Presentation is loading. Please wait.

Presentation is loading. Please wait.

4/30/2008Prof. Hilfinger CS 164 Lecture 391 Language Security Lecture 39 (from notes by G. Necula)

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "4/30/2008Prof. Hilfinger CS 164 Lecture 391 Language Security Lecture 39 (from notes by G. Necula)"— Presentation transcript:

1 4/30/2008Prof. Hilfinger CS 164 Lecture 391 Language Security Lecture 39 (from notes by G. Necula)

2 4/30/2008Prof. Hilfinger CS 164 Lecture 392 Lecture Outline Beyond compilers –Looking at other issues in programming language design and tools C –Arrays –Exploiting buffer overruns –Detecting buffer overruns

3 4/30/2008Prof. Hilfinger CS 164 Lecture 393 Platitudes Language design has influence on –Efficiency –Safety –Security

4 4/30/2008Prof. Hilfinger CS 164 Lecture 394 C Design Principles Small language Maximum efficiency Safety less important Designed for the world as it was in 1972 –Weak machines –Superhuman programmers (or so they thought) –Trusted networks

5 4/30/2008Prof. Hilfinger CS 164 Lecture 395 Arrays in C char buffer[100]; Declares and allocates an array of 100 chars 100 *sizeof(char) 01 299

6 4/30/2008Prof. Hilfinger CS 164 Lecture 396 C Array Operations char buf1[100], buf2[100]; Write: buf1[0] = ‘a’; Read: return buf2[0];

7 4/30/2008Prof. Hilfinger CS 164 Lecture 397 What’s Wrong with this Picture? int i; for(i = 0; buf1[i] != ‘\0’; i++) { buf2[i] = buf1[i]; } buf2[i] = ‘\0’;

8 4/30/2008Prof. Hilfinger CS 164 Lecture 398 Indexing Out of Bounds The following are all well-typed C and may generate no run-time errors char buffer[100]; buffer[-1] = ‘a’; buffer[100] = ‘a’; buffer[100000] = ‘a’;

9 4/30/2008Prof. Hilfinger CS 164 Lecture 399 Why? Why does C allow out-of-bounds array references? –Proving at compile-time that all array references are in bounds is impossible in most languages –Checking at run-time that all array references are in bounds is “expensive” But it is even more expensive to skip the checks

10 4/30/2008Prof. Hilfinger CS 164 Lecture 3910 Code Generation for Arrays The C code: buf1[i] = 1; /* buf1 has type int[] */ C with bounds checks r1 = &buf1; r2 = load i; r3 = r2 * 4; if r3 < 0 then error; r5 = load limit of buf1; if r3 >= r5 then error; r4 = r1 + r3 store r4, 1 Regular C r1 = &buf1; r2 = load i; r3 = r2 * 4; r4 = r1 + r3 store r4, 1 The assembly code: Costly! Finding the array limits is non-trivial

11 4/30/2008Prof. Hilfinger CS 164 Lecture 3911 C vs. Java C array reference typical case –Offset calculation –Memory operation (load or store) Java array reference typical case –Offset calculation –Memory operation (load or store) –Array bounds check –Type compatibility check (for some arrays)

12 4/30/2008Prof. Hilfinger CS 164 Lecture 3912 Buffer Overruns A buffer overrun writes past the end of an array Buffer usually refers to a C array of char –But can be any array So who’s afraid of a buffer overrun? –Can cause a core dump –Can damage data structures –What else?

13 4/30/2008Prof. Hilfinger CS 164 Lecture 3913 Stack Smashing Buffer overruns can alter the control flow of your program! char buffer[100]; /* stack allocated array */ 100 *sizeof(char) 01 2 99 return address

14 4/30/2008Prof. Hilfinger CS 164 Lecture 3914 An Overrun Vulnerability void foo(char in[]) { char buffer[100]; int i = 0; for(i = 0; in[i] != ‘\0’; i++) { buffer[i] = in[i]; } buffer[i] = ‘\0’; }

15 4/30/2008Prof. Hilfinger CS 164 Lecture 3915 An Interesting Idea char in[104] = { ‘ ‘,…,’ ‘, magic 4 chars } foo(in); /* Return here: L RET */ 100 *sizeof(char) 01 2 99 return address foo entry (L RET ) 100 *sizeof(char) 01 2 99 return address foo exit magic 4 chars

16 4/30/2008Prof. Hilfinger CS 164 Lecture 3916 Discussion So we can make foo jump wherever we like. Result of unanticipated interaction of two features: –Unchecked array operations –Stack-allocated arrays and return addresses Knowledge of frame layout allows prediction of where array and return address are stored –Note the “magic cast” from char’s to an address

17 4/30/2008Prof. Hilfinger CS 164 Lecture 3917 The Rest of the Story Say that foo is part of a network server and the in originates in a received message –Some remote user can make foo jump anywhere ! But where is a “useful” place to jump? –Idea: Jump to some code that gives you control of the host system (e.g. code that spawns a shell) But where to put such code? –Idea: Put the code in the same buffer and jump there!

