Security Fall 2018 Buffer Overflows and Software Security Tyler Bletsch Duke University What is a Buffer Overflow? Intent Arbitrary code execution Spawn a remote shell or infect with worm/virus

1.26k views • 76 slides
Buffer Overflow Attack Outline Understanding of Stack Layout Vulnerable code

Buffer Overflow Attack Outline Understanding of Stack Layout Vulnerable code

Buffer Overflow Attack Outline Understanding of Stack Layout Vulnerable code Challenges in exploitation Shellcode Countermeasures Program Memory Stack a,b, ptr ptr points to the memory here y x Order of the function

368 views • 36 slides
Ausgewhlte Betriebssysteme Memory 1 Memory Management Kernel Page Frames Buddy

Ausgewhlte Betriebssysteme Memory 1 Memory Management Kernel Page Frames Buddy

Ausgewhlte Betriebssysteme Memory 1 Memory Management Kernel Page Frames Buddy Allocator Slab Allocators Buffer Cache Page Cache Process Memory Regions 2 Memory Map 3 Page Frame kernel must keep track of

878 views • 43 slides
Part II Lets make it real Memory Layout of a Process In reality Addresses are written in

Part II Lets make it real Memory Layout of a Process In reality Addresses are written in

Part II Lets make it real Memory Layout of a Process In reality Addresses are written in hexadecimal: For instance, consider the assembly code for IE(): 0x08048428 &lt;+0&gt;: push %ebp 0x08048429 &lt;+1&gt;: mov %esp,%ebp

582 views • 31 slides
Lecture 05 Integer overflow Stephen Checkoway University of Illinois at Chicago Unsafe

Lecture 05 Integer overflow Stephen Checkoway University of Illinois at Chicago Unsafe

Lecture 05 Integer overflow Stephen Checkoway University of Illinois at Chicago Unsafe functions in libc strcpy strcat gets scanf family (fscanf, sscanf, etc.) (rare) printf family (more about these later) memcpy (need

573 views • 18 slides
CS 241 Data Organization Buffer Overflows December 4, 2018 The Problem Exploitation Use

CS 241 Data Organization Buffer Overflows December 4, 2018 The Problem Exploitation Use

CS 241 Data Organization Buffer Overflows December 4, 2018 The Problem Exploitation Use large strings (or other datatypes) to overflow a buffer Craft input to make the server do whatever you want Easy to crash a program Harder

256 views • 11 slides
Secure Software Programming and Vulnerability Analysis Christopher Kruegel

Secure Software Programming and Vulnerability Analysis Christopher Kruegel

Automation Systems Group Secure Software Programming and Vulnerability Analysis Christopher Kruegel chris@auto.tuwien.ac.at http://www.auto.tuwien.ac.at/~chris Automation Systems Group Buffer Overflows Secure Software Programming 2

520 views • 17 slides

More recommend