Sairajiv Burugapalli. This chapter covers three main categories of classic software vulnerability: Buffer overflows Integer vulnerabilities Format string.

Slides:



Advertisements
Similar presentations
Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Advertisements

Page Replacement Algorithms
IT 325 OPERATING SYSTEM C programming language. Why use C instead of Java Intermediate-level language:  Low-level features like bit operations  High-level.
Introduction to Memory Management. 2 General Structure of Run-Time Memory.
Module R2 Overview. Process queues As processes enter the system and transition from state to state, they are stored queues. There may be many different.
CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Automating Bespoke Attack Ruei-Jiun Chapter 13. Outline Uses of bespoke automation ◦ Enumerating identifiers ◦ Harvesting data ◦ Web application fuzzing.
Chapter 15 : Attacking Compiled Applications Alexis Kirat - International Student.
Teaching Buffer Overflow Ken Williams NC A&T State University.
CIS 101: Computer Programming and Problem Solving Lecture10 Usman Roshan Department of Computer Science NJIT.
Pointers and Memory Allocation – part 2 -L. Grewe.
Teaching Buffer Overflow Ken Williams NC A&T State University.
Software and Software Vulnerabilities. Synopsis Array overflows Stack overflows String problems Pointer clobbering. Dynamic memory management Integer.
Netprog: Buffer Overflow1 Buffer Overflow Exploits Taken shamelessly from: netprog/overflow.ppt.
Review of C++ Programming Part II Sheng-Fang Huang.
Software bugs (and security implications). Software security Code can have perfect design and algorithm, but still have implementation vulnerabilities.
Overview Working directly with memory locations is beneficial. In C, pointers allow you to: change values passed as arguments to functions work directly.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
CSC 386 – Computer Security Scott Heggen. Agenda Introduction to Software Security.
1 Chapter 5: Names, Bindings and Scopes Lionel Williams Jr. and Victoria Yan CSci 210, Advanced Software Paradigms September 26, 2010.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.
Computer Security and Penetration Testing
BLENDED ATTACKS EXPLOITS, VULNERABILITIES AND BUFFER-OVERFLOW TECHNIQUES IN COMPUTER VIRUSES By: Eric Chien and Peter Szor Presented by: Jesus Morales.
OSI and TCP/IP Models And Some Vulnerabilities AfNOG th May 2011 – 10 th June 2011 Tanzania By Marcus K. G. Adomey.
CP104 Introduction to Programming File I/O Lecture 33 __ 1 File Input/Output Text file and binary files File Input/output File input / output functions.
CS 390- Unix Programming Environment CS 390 Unix Programming Environment Topics to be covered: Distributed Computing Fundamentals.
Cis303a_chapt03-2a.ppt Range Overflow Fixed length of bits to hold numeric data Can hold a maximum positive number (unsigned) X X X X X X X X X X X X X.
By Noorez Kassam Welcome to JNI. Why use JNI ? 1. You already have significantly large and tricky code written in another language and you would rather.
CIS 450 – Network Security Chapter 7 – Buffer Overflow Attacks.
CNIT 127: Exploit Development Ch 4: Introduction to Format String Bugs.
Chapter 7 Formatted input and output. 7.1 introduction Tax: This result is correct; but it would be better Maybe as $13, Make formatting.
Overflow Examples 01/13/2012. ACKNOWLEDGEMENTS These slides where compiled from the Malware and Software Vulnerabilities class taught by Dr Cliff Zou.
What is exactly Exploit writing?  Writing a piece of code which is capable of exploit the vulnerability in the target software.
Part I The Basic Idea software sequence of instructions in memory logically divided in functions that call each other – function ‘IE’ calls function.
+ Dynamic memory allocation. + Introduction We often face situations in programming where the data is dynamics in nature. Consider a list of customers.
© Janice Regan, CMPT 102, Sept CMPT 102 Introduction to Scientific Computer Programming Input and Output.
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.
Information Security - 2. A Stack Frame. Pushed to stack on function CALL The return address is copied to the CPU Instruction Pointer when the function.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 11, 2011.
CS426Fall 2010/Lecture 141 Computer Security CS 426 Lecture 14 Software Vulnerabilities: Format String and Integer Overflow Vulnerabilities.
Chapter 10 Chapter 10 Implementing Subprograms. Implementing Subprograms  The subprogram call and return operations are together called subprogram linkage.
Software Security. Bugs Most software has bugs Some bugs cause security vulnerabilities Incorrect processing of security related data Incorrect processing.
CSC 482/582: Computer Security
Secure Coding Rules for C++ Copyright © 2016 Curt Hill
Content Coverity Static Analysis Use cases of Coverity Examples
Shellcode COSC 480 Presentation Alison Buben.
Buffer Overflow Buffer overflows are possible because C doesn’t check array boundaries Buffer overflows are dangerous because buffers for user input are.
Protecting Memory What is there to protect in memory?
The Hardware/Software Interface CSE351 Winter 2013
Protecting Memory What is there to protect in memory?
Module 30 (Unix/Linux Security Issues II)
Type Checking Generalizes the concept of operands and operators to include subprograms and assignments Type checking is the activity of ensuring that the.
Protecting Memory What is there to protect in memory?
Chapter 6: Data Types Lectures # 10.
Understand Computer Storage and Data Types
Secure Coding Rules for C++ Copyright © Curt Hill
CSC 253 Lecture 8.
CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst
CSC 253 Lecture 8.
Software Security Lesson Introduction
Format String.
CSC 495/583 Topics of Software Security Format String Bug (2) & Heap
Introduction to Static Analyzer
Week 3: Format String Vulnerability
SPL – PS2 C++ Memory Handling.
Format String Vulnerability
Overflows, Injection, & Memory Safety
Presentation transcript:

