CSC 495/583 Topics of Software Security Stack Overflows (2)

Slides:



Advertisements
Similar presentations
Smashing the Stack for Fun and Profit
Advertisements

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.
Review: Software Security David Brumley Carnegie Mellon University.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
English Shellcode J. Mason, S. Small, F. Monrose, G. MacManus CCS ’09 Presented by: Eugenie Lee EE515/IS523: Security101: Think Like an Adversary.
Buffer Overflow. Process Memory Organization.
Netprog: Buffer Overflow1 Buffer Overflow Exploits Taken shamelessly from: netprog/overflow.ppt.
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Buffer overflows.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)
Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.
Introduction: Exploiting Linux. Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend,
Mitigation of Buffer Overflow Attacks
Brian E. Brzezicki. This tutorial just illustrates the underlying concepts of buffer overflows by way of an extremely simple stack overflow  Most buffer.
CSCD 303 Essential Computer Security Spring 2013 Lecture 17 Buffer Overflow Attacks.
Buffer Overflow CS461/ECE422 Spring Reading Material Based on Chapter 11 of the text.
Lecture 8: Buffer Overflow CS 436/636/736 Spring 2013 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)
Shellcode Development -Femi Oloyede -Pallavi Murudkar.
Information Leaks Without Memory Disclosures: Remote Side Channel Attacks on Diversified Code Jeff Seibert, Hamed Okhravi, and Eric Söderström Presented.
Buffer overflow and stack smashing attacks Principles of application software security.
Group 9. Exploiting Software The exploitation of software is one of the main ways that a users computer can be broken into. It involves exploiting the.
Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 11, 2011.
CNIT 127: Exploit Development Ch 8: Windows Overflows Part 1.
Analyzing C/C++ Vulnerabilities -- Mike Gerschefske.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2014.
Let’s look at an example
Secure Programming Dr. X
Shellcode COSC 480 Presentation Alison Buben.
Refs: rootshell, antionline, your favorite hacker site…
Buffer Overflows ...or How I Learned to Never Trust the User
Mitigation against Buffer Overflow Attacks
Remix: On-demand Live Randomization
Protecting Memory What is there to protect in memory?
CSC 495/583 Topics of Software Security Stack Overflows
Protecting Memory What is there to protect in memory?
Secure Programming Dr. X
Protecting Memory What is there to protect in memory?
Introduction to Information Security
CSC 495/583 Topics of Software Security Return-oriented programming
CMSC 414 Computer and Network Security Lecture 21
CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst
SEED Workshop Buffer Overflow Lab
Software Security Lesson Introduction
Format String.
Address Space Layout Randomization (ASLR) Dirk Gordon
Lecture 9: Buffer Overflow*
CSC 495/583 Topics of Software Security Format String Bug (2) & Heap
Smashing the Stack for Fun and Profit
CSC 495/583 Topics of Software Security StackGuard & Format String Bug
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2015.
CNT4704: Analysis of Computer Communication Network Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Fall 2011.
Week 2: Buffer Overflow Part 2.
CS5123 Software Validation and Quality Assurance
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2016.
Understanding and Preventing Buffer Overflow Attacks in Unix
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2013.
FIGURE Illustration of Stack Buffer Overflow
Several Tips on Project 1
Return-to-libc Attacks
Presentation transcript:

CSC 495/583 Topics of Software Security Stack Overflows (2) Class5 CSC 495/583 Topics of Software Security Stack Overflows (2) Dr. Si Chen (schen@wcupa.edu)

Review

Overflow.c

Overflow.c

Overflow.c

Bug  Vulnerability Step 1. Fine the vulnerability Read & read & read the code (code audit) Fuzz testing Crash Output some info that shouldn’t been output

Bug  Vulnerability Step 2. Control-flow Hijack Try to change the flow of the program Change the return address Change the function pointer, so the behavior of the will change when called Change the variable, change the behavior of the function (e.g. uid = 0)

Bug  Vulnerability Step 3. Execute Payload Launch the attack Open a shell Read/write file/data Implement backdoor…

Buffer Overflow Common Unsafe C Functions

Stack Buffer Overflow The local variable stored on Stack has overflow vulnerability. Use new value to cover the return address Other name: Stack smashing

Return Hijack The return address will be stored on stack when calling a new function. (EIP) The local valuable will be store on the low address If the variable is an array, and if we store too many data, it will cover the return address which store on the high address.

From Crash to Hack If the input is larger than the size of the array, normally, the program will crash. Need to craft special data to exploit this vulnerability. The general idea is to overflow a buffer so that it overwrites the return address. AAAA BBBB CCCC DDDD New Return Address

Jump to Shellcode When the function is done it will jump to whatever address is on the stack. We put some code in the buffer and set the return address to point to it! Small Program New Return Address

How? How do we know what value the pointer should have (the new “return address”). It’s the address of the buffer, but how do we know what address this is? How do we build the “small program” and put it in a string? Small Program New Return Address

Guessing Addresses Typically you need the source code so you can estimate the address of both the buffer and the return-address. An estimate is often good enough! (more on this in a bit).

Crafting Shellcode (the small program) Example: launch a shell shellcode.asm

Crafting Shellcode (the small program) Example: launch a shell To compile it use nasm: shellcode.asm Use objdump to get the shellcode bytes:

Crafting Shellcode (the small program) Extracting the bytes gives us the shellcode: \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80

Finding a possible place to inject shellcode \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80 Small Program New Return Address

Finding a possible place to inject shellcode \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80 Small Program Use GDB to figure out the memory address of the beginning of the buffer New Return Address

NOP slide

NOP slide Using NOPs Most CPUs have a No-Operation instruction – it does nothing but advance the instruction pointer. Usually we can put a bunch of these ahead of our program (in the string). As long as the new return-address points to a NOP we are OK.

NOP slide \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 Small Program \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80 New Return Address

Estimating the stack size We can also guess at the location of the return address relative to the overflowed buffer. Put in a bunch of new return addresses!

Estimating the Location \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80 Small Program New Return Address New Return Address New Return Address

Protection: ASLR, DEP, Stack Protector Shutdown ASLR (Address space layout randomization) -fno-stack-protector Shutdown stack protector -z execstack Shutdown DEP(Data Execution Prevention)

Protection: ASLR, DEP, Stack Protector Address Space Layout Randomization (ASLR) is a technology used to help prevent shellcode from being successful. It does this by randomly offsetting the location of modules and certain in-memory structures. 

Protection: ASLR, DEP, Stack Protector Data Execution Prevention (DEP) prevents certain memory sectors, e.g. the stack, from being executed. Stack protection will abort your program if it detects stack overflow. That’s why I failed last time …. Bypassing ASLR/DEP - exploit-db

Q & A

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com. Inc. All rights reserved.