Presentation is loading. Please wait.

Presentation is loading. Please wait.

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

Published byJett Gravitt Modified over 9 years ago

Similar presentations

Presentation on theme: "Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University."— Presentation transcript:

1 Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University of Wisconsin – Eau Claire

2 Smashing the stack  Limitations of C permit security exploits  Library routines:  strcpy, strcat, sprintf, etc.  no automatic bounds checking.  Shortcomings:  allow writing past end of array.  Major source of security exploitssecurity exploits

3 The Original Exploit  The trade magazine "Phrack" published:  "Smashing the Stack for Fun and Profit" by Aleph One  http://www.phrack.com/phrack/49/P49-14 http://www.phrack.com/phrack/49/P49-14  Original exploit done on the Intel architecture

4 Overall Strategy  Write a small program that starts a shell window: use something like system("/bin/sh")  Translate the program into HEX, modifying individual bytes as needed (explained later)  Put the HEX code into a buffer, followed by the address of the start of that buffer, repeated many times  Will overwrite the return address (on the stack) of the servers buffer handler routine

5 Basic Steps  Get a copy of the OS to be attacked  Analyze the system stack layout for that OS  Put the "shell window" HEX code into a buffer  Send your buffer to a program on the target OS (maybe one that runs as "root") that takes a buffer as input, makes a copy of that buffer, and doesn't check its bounds

6 Typical MIPS Memory Layout

7 Stack Frame On a function call:  Preserve state of calling function  Allocate additional memory for calling function  Stack frame (activation record) created  Pushed onto execution stack

8 Stack Frame – cont’d Stack frame (activation record) contains:  Function arguments  Local variables  Return address ($ra)  Global pointer ($gp) Note: Not all local variables may be stacked: Optimizing compiler may put them in registers.

9 Typical Procedure Call Memory Layout Return address (if any) Arguments (if > 4 args; $4-$7 holds 1 st four) Saved Registers (preserved across calls) Local Variables Old SP New SP Global pointer (to static data segment for fast access using offset) Subsequent examples will exclude saved registers & argument details for brevity. Note:

10 Mechanics of Function Calls Simple C program where: main( )  foo( )  bar( ) main( )foo(x)bar(y) foo(8)foo_p = x +2bar_q = y bar(foo_p)

11 Mechanics of Function Calls – cont’d void bar(int y) { int bar_q;/* will be allocated on the stack */ bar_q = y; } void foo(int x) { int foo_p;/* will be allocated on the stack */ foo_p = x + 2; bar(foo_p); /* return address points to here */ } void main( ) { foo(8); /* return address points to here */ }

12 Memory Layout for foo( )

13 Overview of an Overflow void foo(char *buf) { char local_buf[10]; strcpy(local_buf,buf); } void main() { char *large_buf = “a……a”; // lots of a’s foo(large_buf); /* location of return from foo() */ }

14 Overflowing foo( )’s Buffer local_buf$ra …… ‘a’…. ‘a’ (a) Stack before strcpy( ) in foo( ) (b) Stack after strcpy( ) in foo( )

15 Implementing Overflow in the MIPS ISA void foo(char *buf) { char local_buf[10]; int i = 0; while (buf[i] != 0) { local_buf[i] = buf[i]; i++; } bar(); /* code for bar() not shown */ /* bar( )’s RA in $31 reg.; foo( )’s RA on stack */ } void main() { char *large_buf = “a……a”; // lots of a’s foo(large_buf); /* location of return from foo() */ }

16 32-bit MIPS stack during call to foo( ) addrStack contents new $sp  X-28allocated by compiler X-24allocated by compiler X-20local_buf[0] … local_buf[3] X-16local_buf[4] … local_buf[7] X-12local_buf[8], local_buf[9], null, null X-8Global pointer ($gp) from main() X-4Return address ($ra) back into main() old $sp  X…

17 32 bit MIPS translation using “gcc –S –O2”.L4: jalbar lw$ra,24($sp) lw$gp,20($sp) jr$ra addu$sp, $sp, 28.endfoo.LC0:# lots of a’s.byte0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61.byte0x61,0x61,0x61,0x61,0x61,0x61,0x61,0x61.byte0x61,0x61,0x61,0x61,0x00 main: subu$sp,$sp,16 sw$ra,12($sp) sw$gp,8($sp) la$a0,.LC0 jalfoo ….endmain foo: subu$sp,$sp,28 sw$ra,24($sp) sw$gp,20($sp) lbu$v0,0($a0) beq$v0,$zero,.L4 addi$a1,$zero,0 addu$a2,$sp,8 # addr local_buf[0].L5 lbu$v0,0($a0) addu$a0, $a0, 1 addu$v1,$a2,$a1 sb$v0,0($v1) # write onto stack lbu$v0,0($a0) bne$v0,$zero,.L5 addu$a1,$a1,1

18 Buffer Overflow With Code Exploit To cause the exploit, when foo is called:  Pass a buffer of length greater than foo( )’s local buffer  Ensure none of values copied into foo( )’s buffer prior to $ra contain value of 0 (terminates buffer copy prematurely)  Ensure bytes in buffer contain MIPS (exploit) code  Overwrite $ra with address that points back into buffer containing MIPS exploit code  Ensure buffer copy is terminated by a 0 value after $ra

