Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fall 2008CS 334: Computer SecuritySlide #1 Program Security Buffer Overflows Incomplete Access Control.

Published byEthel Paul Modified over 9 years ago

Similar presentations

Presentation on theme: "Fall 2008CS 334: Computer SecuritySlide #1 Program Security Buffer Overflows Incomplete Access Control."— Presentation transcript:

1 Fall 2008CS 334: Computer SecuritySlide #1 Program Security Buffer Overflows Incomplete Access Control

2 Fall 2008CS 334: Computer SecuritySlide #2 Why Program Security? Because program flaws are the gateway through which many attacks are launched: –Intrusion detection, network security (e.g. firewalls) are necessary because computers (and specifically the programs they run) are vulnerable to attack. Because understanding how programs are attacked can help you to write more secure code.

3 Fall 2008CS 334: Computer SecuritySlide #3 Secure Programs How do we define the term secure program? –Program that meets specification? Specifications can be incorrect, incomplete, or vague Consider example in text (p. 96) of “locked” computers that all used same keys How do we identify secure programs? –# of faults discovered and fixed during design, development, etc?

4 Fall 2008CS 334: Computer SecuritySlide #4 History: Fixing Faults Software engineering research has shown that software that has many faults early on is likely to have many others waiting to be found ``Penetrate and Patch’’: Analysts search for and repair faults –Badness: pressure to repair specific fault often causes tunnel vision (failure to consider context) –Faults often have non-obvious side effects in places other than immediate area of fault –Fixed faults can cause system performance or operation to suffer

5 Fall 2008CS 334: Computer SecuritySlide #5 Secure Programs Often (somewhat vaguely) based on the notion of expectation: does a program behave as the designer and users expect? Program security flaw: unexpected behavior –Lots of terminology(vulnerability, flaw, faults, failures, etc) –Who cares: only need to know cause (what fault caused the problem) and effect (what failure is visible to user)

6 Fall 2008CS 334: Computer SecuritySlide #6 Intention Textbooks makes big deal out of notion of malicious versus non-malicious Misleading: –Buffer overflow is non-malicious? Yes, because the flaw is often the result of an accidental oversight of the programmer No, because a buffer overflow attack can be, well, not good

7 Fall 2008CS 334: Computer SecuritySlide #7 Three Types of Vulnerabilities Buffer Overflow Incomplete Mediation Time-of-check to Time-of-Use (TOCTOU) Errors

8 Fall 2008CS 334: Computer SecuritySlide #8 Buffer Overflow Simply put, trying to squeeze too much stuff into too small a space Defn: a buffer (or array or string) is a space in which data can be held –Usually, programmer needs to have declared size of the buffer beforehand (but not always) –Also, size cannot always be determined through static analysis (may be run-time decision)

9 Fall 2008CS 334: Computer SecuritySlide #9 Buffer Overflow Is this access out of bounds? Upshot: compiler cannot identify all out-of- bounds accesses Hope that language run-time flags this (if bad). Many don’t (e.g. C)

10 Fall 2008CS 334: Computer SecuritySlide #10 Buffer Overflow Effect of overflow is that data outside buffer is overwritten Exact effect depends on what is overwritten –User’s data? –User’s program code? –System data? –System program code?

11 Fall 2008CS 334: Computer SecuritySlide #11 Buffer Overflow Details You read about them (“Smashing the Stack for Fun and Profit”). Two parts: –Buffer overrun operation that modifies control flow –Execution of the payload Other good references are –Pincus and Baker “Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns” –DilDog “The Tao of Windows Buffer Overruns”

12 Fall 2008CS 334: Computer SecuritySlide #12 Trampolining Allows attacker to apply buffer overflow when the attacker doesn’t know absolute address of buffer ( buff ) Key insight: if a program register R contains a value relative to buff, control can be transferred to buff by first translating control to a sequence of instructions that indirectly transfers via R. –Key: finding such a sequence of instructions at a well-known or predictable address (this is the “trampoline”)

