CSC 495/583 Topics of Software Security Format String Bug (2) & Heap

Slides:



Advertisements
Similar presentations
Dynamic Memory Management
Advertisements

CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Review: Software Security David Brumley Carnegie Mellon University.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow II: Defense Techniques Cliff Zou Spring 2012.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow II: Defense Techniques Cliff Zou Spring 2013.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
1 - buttons Click “Step Forward” to execute one line of the program. Click “Reset” to start over. “Play,” “Stop,” and “Step Back” are disabled in this.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
CS 11 C track: lecture 5 Last week: pointers This week: Pointer arithmetic Arrays and pointers Dynamic memory allocation The stack and the heap.
Outline Midterm results Static variables Memory model
Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.
Mitigation of Buffer Overflow Attacks
1 C - Memory Simple Types Arrays Pointers Pointer to Pointer Multi-dimensional Arrays Dynamic Memory Allocation.
Pointers and Arrays Beyond Chapter Pointers and Arrays What are the real differences? Pointer Holds the address of a variable Can be pointed.
Stack and Heap Memory Stack resident variables include:
Brian E. Brzezicki. This tutorial just illustrates the underlying concepts of buffer overflows by way of an extremely simple stack overflow  Most buffer.
CNIT 127: Exploit Development Ch 4: Introduction to Format String Bugs.
Programming for Beginners Martin Nelson Elizabeth FitzGerald Lecture 15: More-Advanced Concepts.
Buffer Overflow CS461/ECE422 Spring Reading Material Based on Chapter 11 of the text.
1 Dynamic Memory Allocation –The need –malloc/free –Memory Leaks –Dangling Pointers and Garbage Collection Today’s Material.
Overflow Examples 01/13/2012. ACKNOWLEDGEMENTS These slides where compiled from the Malware and Software Vulnerabilities class taught by Dr Cliff Zou.
Buffer Overflow Proofing of Code Binaries By Ramya Reguramalingam Graduate Student, Computer Science Advisor: Dr. Gopal Gupta.
Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.
Memory Layout, File I/O Bryce Boe 2013/06/27 CS24, Summer 2013 C.
CNIT 127: Exploit Development Ch 8: Windows Overflows Part 2.
+ Dynamic memory allocation. + Introduction We often face situations in programming where the data is dynamics in nature. Consider a list of customers.
Buffer overflow and stack smashing attacks Principles of application software security.
1 Lecture07: Memory Model 5/2/2012 Slides modified from Yin Lou, Cornell CS2022: Introduction to C.
Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 11, 2011.
Advanced Pointer Topics. Pointers to Pointers u A pointer variable is a variable that takes some memory address as its value. Therefore, you can have.
VM: Chapter 7 Buffer Overflows. csci5233 computer security & integrity (VM: Ch. 7) 2 Outline Impact of buffer overflows What is a buffer overflow? Types.
DYNAMIC MEMORY ALLOCATION. Disadvantages of ARRAYS MEMORY ALLOCATION OF ARRAY IS STATIC: Less resource utilization. For example: If the maximum elements.
Variables Bryce Boe 2012/09/05 CS32, Summer 2012 B.
CSC 482/582: Computer Security
Heap Overflow Attacks.
Mitigation against Buffer Overflow Attacks
Buffer Overflow Buffer overflows are possible because C doesn’t check array boundaries Buffer overflows are dangerous because buffers for user input are.
CMSC 341 Lecture 2 – Dynamic Memory and Pointers (Review)
Protecting Memory What is there to protect in memory?
Introduction to Information Security
The Hardware/Software Interface CSE351 Winter 2013
CSC 495/583 Topics of Software Security Stack Overflows
CSC 495/583 Topics of Software Security Heap Exploitation (2)
CSC 495/583 Topics of Software Security Heap Exploitation
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow II: Defense Techniques Cliff Zou Spring 2016.
CSC 495/583 Topics of Software Security Stack Overflows (2)
Checking Memory Management
CSC 495/583 Topics of Software Security Return-oriented programming
CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst
Memory Management III: Perils and pitfalls Mar 13, 2001
Dynamic Memory Allocation
Memory Allocation CS 217.
Software Security Lesson Introduction
Format String.
Dr. Si Chen Class15 CSC 495/583 Topics of Software Security Bypassing ASLR/NX with GOT Overwrite Dr. Si Chen
CSC 495/583 Topics of Software Security StackGuard & Format String Bug
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow II: Defense Techniques Cliff Zou Spring 2011.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2015.
The future of Software Security Dr. Si Chen
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow II: Defense Techniques Cliff Zou Spring 2009.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2016.
Understanding and Preventing Buffer Overflow Attacks in Unix
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2013.
CNT4704: Analysis of Computer Communication Network Special Topic: Buffer Overflow II: Defense Techniques Cliff Zou Fall 2011.
Format String Vulnerability
CSE 303 Concepts and Tools for Software Development
Return-to-libc Attacks
Presentation transcript:

