Presentation is loading. Please wait.

Presentation is loading. Please wait.

Libsafe for Windows Shuo Chen Mentor: Timothy K. Tsai Avaya Labs Aug. 16, 2001.

Published byKaitlyn Lopez Modified over 11 years ago

Similar presentations

Presentation on theme: "Libsafe for Windows Shuo Chen Mentor: Timothy K. Tsai Avaya Labs Aug. 16, 2001."— Presentation transcript:

1 Libsafe for Windows Shuo Chen Mentor: Timothy K. Tsai Avaya Labs Aug. 16, 2001

2 Background: Libsafe for Linux Released in April 2000, Libsafe has gained popularity in the Linux community. Libsafe is very easy to install. Once installed, Libsafe does its job transparently. Libsafe does not need access to the source code of the program to be protected. Libsafe protection is system-wide. Libsafe automatically attaches to applications. Libsafe incurs only a slight overhead.

3 Motivation for porting Libsafe to Windows Windows is also susceptible to buffer overflow attacks. From 1999 to 2001, there were 54 buffer overflow bugs reported to SecurityFocus.com for Microsoft products running on Windows. Eleven of them were reported between Jan. 2001 and August 2001. Our investigation reveals that: 1) 63% of executables and DLLs are still using unchecked string functions. 2) 83% of services are still using unchecked string functions. Unchecked string functions are still widely used in Windows system DLLs and applications. Windows is also susceptible to buffer overflow attacks. Unchecked string functions are still widely used in Windows system DLLs and applications.

4 Magic of Microsoft Detours Runtime insertion of the detour function and trampoline functions between source function and target function.

5 Sample exploit program Buffer (80 bytes) fp ra Attack code g & a b r u b f a f g e e r void foo(char * input_string) { char buffer[80]; strcpy(buffer,input_string); return; } /*input_string = attack code+garbage+&buffer total length = 88 bytes */ A vulnerable program running without Libsafe

6 Sample exploit program(cont.) Buffer (80 bytes) fp ra void foo(char * input_string) { char buffer[80]; strcpy(buffer,input_string); return; }/*len(input_string)=88 bytes*/ char * libsafeStrcpy( char *dest, const char * src) { if (src is longer than max_size) report the event; else return strcpy(dest,src); } A vulnerable program running with Libsafe max_size=80

7 Real exploit: vCard buffer overflow When a.vcf file contains a long BDAY string, a buffer in Windows Address Book (wab.exe) will overflow. BEGIN:VCARD VERSION:2.1 N:Chen;Shuo FN:Shuo Chen BDAY:19750317AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAA EMAIL;PREF;INTERNET:shuochen@avaya.com REV:20010619T141800Z END:VCARD

8 Real exploit: Netscape Smartdownload 1.3 buffer overflow A component for URL parsing has an unchecked buffer. This is a test. Crash Me End test.

9 Real exploit: FrontPage Server Extension sub- component buffer overflow vulnerability When we make the following request: $ curl http://TARGET/_vti_bin/_vti_aut/fp30reg.dll?`perl -e 'print "A"x258'` we get such response: HTTP Error 501 NOT IMPLEMENTED The server is unable to perform the method AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA at this time. But if that it is longer than 258 bytes, a buffer overflow will occur. $ curl http://TARGET/_vti_bin/_vti_aut/fp30reg.dll?`perl -e 'print "A"x259'`

10 IIS running without Libsafe: Remote attack succeeds (Screen Shots) Start attack from kira Try to get a shell Get full access

11 IIS running with Libsafe: Remote attack fails (Screen Shots) Start attack from kira Try to get a shell Attack fails

12 Limitations of Libsafe The buffer overflow should be caused by the string functions intercepted by Libsafe. The program to be protected should use frame-pointers. The attack string should try to overwrite the return address. This implies that the buffer has to be on the stack. (Libsafe is bypassed when it cannot handle the situation. It does no harm to the program.)

13 My work in this summer Investigated the effectiveness of Libsafe on Windows Ported Libsafe to Windows Tested Libsafe with sample/real-world exploit programs Wrote a detailed TM This work will be distributed internally and externally

14 Acknowledgment My mentor: Tim Tsai ARC Help people: Tarek Warraky, Lookman Fazal and Eniko Kovacs My first-week-mentors: Navjot Singh and Hamilton Slye

Download ppt "Libsafe for Windows Shuo Chen Mentor: Timothy K. Tsai Avaya Labs Aug. 16, 2001."

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Introduction to Memory Management. 2 General Structure of Run-Time Memory.

Introduction to Memory Management. 2 General Structure of Run-Time Memory.
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?

Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
Communications of the ACM (CACM), Vol. 32, No. 6, June 1989

Communications of the ACM (CACM), Vol. 32, No. 6, June 1989
CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson

CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
Chapter 15 : Attacking Compiled Applications Alexis Kirat - International Student.

Chapter 15 : Attacking Compiled Applications Alexis Kirat - International Student.
Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.

Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.
Stack buffer overflow http://en.wikipedia.org/wiki/Stack_buffer_overflow.

Stack buffer overflow
Preventing Buffer Overflow Attacks. Some unsafe C lib functions strcpy (char *dest, const char *src) strcat (char *dest, const char *src) gets (char *s)

Preventing Buffer Overflow Attacks. Some unsafe C lib functions strcpy (char *dest, const char *src) strcat (char *dest, const char *src) gets (char *s)
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
Computer Security Buffer Overflow lab Eu-Jin Goh.

Computer Security Buffer Overflow lab Eu-Jin Goh.
Netprog: Buffer Overflow1 Buffer Overflow Exploits Taken shamelessly from: netprog/overflow.ppt.

Netprog: Buffer Overflow1 Buffer Overflow Exploits Taken shamelessly from: netprog/overflow.ppt.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

Similar presentations

Ads by Google