Preventing Buffer Overflows (for C programmers)

Slides:



Advertisements
Similar presentations
What is a pointer? First of all, it is a variable, just like other variables you studied So it has type, storage etc. Difference: it can only store the.
Advertisements

CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Buffer Overflow Intro. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Preventing Buffer Overflows (for C programmers)
Buffer Overflow Causes. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Buffer Overflow Causes Author: Jedidiah.
Buffer Overflow Exploits CS-480b Dick Steflik. What is a buffer overflow? Memory global static heap malloc( ), new Stack non-static local variabled value.
Teaching Buffer Overflow Ken Williams NC A&T State University.
Teaching Buffer Overflow Ken Williams NC A&T State University.
Building Secure Software Chapter 9 Race Conditions.
Software Engineering Lifecycle. ©2002. Jan G. Hogle, Susan L. Gerhart. Software Engineering Lifecycle Authors: Jan G. Hogle,
C Programmer Quiz. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Quiz: For C Programmers Author: Jedidiah.
1 - buttons Click “Step Forward” to execute one line of the program. Click “Reset” to start over. “Play,” “Stop,” and “Step Back” are disabled in this.
Buffer Overflow Defenses. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Buffer Overflow Defenses Author:
Introduction to Buffer Overflows Author: Jedidiah R. Crandall, Distributed: 14 July 2002 Embry-Riddle Aeronautical University in Prescott,
Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.
Computer Security and Penetration Testing
Buffer Overflow Intro. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Introduction to Buffer Overflows Author:
Embry-Riddle Aeronautical University Prescott, Arizona
IT253: Computer Organization Lecture 3: Memory and Bit Operations Tonga Institute of Higher Education.
Buffer Overflow Causes Quiz. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Quiz: Buffer Overflow Causes Author:
Buffer Overflow Defenses. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Buffer Overflow Defenses Author:
Buffer Overflow Defenses Quiz. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Quiz: Buffer Overflow Defenses.
Buffer Overflow Group 7Group 8 Nathaniel CrowellDerek Edwards Punna ChalasaniAxel Abellard Steven Studniarz.
How to Use BO Demos. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. How to Use Buffer Overflow Demos (applets)
Lecture 14 Page 1 CS 236 Online Variable Initialization Some languages let you declare variables without specifying their initial values And let you use.
Lecture 13 Page 1 CS 236 Online Major Problem Areas for Secure Programming Certain areas of programming have proven to be particularly prone to problems.
Intro to Buffer Overflow Quiz. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Quiz: Buffer Overflow Intro Author:
David Evans CS201j: Engineering Software University of Virginia Computer Science Lecture 9: Designing Exceptionally.
Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Embedding Assembly Code in C Programs תרגול 7 שילוב קוד אסמבלי בקוד C.
Announcements Assignment 1 due Wednesday at 11:59PM Quiz 1 on Thursday 1.
1988 Morris Worm … estimated 10% penetration 2001 Code Red … 300,00 computers breached 2003 Slammer/Sapphire … 75,00 infections in 10 min Zotob …
VM: Chapter 7 Buffer Overflows. csci5233 computer security & integrity (VM: Ch. 7) 2 Outline Impact of buffer overflows What is a buffer overflow? Types.
1988 Morris Worm … estimated 10% penetration 2001 Code Red … 300,00 computers breached 2003 Slammer/Sapphire … 75,00 infections in 10 min Zotob …
Cases Study: Code Red. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Case Study: Code Red Author: Jedidiah.
Dynamic Allocation in C
Buffer Overflow Defenses
Shellcode COSC 480 Presentation Alison Buben.
Major Problem Areas for Secure Programming
Sabrina Wilkes-Morris CSCE 548 Student Presentation
SE-1021 Software Engineering II
Computer Organization and Design Pointers, Arrays and Strings in C
CMSC 345 Defensive Programming Practices from Software Engineering 6th Edition by Ian Sommerville.
Protecting Memory What is there to protect in memory?
Buffer Overflow Defenses
Introduction to Information Security
Strings CSCI 112: Programming in C.
Protecting Memory What is there to protect in memory?
Secure Programming Dr. X
Module 30 (Unix/Linux Security Issues II)
Protecting Memory What is there to protect in memory?
Quiz 11/15/16 – C functions, arrays and strings
ENEE150 Discussion 06 Section 0101 Adam Wang.
Secure Software Development: Theory and Practice
Arrays in C.
CMSC 414 Computer and Network Security Lecture 21
CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst
Quiz: Buffer Overflow Causes
Software Security Lesson Introduction
Format String.
File I/O in C Lecture 7 Narrator: Lecture 7: File I/O in C.
Smashing the Stack for Fun and Profit
Case Study: Code Red Author: Jedidiah R. Crandall,
File Input and Output.
Buffer Overflow Defenses
Introduction to Computer Science
Understanding and Preventing Buffer Overflow Attacks in Unix
Testing & Security Dr. X.
Format String Vulnerability
Presentation transcript:

Preventing Buffer Overflows (for C programmers) Author: Jedidiah R. Crandall, crandaj@erau.edu This Document was Funded by the National Science Foundation Federal Cyber Service Scholarship For Service Program: Grant No. 0113627 Distributed July 2002 Embry-Riddle Aeronautical University • Prescott, Arizona • USA Buffer Overflow Causes. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. http://sfsecurity.pr.erau.edu

Purpose of this Section This section is intended for the experienced C programmer who would like to learn more about the causes and consequences of various kinds of buffer overflows. It is not intended to be a complete list of every known type of buffer overflow. This section should give the reader a broad enough view of buffer overflows that they appreciate the complexity of the problem and don’t assume that their code is safe just because they do bounds checking. Buffer Overflow Causes. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. http://sfsecurity.pr.erau.edu

What can cause buffer overflows? Careless use of buffers without bounds checking. Formatting and logical errors. Unsafe library function calls. Off-by-one errors. Old code used for new purposes (like UNICODE international characters). All sorts of other far-fetched but deadly-serious things you should think about. Buffer Overflow Causes. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. http://sfsecurity.pr.erau.edu

Careless use of buffers without bounds checking - Problem. This is the classic case and the easiest to prevent. Remember that C/C++ doesn’t do automatic bounds checking for you. If you declare an array as int A[100] there is nothing in the C language to stop you from executing a statement like A[555] = 1234; You don’t need to access an array with an invalid index to have a buffer overflow. Pointer arithmetic is an equally likely culprit. Buffer Overflow Causes. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. http://sfsecurity.pr.erau.edu

Careless use of buffers without bounds checking - Consequences. If the buffer overflow is big enough the attacker can hijack the machine. For example, in UNIX a buffer overflow of less than 50 bytes in a process that has root privileges can be used to “spin a shell.” This means that the attacker obtains a command shell with root privileges. Hijacking the machine can also be done by a worm as it spreads. But never assume that small buffers, even if it’s a two byte buffer, are safe because attack code can be placed in another buffer, beyond the return pointer, or on the heap. Any security sensitive data that follows the buffer can be overwritten, such as passwords or variables that designate privileges. The software might crash. This can cause a core dump giving the attacker access to any security-sensitive data that was in the program’s memory at the time of the core dump. Buffer Overflow Causes. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. http://sfsecurity.pr.erau.edu

Careless use of buffers without bounds checking - Recommendations. Before you copy to, format, or send input to a buffer make sure it is big enough to hold whatever might be thrown at it. Testing should catch most of this kind of buffer overflows. If there is a buffer overflow, the software should crash or data should get corrupted if a very long string is given for input. Buffer Overflow Causes. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. http://sfsecurity.pr.erau.edu