CSC 495/583 Topics of Software Security Format String Bug (2) & Heap Class19 CSC 495/583 Topics of Software Security Format String Bug (2) & Heap Dr. Si Chen (schen@wcupa.edu)

StackGuard turn off stack guard Insert Canary before the function being called. Check this value to see if it been tweaked Cowan, Crispan, et al. "Stackguard: automatic adaptive detection and prevention of buffer-overflow attacks." USENIX Security Symposium. Vol. 98. 1998. https://www.usenix.org/legacy/publications/library/proceedings/sec98/full_papers/cowan/cowan.pdf

StackGuard: Stack Reading Overflow one more byte and try every possible value If no crash  success Crash  wrong guess

Format String Bug

Format String Bug What is a Format String? A Format String is an ASCII string that contains text and format parameters printf("%s %d\n", str, a); fprintf(stderr, "%s %d\n", str, a); sprintf(buffer, "%s %d\n", str, a); E.g. My name is Chen

Format String Bug

Advanced Usage: Format String Direct Access

fmt_write.c In C printf(), %n is a special format specifier which instead of printing something causes printf() to load the variable pointed by the corresponding argument with a value equal to the number of characters that have been printed by printf() before the occurrence of %n.

Write data in any memory address: %n  DWORD %hn  WORD %hhn  BYTE

What is this BUG used for? Read data in any memory address: %s to read data in an arbitrary memory address Write data in any memory address: printf not only allows you to read but also write %n

Read data in any memory address: Exercise: fmt_test.c Read data in any memory address: %s to read data in an arbitrary memory address Dump the whole program!

Find offset Offset is 11

Data stored in that Memory Address Leak Data MemoryAddress%11$x Data stored in that Memory Address 0xFFFFFFFF%11$x  0xDEADBEEF Address Data 0xFFFFFFFF 0xDEADBEEF

Another Issue printf use \x00 to judge the end of the string Solution: add some dummy characters to avoid truncate:

Dump the whole program!

What is this BUG used for? Disclose sensitive information: Variable(s) EBP value The correct location for putting Shellcode

What is this BUG used for? Disclose StackGuard Canary: By pass stack checking

What is this BUG used for? Disclose Library Address When enable ASLR, the library address will change each time It’s impossible to call these functions in your shellcode (e.g. system()) Use this bug to disclose one function’s address in a given library. you can use it to deduce other function’s address

What is this BUG used for? Disclose Library Address When enable ASLR, the library address will change each time It’s impossible to call these functions in your shellcode (e.g. system()) Use this bug to disclose one function’s address in a given library. you can use it to deduce other function’s address

GOT Overwrite Attack with Format String Bug

The Heap

It’s just another segment in runtime memory The Heap 0x00000000 Runtime Memory Libraries (libc) ELF Executable .text segment .data segment Heap Stack It’s just another segment in runtime memory 0xFFFFFFFF

Basics of Dynamic Memory int main() { char * buffer = NULL; /* allocate a 0x100 byte buffer */ buffer = malloc(0x100); /* read input and print it */ fgets(stdin, buffer, 0x100); printf(“Hello %s!\n”, buffer); /* destroy our dynamically allocated buffer */ free(buffer); return 0; }

