Part I The Basic Idea software sequence of instructions in memory logically divided in functions that call each other – function ‘IE’ calls function.

Slides:

Advertisements

Similar presentations

Smashing the Stack for Fun and Profit

Advertisements

Introduction to Memory Management. 2 General Structure of Run-Time Memory.

1/1/ / faculty of Electrical Engineering eindhoven university of technology Introduction Part 2: Data types and addressing modes dr.ir. A.C. Verschueren.

Topic 10 Java Memory Management. 1-2 Memory Allocation in Java When a program is being executed, separate areas of memory are allocated for each class.

Procedure call frame: Hold values passed to a procedure as arguments

Interrupts Chapter 8 – pp Chapter 10 – pp Appendix A – pp 537 &

Review: Software Security David Brumley Carnegie Mellon University.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

1 Storage Registers vs. memory Access to registers is much faster than access to memory Goal: store as much data as possible in registers Limitations/considerations:

Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:

Memory Allocation. Three kinds of memory Fixed memory Stack memory Heap memory.

Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.

Software and Software Vulnerabilities. Synopsis Array overflows Stack overflows String problems Pointer clobbering. Dynamic memory management Integer.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Netprog: Buffer Overflow1 Buffer Overflow Exploits Taken shamelessly from: netprog/overflow.ppt.

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.

Computer Security and Penetration Testing

Automatic Diagnosis and Response to Memory Corruption Vulnerabilities Authors: Jun Xu, Peng Ning, Chongkyung Kil, Yan Zhai, Chris Bookholt In ACM CCS’05.

Runtime Environments Compiler Construction Chapter 7.

Functions and Procedures. Function or Procedure u A separate piece of code u Possibly separately compiled u Located at some address in the memory used.

Computer Science Detecting Memory Access Errors via Illegal Write Monitoring Ongoing Research by Emre Can Sezer.

The Structure of Processes (Chap 6 in the book “The Design of the UNIX Operating System”)

1 Program Layout in memory –Code –Data Global variables –Stack Local variables & function Invocation Frames –Heap Dynamically allocated memory Today’s.

Richard P. Paul, SPARC Architecture, Assembly Language Programming, and C Chapter 7 – Subroutines These are lecture notes to accompany the book SPARC Architecture,

Exploitation possibilities of memory related vulnerabilities

Part II Let’s make it real Memory Layout of a Process.

Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.

by Richard P. Paul, 2nd edition, 2000.

What is exactly Exploit writing?  Writing a piece of code which is capable of exploit the vulnerability in the target software.

CSC 8505 Compiler Construction Runtime Environments.

JMU GenCyber Boot Camp Summer, Introduction to Penetration Testing Elevating privileges – Getting code run in a privileged context Exploiting misconfigurations.

Buffer overflow and stack smashing attacks Principles of application software security.

CS 155 Section 1 PP1 Eu-Jin Goh. Setting up Environment Demo.

Reminder Bomb lab is due tomorrow! Attack lab is released tomorrow!!

Sairajiv Burugapalli. This chapter covers three main categories of classic software vulnerability: Buffer overflows Integer vulnerabilities Format string.

Information Security - 2. A Stack Frame. Pushed to stack on function CALL The return address is copied to the CPU Instruction Pointer when the function.

Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.

Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 11, 2011.

MIPS Subroutines Subroutine Call – jal subname Saves RA in $31 and jumps to subroutine entry label subname Subroutine Return – jr $31 Loads PC with return.

About Exploits Writing ABOUT EXPLOITS WRITING Gerardo Richarte 

CNIT 127: Exploit Development Ch 8: Windows Overflows Part 1.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2014.

Storage Classes There are three places in memory where data may be placed: In Data section declared with .data in assembly language in C - Static) On the.

Part of the Assembler Language Programmers Toolbox

Introduction to Information Security

Introduction to Compilers Tim Teitelbaum

Functions and Procedures

Recitation: Attack Lab

CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst

Advanced Buffer Overflow: Pointer subterfuge

Understanding Program Address Space

by Richard P. Paul, 2nd edition, 2000.

Smashing the Stack for Fun and Profit

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2015.

CNT4704: Analysis of Computer Communication Network Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Fall 2011.

Destructor CSCE 121 J. Michael Moore.

