Buffer Overflow Defenses. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle.

Presentation transcript:

Buffer Overflow Defenses
Author: Jedidiah R. Crandall
This document was funded by the National Science Foundation Federal Cyber Service Scholarship For Service Program: Grant No.
Distributed July 2002. Embry-Riddle Aeronautical University, Prescott, Arizona, USA.

Buffer Overflow Defenses
This presentation gives examples, pros, and cons of various defenses against buffer overflows. Caveats:
1. This is not intended to be a complete list of products that defend against buffer overflows.
2. There is no silver bullet that will stamp out buffer overflows, but some of these tools may help.

Kinds of Defenses
– Better software engineering practices
– Find-and-patch methods
– Language tools
– Analysis tools
– Compiler tools
– Operating system tools

Better Software Engineering Practices
– Testing – Execution of the software with selected data.
– Code Inspection – Inspection of the code by humans with a checklist to make sure the code meets certain criteria.
– Documentation of vendor code – Documentation of vendor code components that others may reuse in their own projects.

Better Software Engineering Practices – Testing
Pros:
– Good testing practices should catch most buffer overflows
Cons:
– Time is money; sometimes it’s a more economically sound solution to allow buffer overflows than to find them
– When using vendor software, you can’t white-box test software for which you don’t have the source code or the documentation
– Data corruption is harder to detect than abnormal program behavior without dynamic analysis tools

Better Software Engineering Practices – Code Inspection
Pros:
– Code inspection may catch many buffer overflows that testing won’t
Cons:
– Time is money
– When using vendor software, you can’t do a code inspection if you don’t have the source code

Better Software Engineering Practices – Documentation
Pros:
– Good documentation of reusable software components will allow people who use your code in their own projects to test and inspect it
Cons:
– Time is money, and the cost of documenting the code gets passed on to the customers
– Often software companies don’t want to release the source code for libraries that they sell

Find-and-patch Methods
– Software patches – Released by vendors when a security problem in their software is found, to fix the vulnerability.
– Programs that block known attacks – Programs that keep a list of known attacks and watch for those attacks on your system.

Find-and-patch Methods – Software patches
Example: The vendor, the customer, or a group concerned about software security finds a buffer overflow, and a patch is written and released
Pros:
– Very effective at preventing known buffer overflow attacks for specific vulnerabilities
Cons:
– No protection against unknown attacks or known attacks for which a patch has not been released
– Not all patches fix the buffer overflow; some are specific to one attack but leave the buffer overflow itself in place
– The customer must regularly check for patches for their system (at the vendor’s website or elsewhere) and install them

Find-and-patch Methods – Programs that block known attacks
Example: An anti-virus program that checks files and other inputs to the system for signatures of known attacks
Pros:
– Very effective against specific attacks that are known
Cons:
– Not effective against unknown attacks or attacks for which the anti-virus program does not yet have the signature
– The program must keep a current list of signatures for known attacks and must be updated regularly

Language tools
– Languages less susceptible to buffer overflows – Languages other than C/C++ that are less susceptible to buffer overflows when used properly.
– Languages based on C – Languages like Cyclone that were designed with preventing buffer overflows in mind.
– “Safe” buffers – Buffers that automatically truncate inputs, generate exceptions, or grow bigger.
– Safer library functions – Library functions that are less susceptible to buffer overflows than the standard C library.

Language tools – Languages less susceptible to buffer overflows
Examples: Ada, Java, Perl, Python, etc.
Pros:
– Automatic bounds checking makes them less susceptible to the buffer overflow problem
– Exception handling can greatly ameliorate the problem
Cons:
– Using different languages can increase development cost
– None of these languages give the programmer access to the machine at a low level
– None of these languages give you the performance of C/C++, and most require distributable run-time environments
– C/C++ are popular languages that many programmers are familiar with
– What happens when a string that is too long is entered or an array is referenced out of bounds? Is an exception generated, does the buffer grow, does the program just halt, is the user asked to provide different input?
– The programmer still must be aware of buffer overflows to provide exception handlers that do what they want (exception handling comes with its own set of problems)

Language tools – Languages based on C
Example: Cyclone is a different dialect of C that handles pointers in a much safer manner
Pros:
– The transition from C to Cyclone is an easy one because Cyclone is nearly identical to C
Cons:
– Existing C source code must be recompiled and probably modified
– Code ported to Cyclone must be debugged, and gdb (a commonly used UNIX-based debugger) doesn’t work well with Cyclone
– Using pointers in Cyclone is considerably more complicated than using pointers in C (‘*’ is replaced with ‘*’, ‘@’, and ‘?’)
– Cyclone does not provide object-oriented features

Language tools – “Safe” buffers
Example: C++ class objects that do bounds checking like CString, or “limitless” strings like libmib
Pros:
– Much safer than standard string handling in C
– Exceptions can be handled instead of a program halt
Cons:
– Require the use of different library functions, meaning that existing code has to be modified or interfaced with in a low-level way
– A “limitless” string has to continually be reallocated, meaning a bigger heap and a performance cost
– What if you don’t want the buffer to grow and accept a bigger input?

Language tools – Safer library functions
Example: Use of a different library than the standard C libraries
Pros:
– Eliminates problems with unsafe library function calls in C/C++
Cons:
– Existing code has to be modified
– Programmers have to become familiar with a different set of libraries
– Often string and memory handling libraries are replaced, but not standard library functions specific to an operating system, like file handling and environment variable functions, which can also lead to buffer overflows
– Not all buffer overflows are caused by library functions
– What happens when a buffer’s limit is reached? Does the program halt? Is the string truncated? Is an exception generated?
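As an added example (not code from the original presentation or from any of the libraries it names), a small bounded string buffer in C that makes the question raised by the “Safe” buffers and Safer library functions slides explicit: when an append would exceed the buffer, the caller has chosen in advance whether to truncate, reject, or grow. The type, enum and function names are this example’s own.

```c
#include <stdlib.h>
#include <string.h>

/* Policy applied when an append would exceed the buffer's capacity. These
   are the three answers the slides ask about: truncate the input, reject it
   (signal an error and leave the buffer unchanged), or grow the buffer. */
enum sbuf_policy { SBUF_TRUNCATE, SBUF_REJECT, SBUF_GROW };
enum sbuf_status { SBUF_OK, SBUF_TRUNCATED, SBUF_REJECTED, SBUF_NOMEM };

struct sbuf {
    char *data;              /* always NUL-terminated */
    size_t len;              /* bytes used, excluding the NUL */
    size_t cap;              /* bytes allocated, including room for the NUL */
    enum sbuf_policy policy;
};

/* Allocate a buffer of cap bytes; returns 0 on success, -1 on failure. */
int sbuf_init(struct sbuf *b, size_t cap, enum sbuf_policy policy)
{
    if (cap == 0) return -1;
    b->data = malloc(cap);
    if (b->data == NULL) return -1;
    b->data[0] = '\0';
    b->len = 0;
    b->cap = cap;
    b->policy = policy;
    return 0;
}

/* Append n bytes from src. Unlike strcat(), the destination size is part of
   the operation, so the buffer can never be written past its capacity. */
enum sbuf_status sbuf_append(struct sbuf *b, const char *src, size_t n)
{
    size_t room = b->cap - b->len - 1;      /* bytes free before the NUL */
    if (n > room) {
        switch (b->policy) {
        case SBUF_REJECT:
            return SBUF_REJECTED;           /* buffer left unchanged */
        case SBUF_TRUNCATE:
            memcpy(b->data + b->len, src, room);
            b->len += room;
            b->data[b->len] = '\0';
            return SBUF_TRUNCATED;
        case SBUF_GROW: {
            size_t need = b->len + n + 1;
            size_t newcap = b->cap;
            while (newcap < need) newcap *= 2;  /* amortised reallocation */
            char *p = realloc(b->data, newcap);
            if (p == NULL) return SBUF_NOMEM;
            b->data = p;
            b->cap = newcap;
            break;                          /* now the plain copy below fits */
        }
        }
    }
    memcpy(b->data + b->len, src, n);
    b->len += n;
    b->data[b->len] = '\0';
    return SBUF_OK;
}

void sbuf_free(struct sbuf *b)
{
    free(b->data);
    b->data = NULL;
    b->len = b->cap = 0;
}
```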

Analysis tools
– Static analysis – Tools that find possible defects in the source code.
– Dynamic analysis – Tools that find possible defects by analyzing things like memory usage during execution of the program.

Analysis tools – Static
Examples: Software that searches source code for unsafe library function calls, like ITS4
Pros:
– Can be a very effective tool during code inspection by finding unsafe library function calls and making recommendations
Cons:
– Only effective against buffer overflows caused by unsafe standard C library function calls
– Produces many false positives; only a fraction of the library function calls that are reported are actually unsafe
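Added example, not ITS4’s code or any code from the original slides: a minimal lexical scanner in C of the kind the slide describes, which reports calls to unsafe standard library functions by line number. The constructed sample source contains one real defect and one safe call that is reported anyway, which is the false-positive con above; the function, list and sample names are this example’s own.

```c
#include <ctype.h>
#include <string.h>

/* Standard library calls an ITS4-style scanner looks for: each writes into
   a destination buffer whose size the function is not told. */
static const char *const UNSAFE_CALLS[] = { "gets", "strcpy", "strcat", "sprintf", "scanf" };
#define N_UNSAFE (sizeof UNSAFE_CALLS / sizeof UNSAFE_CALLS[0])

struct finding { int line; const char *func; };

/* True if src[pos..] is a call to name: the identifier must not continue an
   earlier identifier (so fgets() is not gets()) and must be followed by '('
   after optional blanks (so strncpy() does not match strcpy()). */
static int is_call_at(const char *src, size_t pos, const char *name)
{
    size_t n = strlen(name);
    if (pos > 0 && (isalnum((unsigned char)src[pos - 1]) || src[pos - 1] == '_')) return 0;
    if (strncmp(src + pos, name, n) != 0) return 0;
    const char *p = src + pos + n;
    while (*p == ' ' || *p == '\t') p++;
    return *p == '(';
}

/* Scan C source text and record every unsafe call with its line number.
   Returns the total number of findings (only the first max are stored).
   Like a purely lexical tool it reports every call site, including calls
   that are safe in context, which is where the false positives come from. */
int scan_unsafe_calls(const char *src, struct finding *out, int max)
{
    int count = 0, line = 1;
    for (size_t i = 0; src[i] != '\0'; i++) {
        if (src[i] == '\n') { line++; continue; }
        for (size_t k = 0; k < N_UNSAFE; k++) {
            if (is_call_at(src, i, UNSAFE_CALLS[k])) {
                if (count < max) { out[count].line = line; out[count].func = UNSAFE_CALLS[k]; }
                count++;
                i += strlen(UNSAFE_CALLS[k]) - 1;   /* skip the matched identifier */
                break;
            }
        }
    }
    return count;
}

/* Constructed sample input: line 3 is a real bug (unbounded copy of user
   input), line 5 is a false positive (the source is a short literal that
   fits), and line 6 uses the bounded variant and is not reported. */
const char SAMPLE_SOURCE[] =
    "#include <string.h>\n"
    "void f(char *user) {\n"
    "    char name[16]; strcpy(name, user);\n"
    "    char ver[8];\n"
    "    strcpy(ver, \"1.0\");\n"
    "    strncpy(ver, user, sizeof ver - 1);\n"
    "}\n";
```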

Analysis tools – Dynamic
Examples: Tools that analyze memory use of a program during testing, like Purify
Pros:
– Can detect buffer overflows that occur during testing
– Sometimes testing won’t catch buffer overflows where data is corrupted but program behavior is not affected; dynamic analysis will
Cons:
– Buffer overflows that lead to erratic program behavior can usually be found during testing without dynamic analysis tools

Compiler tools
– Add bounds checking to all buffers
– Protect the return pointer on the stack

Compiler tools – Bounds checking
Example: Attempts to add bounds checking to gcc
Pros:
– Does not require modification of the source code, although you do still have to recompile
Cons:
– Very significant decrease in performance; code size and execution time can double
– All of the programs that a systems administrator wants to protect must be recompiled
– Cannot prevent every possible buffer overflow

Compiler tools – Protect the return pointer
Examples: Placing a canary on the stack to detect buffer overflows, such as StackGuard, or adding automatic bounds checking for all strings on the stack, like libsafe
Pros:
– Does not require that existing code be modified (although it sometimes must be recompiled)
– Will effectively prevent stack smashing attacks
Cons:
– Not all buffer overflow attacks are stack smashing attacks; program execution can be hijacked using heap-based attacks, and data can always be corrupted
– Significant performance overhead
– StackGuard causes the program to halt upon detection of a buffer overflow, leaving it open to denial-of-service attacks
– StackGuard requires that the target program to be protected be recompiled; libsafe doesn’t
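Added example (not StackGuard’s instrumentation or any code from the slides): a C model of a canary-protected stack frame. The frame is a plain byte array, so the over-long copy is ordinary, well-defined C rather than a real memory error. It shows the epilogue check catching an overflow that reaches the canary and the saved return address, and an overflow that stops at a neighbouring local variable going undetected, which is the “data can always be corrupted” con above. The layout, names and constant values are constructed for the example.

```c
#include <stdint.h>
#include <string.h>

/* Layout of the simulated frame, lowest address first: the overflowable
   buffer, another local variable of the same function, the compiler-inserted
   canary, and the saved return address. */
#define BUF_SIZE   16
#define LOCAL_OFF  BUF_SIZE
#define CANARY_OFF (LOCAL_OFF + 8)
#define RET_OFF    (CANARY_OFF + 8)
#define FRAME_SIZE (RET_OFF + 8)

struct frame { unsigned char bytes[FRAME_SIZE]; };

static uint64_t load64(const unsigned char *p) { uint64_t v; memcpy(&v, p, 8); return v; }
static void store64(unsigned char *p, uint64_t v) { memcpy(p, &v, 8); }

/* Prologue: zero the locals, plant the canary, record the return address. */
void frame_enter(struct frame *f, uint64_t canary, uint64_t ret_addr)
{
    memset(f->bytes, 0, sizeof f->bytes);
    store64(f->bytes + CANARY_OFF, canary);
    store64(f->bytes + RET_OFF, ret_addr);
}

/* The unchecked copy of the unprotected program: the length comes from the
   input, not from the buffer, so a long input runs past buf into whatever
   lies above it. (Clamped to the frame so the model itself stays in bounds.) */
void frame_unchecked_copy(struct frame *f, const unsigned char *in, size_t n)
{
    if (n > FRAME_SIZE) n = FRAME_SIZE;
    memcpy(f->bytes, in, n);
}

/* Epilogue as StackGuard instruments it: compare the canary before the saved
   return address is used. Returns 1 if intact, 0 if it was changed; the real
   instrumentation halts the program at that point. */
int frame_leave(const struct frame *f, uint64_t canary)
{
    return load64(f->bytes + CANARY_OFF) == canary;
}

struct outcome {
    int canary_ok;      /* 1: control returns normally; 0: the check fired */
    uint64_t local;     /* value of the neighbouring local after the copy */
    uint64_t ret_addr;  /* saved return address after the copy */
};

/* Run one input through the protected function and report what happened. */
struct outcome run_protected(const unsigned char *in, size_t n)
{
    const uint64_t canary = 0x1b2c3d4e5f607182ULL; /* constructed; real canaries are random per run */
    const uint64_t caller = 0x400abcULL;           /* constructed placeholder return address */
    struct frame f;
    struct outcome o;
    frame_enter(&f, canary, caller);
    frame_unchecked_copy(&f, in, n);
    o.canary_ok = frame_leave(&f, canary);
    o.local = load64(f.bytes + LOCAL_OFF);
    o.ret_addr = load64(f.bytes + RET_OFF);
    return o;
}
```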

Operating system tools
– Disable execution of code outside the code space – It is possible on some architectures to distinguish between code and data and not allow data to be executed as code.
– Intrusion detection systems – These are programs that watch for abnormal behavior or behavior that is similar to attack behavior.
– Generation of an interrupt – With hardware support it is possible to set bounds on a buffer and generate an interrupt when an attempt is made to access or change memory outside those bounds.

Operating system tools – Disable code execution outside the code space
Example: A patch for Linux that disables execution of code on the stack as well as mapping library function calls to addresses with a zero byte in them
Pros:
– Currently, the most common and most devastating buffer overflow exploit is stack smashing, and this patch makes stack smashing much more difficult
– Does not require that existing software be modified or recompiled
– A zero byte in the address of a system call forces the attacker to have a null character in the attack string
Cons:
– Does not prevent all stack smashing attacks; often attack code can be placed in global variables or on the heap, or library code to spin a shell already exists in the code space (i.e., system() or execv())
– Crashing still leaves programs open to denial-of-service and core dump attacks
– A null character in just the right place in an attack string is not always impossible for an attacker to accomplish, and they can always jump to a small piece of code in variable space that contains a second jump to the desired location
– Some legitimate programs execute code on the stack, but very few, and there is a work-around for this

Operating system tools – Intrusion detection
Example: An intrusion detection system could keep track of what patterns of system calls programs usually exhibit, and then report or react to anomalies such as an “execv()” call when the next system call is usually to close a file
Pros:
– Could be able to detect a variety of hijacking attacks, not just stack smashing
– Could be able to detect many attacks on unknown vulnerabilities
Cons:
– Intrusion detection is a developing technology
– The offending process will probably be killed, leaving it open to a denial-of-service attack
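Added example, not from the original presentation: a simplified system-call sequence model in C of the kind the slide describes. It is trained on traces of a program’s normal behaviour and then scores a new trace by counting adjacent call pairs it has never seen, so an execv() where the training traces always showed a read or close is reported as an anomaly. The call vocabulary, the traces and all names are constructed for the example.

```c
#include <string.h>

/* Small system-call vocabulary for the model (constructed for the example). */
enum sc { SC_OPEN, SC_READ, SC_WRITE, SC_CLOSE, SC_EXECV, SC_COUNT };

/* The model is a table of which call has been observed to follow which:
   seen[a][b] != 0 means "b directly after a" occurred during training. */
struct sc_model { unsigned char seen[SC_COUNT][SC_COUNT]; };

void model_init(struct sc_model *m) { memset(m, 0, sizeof *m); }

/* Learn from one trace of normal behaviour (adjacent pairs only). */
void model_train(struct sc_model *m, const enum sc *trace, size_t n)
{
    for (size_t i = 1; i < n; i++) m->seen[trace[i - 1]][trace[i]] = 1;
}

/* Score a trace: count transitions never seen in training. first_bad (if
   not NULL) receives the index of the first anomalous call, or -1. A
   non-zero result is what the slide calls an anomaly; a real system would
   report it or kill the process, with the denial-of-service cost noted above. */
int model_anomalies(const struct sc_model *m, const enum sc *trace, size_t n, int *first_bad)
{
    int bad = 0;
    if (first_bad) *first_bad = -1;
    for (size_t i = 1; i < n; i++) {
        if (!m->seen[trace[i - 1]][trace[i]]) {
            if (bad == 0 && first_bad) *first_bad = (int)i;
            bad++;
        }
    }
    return bad;
}

/* Constructed traces: a file-copy style program in normal operation ... */
static const enum sc NORMAL_A[] = { SC_OPEN, SC_READ, SC_READ, SC_WRITE, SC_CLOSE };
static const enum sc NORMAL_B[] = { SC_OPEN, SC_READ, SC_CLOSE, SC_OPEN, SC_WRITE, SC_CLOSE };
/* ... and a run in which, after reading input, the program tries to execute
   another program instead of closing the file as it normally would. */
static const enum sc SUSPECT[] = { SC_OPEN, SC_READ, SC_EXECV };

/* Train on the normal traces and score the suspect one; returns the anomaly
   count and stores the position of the first anomalous call in first_bad. */
int demo_score(int *first_bad)
{
    struct sc_model m;
    model_init(&m);
    model_train(&m, NORMAL_A, sizeof NORMAL_A / sizeof NORMAL_A[0]);
    model_train(&m, NORMAL_B, sizeof NORMAL_B / sizeof NORMAL_B[0]);
    return model_anomalies(&m, SUSPECT, sizeof SUSPECT / sizeof SUSPECT[0], first_bad);
}
```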

Operating system tools – Generation of an interrupt
Example: With hardware support the program could set the bounds of every buffer, and an interrupt would be generated if an attempt was made to access or change memory outside of those bounds
Pros:
– Would prevent many buffer overflows if done properly
Cons:
– Pointer arithmetic would still be unbounded, as a pointer might be pointing to an array of 100 bytes, an array of 50 bytes, or to the 40th byte of an array of 50 bytes
– Programmers would still have to be educated about buffer overflows because they need to write an interrupt handler to do what they want it to (halt, truncate the buffer, ask the user for different input?)

About this Project
This presentation is part of a larger package of materials on buffer overflow vulnerabilities, defenses, and software practices. For more information, go to the project website. Also available are:
– Demonstrations of how buffer overflows occur (Java applets)
– PowerPoint lecture-style presentations on an introduction to buffer overflows, preventing buffer overflows (for C programmers), and a case study of Code Red
– Checklists and Points to Remember for C Programmers
– An interactive module and quiz set with alternative paths for journalists/analysts and IT managers as well as programmers and testers
– A scavenger hunt on implications of the buffer overflow vulnerability
Please complete the feedback form to tell us how you used this material and to offer suggestions for improvements.