Presentation is loading. Please wait.

Presentation is loading. Please wait.

Prof. Bodik CS 164 Lecture 261 Language Security Lecture 26.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Prof. Bodik CS 164 Lecture 261 Language Security Lecture 26."— Presentation transcript:

1 Prof. Bodik CS 164 Lecture 261 Language Security Lecture 26

2 Prof. Bodik CS 164 Lecture 262 Lecture Outline Beyond compilers –Looking at other issues in programming language design and tools C –Arrays –Exploiting buffer overruns Java –Is type safety enough?

3 Prof. Bodik CS 164 Lecture 263 Platitudes Language design has influence on –Safety –Efficiency –Security

4 Prof. Bodik CS 164 Lecture 264 C Design Principles Small language Maximum efficiency Safety less important Designed for the world in 1972 –Weak machines –Trusted networks

5 Prof. Bodik CS 164 Lecture 265 Arrays in C char buffer[100]; Declares and allocates an array of 100 chars 100 *sizeof(char) 01 299

6 Prof. Bodik CS 164 Lecture 266 C Array Operations char buf1[100], buf2[100]; Write: buf1[0] = ‘a’; Read: return buf2[0];

7 Prof. Bodik CS 164 Lecture 267 What’s Wrong with this Picture? int i; for(i = 0; buf1[i] != ‘\0’; i++) { buf2[i] = buf1[i]; } buf2[i] = ‘\0’;

8 Prof. Bodik CS 164 Lecture 268 Indexing Out of Bounds The following are all legal C and may generate no run-time errors char buffer[100]; buffer[-1] = ‘a’; buffer[100] = ‘a’; buffer[100000] = ‘a’;

9 Prof. Bodik CS 164 Lecture 269 Why? Why does C allow out of bounds array references? –Proving at compile-time that all array references are in bounds is very difficult (impossible in C) –Checking at run-time that all array references are in bounds is expensive

10 Prof. Bodik CS 164 Lecture 2610 Code Generation for Arrays The C code: buf1[i] = 1; /* buf1 has type int[] */ C with bounds checks r1 = &buf1; r2 = load i; r3 = r2 * 4; if r3 < 0 then error; r5 = load limit of buf1; if r3 >= r5 then error; r4 = r1 + r3 store r4, 1 Regular C r1 = &buf1; r2 = load i; r3 = r2 * 4; r4 = r1 + r3 store r4, 1 The assembly code: Costly! Finding the array limits is non-trivial

11 Prof. Bodik CS 164 Lecture 2611 C vs. Java C array reference typical case –Offset calculation –Memory operation (load or store) Java array reference typical case –Offset calculation –Memory operation (load or store) –Array bounds check –Type compatibility check (for stores)

12 Prof. Bodik CS 164 Lecture 2612 Buffer Overruns A buffer overrun writes past the end of an array Buffer usually refers to a C array of char –But can be any array So who’s afraid of a buffer overrun? –Cause a core dump –Can damage data structures –What else?

13 Prof. Bodik CS 164 Lecture 2613 Stack Smashing Buffer overruns can alter the control flow of your program! char buffer[100]; /* stack allocated array */ 100 *sizeof(char) 01 2 99 return address

14 Prof. Bodik CS 164 Lecture 2614 An Overrun Vulnerability void foo(char in[]) { char buffer[100]; int i = 0; for(i = 0; in[i] != ‘\0’; i++) { buffer[i] = in[i]; } buffer[i] = ‘\0’; }

15 Prof. Bodik CS 164 Lecture 2615 An Interesting Idea char in[104] = { ‘ ‘,…,’ ‘, magic 4 chars } foo(in); (**) 100 *sizeof(char) 01 2 99 return address foo entry (**) 100 *sizeof(char) 01 2 99 return address foo exit magic 4 chars

16 Prof. Bodik CS 164 Lecture 2616 Discussion So we can make foo jump wherever we like. How is this possible? Unanticipated interaction of two features: –Unchecked array operations –Stack-allocated arrays Knowledge of frame layout allows prediction of where array and return address are stored –Note the “magic cast” from char’s to an address

17 Prof. Bodik CS 164 Lecture 2617 The Rest of the Story Say that foo is part of a network server and the in originates in a received message –Some remote user can make foo jump anywhere ! But where is a “useful” place to jump? –Idea: Jump to some code that gives you control of the host system (e.g. code that spawns a shell) But where to put such code? –Idea: Put the code in the same buffer and jump there!