Buffer Overflows.

Destructor CSCE 121.

Runtime Environments What is in the memory?.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2016.

Understanding and Preventing Buffer Overflow Attacks in Unix

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2013.

FIGURE Illustration of Stack Buffer Overflow

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2010.

Return-to-libc Attacks

Presentation transcript:

Part I The Basic Idea

software sequence of instructions in memory logically divided in functions that call each other – function ‘IE’ calls function ‘getURL’ to read the corresponding page in CPU, the program counter contains the address in memory of the next instruction to execute – normally this is the next address (instruction 100 is followed by instruction 101, etc) – not so with function call IE getURL 104 call getURL return result

software sequence of instructions in memory logically divided in functions that call each other – function ‘IE’ calls function ‘getURL’ to read the corresponding page in CPU, the program counter contains the address in memory of the next instruction to execute – normally this is the next address (instruction 100 is followed by instruction 101, etc) – not so with function call return result call getURL PC IE getURL

software so how does our CPU know where to return? – it keeps administration – on a ‘stack’ stack PC call getURL return result 103 PC IE getURL stack pointer (SP)  Points to last added entry on the stack

real functions  variables getURL () { char buf[10]; read(keyboard,buf,64); get_webpage (buf); } IE () { getURL (); }

real functions  variables getURL () { char buf[10]; read(keyboard,buf,64); get_webpage (buf); } IE () { getURL (); } call read IE getURL 104 call getURL return result

real functions  variables call read IE getURL 104 call getURL return result getURL () { char buf[10]; read(keyboard,buf,64); get_webpage (buf); } IE () { getURL (); } stack old FP frame pointer (FP)  Points to start of this function’s stack frame

real functions  variables call read IE getURL 104 call getURL return result getURL () { char buf[10]; read(keyboard,buf,64); get_webpage (buf); } IE () { getURL (); } stack old FP

real functions  variables old FP call read IE 104 call getURL return result stack buf getURL () { char buf[10]; read(keyboard,buf,64); get_webpage (buf); } IE () { getURL (); } getURL return read

real functions  variables call read IE 104 call getURL return result stack getURL () { char buf[10]; read(keyboard,buf,64); get_webpage (buf); } IE () { getURL (); } (buf) fd old FP buf getURL stack return read

real functions  variables call read IE 104 call getURL return result stack getURL () { char buf[10]; read(keyboard,buf,64); get_webpage (buf); } IE () { getURL (); } old FP (buf) fd buf getURL return read

real functions  variables call read IE 104 call getURL return result stack getURL () { char buf[10]; read(keyboard,buf,64); get_webpage (buf); } IE () { getURL (); } old FP (buf) fd getURL return read frame pointer (FP)

real functions  variables call read IE 104 call getURL return result stack getURL () { char buf[10]; read(keyboard,buf,64); get_webpage (buf); } IE () { getURL (); } old FP (buf) fd on “return from read” getURL return read

real functions  variables call read IE 104 call getURL return result stack getURL () { char buf[10]; read(keyboard,buf,64); get_webpage (buf); } IE () { getURL (); } old FP (buf) fd getURL return read POP

real functions  variables call read IE 104 call getURL return result stack getURL () { char buf[10]; read(keyboard,buf,64); get_webpage (buf); } IE () { getURL (); } old FP (buf) fd getURL return read

real functions  variables call read IE 104 call getURL return result stack getURL () { char buf[10]; read(keyboard,buf,64); get_webpage (buf); } IE () { getURL (); } old FP (buf) fd getURL return read RET

real functions  variables call read IE 104 call getURL return result stack getURL () { char buf[10]; read(keyboard,buf,64); get_webpage (buf); } IE () { getURL (); } old FP (buf) fd getURL return read

Where is the vulnerability?

Exploit buf getURL () { char buf[10]; read(keyboard, buf, 64); get_webpage (buf); } IE () { getURL (); } 1013

You may also overwrite other things For instance: – Other variables that are also on the stack – Other addresses – Etc.

Memory Corruption Final words Part I We have sketched only the most common memory corruption attack – many variations, e.g.: heap   stack more complex overflows off-by-one But there are others also – integer overflows – format string attacks – double free – etc. Not now, perhaps later… *different kinds