A Tool for Pro-active Defense Against the Buffer Overrun Attack D. Bruschi, E. Rosti, R. Banfi Presented By: Warshavsky Alex.

Overview Introduction General Background The Attack Buffer Overrun Detector Existing Solutions Conclusions

Computer Security Problems
Security-unconscious design
Programming errors
–Buffer overruns
–Buffer overflow
–Stack smashing

Why let it happen?
Language flexibility
Language efficiency
As a result… everything is left to the programmer

Motivation
Login program, late 70's
Internet Worm, November 1988
CERT-CC (Computer Emergency Response Team Coordination Center), 1997: 15 of 28 reported bugs were buffer overruns

What is needed to solve the problem?
Compiler tools
Static analysis tools
Buffer Overrun Detector

General Background, or why buffer overruns are a security issue
Unix access control system
Function call execution model
C language

Unix Access Control System
Who owns the process?
–Real user identifier (ruid)
–Effective user identifier (euid)
–setuid() system call
File permission bits, as drawn on the slide: R W X for owner, R W X for group, R W X for other, plus the suid, sgid and sticky bits. A setuid-root executable runs with euid 0 whoever starts it, which is why an overrun in such a program is worth attacking.
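The two halves of that slide in working code, as an added example written for this page and not taken from the paper or the deck: format_mode() decodes the permission bits the slide draws (including how suid/sgid/sticky show up in ls -l), and drop_privileges() shows the setuid() call a setuid-root program should make once it no longer needs root, with a check that the privilege really cannot be regained. The function names and the sample modes are assumptions; the program runs unprivileged too (then the drop is a no-op).

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Render the low 12 mode bits the way ls -l does: rwx for owner, group and
 * other, with suid/sgid shown as 's' (or 'S' when the execute bit is clear)
 * in the owner/group execute column and the sticky bit as 't'/'T' for other.
 * out must hold 10 bytes. */
const char *format_mode(mode_t m, char out[10]) {
    const char *rwx = "rwxrwxrwx";
    for (int i = 0; i < 9; i++)
        out[i] = (m & (0400u >> i)) ? rwx[i] : '-';
    if (m & S_ISUID) out[2] = (m & S_IXUSR) ? 's' : 'S';
    if (m & S_ISGID) out[5] = (m & S_IXGRP) ? 's' : 'S';
    if (m & S_ISVTX) out[8] = (m & S_IXOTH) ? 't' : 'T';
    out[9] = '\0';
    return out;
}

/* Inside a setuid program: give the privileged euid up for good.  setuid()
 * called with euid 0 resets the real, effective and saved uid together, so
 * the privilege cannot be regained; seteuid() alone would leave the saved
 * uid at 0 and a later seteuid(0) would succeed.  Returns 0 on success. */
int drop_privileges(void) {
    uid_t ruid = getuid();
    gid_t rgid = getgid();
    if (setgid(rgid) != 0) return -1;   /* group first, while still privileged */
    if (setuid(ruid) != 0) return -1;
    /* Verify the drop: for a non-root ruid, going back to 0 must now fail. */
    if (ruid != 0 && setuid(0) == 0) return -1;
    return 0;
}

/* 1 once the process runs with its real ids only, i.e. as the invoking user. */
int privileges_dropped(void) {
    return getuid() == geteuid() && getgid() == getegid();
}

int main(void) {
    char buf[10];
    printf("04755 -> %s  (setuid-root binary, e.g. passwd)\n", format_mode(04755, buf));
    printf("01777 -> %s  (sticky world-writable directory, e.g. /tmp)\n", format_mode(01777, buf));
    printf("ruid=%u euid=%u\n", (unsigned)getuid(), (unsigned)geteuid());
    if (drop_privileges() != 0) return 1;
    printf("after drop: ruid=%u euid=%u dropped=%d\n",
           (unsigned)getuid(), (unsigned)geteuid(), privileges_dropped());
    return 0;
}
```

The order in drop_privileges() matters: the group must be changed while the process still has the privilege to do so, and the final setuid(0) probe is the only cheap way to tell a real drop from one that left the saved uid behind.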

Function Call Execution Model
Process in memory, from low to high addresses: text, initialized data, bss, heap, the user stack, then argc and the argv pointers, the env pointers, the argv strings and the env strings.
Function call: the caller pushes the parameters and the return address; the callee saves the frame pointer, sets the new stack pointer and frame pointer, and allocates its local variables below them. The return address and the saved frame pointer therefore sit at higher addresses than the locals, in the direction a buffer is filled.

C Language
Considered a high-level assembly
Easy to make a mistake
Easy to forget…
Libraries aren't safe: strcpy(), strcat(), sprintf() and gets() copy until they see a terminator and never check the size of the destination

The Attack
Pass the object code of execve("/bin/sh", NULL) as part of the input (the classic Linux/x86 shellcode from "Smashing the Stack for Fun and Profit"):

char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";

Overwrite the return address with the address of that code
Hope your code will be executed
Don't forget the SUID bit: with it the shell runs at super-user privilege level
Stack is executable!!!

An example (four slides: before the call, after the call, after a = 4, and after the strcpy)

void my_func(int a, char *buff){
    char buf1[6];
    a = 4;
    strcpy(buf1, buff);
}

int main(void){
    char string[] = "buffer overflow!!!!";
    int i;
    i = 5;
    my_func(i, string);
    i = 3;
    return 0;
}

Stack diagram (high addresses at the top, the stack grows toward low addresses; heap and bss lie below it). The 20-byte string "buffer overflow!!!!\0" is drawn as the 4-byte words "buff", "er o", "verf", "low!", "!!!\0".
1. In main: argc, then string (the five words above), then i = 5.
2. my_func is called: *buff and a = 5 are pushed, then the return address, then the saved frame pointer, then buf1 (6 bytes) at the lowest address.
3. a = 4 changes only the callee's copy of the parameter; main's i is untouched.
4. strcpy(buf1, buff) copies all 20 bytes into the 6-byte buf1: "buff" and "er o" fill buf1 and its padding, "verf" lands on the saved frame pointer, "low!" on the next slot and "!!!\0" on the return address. When my_func returns, control goes to whatever address those bytes spell; an attacker chooses them so that it is the address of the shellcode.
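The strcpy() from my_func beside two bounded replacements, as an added example written for this page (it is not code from the slides or the paper; the function names are assumptions). It also illustrates the "libraries aren't safe" point of the C language slide: the fix is never a different library call alone, it is a bound taken from the destination buffer plus a decision about what to do when the input does not fit.

```c
#include <stdio.h>
#include <string.h>

/* As on the slides: strcpy() has no bound, so 20 bytes go into a 6-byte
 * buffer and run over the saved frame pointer and the return address. */
void my_func(int a, const char *buff) {
    char buf1[6];
    a = 4;
    strcpy(buf1, buff);
    (void)a;
}

/* Fix 1: copy at most dst_size - 1 bytes and always NUL-terminate.
 * Returns 1 if the input was truncated, 0 otherwise.  src must be a
 * NUL-terminated string. */
int copy_truncating(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0) return 1;
    size_t n = strlen(src);
    if (n >= dst_size) {
        memcpy(dst, src, dst_size - 1);
        dst[dst_size - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Fix 2: refuse over-long input.  Truncation silently changes the data (a
 * path, a user name, a host), so for security-relevant strings rejecting is
 * the safer default.  Returns -1 and leaves dst empty on failure. */
int copy_or_reject(char *dst, size_t dst_size, const char *src) {
    if (dst_size == 0) return -1;
    size_t n = strlen(src);
    if (n >= dst_size) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* my_func with the bound taken from the buffer's own size; the 'a = 4' of the
 * original is dropped since it only served the stack diagram. */
int my_func_safe(int a, const char *buff) {
    char buf1[6];
    (void)a;
    return copy_or_reject(buf1, sizeof buf1, buff);
}

int main(void) {
    char string[] = "buffer overflow!!!!";   /* the slide's 19-character input */
    char out[6];
    printf("truncating: rc=%d out=\"%s\"\n", copy_truncating(out, sizeof out, string), out);
    printf("rejecting:  rc=%d out=\"%s\"\n", copy_or_reject(out, sizeof out, string), out);
    printf("my_func_safe: rc=%d\n", my_func_safe(5, string));
    return 0;
}
```

Note that a 6-character input already does not fit a 6-byte buffer once the terminator is counted; both fixes get that boundary right, which is the case strncpy() is famous for getting wrong (it neither terminates nor reports).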

Another example: a return address can be changed without any buffer at all. Built as the slide assumes (32-bit x86, MSVC, no optimization), the __stdcall arguments of foo are pushed right to left, so stepping two ints down from b passes over a and lands on the saved return address:

#include <stdio.h>

void __stdcall foo(int a, int b);

int main(void)
{
    int num;
    num = 5;
    foo(num, num + 1);
    num = 1;                             /* the store that gets skipped */
    printf("num is now %d \n", num);
    return 0;
}

void __stdcall foo(int a, int b)
{
    int *p;
    p = &b;          /* b sits just above a on the stack */
    p -= 2;          /* two ints down: past a, onto the return address */
    (*p) += 7;       /* resume 7 bytes later, past the "num = 1" instruction in main */
}

Output: num is now 5

The 7 is the length of the instruction that stores 1 into num in that build; because the callee cleans the stack under __stdcall, that store is the very next instruction after the call, so adding 7 to the return address skips exactly it.

Buffer Overrun Detector
Finding critical programs
Searching for segmentation violations
Exploiting the segmentation violation

Finding Critical Programs
setuid-to-root programs that
–accept input parameters
–access environment variables
–read a configuration file

Searching for Segmentation Violation
Large inputs
Brute-force approach: feed ever larger inputs through each channel until the program dies with a segmentation violation

Exploiting Segmentation Violation
Finding the stack location containing the return address
Finding the new value for the return address

Existing Solutions
Compiler patches
Library patches
Operating system patches
Writing safe code!

Compiler Patches
Compile-time bound checks
Run-time checks on pointer manipulation
Examples
–GCC patch at Imperial College (2-3,30)
–Purify, memory accesses (5)
–StackGuard - return address
–MemGuard - memory accesses

StackGuard (two slides: before and after the strcpy)

void my_func(int a, char *buff){
    char buf1[2];
    a = 4;
    strcpy(buf1, buff);
}

int main(void){
    char string[] = "buffer overflow!!!!";
    int i;
    i = 5;
    my_func(i, string);
    i = 3;
    return 0;
}

Stack diagram (high addresses at the top): string ("!!!\0", "low!", "verf", "er o", "buff"), i = 5, *buff, a = 4, return address, CANARY, the saved stack-pointer and frame-pointer slots, buf1. The StackGuard compiler patch places the canary word directly below the return address in every function prologue and compares it with the stored value in the epilogue.
After strcpy: "buff" fills buf1, "er o" and "verf" cover the saved pointer slots, "low!" lands on the CANARY and "!!!\0" on the return address. The epilogue finds the canary changed and aborts the program before the corrupted return address is ever used: an overrun that reaches the return address cannot avoid passing through the canary.
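A hand-rolled version of that check, as an added example and not StackGuard's own code: the frame is modelled as a struct laid out the way the slide draws it, the "prologue" stores a per-process random canary, the copy runs, and the "epilogue" compares. The canary's top byte is forced to zero so that on a little-endian machine the byte at its highest address is a NUL, which a string copy cannot write past (StackGuard's terminator canary). Names, the placeholder return address and the clamp that keeps the demo inside its own struct are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The frame as the slide draws it, low addresses first: the buffer, the
 * canary word, then the return address the canary guards. */
struct guarded_frame {
    char buf1[6];
    uintptr_t canary;
    uintptr_t return_address;
};

static uintptr_t g_canary;

/* Per-process random canary.  The most significant byte is forced to 0 so
 * that, on a little-endian machine, the byte at the canary's highest address
 * is NUL: a strcpy() cannot write past it without first writing that NUL,
 * which ends the copy (StackGuard's "terminator canary" idea). */
uintptr_t canary_value(void) {
    if (g_canary == 0) {
        FILE *f = fopen("/dev/urandom", "rb");
        if (f == NULL || fread(&g_canary, sizeof g_canary, 1, f) != 1)
            g_canary = 0x000aff0d;          /* fallback only; not secret */
        if (f != NULL) fclose(f);
        g_canary &= (uintptr_t)-1 >> 8;
        if (g_canary == 0) g_canary = 0x000aff0d;
    }
    return g_canary;
}

/* The body of my_func under StackGuard: prologue stores the canary, the copy
 * runs, the epilogue compares.  Returns 0 if the canary survived and 1 if it
 * was smashed (StackGuard would abort here rather than return).  n is clamped
 * to the frame only so this demo stays inside its own object; a real strcpy
 * has no such bound. */
int guarded_copy(const char *src, size_t n) {
    struct guarded_frame f;
    f.return_address = 0x08048000;          /* placeholder, constructed */
    f.canary = canary_value();              /* prologue */
    if (n > sizeof f) n = sizeof f;
    memcpy((unsigned char *)&f, src, n);    /* buf1 first, then canary, then ret */
    return f.canary == canary_value() ? 0 : 1;   /* epilogue */
}

int main(void) {
    const char *inputs[] = { "hello", "buffer overflow!!!!" };   /* constructed */
    for (int i = 0; i < 2; i++)
        printf("\"%s\" (%zu bytes): canary %s\n", inputs[i], strlen(inputs[i]),
               guarded_copy(inputs[i], strlen(inputs[i])) ? "SMASHED" : "intact");
    return 0;
}
```

Modern GCC and Clang emit the same prologue/epilogue pair automatically under -fstack-protector, which is the direct descendant of the StackGuard patch; the value of the canary is random so an attacker who can write past the buffer still does not know what to write back.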

Library Patches
Assembly-coded integrity checks
Almost no performance impact
But…
–User functions aren't checked!
–Portability is limited

Operating System Patches
Making the stack non-executable
Program protection at no cost
But…
–The kernel has to be patched
–GCC relies on an executable stack (trampolines for nested functions)
–Functional languages need it
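The objection on that slide is how the non-executable stack eventually shipped: instead of one global kernel patch, Linux decides per binary from a PT_GNU_STACK program header that the linker writes, setting PF_X only when something in the program (GCC nested-function trampolines, or an assembly file without a .note.GNU-stack section) needs an executable stack. The following added example, which is not from the slides or the paper, reads that header so you can audit a binary; the sample images are constructed in build_image() and the function names are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Returns the p_flags of PT_GNU_STACK in a 64-bit little-endian ELF image,
 * or -1 if the image is not such an ELF or has no PT_GNU_STACK (in which
 * case the kernel falls back to an executable stack on most architectures). */
int elf64_gnu_stack_flags(const unsigned char *img, size_t len) {
    Elf64_Ehdr eh;
    if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) != 0 ||
        eh.e_ident[EI_CLASS] != ELFCLASS64 ||
        eh.e_ident[EI_DATA] != ELFDATA2LSB) return -1;
    if (eh.e_phentsize != sizeof(Elf64_Phdr)) return -1;
    for (unsigned i = 0; i < eh.e_phnum; i++) {
        size_t off = (size_t)eh.e_phoff + (size_t)i * eh.e_phentsize;
        if (off + sizeof(Elf64_Phdr) > len) return -1;
        Elf64_Phdr ph;
        memcpy(&ph, img + off, sizeof ph);
        if (ph.p_type == PT_GNU_STACK) return (int)ph.p_flags;
    }
    return -1;
}

/* 1 if the stack would be executable, 0 if not, -1 if undetermined. */
int stack_executable(const unsigned char *img, size_t len) {
    int flags = elf64_gnu_stack_flags(img, len);
    return flags < 0 ? -1 : ((flags & PF_X) ? 1 : 0);
}

/* Same check on a file on disk; the headers sit at the front, so 64 KiB
 * is enough for any normally linked binary. */
int file_stack_executable(const char *path) {
    FILE *f = fopen(path, "rb");
    if (f == NULL) return -1;
    size_t cap = 1 << 16, n = 0;
    unsigned char *buf = malloc(cap);
    if (buf != NULL) n = fread(buf, 1, cap, f);
    fclose(f);
    int r = buf != NULL ? stack_executable(buf, n) : -1;
    free(buf);
    return r;
}

/* Constructed minimal image: an ELF header followed by one PT_GNU_STACK
 * program header carrying the given flags.  Returns the image length. */
size_t build_image(unsigned char *out, uint32_t stack_flags) {
    Elf64_Ehdr eh;
    memset(&eh, 0, sizeof eh);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_type = ET_EXEC;
    eh.e_machine = EM_X86_64;
    eh.e_phoff = sizeof eh;
    eh.e_phentsize = sizeof(Elf64_Phdr);
    eh.e_phnum = 1;
    Elf64_Phdr ph;
    memset(&ph, 0, sizeof ph);
    ph.p_type = PT_GNU_STACK;
    ph.p_flags = stack_flags;
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, &ph, sizeof ph);
    return sizeof eh + sizeof ph;
}

int main(int argc, char **argv) {
    const char *path = argc > 1 ? argv[1] : "/proc/self/exe";
    int r = file_stack_executable(path);
    printf("%s: stack %s\n", path,
           r == 1 ? "EXECUTABLE" : r == 0 ? "non-executable" : "undetermined");
    return 0;
}
```

The same information is what readelf -l shows in its GNU_STACK line; a result of 1 on a setuid binary is exactly the condition under which the shellcode on the attack slide runs unchanged today.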

Conclusions
A tool for automatic detection of buffer overruns was presented
Nothing beats writing good code

It's almost The End

Fuzz Revisited: A Re-examination of the Reliability of UNIX Utilities and Services By: Miller, Koski, Lee, Maganty, Murthy, Natarajan, Steidl. University of Wisconsin

Introduction
Fuzz generator
Tested over 80 utility programs on 9 UNIX platforms
Tested network services
Tested X-Windows applications
Tested the checking of return values of system calls

Conclusions
–Failure rate of commercial versions of UNIX (Sun, IBM, SGI, DEC, NEXT): 18%-23%
–Failure rate of Linux: 9%; GNU: 6%
–Network services are robust
–X-Windows applications: more than 50% on random input, more than 25% on legal input
–X servers are robust
–malloc(): 25 out of 53 (47%) crashed

THE END