CSC 495/583 Topics of Software Security Stack Overflows (2)

Presentation on theme: "CSC 495/583 Topics of Software Security Stack Overflows (2)"— Presentation transcript:

1 CSC 495/583 Topics of Software Security: Stack Overflows (2)
Class 5. Dr. Si Chen

2 Review

3 Overflow.c

4 Overflow.c

5 Overflow.c

6 Bug → Vulnerability. Step 1. Find the vulnerability
Read, read and read the code (code audit). Fuzz testing. Look for a crash, or for output of information that should not have been output.

7 Bug → Vulnerability. Step 2. Control-flow hijack
Try to change the flow of the program: change the return address; change a function pointer, so the behavior changes when it is called; change a variable to change the behavior of the function (e.g. uid = 0).

8 Bug → Vulnerability. Step 3. Execute the payload and launch the attack
Open a shell. Read/write files or data. Implement a backdoor…

9 Buffer Overflow Common Unsafe C Functions

10 Stack Buffer Overflow A local variable stored on the stack can be overflowed. The overflowing data writes a new value over the return address. Other name: stack smashing.

11 Return Hijack The return address (the saved EIP) is stored on the stack when a new function is called. Local variables are stored at lower addresses. If the variable is an array and we store too much data in it, the data covers the return address stored at the higher address.

12 From Crash to Hack If the input is larger than the array, the program normally just crashes. To exploit the vulnerability we need to craft special data. The general idea is to overflow a buffer so that it overwrites the return address. (Diagram: AAAA BBBB CCCC DDDD, then New Return Address.)

13 Jump to Shellcode When the function is done it will jump to whatever address is on the stack. We put some code in the buffer and set the return address to point to it! Small Program New Return Address

14 How? How do we know what value the pointer should have (the new “return address”)? It’s the address of the buffer, but how do we know what that address is? How do we build the “small program” and put it in a string? (Diagram: Small Program, New Return Address.)

15 Guessing Addresses Typically you need the source code so you can estimate the address of both the buffer and the return-address. An estimate is often good enough! (more on this in a bit).

16 Crafting Shellcode (the small program)
Example: launch a shell shellcode.asm

17 Crafting Shellcode (the small program)
Example: launch a shell. To compile it, use nasm (shellcode.asm). Use objdump to get the shellcode bytes:

18 Crafting Shellcode (the small program)
Extracting the bytes gives us the shellcode: \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80

19 Finding a possible place to inject shellcode
\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80 Small Program New Return Address

20 Finding a possible place to inject shellcode
Use GDB to figure out the memory address of the beginning of the buffer. (Diagram: \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80 Small Program, New Return Address.)

21 NOP slide

22 NOP slide Using NOPs Most CPUs have a No-Operation instruction – it does nothing but advance the instruction pointer. Usually we can put a bunch of these ahead of our program (in the string). As long as the new return-address points to a NOP we are OK.

23 NOP slide \x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 Small Program \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80 New Return Address

24 Estimating the stack size
We can also guess at the location of the return address relative to the overflowed buffer. Put in a bunch of new return addresses!

25 Estimating the Location
\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90 \x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80 Small Program New Return Address New Return Address New Return Address

26 Protection: ASLR, DEP, Stack Protector
Shut down ASLR (Address Space Layout Randomization)
-fno-stack-protector: shut down the stack protector
-z execstack: shut down DEP (Data Execution Prevention)

27 Protection: ASLR, DEP, Stack Protector
Address Space Layout Randomization (ASLR) is a technology used to help prevent shellcode from being successful. It does this by randomly offsetting the location of modules and certain in-memory structures. 

28 Protection: ASLR, DEP, Stack Protector
Data Execution Prevention (DEP) prevents certain memory regions, e.g. the stack, from being executed. Stack protection aborts your program if it detects a stack overflow. That’s why I failed last time… Bypassing ASLR/DEP - exploit-db
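The layout from slides 10 to 12 (local buffer at the low end of the frame, saved return address at the high end) and the canary check a stack protector performs (slide 28), as an added example that is not part of the lecture. The frame is modelled as a plain byte array so it runs deterministically anywhere; the canary value and the original return address are constructed placeholders.

```c
/* Added example, not from the slides: a byte-array model of the stack frame the
 * lecture describes (local buffer at the low end, saved return address at the
 * high end) with the canary a stack protector checks before returning. It is a
 * model, not real stack memory, so it runs deterministically anywhere. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUF_SIZE    16   /* char buf[16], like the overflow.c local variable   */
#define CANARY_OFF  16   /* canary sits right above the buffer                 */
#define EBP_OFF     20   /* saved frame pointer                                */
#define RET_OFF     24   /* saved return address (32-bit layout, as on slides) */
#define FRAME_SIZE  28

#define CANARY_VALUE 0xdeadc0deu     /* constructed; random per run in reality */
#define ORIG_RET     0x08048456u     /* constructed placeholder return address */

static uint32_t load_u32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Builds the frame, then does what strcpy(buf, input) does for an input of
 * `len` bytes of 'A': the copy does not stop at BUF_SIZE, so excess bytes land
 * on the canary, the saved EBP and finally the return address. */
static void overflowed_frame(uint8_t frame[FRAME_SIZE], size_t len) {
    uint32_t canary = CANARY_VALUE, ret = ORIG_RET;
    memset(frame, 0, FRAME_SIZE);
    memcpy(frame + CANARY_OFF, &canary, 4);
    memcpy(frame + RET_OFF, &ret, 4);
    if (len > FRAME_SIZE) len = FRAME_SIZE;   /* keep the model itself in bounds */
    memset(frame, 'A', len);                  /* the unbounded copy              */
}

/* Stack-protector check in the epilogue: true means the canary still matches
 * and the function may return; false is where -fstack-protector aborts. */
bool canary_intact_after(size_t input_len) {
    uint8_t frame[FRAME_SIZE];
    overflowed_frame(frame, input_len);
    return load_u32(frame + CANARY_OFF) == CANARY_VALUE;
}

/* Where a `ret` would go after the copy: ORIG_RET while the input fits,
 * 0x41414141 ('AAAA') once the input reaches the return-address slot. */
uint32_t return_address_after(size_t input_len) {
    uint8_t frame[FRAME_SIZE];
    overflowed_frame(frame, input_len);
    return load_u32(frame + RET_OFF);
}
```

An input of 20 bytes already trips the canary while the return address is still intact, which is why the protector can abort before the hijacked return ever executes.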

29 Q & A