Sairajiv Burugapalli

This chapter covers three main categories of classic software vulnerability: Buffer overflows Integer vulnerabilities Format string bugs INTRODUCTION

A buffer overflow is the result of stuffing more data into a buffer than it can handle. There are three types of buffer overflows Stack Overflows Heap Overflows “Off-by-One” Overflows BUFFER OVERFLOW VULNERABILITIES

bool CheckLogin(char* username, char* password) { char _username[32]; strcpy(_username username);... If the username string contains more than 32 characters, the _username buffer is overflowed, and the attacker overwrites the data in adjacent memory. STACK OVERFLOWS

bool CheckLogin(char* username, char* password) { char* _username = (char*) malloc(32); strcpy(_username, username);... The heap is implemented as a doubly linked list, each block is preceded in memory by a control structure that contains the size of the block, a pointer to the previous block on the heap, and a pointer to the next block on the heap. When a heap buffer is overflowed, the control structure of an adjacent heap block is overwritten with user-controllable data. HEAP OVERFLOWS

A specific kind of overflow vulnerability arises when a programming error enables an attacker to write a single byte beyond the end of an allocated buffer bool CheckLogin(char* username, char* password) { char _username[32]; int i; for (i = 0; username[i] && i < 32; i++) _username[i] = username[i]; _username[i] = 0;... “OFF-BY-ONE” VULNERABILITIES

The basic methodology for detecting buffer overflow vulnerabilities is to send long strings of data to an identified target and monitor for anomalous results. send an overlong string of a specific length, or within a small range of lengths. send a string that is longer than the application is expecting. DETECTING BUFFER OVERFLOW VULNERABILITIES

Integer-related vulnerabilities arise due to the problem of failing to handle integers. Two types of integer bugs are worthy of note: Integer overflows Signedness errors INTEGER VULNERABILITIES

Consider the following “fix” to the heap overflow described previously bool CheckLogin(char* username, char* password) { unsigned short len = strlen(username) + 1; char* _username = (char*) malloc(len); strcpy(_username, username);... A short-sized integer contains 16 bits, which is enough for its value to range between 0 and 65,535. When a string of length 65,535 is submitted, the program adds 1 to this, and the value wraps to become 0. A zero-length buffer is allocated, and the long username is copied into it, causing a heap overflow INTEGER OVERFLOWS

These errors occur when an application uses both signed and unsigned integers to measure the lengths of buffers and confuses them at some point. The problem might be the application makes a direct comparison between a signed and unsigned value, or it passes a signed value as a parameter to a function that takes an unsigned value. SIGNEDNESS ERRORS

Naturally, the primary locations to probe for integer vulnerabilities are any instances where an integer value is submitted from the client to the server. The most likely targets for testing are fields that appear to represent the length of a string that is being submitted DETECTING INTEGER VULNERABILITIES

Format string vulnerabilities arise when user-controllable input is passed as the format string parameter to a function that takes format specifiers that may be misused FORMAT STRING VULNERABILITIES

int count = 43; int written = 0; printf(“The value of count is %d%n.\n”, count, &written.); printf(“%d bytes were printed.\n”, written); outputs the following: The value of count is bytes were printed. The most dangerous format specifier is %n. This does not cause any data to be printed. Rather, it causes the number of bytes output so far to be written to the address of the pointer passed in as the associated variable parameter. FORMAT STRING VULNERABILITIES..

The most reliable way to detect format string bugs in a remote application is to submit data containing various format specifiers and monitor for any anomalies in the application’s behavior. DETECTING FORMAT STRING VULNERABILITIES

Software vulnerabilities in native code represent a relatively nice area in relation to attacks on web applications. Most applications run in a managed execution environment in which the classic software flaws described in this chapter do not arise. However, occasionally these kinds of vulnerabilities are highly relevant and have been found to affect many web applications running on hardware devices and other unmanaged environments. A large proportion of such vulnerabilities can be detected by submitting a specific set of test cases to the server and monitoring its behavior. SUMMARY

Time for Questions QUERIES

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.