Buffer Overflow Detection Stuart Pickard CSCI 297 June 14, 2005.

Presentation transcript:

Buffer Overflow Detection Stuart Pickard CSCI 297 June 14, 2005

Papers
1. “StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks.” Crispin Cowan, Calton Pu, Dave Maier, Heather Hinton, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, and Qian Zhang. 7th USENIX Security Symposium, January 1998, San Antonio, TX.
2. “Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade.” Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie, and Jonathan Walpole. SANS 2000, Orlando, FL, March.
3. “Type-Assisted Dynamic Buffer Overflow Detection.” K. S. Lhee and S. J. Chapin. 11th USENIX Security Symposium, 2002.

The First Two Papers The first paper was published in 1998, the second in 2000. Both papers focus on static buffer overflow detection and prevention at the compilation stage. They led to the development of software for the Immunix project, which then became Immunix Corporation. On May 10, 2005 Immunix was bought by Novell, and the products are being sold under the name AppArmor.

Quote from Press Release “The new product, to be called Novell® AppArmor powered by Immunix,TM protects both the Linux operating system and applications from external or internal attacks, viruses, and malicious applications.”

Buffer Overflow Life Cycle
1. A malicious user finds a vulnerability in a highly privileged program.
2. The user might be able to gain access to the system by overflowing a buffer and pushing code into the return address space of a function call.
3. Fixes are then made by patching the code to prevent future attacks.

4 basic approaches to defending against buffer overflow attacks
1. Write code that fully checks array bounds.
2. Non-executable buffers: prevent the data segment of the victim program’s address space from being executed.
3. Array bounds checking: check all accesses and writes to an array (e.g. Purify).
4. Perform integrity checks on code pointers before dereferencing them to detect an attack (not as strong as the others).

Problem with patches Fixing buffer overflows with patches attacks the problem at its source, one bug at a time. The first two papers suggest instead solving the problem of buffer overflows by protecting the stack (the destination of the attack).

Brief Review of a Buffer Overflow (Stack Smashing) The injected attack code typically spawns a shell with root privileges. StackGuard will prevent the injected attack code from executing. The next slide discusses their method. If a program is written with a buffer overflow vulnerability, the attacker can still crash the StackGuard-protected program, since StackGuard halts it when the overflow is detected.

StackGuard StackGuard protects the return address of a function on the stack in one of two ways: by detecting that the address has been changed (the canary) or by preventing the write to the return address altogether (MemGuard). StackGuard is more effective when the return address cannot be altered at all; however, that mode has more overhead. StackGuard can run in either mode.

How StackGuard is Implemented The return address is unaltered if and only if the canary word is unaltered. Reason: this only really works for buffer overflow attacks, since the attacker needs to write in a linear, sequential manner; thus, if the return address is modified, then the canary word is also modified. StackGuard is implemented by modifying two functions of the open-source gcc compiler: function_prologue and function_epilogue. The modifications emit a canary word onto the stack in the prologue and, in the epilogue, check that the canary word has not been modified before the function returns.
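The prologue/epilogue idea as an added, constructed model (not StackGuard's gcc patch): a frame is held in a byte array laid out like a downward-growing stack, an unchecked copy writes upward from the buffer, and the epilogue check catches any write that reaches the saved return address. The canary value and return address are made-up constants.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of one StackGuard-protected frame (added example, not
   StackGuard's own code). The local buffer sits lowest, the canary word
   directly above it, the saved return address above the canary. An
   overflowing copy writes upward, so it cannot reach RET without crossing CANARY. */
#define BUF_LEN    16
#define CANARY_OFF BUF_LEN            /* 16 */
#define RET_OFF    (CANARY_OFF + 4)   /* 20 */
#define FRAME_LEN  (RET_OFF + 8)      /* 28 */

enum { CANARY_OK = 0, CANARY_SMASHED = 1 };

/* function_prologue: emit the canary word (StackGuard draws it from a
   random table filled at program start; a fixed constructed value here). */
static void prologue(unsigned char *frame, uint32_t canary, uint64_t ret)
{
    memset(frame, 0, FRAME_LEN);
    memcpy(frame + CANARY_OFF, &canary, sizeof canary);
    memcpy(frame + RET_OFF, &ret, sizeof ret);
}

/* function_epilogue: verify the canary before the saved return address
   is trusted. A mismatch means the stack above the buffer was overwritten. */
static int epilogue(const unsigned char *frame, uint32_t canary)
{
    uint32_t stored;
    memcpy(&stored, frame + CANARY_OFF, sizeof stored);
    return stored == canary ? CANARY_OK : CANARY_SMASHED;
}

/* Runs a function body that copies n bytes of input into buf with no
   bounds check. Returns the epilogue verdict and reports through
   *ret_changed whether the return address itself was altered. */
int run_frame(size_t n, int *ret_changed)
{
    unsigned char frame[FRAME_LEN], input[FRAME_LEN];
    const uint32_t canary = 0xA5C3F00Du;   /* constructed canary */
    const uint64_t ret    = 0x401000u;     /* constructed return address */
    uint64_t after;
    if (n > FRAME_LEN) n = FRAME_LEN;      /* keep the model itself in bounds */
    memset(input, 'A', sizeof input);
    prologue(frame, canary, ret);
    memcpy(frame, input, n);               /* the unchecked write */
    memcpy(&after, frame + RET_OFF, sizeof after);
    *ret_changed = after != ret;
    return epilogue(frame, canary);
}
```

A 16-byte copy passes, a 17-byte copy already trips the check, and by the time the write is long enough to touch the return address the canary has long since been destroyed.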

StackGuard continued The total change is under 100 extra lines of code in the gcc compiler. Canary values need to be random. StackGuard Example:

MemGuard: Preventing return address changes MemGuard protects the return address by making it read-only when the function is called. It then un-protects the return address when the function finishes and needs to return. The protection and un-protection occur in gcc’s function_prologue and function_epilogue.

StackGuard The Canary version is more efficient; however, MemGuard is more secure. Immunix project solution: run StackGuard in Canary mode until a threat is detected, then run with MemGuard.

Results

Final thoughts on StackGuard StackGuard not only patches a broad range of existing faults, it patches faults that have not yet been discovered. It turns the problem of attackers gaining root access into a problem of mild degradation-of-service attacks (the switch from Canary to MemGuard mode). This gives software developers more time to fix the underlying bugs. Compare StackGuard to Purify and other array bounds checking for C: in terms of overhead, Canary mode is the most efficient, then MemGuard, then Purify, then other array bounds checking implementations.

PointGuard - Pointer Integrity Checking In the second paper, not only is StackGuard discussed, but a new (as of 2000) patch to the gcc compiler, PointGuard, is introduced. PointGuard is a generalization of StackGuard which places “canaries” next to all code pointers (function pointers). As of the writing of that paper, PointGuard had not passed the prototyping stage. PointGuard will include a special canary storage class that forces canary protection onto arbitrary variables.

Questions? StackGuard – In MemGuard mode or Canary Mode PointGuard Immunix Novell AppArmor

Third Paper – Type-Assisted Dynamic Buffer Overflow Detection This paper first covers many of the other buffer overflow prevention techniques. Most notably, the authors describe StackGuard and how it is vulnerable to some attacks. They claim that StackGuarded software is vulnerable to attacks exploiting code pointers other than the return address, and that with such a code pointer StackGuard can be bypassed. They also claim that StackGuard can be bypassed by exploiting heap memory objects.

Their Solution Enable range checking on buffers at runtime by adding an intermediary step during compilation that emits an additional data structure into the binary file. This structure describes the types of automatic buffers and static buffers. They generate a type table: a data structure that associates the address of each function with information about the function’s automatic buffers. They implemented a prototype by extending the GNU C compiler on Linux.

Their Solution continued... The source files are not modified; only the separate type tables are created. Range checking is done with the following steps:
1. Locate the stack frame of the buffer by chasing down the saved frame pointer.
2. Retrieve the return address of the next stack frame to find out who allocated the stack frame.
3. Locate the function that allocated the stack frame by comparing the return address with the function addresses in the type table.
4. Locate the buffer within the function by comparing the buffer address with the offsets in the table plus the frame pointer value.
5. Return the size of the buffer (or the size of a field if it is a struct variable).
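The five steps above as an added, constructed model (not the paper's prototype): a type table mapping each function's address range to its frame-pointer-relative buffers, a stack of frames each holding a saved frame pointer and return address, and a walk that resolves a buffer address to the number of bytes left in its buffer. The functions, addresses and layouts are made up; SIZE_UNKNOWN is returned where the table has no entry.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed model of the type table and the five-step stack walk (added
   example, not the paper's code). Everything below is made-up sample data;
   SIZE_UNKNOWN marks buffers the table cannot describe. */
#define SIZE_UNKNOWN ((size_t)-1)
struct buf_desc  { ptrdiff_t fp_offset; size_t size; };   /* buffer starts at fp + offset */
struct func_rec  { uintptr_t entry, end; const struct buf_desc *bufs; size_t nbufs; };
struct frame_rec { uintptr_t fp, saved_fp, ret; };        /* saved fp and return address at fp */
/* Type table: vuln() owns name[32] at fp-48 and tag[8] at fp-16; main() owns no buffers. */
static const struct buf_desc vuln_bufs[] = { { -48, 32 }, { -16, 8 } };
static const struct func_rec type_table[] = {
    { 0x401000u, 0x401100u, NULL,      0 },   /* main */
    { 0x401200u, 0x401300u, vuln_bufs, 2 },   /* vuln */
};
/* Stack as seen when the instrumented strcpy() is entered: strcpy -> vuln -> main. */
static const struct frame_rec frames[] = {
    { 0x7fff0100u, 0x7fff0180u, 0x401230u },  /* strcpy's frame, returns into vuln */
    { 0x7fff0180u, 0x7fff0200u, 0x401050u },  /* vuln's frame, returns into main */
};

static const struct frame_rec *read_frame(uintptr_t fp)
{
    for (size_t i = 0; i < sizeof frames / sizeof frames[0]; i++)
        if (frames[i].fp == fp) return &frames[i];
    return NULL;
}

static const struct func_rec *lookup_func(uintptr_t pc)
{
    for (size_t i = 0; i < sizeof type_table / sizeof type_table[0]; i++)
        if (pc >= type_table[i].entry && pc < type_table[i].end) return &type_table[i];
    return NULL;
}
/* Bytes from p to the end of the automatic buffer containing it (the full
   size when p is the buffer's start), given the current frame pointer. */
size_t bytes_to_buffer_end(uintptr_t p, uintptr_t fp)
{
    for (const struct frame_rec *f = read_frame(fp); f; f = read_frame(f->saved_fp)) {
        if (p <= f->fp || p > f->saved_fp) continue;        /* step 1: caller's frame is (fp, saved_fp] */
        const struct func_rec *owner = lookup_func(f->ret);  /* steps 2-3: who allocated that frame */
        for (size_t i = 0; owner && i < owner->nbufs; i++) { /* steps 4-5: match fp-relative offsets */
            uintptr_t lo = f->saved_fp + owner->bufs[i].fp_offset, hi = lo + owner->bufs[i].size;
            if (p >= lo && p < hi) return hi - p;
        }
        return SIZE_UNKNOWN;
    }
    return SIZE_UNKNOWN;   /* walked off the top of the stack */
}
```

An instrumented string function would call this with its destination pointer and refuse to write more than the returned count; SIZE_UNKNOWN is where the alloca() and variable-length array limitation shows up, since such buffers never get a table entry.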

Limitations to their solution There are two cases where they cannot determine the size of automatic buffers:
1. stack buffers dynamically allocated with alloca();
2. variable-length automatic arrays.

Results: C-library string functions

Conclusions The results from the last paper suggest that it might not be practical to keep track of buffer ranges at runtime. However, certain vulnerabilities that exist in the StackGuard solution are prevented by Type-Assisted Dynamic Buffer Overflow Detection.

Conclusions (continued) The solution to buffer overflow attacks most likely lies in a combination of these techniques. It is also unlikely that we can ever be totally guaranteed prevention of this kind of attack.

References:
1. “StackGuard: Automatic Adaptive Detection and Prevention of Buffer-Overflow Attacks.” Crispin Cowan, Calton Pu, Dave Maier, Heather Hinton, Peat Bakke, Steve Beattie, Aaron Grier, Perry Wagle, and Qian Zhang. 7th USENIX Security Symposium, January 1998, San Antonio, TX.
2. “Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade.” Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie, and Jonathan Walpole. SANS 2000, Orlando, FL, March.
3. “Type-Assisted Dynamic Buffer Overflow Detection.” K. S. Lhee and S. J. Chapin. 11th USENIX Security Symposium.
4. “Buffer Overflow demo: Embry-Riddle, NSF Scholarships for Service Grant.” Susan Gerhart, Jan Hogle, Jedidiah Crandall.

Discussion