Presentation is loading. Please wait.

Presentation is loading. Please wait.

Review: Software Security David Brumley Carnegie Mellon University.

Published bySheila Newman Modified over 9 years ago

Similar presentations

Presentation on theme: "Review: Software Security David Brumley Carnegie Mellon University."— Presentation transcript:

1 Review: Software Security David Brumley dbrumley@cmu.edu Carnegie Mellon University

2 Basic Execution Model 2 Process Memory Stack Heap Processor Fetch, decode, execute read and write Code Data...

3 cdecl – the default for Linux & gcc 3 int orange(int a, int b) { char buf[16]; int c, d; if(a > b) c = a; else c = b; d = red(c, buf); return d; } … b a return addr caller’s ebp callee-save locals (buf, c, d ≥ 28 bytes if stored on stack) caller-save buf c return addr orange’s ebp … %ebp frame %esp stack parameter area (caller) orange’s initial stack frame to be created before calling red after red has been called grow

4 Be prepared to draw and analyze stack diagrams 4

5 Control Flow Hijack: Always Computation + Control computation + control shellcode (aka payload)padding&buf 5 code injection return-to-libc Heap metadata overwrite return-oriented programming... Same principle, different mechanism

6 Channeling Vulnerabilities... arise when control and data are mixed into one channel. 6

7 Buffer overflows Gaining control through... – Overwriting saved return addresses – Overwriting function pointers 7

8 format strings For non-variadic functions, the compiler: – knows number and types of arguments – emits instructions for caller to push arguments right to left – emits instructions for callee to access arguments via frame pointer (or stack pointer [advanced]) For variadic functions, the compiler emits instructions for the program to walk the stack at runtime for arguments 8

9 format string exploits Occur when the user can control the format string specifier Can be used to: 1.View memory (e.g., information disclosure) 2.Write to specific addresses 3.sprintf: expand user input to cause a buffer overflow 9

10 Defenses 10 computation + control shellcode (aka payload)padding&buf Primarily DEPPrimarily ASLR

11 How to attack with ASLR? Attack Brute Force Non- randomized memory Stack Juggling ret2text Func ptr ret2ret ret2pop GOT Hijacking GOT Hijacking ret2got 11

12 Return-Oriented Programming (ROP) how it works and when it is needed 12 Desired Shellcode Mem[v2] = v1 … argv argc return addr caller’s ebp buf (64 bytes) argv[1] buf %ebp %esp a3a3 v2v2 a2a2 v1v1 a1a1 a 1 : pop eax; ret a 2 : pop ebx; ret a 3 : mov [ebx], eax Desired store executed!

13 CFI Sound/Complete Sensitivity in program analysis CFI instrumentation CFI assumptions 13

14 Test In-class Timed Closed book, closed note, closed computer 14 Good Luck!

15 15 Questions?

16 END

17 17 Thought

Download ppt "Review: Software Security David Brumley Carnegie Mellon University."

Similar presentations

Calling sequence ESP.

Calling sequence ESP.
Control Flow Hijack Defenses Canaries, DEP, and ASLR

Control Flow Hijack Defenses Canaries, DEP, and ASLR
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos

CS457 – Introduction to Information Systems Security Software 3 Elias Athanasopoulos
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Exploits Buffer Overflows and Format String Attacks David Brumley Carnegie Mellon University.

Exploits Buffer Overflows and Format String Attacks David Brumley Carnegie Mellon University.
Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.

Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.
Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.

Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.
Memory Image of Running Programs Executable file on disk, running program in memory, activation record, C-style and Pascal-style parameter passing.

Memory Image of Running Programs Executable file on disk, running program in memory, activation record, C-style and Pascal-style parameter passing.
Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.

Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.
1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)

1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)
Computer Security Buffer Overflow lab Eu-Jin Goh.

Computer Security Buffer Overflow lab Eu-Jin Goh.
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
September 22, 2014 Pengju (Jimmy) Jin Section E

September 22, 2014 Pengju (Jimmy) Jin Section E
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Computer Architecture and Operating Systems CS 3230 :Assembly Section Lecture 7 Department of Computer Science and Software Engineering University of Wisconsin-Platteville.

Computer Architecture and Operating Systems CS 3230 :Assembly Section Lecture 7 Department of Computer Science and Software Engineering University of Wisconsin-Platteville.
Assembly, Stacks, and Registers Kevin C. Su 9/26/2011.

Assembly, Stacks, and Registers Kevin C. Su 9/26/2011.
Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.

Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.

Similar presentations

Ads by Google