The future of Software Security Dr. Si Chen

Slides:

Advertisements

Similar presentations

Secure Coding in C and C++ Dynamic Memory Management

Advertisements

Dynamic memory allocation

Dynamic Memory Management

Introduction to Memory Management. 2 General Structure of Run-Time Memory.

Dynamic Memory Allocation I Topics Simple explicit allocators Data structures Mechanisms Policies CS 105 Tour of the Black Holes of Computing.

Dynamic Memory Allocation I Topics Basic representation and alignment (mainly for static memory allocation, main concepts carry over to dynamic memory.

Chris Riesbeck, Fall 2007 Dynamic Memory Allocation Today Dynamic memory allocation – mechanisms & policies Memory bugs.

CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson

User-Level Memory Management in Linux Programming

Pointer applications. Arrays and pointers Name of an array is a pointer constant to the first element whose value cannot be changed Address and name refer.

Week 7 - Friday.  What did we talk about last time?  Allocating 2D arrays.

1 Optimizing Malloc and Free Professor Jennifer Rexford COS 217 Reading: Section 8.7 in K&R book

DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.

Binghamton University CS-220 Spring 2015 Binghamton University CS-220 Spring 2015 Heap Management.

Stacks and HeapsCS-3013 A-term A Short Digression on Stacks and Heaps CS-3013 Operating Systems A-term 2008 (Slides include materials from Modern.

Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:

Digression on Stack and Heaps CS-502 (EMC) Fall A Short Digression on Stacks and Heaps CS-502, Operating Systems Fall 2009 (EMC) (Slides include.

1 Optimizing Malloc and Free Professor Jennifer Rexford

Memory Layout C and Data Structures Baojian Hua

Software bugs (and security implications). Software security Code can have perfect design and algorithm, but still have implementation vulnerabilities.

Address Space Layout Permutation

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Outline Midterm results Static variables Memory model

Computer Security and Penetration Testing

Dynamic Memory Allocation The process of allocating memory at run time is known as dynamic memory allocation. C does not Inherently have this facility,

CIS 450 – Network Security Chapter 7 – Buffer Overflow Attacks.

Chapter 8 – Main Memory (Pgs ). Overview  Everything to do with memory is complicated by the fact that more than 1 program can be in memory.

University of Washington Today Finished up virtual memory On to memory allocation Lab 3 grades up HW 4 up later today. Lab 5 out (this afternoon): time.

CNIT 127: Exploit Development Ch 4: Introduction to Heap Overflows

Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.

Lecture 9: Buffer Ovefflows and ROP EEN 312: Processors: Hardware, Software, and Interfacing Department of Electrical and Computer Engineering Spring 2014,

What is exactly Exploit writing?  Writing a piece of code which is capable of exploit the vulnerability in the target software.

CNIT 127: Exploit Development Ch 8: Windows Overflows Part 2.

Processes and Virtual Memory

Lecture 13 Page 1 CS 236 Online Major Problem Areas for Secure Programming Certain areas of programming have proven to be particularly prone to problems.

Consider Starting with 160 k of memory do: Starting with 160 k of memory do: Allocate p1 (50 k) Allocate p1 (50 k) Allocate p2 (30 k) Allocate p2 (30 k)

Sairajiv Burugapalli. This chapter covers three main categories of classic software vulnerability: Buffer overflows Integer vulnerabilities Format string.

Group 9. Exploiting Software The exploitation of software is one of the main ways that a users computer can be broken into. It involves exploiting the.

Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.

CSE 351 Dynamic Memory Allocation 1. Dynamic Memory Dynamic memory is memory that is “requested” at runtime Solves two fundamental dilemmas: How can.

Beyond Stack Smashing: Recent Advances In Exploiting Buffer Overruns Jonathan Pincus and Brandon Baker Microsoft Researchers IEEE Security and.

Heap Overflow Attacks.

Chapter 17 Free-Space Management

Major Problem Areas for Secure Programming

Buffer Overflow Buffer overflows are possible because C doesn’t check array boundaries Buffer overflows are dangerous because buffers for user input are.

Protecting Memory What is there to protect in memory?

Jonathan Walpole Computer Science Portland State University

Protecting Memory What is there to protect in memory?

CSC 495/583 Topics of Software Security Heap Exploitation (2)

Protecting Memory What is there to protect in memory?

Chapter 9: Virtual Memory – Part I

CSC 495/583 Topics of Software Security Heap Exploitation

Dynamic Memory Allocation

C Programming Language Review and Dissection IV

Von Neumann model - Memory

The Hardware/Software Interface CSE351 Winter 2013

Optimizing Malloc and Free

CS Introduction to Operating Systems

Dynamic Memory Allocation

Software Security Lesson Introduction

CSC 495/583 Topics of Software Security Format String Bug (2) & Heap

Optimizing Dynamic Memory Management

Von Neumann model - Memory

CS703 - Advanced Operating Systems

Understanding and Preventing Buffer Overflow Attacks in Unix

Buddy Allocation CS 161: Lecture 5 2/11/19.

COMP755 Advanced Operating Systems

FIGURE Illustration of Stack Buffer Overflow

Week 7 - Friday CS222.