18 4/30/2008Prof. Hilfinger CS 164 Lecture 3918 The Plan We’ll make the code jump to the following code: In C: exec(“/bin/sh”); In assembly (pretend): mov $a0, 15 ; load the syscall code for “exec” mov $a1, &Ldata ; load the command syscall ; make the system call Ldata:.byte ‘/’,’b’,’i’,’n’,’/’,’s’,’h’,0 ; null-terminated In machine code: 0x20, 0x42, 0x00, …

19 4/30/2008Prof. Hilfinger CS 164 Lecture 3919 The Plan char in[104] = { 104 magic chars } foo(in); 01 2 99 return address foo exit 0x20, 0x42, 0x00, … The last 4 bytes in “in” must be address of start of buffer Its position might depend on many factors !

20 4/30/2008Prof. Hilfinger CS 164 Lecture 3920 Guess the Location of the Injected Code Trial & error: gives you a ballpark Then pad the injected code with NOP –E.g. add $0, $1, 0x2020 stores result in $0 which is hardwired to 0 anyway Encoded as 0x20202020 01 2 99 return address foo exit 0x20, …, 0x20, 0x20, 0x42, 0x00, … Works even with an approximate address of buffer ! The bad code

21 4/30/2008Prof. Hilfinger CS 164 Lecture 3921 More Problems We do not know exactly where the return address is –Depends on how the compiler chose to allocate variables in the stack frame Solution: pad the buffer at the end with many copies of the “magic return address X” 01 2 99 return address foo exit 0x20, …, 0x20, 0x20, 0x42, 0x00, …, X, X, X, X, …, X, X, … The bad code

22 4/30/2008Prof. Hilfinger CS 164 Lecture 3922 Even More Problems The most common way to copy the bad code in a stack buffer is using string functions: strcpy, strcat, etc. This means that buf cannot contain 0x00 bytes –Why? Solution: –Rewrite the code carefully –Instead of “addiu $4,$0,0x0015 (code 0x20400015) –Use “addiu $4,$0,0x1126; subiu $4, $4, 0x1111”

23 4/30/2008Prof. Hilfinger CS 164 Lecture 3923 The State of C Programming Buffer overruns are common –Programmers must do their own bounds checking –Easy to forget or be off-by-one or more –Program still appears to work correctly In C w.r.t. to buffer overruns –Easy to do the wrong thing –Hard to do the right thing

24 4/30/2008Prof. Hilfinger CS 164 Lecture 3924 The State of Cracking Buffer overruns are the attack of choice –40-50% of new vulnerabilities are buffer overrun exploits –Many attacks of this flavor: Code Red, Nimda, MS- SQL server Highly automated toolkits available to exploit known buffer overruns –Search for “buffer overruns” yields > 25,000 hits

25 4/30/2008Prof. Hilfinger CS 164 Lecture 3925 The Sad Reality Even well-known buffer overruns are still widely exploited –Hard to get people to upgrade millions of vulnerable machines We assume that there are many more unknown buffer overrun vulnerabilities –At least unknown to the good guys

26 4/30/2008Prof. Hilfinger CS 164 Lecture 3926 Blunt-Force Solutions Common architectures can disallow execution of code on the stack or on the heap. Unfortunately, there are legitimate uses for both.

27 4/30/2008Prof. Hilfinger CS 164 Lecture 3927 Static Analysis to Detect Buffer Overruns Detecting buffer overruns before distributing code would be better Idea: Build a tool similar to a type checker to detect buffer overruns Joint work by Alex Aiken, David Wagner, Jeff Foster, at Berkeley

28 4/30/2008Prof. Hilfinger CS 164 Lecture 3928 Focus on Strings Most important buffer overrun exploits are through string buffers –Reading an untrusted string from the network, keyboard, etc. Focus the tool only on arrays of characters

29 4/30/2008Prof. Hilfinger CS 164 Lecture 3929 Idea 1: Strings as an Abstract Data Type A problem: Pointer operations & array dereferences are very difficult to analyze statically –Where does *a point? –What does buf[j] refer to? Idea: Model effect of string library functions directly –Hard code effect of strcpy, strcat, etc.

