Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.

Slides:



Advertisements
Similar presentations
ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
Advertisements

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.
Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Framing Signals— A Return to Portable Shellcode
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.
CS 153 Design of Operating Systems Spring 2015 Lecture 19: Page Replacement and Memory War.
Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer.
Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.
A survey of Buffer overflow exploitation on HTC touch mobile phone Advanced Defense Lab CSIE NCU Chih-Wen Ou.
Host and Application Security Lesson 10: Code Injection.
Mitigation of Buffer Overflow Attacks
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 10 “Buffer Overflow”.
CNIT 127: Exploit Development Ch 4: Introduction to Format String Bugs.
Buffer Overflow CS461/ECE422 Spring Reading Material Based on Chapter 11 of the text.
Exploitation possibilities of memory related vulnerabilities
Overflows & Exploits. In the beginning 11/02/1988 Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating,
Part II Let’s make it real Memory Layout of a Process.
Buffer Overflow Group 7Group 8 Nathaniel CrowellDerek Edwards Punna ChalasaniAxel Abellard Steven Studniarz.
Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.
A Tool for Pro-active Defense Against the Buffer Overrun Attack D. Bruschi, E. Rosti, R. Banfi Presented By: Warshavsky Alex.
Part I The Basic Idea software sequence of instructions in memory logically divided in functions that call each other – function ‘IE’ calls function.
Information Leaks Without Memory Disclosures: Remote Side Channel Attacks on Diversified Code Jeff Seibert, Hamed Okhravi, and Eric Söderström Presented.
Lecture 13 Page 1 CS 236 Online Major Problem Areas for Secure Programming Certain areas of programming have proven to be particularly prone to problems.
On the Effectiveness of Address-Space Randomization Hovav Shacham, Matthew Page, Ben Pfaff, Eu-Jin Goh, Nagendra Modadugu, Dan Boneh.
Buffer Overflows Taught by Scott Coté.-. _ _.-. / \.-. ((___)).-. / \ /.ooM \ / \.-. [ x x ].-. / \ /.ooM \ -/ \ /-----\-----/---\--\ /--/---\-----/-----\ / \-
CNIT 127: Exploit Development Ch 14: Protection Mechanisms.
Group 9. Exploiting Software The exploitation of software is one of the main ways that a users computer can be broken into. It involves exploiting the.
Foundations of Network and Computer Security J J ohn Black CSCI 6268/TLEN 5550, Spring 2013.
Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 11, 2011.
Beyond Stack Smashing: Recent Advances In Exploiting Buffer Overruns Jonathan Pincus and Brandon Baker Microsoft Researchers IEEE Security and.
Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Crispin Cowan SANS 2000.
1 Introduction to Information Security , Spring 2016 Lecture 2: Control Hijacking (2/2) Avishai Wool.
Introduction to Information Security
Secure Programming Dr. X
Major Problem Areas for Secure Programming
Mitigation against Buffer Overflow Attacks
Remix: On-demand Live Randomization
Return Oriented Programming
Protecting Memory What is there to protect in memory?
Protecting Memory What is there to protect in memory?
Secure Programming Dr. X
Protecting Memory What is there to protect in memory?
Introduction to Information Security
Jump Over ASLR: Attacking Branch Predictors to Bypass ASLR
CSC 495/583 Topics of Software Security Stack Overflows (2)
CSC 495/583 Topics of Software Security Return-oriented programming
CMSC 414 Computer and Network Security Lecture 21
Software Security.
Summary by - Bo Zhang and Shuang Guo [Date: 03/31/2014]
CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst
Advanced Buffer Overflow: Pointer subterfuge
Software Security Lesson Introduction
Address Space Layout Randomization (ASLR) Dirk Gordon
Foundations of Network and Computer Security
CSC 495/583 Topics of Software Security Format String Bug (2) & Heap
CSC 495/583 Topics of Software Security StackGuard & Format String Bug
Machine Level Representation of Programs (IV)
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow II: Defense Techniques Cliff Zou Spring 2009.
Week 2: Buffer Overflow Part 2.
CS5123 Software Validation and Quality Assurance
Return-to-libc Attacks
Presentation transcript:

Part III Counter measures

The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any system defenses that can help? HOW DO WE STOP THE ATTACKS?

A variety of tricks in combination NX bit Canaries ASLR fin

III.A Canaries

Goal: make sure we detect overflow of return address – The functions' prologues insert a canary on the stack – The canary is a 32-bit value inserted between the return address and local variables Types of canaries: 1.Terminator 2.Random 3.Random XOR The epilogue checks if the canary has been altered Drawback: requires recompilation Compiler-level techniques Canaries

Canaries

How good are they? Assume random canaries protect the stack

Can you still exploit this?

Another example

III.B “DEP”

DEP / NX bit / W ⊕ X Idea: separate executable memory locations from writable ones – A memory page cannot be both writable and executable at the same time “Data Execution Prevention (DEP)”

Bypassing W ⊕ X Return into libc Three assumptions: – We can manipulate a code pointer – The stack is writable – We know the address of a “suitable" library function (e.g., system())

Stack Why the “ret address”? What could we do with it? 0x buf System() 0xbfffeedc 0xbfffeeb0 0xbfffeeb4 0xbfffeeb8 0xbfffeebc 0xbfffeec0 0xbfffeec4 0xbfffeec8 0xbfffeecc 0xbfffeed0 0xbfffeed4 0xbfffeed8 0xbfffeea4 0xbfffeea8 0xbfffeeac “ret address” arg 0xbfffeee8 0xbfffeee0 0xbfffeee4

Return Oriented Programming ROP chains: – Small snippets of code ending with a RET – Can be chained together

Return Oriented Programming ROP chains – Small snippets of code ending with a RET – Can be chained together &gadget1 &gadget2 &gadget3 -- … ret … ret stack

How good are they? Assume random canaries protect the stack Assume DEP prevents execution of the stack

Can you still exploit this?

III.C ASLR

Let us make it a little harder still…

Address Space Layout Randomisation Idea: – Re-arrange the position of key data areas randomly (stack,.data,.text, shared libraries,... ) – Buffer overflow: the attacker does not know the address of the shellcode – Return-into-libc: the attacker can't predict the address of the library function – Implementations: Linux kernel > , Windows Vista,...

ASLR: Problems 32-bit implementations use few randomisation bits An attacker can still exploit non-randomised areas, or rely on other information leaks (e.g., format bug) So… (I bet you saw this one coming)….

How good are they? Assume random canaries protect the stack Assume DEP prevents execution of the stack Assume ASLR randomized the stack and the start address of the code – but let us assume that all functions are still at the same relative offset from start address of code – (in other words: need only a single code pointer)

Can you still exploit this?

Finally

We constructed “weird machines” New spin on fundamental questions:  “What is computable?” Shellcode, ROP, Ret2Libc  Turing Complete

That is all folks! We have covered quite a lot: – Simple buffer overflows – Counter measures – Counter counter measures Research suggests that buffer overflows will be with us for quite some time Best avoid them in your code!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.