Presentation is loading. Please wait.

Presentation is loading. Please wait.

Introduction to Information Security

Published byAnnabelle Wiggins Modified over 6 years ago

Similar presentations

Presentation on theme: "Introduction to Information Security"— Presentation transcript:

1 Introduction to Information Security
Stack Overflow

2 Buffer Overflow Low-level languages (assembly, C, C++) don't have boundary checks Careless programmers and large inputs may cause buffer to overflow This usually leads to a crash Denial of Service (DoS) But sometimes, the input can be crafted to affect the execution flow Control Hijacking s s x if (x->field > 1) ... x->method()

3 Stack Overflow When a function is called
Its return address is pushed unto the stack It is jumped to, and allocates a stack frame When the function returns It deallocates its stack frame Its return address is popped off the stack and jumped to What if we overflow a buffer until we overflow its return address? A crash! Or maybe... 0x120 0x11C 0x118 0x114 0x110 0x10C 0x108 0x104 0x100 BUF RET ... ... BUF

4 Stack Overflow The buffer is at 0x108
We can write code unto the buffer And rewire the return address to jump to it 0x120 0x11C 0x118 0x114 0x110 0x10C 0x108 0x104 0x100 RET BUF ... 0x108 0xeb 0x12 0xc0 0xb0 0x5a 0x2f

5 The Return Address But what is the return address?
When a program crashes, it creates a core dump – a snapshot of its state just before it crashed Core dumps can be opened in GDB, to view the program's memory image (among other things)

6 pushed unto the stack as the return address
The Code But what code do we write? Raw opcodes (not an ELF file) that opens a shell – a shellcode JMP _GET_BIN_BASH _GOT_BIN_BASH: MOV EAX, 0x0B POP EBX MOV ECX, 0x00 INT 0x80 # system call: execve("/bin/sh", NULL) _GET_BIN_BASH: CALL _GOT_BIN_BASH .STRING "/bin/sh" MOV EAX, 0x0B MOV EBX, "/bin/sh" MOV ECX, 0x00 INT 0x80 # system call: execve("/bin/sh", NULL) MOV EAX, 0x0B MOV EBX, "/bin/sh" MOV ECX, 0x00 INT 0x80 # system call: execve("/bin/sh", NULL) # and popped right off # This one you solve yourself  pushed unto the stack as the return address

7 NOP Slides We don't have to jump precisely to our code
We can land nearby and "slide" to it on NOPs 0x??? RET BUF ... 0x5a 0x2f 0x90 \xeb\r\xb8\x0b\x00\x00\x00[\xb9\x00\x00\x00\x00\xcd\x80\xe8\xee\xff\xff\xff/bin/sh\x00 \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \xeb\r\xb8\x0b\x00\x00\x00[\xb9\x00\x00\x00\x00\xcd\x80\xe8\xee\xff\xff\xff/bin/sh\x00

8 Null Bytes Many stack overflows are caused by use of insecure standard functions like strcpy or strcat These functions copy until a null byte ('\x00') is reached On one hand – the input size is not checked! Today, more secure functions like strncpy and strncat are used instead On the other hand – the shellcode can't contain null bytes What can we do with MOV ECX, 0? XOR ECX, ECX What can we do with .STRING "/bin/bash"? .ASCII "/bin/bash#" Load it, and then fix it b 31 c9 2f e 2f 2f e 2f

9 Related Vulnerabilities
Addendum Related Vulnerabilities

10 Format String Vulnerabilities
Another way to find out the stack address printf("%s", input) is OK printf(input) is not What if input is "%d"?

11 Integer Overflow Checking the input size should do it, right?
Not unless the programmers keep being careless If int x = 10, then x > 5 is false If int x = , is x > 5 still false?

12 Heap Spray Overflows can happen on the heap as well as the stack
"Use after free" vulnerability More common than you think, especially in complex, multi-threaded code The attacker allocates lots of "mines" (that is – sprays the heap with them) When the freed object is used, it may trigger a mine Can be used to hijack control Can be used to escape a sandbox

Download ppt "Introduction to Information Security"

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.

Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Buffer Overflow Causes. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Buffer Overflow Causes Author: Jedidiah.

Buffer Overflow Causes. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Buffer Overflow Causes Author: Jedidiah.
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
Buffer Overflow. Process Memory Organization.

Buffer Overflow. Process Memory Organization.
Buffer Overflows Ian Kayne For School of Computer Science, University of Birmingham 16 th February 2009.

Buffer Overflows Ian Kayne For School of Computer Science, University of Birmingham 16 th February 2009.
Practical Session 8 Computer Architecture and Assembly Language.

Practical Session 8 Computer Architecture and Assembly Language.
Attacks Using Stack Buffer Overflow Boxuan Gu

Attacks Using Stack Buffer Overflow Boxuan Gu
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)

Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)
Buffer Overflows : An In-depth Analysis. Introduction Buffer overflows were understood as early as 1972 The legendary Morris Worm made use of a Buffer.

Buffer Overflows : An In-depth Analysis. Introduction Buffer overflows were understood as early as 1972 The legendary Morris Worm made use of a Buffer.
Introduction: Exploiting Linux. Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend,

Introduction: Exploiting Linux. Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend,
1 #include void silly(){ char s[30]; gets(s); printf(%s\n,s); } main(){ silly(); return 0; }

1 #include void silly(){ char s[30]; gets(s); printf("%s\n",s); } main(){ silly(); return 0; }
Buffer Overflow CS461/ECE422 Spring 2012. Reading Material Based on Chapter 11 of the text.

Buffer Overflow CS461/ECE422 Spring Reading Material Based on Chapter 11 of the text.
Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Smashing the Stack Overview The Stack Region Buffer Overflow

Smashing the Stack Overview The Stack Region Buffer Overflow
CNIT 127: Exploit Development Ch 3: Shellcode. Topics Protection rings Syscalls Shellcode nasm Assembler ld GNU Linker objdump to see contents of object.

CNIT 127: Exploit Development Ch 3: Shellcode. Topics Protection rings Syscalls Shellcode nasm Assembler ld GNU Linker objdump to see contents of object.

Similar presentations

Ads by Google