Presentation is loading. Please wait.

Presentation is loading. Please wait.

K. Salah1 Buffer Overflow The crown jewel of attacks.

Published byWilliam Flynn Modified over 9 years ago

Similar presentations

Presentation on theme: "K. Salah1 Buffer Overflow The crown jewel of attacks."— Presentation transcript:

1 K. Salah1 Buffer Overflow The crown jewel of attacks

2 K. Salah2 Buffer Overflow Remains the principle method used to exploit software by remotely injecting malicious code Remains the principle method used to exploit software by remotely injecting malicious code It remains to be the “Crown Jewel of Attacks.” It remains to be the “Crown Jewel of Attacks.” Started with Robert Morris worm in 1988 exploiting a buffer overflow vulnerability in fingerd. Started with Robert Morris worm in 1988 exploiting a buffer overflow vulnerability in fingerd. Code Red worm of 2001, exploiting a buffer overflow vulnerability in Mircosoft IIS (Internet Information Server). Code Red worm of 2001, exploiting a buffer overflow vulnerability in Mircosoft IIS (Internet Information Server). The new MS Blaster of 2003, exploiting a buffer overflow vulnerability in MS DCOM/RPC. The new MS Blaster of 2003, exploiting a buffer overflow vulnerability in MS DCOM/RPC. The next attack will be most likely linked to buffer overflow The next attack will be most likely linked to buffer overflow CERT Security Alert by Years– upto the first 2 months of 2002

3 K. Salah3 A living legend article Best article on the know-how details of the buffer overflow can be found in Phrack Magazine (issue 49) titled, published in 1996: http://www.phrack.org/show.php?p=49&a=14 Best article on the know-how details of the buffer overflow can be found in Phrack Magazine (issue 49) titled, published in 1996: http://www.phrack.org/show.php?p=49&a=14 “Smashing the Stack for Fun and Profit,” “Smashing the Stack for Fun and Profit,”ByAlephOne@underground.org

4 K. Salah4

5 5  Called Payload “This is a hex representation of some binary executable code”

6 K. Salah6 Unsafe functions in the standard C Library

7 K. Salah7 “C gives you a rope to build a bridge and hang yourself” “C gives you a rope to build a bridge and hang yourself”

8 K. Salah8 Finding buffer overflow Issue requests or arguments with long strings Issue requests or arguments with long strings  Long strings end with “$$$$$” If application crashes, If application crashes,  Search core dump for “$$$$$” to find overflow location  Use reverse engineering Some automated tools exist Some automated tools exist

9 K. Salah9 Buffer Overflow Countermeasures Validate all arguments or parameters received whenever you write a function. Validate all arguments or parameters received whenever you write a function.  Bounds checking  Performance is compromised!! Use secure functions instead, e.g., strncpy() and strncat() Use secure functions instead, e.g., strncpy() and strncat() Use safe compilers Use safe compilers  Watch out for free compilers!!! Can be made by hackers, for hackers! Test and review your code thoroughly -- the power of code review Test and review your code thoroughly -- the power of code review Keep applying patches Keep applying patches Good site for advisory is CERT at Carnegie Mellon SWE Institute Good site for advisory is CERT at Carnegie Mellon SWE Institute  http://www.cert.org/advisories Can this attack be ever eliminated?

10 K. Salah10 Protecting the Stack Good number of references is found in: Good number of references is found in:  http://www.crhc.uiuc.edu/EASY/Papers02/EASY02-xu.pdf How? How?  Splitting control stack from data stack Control stack contains return addresses Data stack contains local variables and passed parameters  Use middleware software (libsafe) to intercept calls to library functions known to be vulnerable.  Using StackGuard and StackShield Adding more code at the beginning and end of each function Check to see if ret address is altered and signal a violation  Others  Performance due to overhead is always as issue!

11 K. Salah11 The Adventure Continues Bypassing the countermeasure for smashing the stack Bypassing the countermeasure for smashing the stack  Crispin Cowan, Steve Beattie, Ryan Finnin Day, Calton Pu, Perry Wagle and Erik Walthinsen. Protecting Systems from Stack Smashing Attacks with StackGuard http://www.immunix.org/documentation.html  In May 2000 issue of Phrack Magazine (www.phrack.org) “Bypassing StackGuard and StackShield” by Bulba and Kil3r

12 K. Salah12 Buffer Overflow in Java and C# More immune to BO vulnerabilities More immune to BO vulnerabilities  Still can happen  JVM is written in C  Possible to confuse type checking  Hostile applets aren’t too hard to write http://java.sun.com/sfaq/chronolgy.html (about 1 new vulnerability per month) http://java.sun.com/sfaq/chronolgy.html “type safe” language with strong type checking “type safe” language with strong type checking Control flow safe: “jumps” must be within the function or do “call/return” Control flow safe: “jumps” must be within the function or do “call/return” Using the JVM and its built-in bytecode verifier Has no support for pointers to manipulate memory addresses Has no support for pointers to manipulate memory addresses Has built-in security managers to define what resources to be accessed Has built-in security managers to define what resources to be accessed Implements “code signing” to verify data origin and integrity Implements “code signing” to verify data origin and integrity

Download ppt "K. Salah1 Buffer Overflow The crown jewel of attacks."

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Buffer Overflow Prevention ”\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e \x89\xe3\x50\x53\x50\x54\x53\xb0\x3b\x50\xcd\x80” Presented to CRAB April.

Buffer Overflow Prevention ”\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e \x89\xe3\x50\x53\x50\x54\x53\xb0\x3b\x50\xcd\x80” Presented to CRAB April.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
DICOTS and StackGuard: Two current approaches to tolerating malicious code Carl Landwehr Mitretek Systems, Inc. 7525 Colshire Dr. McLean, VA 22102

DICOTS and StackGuard: Two current approaches to tolerating malicious code Carl Landwehr Mitretek Systems, Inc Colshire Dr. McLean, VA 22102
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
Buffer Overflow By: John Quach and Napoleon N. Valdez.

Buffer Overflow By: John Quach and Napoleon N. Valdez.
Teaching Buffer Overflow Ken Williams NC A&T State University.

Teaching Buffer Overflow Ken Williams NC A&T State University.
Preventing Buffer Overflow Attacks. Some unsafe C lib functions strcpy (char *dest, const char *src) strcat (char *dest, const char *src) gets (char *s)

Preventing Buffer Overflow Attacks. Some unsafe C lib functions strcpy (char *dest, const char *src) strcat (char *dest, const char *src) gets (char *s)
Analysis of the Internet Worm of August 2003 INFORMATION AND COMPUTER SCIENCE DEPARTMENT Dr. K. Salah September 2003.

Analysis of the Internet Worm of August 2003 INFORMATION AND COMPUTER SCIENCE DEPARTMENT Dr. K. Salah September 2003.
Teaching Buffer Overflow Ken Williams NC A&T State University.

Teaching Buffer Overflow Ken Williams NC A&T State University.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.

Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.
Lecture 16 Buffer Overflow

Lecture 16 Buffer Overflow
Statically Detecting Likely Buffer Overflow Vulnerabilities David Larochelle David Evans University of Virginia Department of Computer Science Supported.

Statically Detecting Likely Buffer Overflow Vulnerabilities David Larochelle David Evans University of Virginia Department of Computer Science Supported.

Similar presentations

Ads by Google