Presentation is loading. Please wait.

Presentation is loading. Please wait.

Host and Application Security Lesson 10: Code Injection.

Published byThomas Gregory Modified over 9 years ago

Similar presentations

Presentation on theme: "Host and Application Security Lesson 10: Code Injection."— Presentation transcript:

1 Host and Application Security Lesson 10: Code Injection

2 Vulnernabities: Easy!  However, a more interesting class is code injection vulns…

3 What is code?  Actually, that’s not nearly as simple a question as it sounds  What about interpreted versus native?

4 Binary (native) code  Ultimately, machine code  Runs directly on the chip  Turns into microcode at the next layer down  Running native code is the holy grail when it comes to exploits

5 Understanding basic injection  The goal of code injection: Get something that is not code to run as code Why does it have to be not code?

6 Buffer Overflow  Five pounds of sugar in a four pound bag…  So, in a language like C/C++ what is the implication  Now, how can we turn that into code injection

7 How functions get called  stdcall calling convention: Parms on the stack, right to left Callee is responsible for cleaning up the stack

8 Stack-based injection  Let’s work our example now on the stack of a real program

9 Defenses  No execute flag: mark something in memory that makes memory non-executable  In particular, the non-executable stack  Stack cookies (canaries) help… but they leave a gap in protection

10 Return to libc attacks  We have a library with a known address (such as libc on Unix)  We have control of the stack, but have a non- executable stack…  What does the stack need to look like before a call? Bingo!

11 Return Oriented Programming  Much like return to libc, but we jump to “gadgets”  Using our gadgets, we build the program we want to run

12 Assignment  There’s a vulnerable program in your SVN…  Figure out how to exploit it  If you cannot figure it out, you should tell me what you tried and what you learned  By the midterm, you should read: The Geometry of Innocent Flesh on the Bone: Return-into-libc without Function Calls (on the x86) Smashing the Stack for fun and profit

13 Questions?

Download ppt "Host and Application Security Lesson 10: Code Injection."

Similar presentations

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.

ROP is Still Dangerous: Breaking Modern Defenses Nicholas Carlini et. al University of California, Berkeley USENIX Security 2014 Presenter: Yue Li Part.
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?

Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.

Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.
Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
Stack buffer overflow http://en.wikipedia.org/wiki/Stack_buffer_overflow.

Stack buffer overflow
Chapter 9 Security 9.4 - 9.6 Authentication Insider Attacks Exploiting Code Bugs.

Chapter 9 Security Authentication Insider Attacks Exploiting Code Bugs.
Netprog: Buffer Overflow1 Buffer Overflow Exploits Taken shamelessly from: netprog/overflow.ppt.

Netprog: Buffer Overflow1 Buffer Overflow Exploits Taken shamelessly from: netprog/overflow.ppt.
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh

Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
Buffer Overflow Attacks Figure 9-21. (a) Situation when the main program is running. (b) After the procedure A has been called. (c) Buffer overflow shown.

Buffer Overflow Attacks Figure (a) Situation when the main program is running. (b) After the procedure A has been called. (c) Buffer overflow shown.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.

Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.
Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.

Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.
Host and Application Security Lesson 22: Patch Management.

Host and Application Security Lesson 22: Patch Management.

Similar presentations

Ads by Google