18 Prof. Bodik CS 164 Lecture 2618 The Plan We’ll make the code jump to the following code: In C: exec(“/bin/sh”); In assembly (pretend): mov $a0, 15 ; load the syscall code for “exec” mov $a1, &Ldata ; load the command syscall ; make the system call Ldata:.byte ‘/’,’b’,’i’,’n’,’/’,’s’,’h’,0 ; null-terminated In machine code: 0x20, 0x42, 0x00, …

19 Prof. Bodik CS 164 Lecture 2619 The Plan char in[104] = { 104 magic chars } foo(in); 01 2 99 return address foo exit 0x20, 0x42, 0x00, … The last 4 bytes in “in” must equal the start address of buffer Its position might depend on many factors !

20 Prof. Bodik CS 164 Lecture 2620 Guess the Location of the Injected Code Trial & error: gives you a ballpark Then pad the injected code with NOP –E.g. add $0, $1, 0x2020 stores result in $0 which is hardwired to 0 anyway Encoded as 0x20202020 01 2 99 return address foo exit 0x20, …, 0x20, 0x20, 0x42, 0x00, … Works even with an approximate address of buffer ! The bad code

21 Prof. Bodik CS 164 Lecture 2621 More Problems We do not know exactly where the return address is –Depends on how the compiler chose to allocate variables in the stack frame Solution: pad the buffer at the end with many copies of the “magic return address X” 01 2 99 return address foo exit 0x20, …, 0x20, 0x20, 0x42, 0x00, …, X, X, X, X, …, X, X, … The bad code

22 Prof. Bodik CS 164 Lecture 2622 Even More Problems The most common way to copy the bad code in a stack buffer is using string functions: strcpy, strcat, etc. This means that buf cannot contain 0x00 bytes –Why? Solution: –Rewrite the code carefully –Instead of “addiu $4,$0,0x0015 (code 0x20400015) –Use “addiu $4,$0,0x1126; subiu $4, $4, 0x1111”

23 Prof. Bodik CS 164 Lecture 2623 The State of C Programming Buffer overruns are common –Programmers must do their own bounds checking –Easy to forget or be off-by-one or more –Program still appears to work correctly In C w.r.t. to buffer overruns –Easy to do the wrong thing –Hard to do the right thing

24 Prof. Bodik CS 164 Lecture 2624 The State of Hacking Buffer overruns are the attack of choice –40-50% of new vulnerabilities are buffer overrun exploits –Many recent attacks of this flavor: Code Red, Nimda, MS-SQL server (Slammer) Highly automated toolkits available to exploit known buffer overruns –Search for “buffer overruns” yields > 25,000 hits

25 Prof. Bodik CS 164 Lecture 2625 The Sad Reality Even well-known buffer overruns are still widely exploited –Hard to get people to upgrade millions of vulnerable machines We assume that there are many more unknown buffer overrun vulnerabilities –At least unknown to the good guys

26 Prof. Bodik CS 164 Lecture 2626 Can Dataflow Analysis Help? Idea: for each variable used as an array index, calculate its possible range of values at each program point (eg. [0,99]) –If we have array sizes, can check if bounds are respected Problem: infinite number of dataflow facts! –Analysis of loops probably won’t terminate An efficient approximation gives too many false warnings Other compiler techniques more successful

27 Prof. Bodik CS 164 Lecture 2627 What about Java? Type safety prevents incorrectly-typed pointers –B b = new A() disallowed unless A extends B Array-bounds checks prevent buffer overflows Together, these checks prevent execution of arbitrary user code… Unless the computer breaks!

28 Prof. Bodik CS 164 Lecture 2628 Memory Errors A flip of some bit in memory –Can be caused by cosmic ray, or deliberately through radiation (heat) 0x4400 0x4404 0x4408 0x440C 0x4410 flip bit 3 0x4408 Exploitable!

