Security Exploiting Overflows

Introduction r See the following link for more info: operating-systems-and-applications-in- 2014/

Introduction r Buffer overflows are a major vulnerability  When a security alert contains the phrase “The most severe of these vulnerabilities allows a remote attacker to execute arbitrary code.”, the underlying problem is probably a buffer overflow.

The Security Problem  S ecurity must consider external environment of the system, and protect the system resources r Intruders (crackers) attempt to breach security r Threat is potential security violation r Attack is attempt to breach security r Attack can be accidental or malicious r Easier to protect against accidental than malicious misuse

Security Measure Levels r Security must occur at four levels to be effective: m Physical m Human Avoid social engineering, phishing, dumpster diving m Operating System m Network r Security is as weak as the weakest link in the chain

Background r Typical Attack Scenario: m Users enter data into a Web form m Web form is sent to server m Server writes data to buffer, without checking length of input data m Data overflows from buffer m Sometimes, overflow can enable an attack m Web form attack could be carried out by anyone with an Internet connection

Problem void foo(char *str) { char buf[10]; strcpy(buf,str); } … foo(“thisstringistolongforfoo”);

What Happens r This will cause the program to abort r Why? r To understand this you need some understanding of m C functions and the stack m A little knowledge of assembly m How system calls are made

Process Memory Layout r Continuous memory space for all process m Each with its physical space m Pretends you are in the same in virtual space 0xffffffff 0

Process Memory Layout r Program code and constant m binary form m loaded libraries 0xffffffff 0 text

Process Memory Layout r Program code and constant m binary form m loaded libraries m known as “text” segment m space calculated at compile time 0xffffffff 0 text

Process Memory Layout r Data: initialized global data in the program m Example: int size = 100; r BSS: un-initialized global data in the program m Example: int length; 0xffffffff 0 text data bss

Process Memory Layout r Heap: dynamically-allocated spaces m Example: malloc, free m OS knows nothing about it space content m dynamically grows as program runs 0xffffffff 0 text data bss heap

Process Memory Layout r Stack: local variables in functions m support function call/return and recursive functions m grow to low address m Why? Historical 0xffffffff 0 text data bss heap stack

What is a Stack? r A stack is a contiguous block of memory used by functions r A stack pointer points to the top of stack r The stack consists of frames which are pushed when a function is called and popped when a function if finished. r A frame pointer points to the current frame in use

Stack Buffers r Suppose a web server contains the foo function from several slides ago void foo(char *str) { char buf[10]; strcpy(buf,str);} r When this function is invoked, a new frame is pushed onto the stack Top of stack Stack grows this way bufsfp ret addr str Local variables Frame of the calling function Execute code at this address after func() finishes Arguments Pointer to previous frame

Stack Buffer  Memory pointed to by str is copied onto stack void foo(char *str) { char buf[10]; strcpy(buf,str); } r If a string is longer than 10 bytes it is copied into buffer and will overwrite adjacent stack locations strcpy does NOT check whether the string at *str contains fewer than 10 characters buf str This will be interpreted as return address! overflow Top of stack Frame of the calling function

Exploitation r General idea: Provide servers very large strings that will overflow a buffer. r For a server with sloppy code: it’s easy to crash the server by overflowing a buffer.

Problem: No range checking r strcpy does not check input size m strcpy (buf,str) simply copies memory contents into bug starting from *str until “\0” is encountered, m Ignores the size of area allocated to buf r Many C library functions are unsafe m strcpy, strcat,gets,scanf,printf

Does Range Checking Help? r What if we used strncpy instead of strcpy? strncpy(char *dest, const char *src, size_t n) r Yes – assuming that the programmer has supplied the right value of “n”

Executing Attack Code r A variation of the buffer overflow would have the overflow change the return address to point to the attack code r The implication of this is that when the function returns, control is transferred to the attack code

Executing Attack Code r Suppose buf contains attacker-created string code str Frame of the calling function ret Attacker puts actual assembly instructions into his input string, e.g., binary code of execve(“/bin/sh”) In the overflow, a pointer back into the bufferr appears in the location where the system expects to find return address Top of stack r When function exits, code in the buffer will be executed, giving attacker a shell m Root shell depending on the victim program

Buffer Overflow Issue r Executable attack code is stored on stack, inside the buffer containing attacker’s string m Stack memory is suppose to contain only data, but.. r For the basic attack, overflow portion must contain correct address of attack code in the return position m The value in the RET position must point to the beginning of the attack assembly code –Otherwise you will have a crash m Attacker must correctly guess in which stack position the buffer will be in when the function is called

Safer Languages r Several modern languages have built-in protection against stack overflow. r Java and C# check every array reference to ensure that it is within bounds. r Java does not allow stack violations.