Why doesn't "gets()" get it? Or more formally: An investigation into the use of the buffer overflow vulnerability in the C function gets().
Frank Gearhart, CS591-F2005, UCCS, 12/2/05
Slide 1: Why doesn't "gets()" get it? Or more formally: An investigation into the use of the buffer overflow vulnerability in the C function gets().

Slide 2: Scope of research
Compare the gets() function with the strcpy() function, looking for areas where differences in the code may contribute to differences in exploit behavior.

Slide 3: Research plan
1. Compare the C code of strcpy() and gets()
2. Compare the assembly code of strcpy() and gets()
3. Find suspicious areas that might explain the difference in exploit behavior between strcpy() and gets()
4. Determine how this difference might be used to exploit gets() in a new way

Slide 4: Function definitions
From "C: The Complete Reference", 4th Ed., p. 372:
"char *strcpy(char *str1, const char *str2); The strcpy() function copies the contents of str2 into str1. str2 must be a pointer to a null-terminated string. The strcpy() function returns a pointer to str1."
From "C: The Complete Reference", 4th Ed., p. 331:
"char *gets(char *str); The gets() function reads characters from stdin and places them into the character array pointed to by str. Characters are read until a newline or an EOF is received. The newline character is not made part of the string; instead, it is translated into a null to terminate the string. If successful, gets() returns str; a null pointer is returned upon failure."

Slide 5: Comparison of gets() and strcpy()
gets():
- Reads from stdin or a newline/EOF-terminated file
- 110 lines of assembly
- May call up to four other functions directly, with up to five sub-levels of calls to up to 18 additional functions
strcpy():
- Reads from a null-terminated buffer
- 16 lines of assembly
- No calls to other functions
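As an added example, not code from the original presentation: a bounded stand-in for each function described on slides 4 and 5. The gets() replacement keeps the quoted contract (read from a stream until newline or EOF, drop the newline, null-terminate) but stops at the buffer size, and the strcpy() replacement refuses a source that does not fit instead of overrunning the destination. The function names, the fmemopen() harness and the sample input are my own assumptions.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <string.h>

/* Bounded stand-in for gets(): keeps the contract quoted on slide 4 (read
 * until newline or EOF, drop the newline, NUL-terminate) but never writes
 * more than size-1 characters. Returns 0 for a complete line, 1 if the line
 * was longer than the buffer (excess discarded), -1 on EOF with nothing read. */
int get_line_bounded(char *dst, size_t size, FILE *in) {
    if (size == 0 || fgets(dst, (int)size, in) == NULL) return -1;
    size_t len = strlen(dst);
    if (len > 0 && dst[len - 1] == '\n') {
        dst[len - 1] = '\0';                 /* newline translated into NUL */
        return 0;
    }
    /* No newline in the buffer: the line ended at EOF, ended exactly at the
     * buffer edge, or was too long. Only the last case loses data. */
    int c = fgetc(in);
    if (c == EOF || c == '\n') return 0;
    while (c != '\n' && c != EOF) c = fgetc(in);   /* discard the overflow */
    return 1;
}

/* Bounded stand-in for strcpy(): src must be NUL-terminated (slide 4), and
 * a source that does not fit is refused (-1) instead of running off dst. */
int copy_bounded(char *dst, size_t size, const char *src) {
    size_t n = strlen(src);
    if (n >= size) return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* Runs both helpers on constructed input (fmemopen gives a FILE* over a
 * byte array, so no real stdin is needed). Returns 1 if every check passed. */
int demo(void) {
    static char input[] = "short\nthis line is far too long\nend";   /* constructed */
    char buf[8];
    int ok = 1;
    FILE *in = fmemopen(input, strlen(input), "r");
    if (in == NULL) return 0;
    ok &= get_line_bounded(buf, sizeof buf, in) == 0 && strcmp(buf, "short") == 0;
    ok &= get_line_bounded(buf, sizeof buf, in) == 1 && strcmp(buf, "this li") == 0;
    ok &= get_line_bounded(buf, sizeof buf, in) == 0 && strcmp(buf, "end") == 0;
    ok &= get_line_bounded(buf, sizeof buf, in) == -1;   /* EOF, nothing read */
    fclose(in);
    ok &= copy_bounded(buf, sizeof buf, "fits") == 0 && strcmp(buf, "fits") == 0;
    ok &= copy_bounded(buf, sizeof buf, "does not fit") == -1;
    return ok;
}
```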

Slide 6: Difference in exploit behavior
strcpy(): When using exploit3 on 'vulnerable' with an appropriate buffer size, the result is a new shell.
gets(): When using exploits similar to exploit3 in an input file on a simple program that uses gets() (e.g., 'bo.c' in homework 2), the result is usually a segmentation fault.

Slide 7: Areas of interest
gets() calls the _IO_getline function, which is the function that actually reads in the characters.
Why does putting shellcode in an environment variable have no effect, while putting shellcode in an input file results in segmentation faults?

Slide 8: Current status
- C code reviewed: no significant differences
- Assembly code: significant differences, but no smoking gun yet
- Using the gdb debugger while running exploit code under various conditions: in progress

Slide 9: Intermediate conclusions
- gets() is a more complicated function than strcpy(): 110 lines of assembly vs. 16 lines, and up to six sublevels of up to 22 function calls vs. no function calls. Complexity makes analyzing the code more difficult.
- More work is needed: continuing to run bo and various exploit codes under gdb.

Slide 10: References
- Schildt, Herbert. C: The Complete Reference, 4th Ed. Osborne/McGraw-Hill, Berkeley, CA, 2000.
- GNU C Library. Free Software Foundation Inc., Boston, MA, 1997.
- Foster, James C., et al. Buffer Overflow Attacks. Syngress Publishing Inc., Rockland, MA, 2005.