1. Secure Coding Techniques
" ... the world outside your function should be treated as hostile and bent upon your destruction" [Writing Secure Code, Howard and LeBlanc]
"Distrust and caution are the parents of security" - Benjamin Franklin

2. Three Critical Programming Errors*
accepting input from users without validating and sanitizing the input “… the number one killer of healthy software” Monster Mitigations [2011, The MITRE Corporation]
allowing data placed in buffers to exceed the length of the buffer
“Buffer overflows are Mother Nature's little reminder of that law of physics that says: if you try to put more stuff into a container than it can hold, you're going to make a mess.” Classic Buffer Overflow [2011, The MITRE Corporation]
handling integers incorrectly “In the real world, 255+1=256. But to a computer program, sometimes 255+1=0, or 0-1=65535, or maybe 40,000+40,000= […] When programmers forget that computers don't do math like people, bad things ensue - anywhere from crashes, faulty price calculations, infinite loops, and execution of code.” Integer Overflow [2011, The MITRE Corporation]
*Responsible for 90% of the critical security vulnerabilities in 2006; SANS Institute. ** 2011 CWE/SANS Top 25 Most Dangerous Software Errors [2011, The MITRE Corporation]

3. March 23, 2017 – Three days, $833,000 acquiring 51 different bugs
March 23, 2017 – Three days, $833,000 acquiring 51 different bugs. Targets: Microsoft, Apple, Adobe and Mozilla with extra incentives for SYSTEM or ROOT level privileges. [Pwn2Own, hosted by Zero Day Initiative, Trend CanSecWest.]
Mozilla Firefox - an integer overflow and an uninitialized buffer in the Windows kernel to escalate privileges
Apple Safari - an info disclosure, 4 different type confusion bugs, and use-after-free vulnerability to escalate to root
Adobe Reader - an info leak in Reader followed by a UAF to get code execution. Then leveraged a UAF in the kernel to gain SYSTEM-level privileges.
Microsoft Edge - an arbitrary write in Chakra and a logic bug within the sandbox to escape the sandbox.
Microsoft Windows - an integer overflow in the kernel to escalate privileges.

4. March 25, 2017 – Final Day: escaping the virtual machine, getting root, and how to go from guest to root. [Pwn2Own, hosted by Zero Day Initiative, Trend CanSecWest.]
a heap overflow in Microsoft Edge, a type confusion in the Windows kernel, and an uninitialized buffer in VMware Workstation for a complete virtual machine escape.
two separate use-after-free (UAF) bugs in Microsoft Edge and then escalated to SYSTEM using a buffer overflow in the Windows kernel.
Virtual Machine Escapes (Guest-to-Host) category: a Windows kernel UAF, a VMWare Workstation info leak, and an uninitialized buffer in Workstation to go guest-to-host. [VMware Tools were not installed in the guest.]

5. Buffer Overflows
data can be stored: - in the program area - on the stack - in the heap
in many systems, a memory area is either writable or executable but not both
e.g. cannot write into program area → “heap error”
buffer overflows in this configuration (program data area) are rare
main … …
data area 1
sr1 …
data area 2
sr2 …
JSR XXX
DC.L data
data area 3

6. Static Buffer Overflow (stack frame configuration)
calling program:
define return area
push parameters on stack
call routine
parameter cleanup
called program:
set up stack frame with local area
save registers
… do stuff
restore registers
collapse frame
return
saved
registers
local
area
A6 →
A6 old
PC (return)
parameters
return area
SP →

7. Static Buffer Overflow
the local area of the routine contains the buffer for a string
routine depends on a null terminated string BUT
does not calculate the length of the string OR
calculates string length but doesn’t verify it against the maximum length
user input overflows the buffer
intentional vs unintentional
SP →
saved
registers
local area
A6 →
A6 old
PC (return)
parameters

8. Static Buffer Overflow
What would you like to do?
replace the return address with the address of your routine
trash the pointer/return for denial of service
put payload in local area and execute now or later
remember, you can use the frame pointer to do address calculations and local area does not “disappear”
payload in local area modifies parameter on previously stacked frame

9. Heap-based Buffer Overflows
heaps are dynamically allocated
can overwrite key data
can overwrite function pointers in memory
can inject code and manipulate pointer to cause execution
MS adds cookies to the heap. If cookies are missing/corrupt, raise a heap buffer s/w exception.
hdr 1[nxt,prev,s,u]
memory space 1
hdr 2[nxt,prev,s,u]
memory space 2
header free
free memory

10. Heap-based Buffer Overflows
hdr 1[nxt,prev,s,u]
memory space 1
hdr 2
memory space 2
header free
free memory

11. Buffer Overflows Attacker’s goal: run own code with privilege
To achieve the goal:
attack code must be available in the original program’s address space
inject the code (payload)
on the stack (local variables)
on the heap (malloc’d variables)
in the static data area (DC,DS)
already on user’s machine
original program must jump to the attack code
modify code addresses

12. Reading:
Three Programming Errors Most Frequently Responsible for Critical Security Vulnerabilities [SANS, ©2007]
Secure Coding Guide – Types of Security Vulnerabilities [© 2014 Apple Inc.]
Understanding Pool Corruption Part 1 – Buffer Overflows (optional) Microsoft] Pool is kernel mode memory used as a storage space for drivers (software that allows your computer to communicate with hardware or devices). If a driver uses more space than is allocated (a buffer overflow), they will write into the next driver’s space and corrupt that driver’s data. When this corrupted memory is run, things will not go well (typically, a blue screen).
@RISK: The Consensus Security Vulnerability Alert: March 23, provides a weekly summary of (1) newly discovered attack vectors, (2) vulnerabilities with active new exploits, (3) explanations of how recent attacks worked.