Breno de Medeiros, Florida State University, Fall 2005
Buffer overflow and stack smashing attacks: Principles of application software security

Buffer overflows
 One of the most common vulnerabilities in software
 Particularly problematic when present in system libraries and other code that runs with high execution privileges

How it works
 The application reserves adjacent memory locations (a buffer) to store arguments to a function, or variable values.
 The attacker supplies an argument too long to fit in the buffer.
 The application copies the whole argument without checking its length, overflowing the buffer and overwriting the adjacent memory.
 If the conditions are "just right", this lets the attacker gain control over the program flow and execute arbitrary code with the same privileges as the original application.

Stack smashing
 A function (subroutine) call results in an activation frame being pushed onto a memory area called the stack.
 Frame layout, from highest to lowest address: function arguments, return address, previous frame pointer, local variables, local buffer variables.
 The stack grows downwards (towards lower addresses), so a buffer that overflows writes upwards, towards the saved frame pointer and the return address.

Memory management
 The stack, which contains activation frames, starts at the highest memory address allocated to the process and grows downwards.
 Variable-length data (e.g., strings) that is read dynamically is kept in the heap, which grows upwards.
 This arrangement maximizes the flexibility of virtual memory management.
 Process layout, from highest to lowest address: stack (growing downwards), heap (growing upwards), uninitialized variables, initialized variables, code instructions.

How to smash
 Give the application a very long string containing malicious code.
 The string is much longer than the buffer declared in the function's stack frame, so the copy runs past the end of the buffer and up through the frame, overwriting the saved frame pointer and the return address. (The buffer being overflowed is the local buffer on the stack, not a heap allocation.)
 The return address now points to the beginning of the malicious code, so when the function returns, the malicious code runs.
 Resulting frame, from highest to lowest address: function arguments; return address (overwritten with the entry address of the malicious code); previous frame pointer (overwritten with malicious code); local variables (overwritten with malicious code); local buffer variables (overwritten with malicious code).
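The following is an added example, not code from the slides: it models one activation frame as a C struct so the layout is fixed, then runs the unchecked copy the slides describe beside a length-checked version and shows what ends up in the return-address slot. The saved frame pointer, return address and "malicious code" address (0x1000, 0x2000, 0xdeadbeef) are hypothetical values chosen for the demonstration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of one activation frame, laid out as on the slide:
 * the local buffer at the lowest address, then (at higher addresses) the
 * saved frame pointer and the return address. A struct fixes the layout
 * regardless of how a real compiler orders locals. */
struct frame {
    char buf[8];          /* local buffer variable (lowest address) */
    uintptr_t saved_fp;   /* previous frame pointer */
    uintptr_t ret_addr;   /* return address: the attacker's target */
};

/* Hypothetical values standing in for a real saved FP and return address. */
#define ORIGINAL_FP  ((uintptr_t)0x2000u)
#define ORIGINAL_RET ((uintptr_t)0x1000u)

/* Vulnerable copy: trusts the attacker-supplied length, like strcpy()
 * trusting the terminator of an overlong string. Returns the value left in
 * the return-address slot so the effect can be observed. In this model an
 * input longer than the whole frame would run off the struct; the real bug
 * has no such limit. */
uintptr_t copy_unchecked(const unsigned char *input, size_t len)
{
    struct frame f = { {0}, ORIGINAL_FP, ORIGINAL_RET };
    /* f.buf is at offset 0, so dst is the same address as f.buf; writing
     * through a byte pointer to the whole struct keeps the demonstration
     * inside defined behaviour while modelling the overflow faithfully. */
    unsigned char *dst = (unsigned char *)&f;
    for (size_t i = 0; i < len; i++) {
        dst[i] = input[i];   /* past index 7 this clobbers saved_fp, then ret_addr */
    }
    return f.ret_addr;
}

/* Hardened copy: checks the length against the buffer before copying. */
uintptr_t copy_checked(const unsigned char *input, size_t len)
{
    struct frame f = { {0}, ORIGINAL_FP, ORIGINAL_RET };
    if (len > sizeof f.buf) {
        return f.ret_addr;   /* oversized input rejected; frame untouched */
    }
    memcpy(f.buf, input, len);
    return f.ret_addr;
}

/* Build the attacker's string: filler up to the return-address slot, then
 * the address of the malicious code (a hypothetical value chosen by the
 * caller). Returns the payload length, or 0 if the output buffer is too small. */
size_t build_payload(unsigned char *out, size_t cap, uintptr_t fake_ret)
{
    size_t off = offsetof(struct frame, ret_addr);
    size_t total = off + sizeof fake_ret;
    if (total > cap) return 0;
    memset(out, 'A', off);                          /* fills buf and saved_fp */
    memcpy(out + off, &fake_ret, sizeof fake_ret);  /* lands exactly on ret_addr */
    return total;
}

int main(void)
{
    unsigned char payload[64];
    uintptr_t fake_ret = (uintptr_t)0xdeadbeefu;    /* hypothetical shellcode address */
    size_t n = build_payload(payload, sizeof payload, fake_ret);

    printf("payload length        : %zu bytes (buffer holds %zu)\n",
           n, sizeof(((struct frame *)0)->buf));
    printf("unchecked copy returns: %#lx\n", (unsigned long)copy_unchecked(payload, n));
    printf("checked copy returns  : %#lx\n", (unsigned long)copy_checked(payload, n));
    return 0;
}
```

The payload is built with offsetof so it lines up with the frame on both 32- and 64-bit targets; the unchecked copy hands back the attacker's address, the checked copy leaves the original return address in place.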

Canary guards
 Like the legendary canary in the mine, a canary detects stack-smashing attacks.
 A canary value is inserted just below the return address (StackGuard) or just below the previous frame pointer (Stack Smashing Protector). The value is checked right before the function returns; if it has changed, an overflow is assumed and the program is aborted instead of returning to the overwritten address.
 The canary must be unpredictable to the attacker (e.g., a random value chosen at process start); otherwise the attacker simply writes the correct value back over it.

SSP
 Also reorders local variables so that buffers sit above (at higher addresses than) non-buffer locals such as pointers; an overflow writes towards higher addresses, so it cannot reach them.
 Canary value checking only takes place at return time, so other attacks remain possible (e.g., corrupting data the function uses before it returns).
 Frame layout, from highest to lowest address: function arguments, return address, previous frame pointer, canary value, local buffer variables, local non-buffer variables.
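An added example, not from the slides, that models the two points above: a frame with a canary but no variable reordering, where a function pointer above the buffer is clobbered while the canary (checked only at return) is still intact, beside the SSP layout, where the same overflow hits the canary and never reaches the pointer. The canary value and the saved frame pointer and return address values are hypothetical; a real implementation draws the canary at random.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical canary; a real implementation draws it at random per process
 * so the attacker cannot reproduce it. */
#define CANARY_VALUE ((uintptr_t)0x0a4f6c2du)
#define GOOD_FP      ((uintptr_t)0x2000u)
#define GOOD_RET     ((uintptr_t)0x1000u)

static void benign_handler(void) { }

/* Frame with a canary but no variable reordering: the function pointer sits
 * above the buffer and is the first thing an overflow hits. */
struct naive_frame {
    char buf[8];
    void (*handler)(void);   /* local non-buffer variable, used before return */
    uintptr_t canary;
    uintptr_t saved_fp;
    uintptr_t ret_addr;
};

/* Frame as SSP lays it out: non-buffer locals below the buffer, canary just
 * below the saved frame pointer. An overflow of buf writes upward and can
 * only reach the canary and what lies above it. */
struct ssp_frame {
    void (*handler)(void);
    char buf[8];
    uintptr_t canary;
    uintptr_t saved_fp;
    uintptr_t ret_addr;
};

struct outcome {
    int handler_hijacked;   /* 1 if the pointer was overwritten */
    int canary_intact;      /* 1 if the check at function return would pass */
};

/* Copy `len` attacker bytes starting at the buffer. The copy is clamped to
 * the model frame only to keep the demonstration inside the struct object;
 * the real bug has no such limit. */
static void overflow_into(void *frame, size_t frame_size, size_t buf_off,
                          const unsigned char *input, size_t len)
{
    unsigned char *dst = (unsigned char *)frame + buf_off;
    size_t room = frame_size - buf_off;
    if (len > room) len = room;
    for (size_t i = 0; i < len; i++) dst[i] = input[i];
}

struct outcome run_naive(const unsigned char *input, size_t len)
{
    struct naive_frame f = { {0}, benign_handler, CANARY_VALUE, GOOD_FP, GOOD_RET };
    overflow_into(&f, sizeof f, offsetof(struct naive_frame, buf), input, len);
    struct outcome o = { f.handler != benign_handler, f.canary == CANARY_VALUE };
    return o;
}

struct outcome run_ssp(const unsigned char *input, size_t len)
{
    struct ssp_frame f = { benign_handler, {0}, CANARY_VALUE, GOOD_FP, GOOD_RET };
    overflow_into(&f, sizeof f, offsetof(struct ssp_frame, buf), input, len);
    struct outcome o = { f.handler != benign_handler, f.canary == CANARY_VALUE };
    return o;
}

int main(void)
{
    unsigned char attack[32];
    memset(attack, 'A', sizeof attack);        /* constructed attacker input */
    /* Enough bytes to cover the buffer plus one pointer-sized slot above it. */
    size_t len = offsetof(struct naive_frame, canary);

    struct outcome a = run_naive(attack, len);
    struct outcome b = run_ssp(attack, len);
    printf("naive layout: pointer hijacked=%d canary intact=%d (check at return passes, too late)\n",
           a.handler_hijacked, a.canary_intact);
    printf("SSP layout  : pointer hijacked=%d canary intact=%d (caught at return)\n",
           b.handler_hijacked, b.canary_intact);
    return 0;
}
```

The same input corrupts the pointer in the naive layout without touching the canary, which is exactly the case a return-time check cannot catch; under the SSP ordering the pointer is out of reach and the canary check fires.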

Alternatives to canaries
 Use a compiler that does full bounds checking, i.e., inserts a run-time check on every array or pointer access so that a write can never go beyond the memory allocated for its buffer.
 Like SSP, the code has to be re-compiled with this compiler.
 Significant performance penalty: this is part of the cost of a bounds-checked language such as Java relative to C.
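To make the "every access is checked" idea and its cost concrete, here is an added example (not from the slides) that emulates by hand what a bounds-checking compiler emits: a fat pointer carrying its length, a store that is checked on every call, and a strcpy-style loop built on it. The check counter is an assumption of the example, added only to make the run-time overhead visible.

```c
#include <stddef.h>
#include <stdio.h>

/* A "fat pointer": the (base, length) pair a bounds-checking compiler carries
 * instead of a bare char*, so every access can be checked against the bound. */
struct checked_buf {
    char  *base;
    size_t len;
};

/* One instrumented store. `checks` counts how many bound checks were
 * executed; that count is the run-time overhead the slide mentions.
 * Returns 0 on success, -1 when the access would be out of bounds (a real
 * checked build aborts the program here instead of returning). */
static int cb_store(struct checked_buf b, size_t i, char c, size_t *checks)
{
    (*checks)++;
    if (i >= b.len) return -1;
    b.base[i] = c;
    return 0;
}

/* strcpy() as a bounds-checking compiler would instrument it: the loop is
 * the familiar unchecked one; only the store is wrapped. Returns the number
 * of characters copied (excluding the terminator), or -1 if the copy was
 * stopped at the bound. Unlike a length pre-check, this catches the overflow
 * at the exact access that would have gone out of bounds. */
long checked_strcpy(struct checked_buf dst, const char *src, size_t *checks)
{
    for (size_t i = 0;; i++) {
        if (cb_store(dst, i, src[i], checks) != 0) return -1;
        if (src[i] == '\0') return (long)i;
    }
}

int main(void)
{
    char storage[8];
    struct checked_buf dst = { storage, sizeof storage };
    size_t checks = 0;

    long n = checked_strcpy(dst, "hello", &checks);
    printf("copied %ld chars with %zu checks\n", n, checks);

    checks = 0;
    n = checked_strcpy(dst, "far too long for eight bytes", &checks);
    printf("overlong input: result %ld after %zu checks (stopped at the bound)\n", n, checks);
    return 0;
}
```

Every byte written costs a check, which is why bounds-checked builds pay a steady penalty even when no overflow ever happens; the benefit is that the overlong copy stops at index 8 instead of running into the rest of the frame.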

Static analysis
 Use a static code analyzer to detect buffer overflows before the program runs.
 Since deciding whether arbitrary code can overflow is an undecidable problem, the code must be annotated (e.g., with buffer sizes and pre- and post-conditions) for this to work.
 Depends on programmer expertise (costly).
 Some common and useful programming techniques are prohibited (performance and engineering costs).
 Advantage: the compiled code suffers no run-time performance deterioration.

Safe libraries
 Many vulnerabilities in code are due to unsafe use of standard library functions (e.g., strcpy, gets, sprintf).
 An alternative is to install a library that is loaded dynamically ahead of the system library and substitutes safe versions for the unsafe functions, refusing copies that would run past the current stack frame; no recompilation is needed.
 Hard to retrofit on closed-source systems such as MS operating systems, where the libraries themselves cannot be rebuilt.

Memory address randomization
 A patch at the kernel level that randomizes the memory mapping of each process: the base addresses of the stack, heap, and libraries differ from one run to the next.
 Small performance penalty from the extra address lookups.
 Makes it very difficult to perform a useful buffer overflow, since the attacker no longer knows which address to write into the return-address slot; a wrong guess crashes the process.
 However, unlike some other strategies, it does not improve robustness (liveness) properties: the overflow still happens, and the process crashes instead of continuing correctly.
 Its strength depends on how much randomness is available; with few random bits (e.g., on 32-bit systems) an attacker can simply retry until a guess succeeds.