Formatting and logical errors – Problem. The size in bytes of the input might not be what causes the buffer overflow, it might be the input itself. For example, if you’re converting a large integer to a string (maybe in ternary) make sure the buffer is long enough to hold all possible outputs. Buffer Overflow Causes. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. http://sfsecurity.pr.erau.edu

Formatting and logical errors – Consequences. Even if the attacker has very little control of the data that overwrites a return pointer, they can always crash the program by sending the program control to random places in memory. Crashing the program is a security risk for many reasons, including denial-of-service attacks and core dumps of security-sensitive data. It’s never safe to assume that a clever attacker can’t find a way to give input that causes the output he wants. Buffer Overflow Causes. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. http://sfsecurity.pr.erau.edu

Formatting and logical errors – Recommendations. Always test a variety of inputs to make sure the program behavior is what you expect. Code inspection is likely to catch buffer overflow errors that testing doesn’t. Assume that ALL buffer overflows are security problems. Don’t assume that all buffer overflows are caused by long strings. Buffer Overflow Causes. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. http://sfsecurity.pr.erau.edu

Unsafe library function calls - Problem. Unsafe library functions are one of the main constituents of the buffer overflow problem. Even simple ones like printf() have caused buffer overflow security problems. The problem is that many library functions don’t do bounds checking unless explicitly told to, and also many stdio.h functions use format strings which opens the door to all sorts of weird exploits. Buffer Overflow Causes. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. http://sfsecurity.pr.erau.edu

Unsafe library function calls - Consequences. Most library function call buffer overflows allow the attacker to hijack the machine using stack smashing. They also can corrupt security-sensitive data or crash the program. Buffer Overflow Causes. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. http://sfsecurity.pr.erau.edu

Unsafe library function calls - Recommendations. Never, ever, ever use gets(). Only under freak conditions will it NOT cause a buffer overflow. Also avoid functions like strcpy() and strcat(). Use strncpy() and strncat() instead. Use precision specifiers with the scanf() family of functions (scanf(), fscanf(), sscanf(), etc.). Otherwise they will not do any bounds checking for you. Be careful with sprintf(). Use precision specifiers or use snprintf() instead. Never use variable format strings with the printf() family of functions. Every file or path handling library function has its own quirks, so be careful. Functions like fgets(), strncpy(), and memcpy() are okay, but make sure your buffer is the size you say it is. Be careful of off-by-one errors. When using streadd() or strecpy(), make sure the destination buffer is four times the size of the source buffer. A very useful tool to aid with finding unsafe library function calls during code inspection are static analyzers such as ITS4. Testing will catch many, but not all, buffer overflows. Code inspection in combination with testing will produce the best results. Buffer Overflow Causes. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. http://sfsecurity.pr.erau.edu

Off-by-one errors - Problem. Off-by-one errors occur when a programmer takes the proper precautions in terms of bounds checking, but maybe puts a 512 where she should have put a 511. Can happen to the best programmers no matter how well-informed they are about buffer overflows. Buffer Overflow Causes. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. http://sfsecurity.pr.erau.edu

Off-by-one errors - Consequences. Usually off-by-one errors can do no more than crash the program. They can be made to compromise security-sensitive data. But any buffer overflow is a security risk. Buffer Overflow Causes. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. http://sfsecurity.pr.erau.edu

Off-by-one errors - Recommendations. If you have a 512 byte buffer you can only store 511 characters in the string (the last character is a NULL). If you use scanf() to read into a buffer you also have to account for the NULL: use scanf(“%511s”, &My512ByteBuffer) instead of scanf(“%512s”, &My512ByteBuffer) which is unsafe. If you declare an array as int A[100], remember that you can’t access A[100], the highest index you can access is A[99] and the lowest is A[0]. The best defense against off-by-one errors of any kind is a thorough combination of testing and code inspection. Buffer Overflow Causes. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. http://sfsecurity.pr.erau.edu

