Presentation is loading. Please wait.

Presentation is loading. Please wait.

Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.

Published bySibyl Peters Modified over 9 years ago

Similar presentations

Presentation on theme: "Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any."— Presentation transcript:

1

2 Part III Counter measures

3 The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any system defenses that can help? HOW DO WE STOP THE ATTACKS?

4 A variety of tricks in combination NX bit Canaries ASLR fin

5 III.A Canaries

6 Goal: make sure we detect overflow of return address – The functions' prologues insert a canary on the stack – The canary is a 32-bit value inserted between the return address and local variables Types of canaries: 1.Terminator 2.Random 3.Random XOR The epilogue checks if the canary has been altered Drawback: requires recompilation Compiler-level techniques Canaries

7 Canaries

8 How good are they? Assume random canaries protect the stack

9 Can you still exploit this?

10

11 Another example

12 III.B “DEP”

13 DEP / NX bit / W ⊕ X Idea: separate executable memory locations from writable ones – A memory page cannot be both writable and executable at the same time “Data Execution Prevention (DEP)”

14 Bypassing W ⊕ X Return into libc Three assumptions: – We can manipulate a code pointer – The stack is writable – We know the address of a “suitable" library function (e.g., system())

15 Stack Why the “ret address”? What could we do with it? 0x08048430 buf System() 0xbfffeedc 0xbfffeeb0 0xbfffeeb4 0xbfffeeb8 0xbfffeebc 0xbfffeec0 0xbfffeec4 0xbfffeec8 0xbfffeecc 0xbfffeed0 0xbfffeed4 0xbfffeed8 0xbfffeea4 0xbfffeea8 0xbfffeeac “ret address” arg 0xbfffeee8 0xbfffeee0 0xbfffeee4

16 Return Oriented Programming ROP chains: – Small snippets of code ending with a RET – Can be chained together

17 Return Oriented Programming ROP chains – Small snippets of code ending with a RET – Can be chained together &gadget1 &gadget2 &gadget3 -- … ret … ret stack

18 How good are they? Assume random canaries protect the stack Assume DEP prevents execution of the stack

19 Can you still exploit this?

20

21 III.C ASLR

22 Let us make it a little harder still…

23 Address Space Layout Randomisation Idea: – Re-arrange the position of key data areas randomly (stack,.data,.text, shared libraries,... ) – Buffer overflow: the attacker does not know the address of the shellcode – Return-into-libc: the attacker can't predict the address of the library function – Implementations: Linux kernel > 2.6.11, Windows Vista,...

24 ASLR: Problems 32-bit implementations use few randomisation bits An attacker can still exploit non-randomised areas, or rely on other information leaks (e.g., format bug) So… (I bet you saw this one coming)….

25 How good are they? Assume random canaries protect the stack Assume DEP prevents execution of the stack Assume ASLR randomized the stack and the start address of the code – but let us assume that all functions are still at the same relative offset from start address of code – (in other words: need only a single code pointer)

26 Can you still exploit this?

27

28 Finally

29 We constructed “weird machines” New spin on fundamental questions:  “What is computable?” Shellcode, ROP, Ret2Libc  Turing Complete

30 That is all folks! We have covered quite a lot: – Simple buffer overflows – Counter measures – Counter counter measures Research suggests that buffer overflows will be with us for quite some time Best avoid them in your code!

Download ppt "Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any."

Similar presentations

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.

DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.
Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Framing Signals— A Return to Portable Shellcode

Framing Signals— A Return to Portable Shellcode
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.

Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.
CS 153 Design of Operating Systems Spring 2015 Lecture 19: Page Replacement and Memory War.

CS 153 Design of Operating Systems Spring 2015 Lecture 19: Page Replacement and Memory War.
Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.

Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh

Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer.

Branch Regulation: Low-Overhead Protection from Code Reuse Attacks Mehmet Kayaalp, Meltem Ozsoy, Nael Abu-Ghazaleh and Dmitry Ponomarev Department of Computer.
Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.

Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.
A survey of Buffer overflow exploitation on HTC touch mobile phone Advanced Defense Lab CSIE NCU Chih-Wen Ou.

A survey of Buffer overflow exploitation on HTC touch mobile phone Advanced Defense Lab CSIE NCU Chih-Wen Ou.
Host and Application Security Lesson 10: Code Injection.

Host and Application Security Lesson 10: Code Injection.
Mitigation of Buffer Overflow Attacks

Mitigation of Buffer Overflow Attacks
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 10 “Buffer Overflow”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 10 “Buffer Overflow”.

Similar presentations

Ads by Google