Heap vs Stack Heap Dynamic memory allocations at runtime Objects, big buffers, structs, persistence, larger things Slower, Manual Done by the programmer malloc/calloc/recalloc/free new/delete Stack Fixed memory allocations known at compile time Local variables, return addresses, function args Fast, Automatic Done by the compiler Abstracts away any concept of allocating/de-allocating

malloc in glibc ptmalloc

unsigned int * buffer = NULL; buffer = ptmalloc(0x100); Heap Chunks unsigned int * buffer = NULL; buffer = ptmalloc(0x100); //Out comes a heap chunk Heap Chunk Previous Chunk Size (4 bytes) Chunk Size (4 bytes) Data (8 + (n / 8)*8 bytes) Flags *(buffer-2) *(buffer-1) *buffer

Pseudo Memory Map Runtime Memory Runtime Memory MBE - 04/07/2015 2727 0x00000000 – Start of memory 0x00000000 – Start of memory Runtime Memory Libraries (libc) ELF Executable .text segment .data segment Heap Stack Runtime Memory Libraries (libc) ELF Executable .text segment .data segment Heap Stack 0x08048000 – Start of .text Segment 0x08048000 – Start of .text Segment 0xb7ff0000 – Top of heap 0xbfff0000 – Top of stack 0xFFFFFFFF – End of memory MBE - 04/07/2015 Heap Exploitation 2727

Heap Allocations Runtime Memory Heap Segment Previous Chunk Size 0x00000000 Runtime Memory Libraries (libc) ELF Executable .text segment .data segment Heap Stack Heap Segment ---------------------------------> Grows towards higher memory Previous Chunk Size Chunk Size Data 0xFFFFFFFF

Heap Allocations Runtime Memory Heap Segment Previous Chunk Size 0x00000000 Runtime Memory Libraries (libc) ELF Executable .text segment .data segment Heap Stack Heap Segment ---------------------------------> Grows towards higher memory Previous Chunk Size Chunk Size Data 0xFFFFFFFF

Heap Allocations Runtime Memory Heap Segment Previous Chunk Size 0x00000000 Runtime Memory Libraries (libc) ELF Executable .text segment .data segment Heap Stack Heap Segment ---------------------------------> Grows towards higher memory Previous Chunk Size Chunk Size Data 0xFFFFFFFF

Heap chunks exist in two states Heap Chunks – In Use Heap chunks exist in two states in use (malloc’d) free’d Heap Chunk Previous Chunk Size (4 bytes) Chunk Size (4 bytes) Data (8 + (n / 8)*8 bytes) Flags *(buffer-2) *(buffer-1) *buffer

free(buffer); Heap Chunk (freed) Forward Pointer Backwards Pointer Heap Chunks – Freed free(buffer); Forward Pointer A pointer to the next freed chunk Backwards Pointer A pointer to the previous freed chunk Heap Chunk (freed) Previous Chunk Size (4 bytes) Chunk Size (4 bytes) FD (4 bytes) BK (4 bytes) Flags *(buffer-2) *(buffer-1) *buffer *(buffer+1)

Heap Overflows Runtime Memory Heap Segment Previous Chunk Size 0x00000000 Runtime Memory Libraries (libc) ELF Executable .text segment .data segment Heap Stack Heap Segment ---------------------------------> Grows towards higher memory Previous Chunk Size Chunk Size Data 0xFFFFFFFF

Heap Overflows Buffer overflows are basically the same on the heap as they are on the stack 0x00000000 Runtime Memory Libraries (libc) ELF Executable .text segment .data segment Heap Stack Heap Segment ---------------------------------> Grows towards higher memory Previous Chunk Size Chunk Size AAAAAAAAAAAAAA AAAAAAAAAAAAAA AAAAAAAAAAAAAA AAAAAAAAAAAAAA AAAAAAAAAAAAAA … heap overflow Data Previous Chunk Size Chunk Size Data 0xFFFFFFFF

Heap Overflows In the real world, lots of cool and complex things like objects/structs end up on the heap Anything that handles the data you just corrupted is now viable attack surface in the application It’s common to put function pointers in structs which generally are malloc’d on the heap Overwrite a function pointer on the heap, and force a codepath to call that object’s function!

Q & A

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.