Old code used for new purposes - Problem. Often old code is reused in new projects. Even if the old code was thoroughly tested and written in a safe manner, it might not have accounted for things that the new code expects it to support, like international character sets. Buffer Overflow Causes. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. http://sfsecurity.pr.erau.edu

Old code used for new purposes - Consequences. “HELLO” in ASCII is 0x48-0x45-0x4C-0x4C-0x4F “HELLO” in UNICODE (supports international character sets) is 0x00-0x48- 0x00-0x45-0x00-0x4C-0x00-0x4C-0x00-0x4F The old code might tell the new code to give it no more than 5 characters because it uses a 5-byte buffer. The new code gives it 5 characters, but in UNICODE instead of ASCII, so they fill 10 bytes. (The assumption that 5 characters = 5 bytes is a dangerous one.) This is more common and more easily exploitable than you might think. The Venetian exploit can hijack a program with a reasonably sized buffer overflow even if UNICODE format forces the attacker to have half of his attack code bytes be zeros. Buffer Overflow Causes. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. http://sfsecurity.pr.erau.edu

Old code used for new purposes - Recommendations. Enumerate and challenge all assumptions you’ve made about the interaction between old code and new. Test thoroughly. Test old code when you’re using it for new purposes, even if you tested it before. If your software allows the user to use UNICODE then do all of the testing you did for ASCII with UNICODE as well. Include the old code in code inspection, even if you inspected it before. Test code on every type of platform it will likely be used on. Depending on how the processor arranges memory you might have an off-by-one error of a single byte that has no effect on program execution for a Sun processor but would have a noticeable effect on program execution for an Intel processor. Buffer Overflow Causes. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. http://sfsecurity.pr.erau.edu

All sorts of other far-fetched but deadly-serious things you should think about - Problem. Sometimes seemingly reasonable assumptions are just not true. Attackers have plenty of time and infinite creativity. A thoroughly tested and inspected piece of software might still be vulnerable through a series of a half dozen or so clever tricks. Buffer Overflow Causes. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. http://sfsecurity.pr.erau.edu

All sorts of other far-fetched but deadly-serious things you should think about - Consequences. Your software might be a UNIX utility that spawns two processes. One sets an environment variable to either “CHUCKY” or “CHEESE”, and the second reads it. The reading process doesn’t bother to check the size before it puts it in a buffer because it is just an environment variable you made up and is guaranteed to have six characters, right? There is no user I/O involved. But an attacker can force a race condition that changes the environment variable between when one process writes it and when the other process reads it. They give the environment variable more than six characters causing a buffer overflow. (Add getenv() to the long list of dangerous library functions.) Buffer Overflow Causes. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. http://sfsecurity.pr.erau.edu

Challenge all of your assumptions like an attacker would. All sorts of other far-fetched but deadly-serious things you should think about - Recommendations. Challenge all of your assumptions like an attacker would. Never assume that a well inspected and thoroughly tested piece of software is absolutely defect free. As long as programmers use C there will always be buffer overflows, hopefully just not as many. Buffer Overflow Causes. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. http://sfsecurity.pr.erau.edu

About this Project This presentation is part of a larger package of materials on buffer overflow vulnerabilities, defenses, and software practices. For more information, go to: http://nsfsecurity.pr.erau.edu Also available are: Demonstrations of how buffer overflows occur (Java applets) PowerPoint lecture-style presentations on an introduction to buffer overflows, preventing buffer overflows (for C programmers), and a case study of Code Red Checklists and Points to Remember for C Programmers An interactive module and quiz set with alternative paths for journalists/analysts and IT managers as well as programmers and testers A scavenger hunt on implications of the buffer overflow vulnerability Please complete a feedback form at http://nsfsecurity.pr.erau.edu/feedback.html to tell us how you used this material and to offer suggestions for improvements. Buffer Overflow Causes. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. http://sfsecurity.pr.erau.edu