19 Buffer Overflow With Code Exploit void foo(char *buf) { char local_buf[256]; strcpy(local_buf,buf); } void main() { char *large_buf =“\x01\x20\x48\x20” /* add $t1, $t1, $zero */ “\x01\x20\x48\x20” … “\x20\x84\xFF\xFF” /* addi $a0, $a0, -1 */ “\x12\x34\x56\x78” /* guess address of exploit */ “\x00”; foo(large_buf); /* location of return from foo() */ }

20 Example of an Exploit addrStack contents new $sp  X-28 allocated by the compiler X-24 allocated by the compiler X-20 N O P (actually: add $t1 $t1 $0) X-16 N O P X-12 N O P X-8 addi $a0, $a0, -1 (\x20\x84\xFF\xFF) X-4 (X – ?) /* the old $ra */ old $sp  X…

21 Detailed Paper Explaining the Exploit http://www.cs.uwec.edu/~phillips/papers/bufferOverflow.pdf

Download ppt "Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University."

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Review of the MIPS Instruction Set Architecture. RISC Instruction Set Basics All operations on data apply to data in registers and typically change the.

Review of the MIPS Instruction Set Architecture. RISC Instruction Set Basics All operations on data apply to data in registers and typically change the.
The University of Adelaide, School of Computer Science

The University of Adelaide, School of Computer Science
Lecture 20: 11/12/2002CS170 Fall 20021 CS170 Computer Organization and Architecture I Ayman Abdel-Hamid Department of Computer Science Old Dominion University.

Lecture 20: 11/12/2002CS170 Fall CS170 Computer Organization and Architecture I Ayman Abdel-Hamid Department of Computer Science Old Dominion University.
Lecture 9: MIPS Instruction Set

Lecture 9: MIPS Instruction Set
MIPS ISA-II: Procedure Calls & Program Assembly. (2) Module Outline Review ISA and understand instruction encodings Arithmetic and Logical Instructions.

MIPS ISA-II: Procedure Calls & Program Assembly. (2) Module Outline Review ISA and understand instruction encodings Arithmetic and Logical Instructions.
1 Procedure Calls, Linking & Launching Applications Lecture 15 Digital Design and Computer Architecture Harris & Harris Morgan Kaufmann / Elsevier, 2007.

1 Procedure Calls, Linking & Launching Applications Lecture 15 Digital Design and Computer Architecture Harris & Harris Morgan Kaufmann / Elsevier, 2007.
ECE 232 L6.Assemb.1 Adapted from Patterson 97 ©UCBCopyright 1998 Morgan Kaufmann Publishers ECE 232 Hardware Organization and Design Lecture 6 MIPS Assembly.

ECE 232 L6.Assemb.1 Adapted from Patterson 97 ©UCBCopyright 1998 Morgan Kaufmann Publishers ECE 232 Hardware Organization and Design Lecture 6 MIPS Assembly.
10/6: Lecture Topics Procedure call Calling conventions The stack

10/6: Lecture Topics Procedure call Calling conventions The stack
1 Lecture 4: Procedure Calls Today’s topics:  Procedure calls  Large constants  The compilation process Reminder: Assignment 1 is due on Thursday.

1 Lecture 4: Procedure Calls Today’s topics:  Procedure calls  Large constants  The compilation process Reminder: Assignment 1 is due on Thursday.
Procedure Calls Prof. Sirer CS 316 Cornell University.

Procedure Calls Prof. Sirer CS 316 Cornell University.
MIPS Calling Convention Chapter 2.7 Appendix A.6.

MIPS Calling Convention Chapter 2.7 Appendix A.6.
Lecture 8 Sept 23 Completion of Ch 2 translating procedure into MIPS role of compilers, assemblers, linking, loading etc. pitfalls, conclusions Chapter.

Lecture 8 Sept 23 Completion of Ch 2 translating procedure into MIPS role of compilers, assemblers, linking, loading etc. pitfalls, conclusions Chapter.
10/9: Lecture Topics Starting a Program Exercise 3.2 from H+P Review of Assembly Language RISC vs. CISC.

10/9: Lecture Topics Starting a Program Exercise 3.2 from H+P Review of Assembly Language RISC vs. CISC.
Computer Architecture CSCE 350

Computer Architecture CSCE 350
MIPS Function Continued

MIPS Function Continued
1 Nested Procedures Procedures that don't call others are called leaf procedures, procedures that call others are called nested procedures. Problems may.

1 Nested Procedures Procedures that don't call others are called leaf procedures, procedures that call others are called nested procedures. Problems may.
CPS3340 COMPUTER ARCHITECTURE Fall Semester, 2013 10/17/2013 Lecture 12: Procedures Instructor: Ashraf Yaseen DEPARTMENT OF MATH & COMPUTER SCIENCE CENTRAL.

CPS3340 COMPUTER ARCHITECTURE Fall Semester, /17/2013 Lecture 12: Procedures Instructor: Ashraf Yaseen DEPARTMENT OF MATH & COMPUTER SCIENCE CENTRAL.
Ch. 8 Functions.

Ch. 8 Functions.
Procedures II (1) Fall 2005 Lecture 07: Procedure Calls (Part 2)

Procedures II (1) Fall 2005 Lecture 07: Procedure Calls (Part 2)

Similar presentations

Ads by Google