Process Address Spaces and Binary Formats

Presentation transcript:

The future of Software Security Dr. Si Chen (schen@wcupa.edu) Class22 CSC 495/583 Topics of Software Security Heap Exploitation (3): , House of Force The future of Software Security Dr. Si Chen (schen@wcupa.edu)

glibc source code https://code.woboq.org/userspace/glibc/malloc/malloc.c.html

free(buffer); Heap Chunk (freed) Forward Pointer Backwards Pointer Heap Chunks – Freed unsigned int * buffer = NULL; buffer = malloc(0x100); free(buffer); Forward Pointer A pointer to the next freed chunk Backwards Pointer A pointer to the previous freed chunk Heap Chunk (freed) Previous Chunk Size (4 bytes) Chunk Size (4 bytes) FD (4 bytes) BK (4 bytes) Flags *(buffer-2) *(buffer-1) *buffer *(buffer+1)

unsigned int * buffer = NULL; buffer = malloc(0x100); Heap Chunks unsigned int * buffer = NULL; buffer = malloc(0x100); //Out comes a heap chunk Heap Chunk Previous Chunk Size (4 bytes) Chunk Size (4 bytes) Data (8 + (n / 8)*8 bytes) Flags *(buffer-2) *(buffer-1) *buffer

Heap Allocations Runtime Memory Heap Segment Previous Chunk Size 0x00000000 Runtime Memory Libraries (libc) ELF Executable .text segment .data segment Heap Stack Heap Segment ---------------------------------> Grows towards higher memory Previous Chunk Size Chunk Size Data 0xFFFFFFFF

Heap Allocations Runtime Memory Heap Segment Previous Chunk Size 0x00000000 Runtime Memory Libraries (libc) ELF Executable .text segment .data segment Heap Stack Heap Segment ---------------------------------> Grows towards higher memory Previous Chunk Size Chunk Size Data 0xFFFFFFFF

The truth

The Malloc Maleficarum (2004) In late 2001, "Vudo Malloc Tricks" and "Once Upon A free()" defined the exploitation of overflowed dynamic memory chunks on Linux. In late 2004, a series of patches to GNU libc malloc implemented over a dozen mandatory integrity assertions, effectively rendering the existing techniques obsolete. It is for this reason, a small suggestion of impossibility, that they present the Malloc Maleficarum: The House of Prime The House of Mind The House of Force The House of Lore The House of Spirit The House of Chaos

The Malloc Maleficarum (2004) In late 2001, "Vudo Malloc Tricks" and "Once Upon A free()" defined the exploitation of overflowed dynamic memory chunks on Linux. In late 2004, a series of patches to GNU libc malloc implemented over a dozen mandatory integrity assertions, effectively rendering the existing techniques obsolete. It is for this reason, a small suggestion of impossibility, that they present the Malloc Maleficarum: The House of Prime The House of Mind The House of Force The House of Lore The House of Spirit The House of Chaos https://dl.packetstormsecurity.net/papers/attack/MallocMaleficarum.txt

House of Force House of Force: In this technique, attacker abuses top chunk size and tricks ‘glibc malloc’ to service a very large memory request (greater than heap system memory size) using top chunk. Now when a new malloc request is made, GOT entry of free would be overwritten with shellcode address. Hence from now on whenever free is called, shellcode gets executed!!

Mechanism of glibc malloc Allocated chunk Free chunk Top chunk

Top Chunk Top Chunk: Chunk which is at the top border of an arena is called top chunk. It doesn't belong to any bin. Top chunk is used to service user request when there is NO free blocks, in any of the bins. If top chunk size is greater than user requested size top chunk is split into two: User chunk (of user requested size) Remainder chunk (of remaining size) The remainder chunk becomes the new top. If top chunk size is lesser than user requested size, top chunk is extended using sbrk (main arena) or mmap (thread arena) syscall.

House of Force

House of Force This attack assumes an overflow into the top chunk's header. The size is modified to a very large value (-1 in this example). This ensures that all initial requests will be services using the top chunk, instead of relying on mmap. On a 64 bit system, -1 evaluates to 0xFFFFFFFFFFFFFFFF. A chunk with this size can cover the entire memory space of the program.

House of Force Let us assume that the attacker wishes 'malloc' to return address P. Now, any malloc call with the size of: &top_chunk - P will be serviced using the top chunk. Note that P can be after or before the top_chunk.

House of Force Prerequisites: Three malloc calls are required to successfully apply house of force as listed below: Malloc 1: Attacker should be able to control the size of top chunk. Hence heap overflow should be possible on this allocated chunk which is physically located previous to top chunk. Malloc 2: Attacker should be able to control the size of this malloc request. Malloc 3: User input should be copied to this allocated chunk.

Exercise: House_of_force.c Source Code: https://heap-exploitation.dhavalkapil.com/assets/files/house_of_force.c Solution: https://heap-exploitation.dhavalkapil.com/attacks/house_of_force.html

Exercise: BambooBox Source Code: https://github.com/ctf-wiki/ctf-challenges/blob/master/pwn/heap/house-of-force/hitcontraning_lab11/bamboobox.c Solution: https://github.com/ctf-wiki/ctf-challenges/blob/master/pwn/heap/house-of-force/hitcontraning_lab11/exp.py

The future …

Unsustainable Complexity Exploits are getting more and more complex More bugs More time More money

Unsustainable Complexity $$$$$ Exploit Complexity $ 2017 Years 20?? At what point do hobbyists have to draw the line? Companies? Contractors? Nation States?

Unsustainable Complexity $$$$$ nation states sec firms the hobbyist Exploit Complexity $ 2017 Years 20??

Systems and applications will never be perfectly secure. Period. The Security Mindset Systems and applications will never be perfectly secure. Period. They just have to be hard enough to break that nobody can afford it anymore

The Weakest Link - Humans https://xkcd.com/538/

The Future of Security Memory corruption based exploits will no longer be feasible to produce for the average desktop or server In the immediate 10-20 years (?) Embedded devices are further behind

Implementation & logic flaws will probably always exist The Future of Security Implementation & logic flaws will probably always exist – You can’t really fix stupid What we will see and discover more of: Sponsored backdoors, ‘cheating’ Hardware backdoors, flaws, supply chain trust Crypto backdoors, subtle design flaws

Q & A