13 Fall 2008CS 334: Computer SecuritySlide #13 Another Enhancement Separate two parts of buffer overflow –Useful if the buffer being overrun is too small for payload –Attacker arranges for payload to be in another location, possibly executed later Payload in programs memory space? Stored in an environment variable (because typically accessible on linux systems from well-known address near base of the stack)

14 Fall 2008CS 334: Computer SecuritySlide #14 Heap Overflow Stack is used to store local variables Heap stores memory that is global and also memory that is dynamically allocated (e.g. via call to malloc() )

15 Fall 2008CS 334: Computer SecuritySlide #15 Arc Injection Attack Instead of supplying code, supply data that will lead to desired effect when programs existing code operates on it. –E.g. attacker supplies a command line that the program under attack will use to spawn another process Called arc injection because the attack causes a new arc (control-flow transfer) into the programs control flow graph, as opposed to code injection (e.g. smashing the stack) which also inserts a new node into graph

16 Fall 2008CS 334: Computer SecuritySlide #16 Arc Injection Basic Example Stack buffer overrun modifies saved return address to point to location in the program’s address space –Specifically to location within system function in C standard library –system function takes arbitrary command line as argument, checks arguments validity, loads it into a register R, and makes a call to create the process

17 Fall 2008CS 334: Computer SecuritySlide #17 Arc Injection Example (cont) Attacker arranges for R to point to attacker supplied string, then jumps directly to location target, bypassing validity check and assignment C standard library loads most processes at a well known location, so computing target’s absolute address is straightforward

18 Fall 2008CS 334: Computer SecuritySlide #18 Arc Injection Example (cont) How does attacker get R to point to attacker supplied string? –It can be trivial: programs routinely reuse registers, so it would not be unusual that the program uses R in the procedure in which a buffer overrun occurs (e.g., pointing to buff in code below). –Attacker simply writes command line string into buff and ensures that target’s location appears at correct offset in buffer to overwrite return address –Then on return, control is passed to middle of system function

19 Fall 2008CS 334: Computer SecuritySlide #19 Pointer Subterfuge Four flavors –Function-pointer clobbering –Data-pointer modification –Exception-handler hijacking –Virtual Pointer (VPTR)smashing Bottom line is that if you can control pointers, you can cause memory to be overwritten, etc.

20 Fall 2008CS 334: Computer SecuritySlide #20 Incomplete Mediation An Example: http://www.somesite.com/subpage/userinput.asp?parm1 =(808)5551212&parm2=2009Jan17 This URL causes the execution of code on the server that reads the two parameters parm1 and parm2. –There may be code on the client (browser) page that checks validity of parameters. –It’s likely also that the values were entered using forms that prohibit certain kinds of entries for various fields –But the parameters are packed into the URL line, which is user modifiable. So whatever checks were made are ineffective.

21 Fall 2008CS 334: Computer SecuritySlide #21 Incomplete Mediation The problem: the sensitive data was not completely mediated -- it was placed in an exposed uncontrolled condition A true-life example: http://www.things.com/order.asp?custID=101&part=55 &qy=20&price=10&ship=boat&shipcost=5&total=205 http://www.things.com/order.asp?custID=101&part=55 &qy=20&price=10&ship=boat&shipcost=5&total=25 original modifie d Question: why even transmit price data?!

22 Fall 2008CS 334: Computer SecuritySlide #22 TOCTOU Errors Time-of-check to Time-of-Use Errors Synchronization error: basically, exploitable gap between (time condition for accessing object is checked) and (time access actually occurs) Ex: Sculpture costs $100. Buyer counts $100 and places it on table. Seller turns around to write receipt, buyer takes $20 back and hands stack to seller (who assumes there is still $100 in stack) –Between time security was checked (counting bills) and object accessed (get sculpture) the condition changed

23 Fall 2008CS 334: Computer SecuritySlide #23 TOCTOU Error File system: –Data structure “work ticket” presented to access control module. –Work ticket requires “stamp” authorizing access –Module places copy of ticket in its own work area for checking validity of request, actual ticket remains in user address space. –User modifies data structure in its own address space while access control module is checking the requested file name, etc. –Ticket is validated by access control module (e.g. by returning an auxiliary ticket) –User uses modified data structure with ticket validation for illegal access