30 4/30/2008Prof. Hilfinger CS 164 Lecture 3930 Idea 2: The Abstraction Model buffers as pairs of integer ranges –Alloc min allocated size of the buffer in bytes –Length max number of bytes actually in use Use integer ranges [x,y] = { x, x+1, …, y-1, y } –Alloc & length cannot be computed exactly

31 4/30/2008Prof. Hilfinger CS 164 Lecture 3931 The Strategy For each program expression, write constraints capturing the alloc and len of its string subexpressions Solve the constraints for the entire program Check for each string variable s len(s)  alloc(s)

32 4/30/2008Prof. Hilfinger CS 164 Lecture 3932 The Constraints char s[n];n  alloc(s) strcpy(dst,src)len(src)  len(dst) p = strdup(s)len(s)  len(p) & len(s)  alloc(p) p[n] = ‘\0’n+1  len(p)

33 4/30/2008Prof. Hilfinger CS 164 Lecture 3933 Constraint Solving Solving the constraints is akin to solving dataflow equations (e.g., constant propagation) Build a graph –Nodes are len(s), alloc(s) –Edges are constraints len(s)  len(t) Propagate information forward through the graph –Special handling of loops in the graph

34 4/30/2008Prof. Hilfinger CS 164 Lecture 3934 Using Solutions Once you’ve solved constraints to extract as much information as possible, look to see if len(s)  alloc(s) is necessarily true. If not, may have a problem. For example, if b is parameter about which we know nothing, then in char s[100]; strcpy (s, b); assertion len(s)  alloc(s) will not simplify to True.

35 4/30/2008Prof. Hilfinger CS 164 Lecture 3935 Results Found new buffer overruns in sendmail Found new exploitable overruns in Linux nettools package Both widely used, previously hand-audited packages

36 4/30/2008Prof. Hilfinger CS 164 Lecture 3936 Limitations Tool produces many false positives –1 out of 10 warnings is a real bug Tool has false negatives –Unsound---may miss some overruns But still productive to use

37 4/30/2008Prof. Hilfinger CS 164 Lecture 3937 Summary Programming language knowledge useful beyond compilers Useful for programmers –Understand what you are doing! Useful for tools other than compilers –Big research direction

Download ppt "4/30/2008Prof. Hilfinger CS 164 Lecture 391 Language Security Lecture 39 (from notes by G. Necula)"

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson

CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Prof. Necula CS 164 Lecture 141 Run-time Environments Lecture 8.

Prof. Necula CS 164 Lecture 141 Run-time Environments Lecture 8.
Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.

Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.
Prof. Bodik CS 164 Lecture 261 Language Security Lecture 26.

Prof. Bodik CS 164 Lecture 261 Language Security Lecture 26.
Program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc06.html.

Program analysis Mooly Sagiv html://
CS 536 Spring 20011 Run-time organization Lecture 19.

CS 536 Spring Run-time organization Lecture 19.
CS 536 Spring 20011 Intermediate Code. Local Optimizations. Lecture 22.

CS 536 Spring Intermediate Code. Local Optimizations. Lecture 22.
Pointer. Warning! Dangerous Curves C (and C++) have just about the most powerful, flexible and dangerous pointers in the world. –Most other languages.

Pointer. Warning! Dangerous Curves C (and C++) have just about the most powerful, flexible and dangerous pointers in the world. –Most other languages.
3/17/2008Prof. Hilfinger CS 164 Lecture 231 Run-time organization Lecture 23.

3/17/2008Prof. Hilfinger CS 164 Lecture 231 Run-time organization Lecture 23.
4/23/09Prof. Hilfinger CS 164 Lecture 261 IL for Arrays & Local Optimizations Lecture 26 (Adapted from notes by R. Bodik and G. Necula)

4/23/09Prof. Hilfinger CS 164 Lecture 261 IL for Arrays & Local Optimizations Lecture 26 (Adapted from notes by R. Bodik and G. Necula)
Run time vs. Compile time

Run time vs. Compile time
Overview of program analysis Mooly Sagiv html://www.cs.tau.ac.il/~msagiv/courses/wcc05.html.

Overview of program analysis Mooly Sagiv html://
Intermediate Code. Local Optimizations

Intermediate Code. Local Optimizations
Run-time Environment and Program Organization

Run-time Environment and Program Organization

Similar presentations

Ads by Google