29 Prof. Bodik CS 164 Lecture 2629 Overview of Attack Step 1: use memory error to obtain two pointers p and q, such that p == q and p and q have incompatible, specially-designed static types –Normally prevented by Java type system Step 2: use p and q from Step 1 to write values into arbitrary memory addresses –Fill a block of memory with desired machine code –Overwrite dispatch table entry to point to block –Do the virtual call corresponding to modified entry

30 Prof. Bodik CS 164 Lecture 2630 Special Classes For Attack class A { A a1; A a2; B b; // for Step 1 A a4; int i; // for address // in Step 2 } class B { A a1; A a2; A a3; A a4; A a5; } Assume 3-word object header

31 Prof. Bodik CS 164 Lecture 2631 Step 1 (Exploiting The Memory Error) A header A A B A int B header A A A A A 0x6000 0x600A 0x6010 0x6014 0x6018 0x601A 0x6020 0x602A 0x6030 0x6034 0x6038 0x603A B orig; A tmp1 = orig.a1; B bad = tmp1.b; orig tmp1 bad flip bit 5 in orig.a1 tmp1 bad Now bad points to an A object!

32 Prof. Bodik CS 164 Lecture 2632 Step 2 (Writing arbitrary memory) A p; B q; // from Step 1, p == q; assume both point to an A int offset = 8 * 4; // offset of i field in A void write(int address, int value) { p.i = address – offset; q.a5.i = value; // q.a5 is an integer treated as a pointer } Example: write 337 to address 0x4020 A header A A B A 0x4000 p q 0x4020 0x4004 0x4000 337 p.iq.a5 … q.a5.i

33 Prof. Bodik CS 164 Lecture 2633 Putting It All Together A p; // pointer to single A object while (true) { for (int i = 0; i < b_objs.length; i++) { B orig = b_objs[i]; // Step 1, really check all fields A tmp1 = orig.a1; B q = tmp1.b; // See if we succeeded Object o1 = p; Object o2 = q; if (o1 == o2) { writeCode(p,q); // uses write from Step 2 } Heap has one A object, many B objects All fields of type A point to single object, to increase probability of success

34 Prof. Bodik CS 164 Lecture 2634 Results (Govindavajhala and Appel) With software-injected memory errors, took over both IBM and Sun JVMs with 70% success rate Equally successful through heating DRAM with a lamp Defense: memory with error-correcting codes –ECC often not included to cut costs Most serious domain of attack is smart cards

35 Prof. Bodik CS 164 Lecture 2635 Summary Programming language knowledge useful beyond compilers –Helps programmers understand the exact behavior of their code –Compiler techniques can help to address other problems like security (big research area) Safety and security are hard –Assumptions must be explicit

Download ppt "Prof. Bodik CS 164 Lecture 261 Language Security Lecture 26."

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
1 Lecture 18 Subverting a Type System turning a bit flip into an exploit Ras Bodik Ali and Mangpo Hack Your Language! CS164: Introduction to Programming.

1 Lecture 18 Subverting a Type System turning a bit flip into an exploit Ras Bodik Ali and Mangpo Hack Your Language! CS164: Introduction to Programming.
CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson

CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Prof. Necula CS 164 Lecture 141 Run-time Environments Lecture 8.

Prof. Necula CS 164 Lecture 141 Run-time Environments Lecture 8.
Chapter 7:: Data Types Programming Language Pragmatics

Chapter 7:: Data Types Programming Language Pragmatics
Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Buffer Overflows By Tim Peterson Joel Miller Dan Block.

Buffer Overflows By Tim Peterson Joel Miller Dan Block.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.

Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.
Teaching Buffer Overflow Ken Williams NC A&T State University.

Teaching Buffer Overflow Ken Williams NC A&T State University.
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:

Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:
CS 536 Spring 20011 Run-time organization Lecture 19.

CS 536 Spring Run-time organization Lecture 19.
Pointer. Warning! Dangerous Curves C (and C++) have just about the most powerful, flexible and dangerous pointers in the world. –Most other languages.

Pointer. Warning! Dangerous Curves C (and C++) have just about the most powerful, flexible and dangerous pointers in the world. –Most other languages.
3/17/2008Prof. Hilfinger CS 164 Lecture 231 Run-time organization Lecture 23.

3/17/2008Prof. Hilfinger CS 164 Lecture 231 Run-time organization Lecture 23.
4/30/2008Prof. Hilfinger CS 164 Lecture 391 Language Security Lecture 39 (from notes by G. Necula)

4/30/2008Prof. Hilfinger CS 164 Lecture 391 Language Security Lecture 39 (from notes by G. Necula)

Similar presentations

Ads by Google