24 Fall 2008CS 334: Computer SecuritySlide #24 Privilege Escalation Access rights and privileges of programs are dictated by program context, which is typically dictated by user running program –You can modify, delete, etc, files you own, but not critical system files Privilege Escalation attack is one in which malicious code is launched by a user with low privilege but run with high privilege

25 Fall 2008CS 334: Computer SecuritySlide #25 Example (April 2006) Symantec Live Update –Runs with elevated privilege since it needs to download and install programs in system directory –Uses four modules, LU1, LU2, Sys3, and Sys4 First two are part of Live Update, other two are functions in the OS. –In some releases for Mac, Symantec allowed Live Update to locate Sys3 and Sys4 by using the PATH environment variable rather than specifying the location explicitly.

26 Fall 2008CS 334: Computer SecuritySlide #26 Example (April 2006) But the LU modules run with escalated privilege, and this is passed automatically to the Sys modules. So an attacker can write their own function, call it Sys3 or Sys4, and modify the PATH variable so that this is what is run when Live Update runs. The end result is a user written function running with elevated privileges!

27 Fall 2008CS 334: Computer SecuritySlide #27 Covert Channels A much researched topic Defn: Programs that communicate information to people who should not receive it. –Communication usually travels unnoticed, accompanying other communications Example: Student helping others cheat on multiple choice exam by coughing, wheezing, moving foot, etc, to indicate choice (a), (b), etc.

28 Fall 2008CS 334: Computer SecuritySlide #28

29 Fall 2008CS 334: Computer SecuritySlide #29 Covert Channels Problem: these are easy to create –Timing –Existence of files –Exact format of files Number of blank spaces in fields Incorrect (but unnoticed) information –Availability of resources Dynamically allocated memory available? File locked or unlocked?

30 Fall 2008CS 334: Computer SecuritySlide #30

31 Fall 2008CS 334: Computer SecuritySlide #31 File Lock Covert Channel

32 Fall 2008CS 334: Computer SecuritySlide #32 File Existence Channel Signaling 100

33 Fall 2008CS 334: Computer SecuritySlide #33 Timing Channel Pass information by using speed at which things happen Example: two process system where info passed by accepting(1) or rejecting(0) offered processing time

Download ppt "Fall 2008CS 334: Computer SecuritySlide #1 Program Security Buffer Overflows Incomplete Access Control."

Similar presentations

1/1/ / faculty of Electrical Engineering eindhoven university of technology Memory Management and Protection Part 3:Virtual memory, mode switching, 80286.

1/1/ / faculty of Electrical Engineering eindhoven university of technology Memory Management and Protection Part 3:Virtual memory, mode switching,
Lectures on File Management

Lectures on File Management
Module R2 CS450. Next Week R1 is due next Friday ▫Bring manuals in a binder - make sure to have a cover page with group number, module, and date. You.

Module R2 CS450. Next Week R1 is due next Friday ▫Bring manuals in a binder - make sure to have a cover page with group number, module, and date. You.
Names and Bindings.

Names and Bindings.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Chapter 3 Loaders and Linkers

Chapter 3 Loaders and Linkers
Operating-System Structures

Operating-System Structures
Chapter 3 (Part 1) Network Security

Chapter 3 (Part 1) Network Security
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:

Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:
Run time vs. Compile time

Run time vs. Compile time
Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.

Memory Management 1 CS502 Spring 2006 Memory Management CS-502 Spring 2006.
CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.

CS-3013 & CS-502, Summer 2006 Memory Management1 CS-3013 & CS-502 Summer 2006.
Building Secure Software Chapter 9 Race Conditions.

Building Secure Software Chapter 9 Race Conditions.
Chap 3: Program Security.  Programming errors with security implications: buffer overflows, incomplete access control  Malicious code: viruses, worms,

Chap 3: Program Security.  Programming errors with security implications: buffer overflows, incomplete access control  Malicious code: viruses, worms,

Similar presentations

Ads by Google