Published by Ezra Stephens. Modified over 9 years ago.
Slide 2: A Tool for Pro-active Defense Against the Buffer Overrun Attack
D. Bruschi, E. Rosti, R. Banfi
Presented by: Warshavsky Alex
Slide 3: Overview
- Introduction
- General Background
- The Attack
- Buffer Overrun Detector
- Existing Solutions
- Conclusions
Slide 4: Computer Security Problems
- Security-unconscious design
- Programming errors
  - Buffer overruns
  - Buffer overflow
  - Stack smashing
Slide 5: Why let it happen?
- Language flexibility
- Language efficiency
- As a result ... everything is left to the programmer
Slide 6: Motivation
- Login program, late 70's
- Internet Worm, November 1988
- CERT-CC (Computer Emergency Response Team Coordination Center), 1997: 15 of 28 bugs
Slide 7: What is needed to solve the problem?
- Compiler tools
- Static analysis tools
- Buffer Overrun Detector
Slide 8: Overview (section divider: Introduction, General Background, The Attack, Buffer Overrun Detector, Existing Solutions, Conclusions)
Slide 9: General Background, or why buffer overruns are a security issue
- Unix access control system
- Function call execution model
- C language
Slide 10: Unix Access Control System
- Who owns the process?
  - Real user identifier (ruid)
  - Effective user identifier (euid)
- setuid() system call
- Permission bits: Owner R W X | Group R W X | Other R W X, plus the suid, sgid and sticky bits
Slide 11: Function Call Execution Model
- Process in memory, from low to high addresses: text, initialized data, bss, heap, ..., user stack, argc, argv pointers, env pointers, argv strings, env strings
- Function call frame: parameters, return address, (saved) stack pointer, frame pointer, local variables
Slide 12: C Language
- Considered a high-level assembly
- Easy to make a mistake
- Easy to forget ...
- Libraries aren't safe
Slide 13: Overview (section divider: Introduction, General Background, The Attack, Buffer Overrun Detector, Existing Solutions, Conclusions)
Slide 14: The Attack
- Pass the execve("/bin/sh", NULL) object code:

    char shellcode[] =
        "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
        "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
        "\x80\xe8\xdc\xff\xff\xff/bin/sh";

- Overwrite the return address
- Hope your code will be executed
- Don't forget the SUID bit and super-user privilege level
- Stack is executable!!!
Slides 15-18: An example (four frames of one stack animation, same program on every slide)

    #include <string.h>

    void my_func(int a, char *buff) {
        char buf1[6];           /* 6-byte local buffer, the overrun target */
        a = 4;
        strcpy(buf1, buff);     /* unbounded copy: writes past the end of buf1 */
    }

    int main(void) {
        char *string = "buffer overflow!!!!";   /* 19 characters plus NUL = 20 bytes */
        int i;
        i = 5;
        my_func(i, string);
        i = 3;
        return 0;
    }

- Frame 1 (slide 15): before the call. The stack, from high to low addresses, holds argc, string ("buffer overflow!!!\0"), i = 5; the program counter, frame pointer and stack pointer belong to main; heap and bss sit below.
- Frame 2 (slide 16): after the call. The frame of my_func holds *buff, a = 5, the return address, the saved stack pointer and frame pointer, and buf1.
- Frame 3 (slide 17): a = 4 has executed.
- Frame 4 (slide 18): strcpy copies 20 bytes into the 6-byte buf1. The copy spills upwards across the saved frame pointer and stack pointer slots and ends with "!!!\0" on top of the return address.
Slide 19: Another example (32-bit x86, __stdcall calling convention: arguments pushed right to left, with the return address directly below the first argument)

    #include <stdio.h>

    void __stdcall foo(int a, int b);

    int main(void)
    {
        int num;
        num = 5;
        foo(num, num + 1);
        num = 1;                            /* this store is skipped */
        printf("num is now %d \n", num);
        return 0;
    }

    void __stdcall foo(int a, int b)
    {
        int *p;
        p = &b;         /* address of the second argument on the stack */
        p -= 2;         /* two slots down: past a, onto the return address */
        (*p) += 7;      /* bump the return address by the size of the skipped store (7 bytes) */
    }

Output: num is now 5
Slide 20: Overview (section divider: Introduction, General Background, The Attack, Buffer Overrun Detector, Existing Solutions, Conclusions)
Slide 21: Buffer Overrun Detector
- Finding critical programs
- Searching for segmentation violation
- Exploiting segmentation violation
Slide 22: Finding Critical Programs
- setuid-to-root programs that:
  - accept input parameters
  - access environment variables
  - read a configuration file
Slide 23: Searching for Segmentation Violation
- Large inputs
- Brute-force approach
Slide 24: Exploiting Segmentation Violation
- Finding the stack location containing the return address
- Finding the new value for the return address
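Added example (not code from the slides or from the Bruschi/Rosti/Banfi tool): a small Python robustness harness for the detector's first two steps on slides 22 and 23, checking whether a program is set-uid root and then feeding it oversized inputs on the three channels the slides name while watching the exit status for SIGSEGV. The crashing target, the FUZZ_ENV variable name and the size ladder are constructed for the demonstration; step three is left out.

```python
# Added example, not from the slides or the paper: a robustness harness for the
# detector's first two steps (find set-uid-root programs, feed them oversized
# inputs, watch for SIGSEGV). Step three, exploitation, is deliberately left out.
import os
import signal
import stat
import subprocess
import sys

def is_setuid_root(path):
    """A 'critical program': regular file, owned by uid 0, set-uid bit set."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISREG(st.st_mode) and st.st_uid == 0 and bool(st.st_mode & stat.S_ISUID)

def classify(returncode):
    """Verdict for a subprocess return code; a POSIX signal N is reported as -N."""
    if returncode == -signal.SIGSEGV:
        return "segv"
    if returncode < 0:
        return "signal:%d" % -returncode
    return "ok" if returncode == 0 else "exit:%d" % returncode

def probe(argv_prefix, sizes, timeout=5):
    """Run once per size with n 'A's as argument, on stdin and in an env var."""
    verdicts = {}
    for n in sizes:
        payload = "A" * n
        try:
            r = subprocess.run(argv_prefix + [payload], input=payload.encode(),
                               env=dict(os.environ, FUZZ_ENV=payload), capture_output=True, timeout=timeout)
            verdicts[n] = classify(r.returncode)
        except subprocess.TimeoutExpired:
            verdicts[n] = "timeout"
    return verdicts

# Constructed stand-in target (not a real set-uid program): a Python one-liner
# that kills itself with SIGSEGV once its argument exceeds 4096 bytes.
FAKE_TARGET = [sys.executable, "-c", "import os,signal,sys\n"
               "if len(sys.argv[1]) > 4096: os.kill(os.getpid(), signal.SIGSEGV)"]

def first_crash_size(argv_prefix=FAKE_TARGET, sizes=(64, 1024, 8192, 65536)):
    """Smallest input size whose run ended in SIGSEGV, or None if none did."""
    crashes = [n for n, v in probe(argv_prefix, sizes).items() if v == "segv"]
    return min(crashes) if crashes else None
```

Pointing probe() at a real program found with is_setuid_root() reproduces the slides' brute-force search; a "segv" verdict at some size is the signal that the program deserves a bounds-checking review.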
Slide 25: Overview (section divider: Introduction, General Background, The Attack, Buffer Overrun Detector, Existing Solutions, Conclusions)
Slide 26: Existing Solutions
- Compiler patches
- Library patches
- Operating system patches
- Writing safe code!
Slide 27: Compiler Patches
- Compile-time bound checks
- Run-time checks on pointer manipulation
- Examples
  - GCC patch at Imperial College (2-3,30)
  - Purify, memory accesses (5)
  - StackGuard: return address
  - MemGuard: memory accesses
Slides 28-29: StackGuard (two frames of one stack animation)
Same program as the example on slides 15-18, but with char buf1[2] and my_func compiled with StackGuard, which places a CANARY word between the saved frame pointer and the return address.
- Frame 1 (slide 28): the frame of my_func, from high to low addresses: *buff, a = 4, return address, CANARY, saved stack pointer, frame pointer, buf1.
- Frame 2 (slide 29): after strcpy, buf1 holds "buff", the frame pointer and stack pointer slots hold "er o" and "verf", the CANARY holds "low!" and the return address holds "!!!\0". Because the overrun had to pass through the canary to reach the return address, the canary no longer has its expected value, and the check StackGuard inserts at function return detects the corruption before the return address is used.
Slide 30: Library Patches
- Assembly-coded integrity checks
- Almost no performance impact
- But ...
  - User functions aren't checked!
  - Portability is limited
Slide 31: Operating System Patches
- Making the stack non-executable
- Program protection at no cost
- But ...
  - Kernel has to be patched
  - GCC relies on an executable stack
  - Functional languages need it
Slide 32: Conclusions
- A tool for automatic detection of buffer overruns was presented
- Nothing beats writing good code
Slide 33: It's almost the end
Slide 34: Fuzz Revisited: A Re-examination of the Reliability of UNIX Utilities and Services
By: Miller, Koski, Lee, Maganty, Murthy, Natarajan, Steidl. University of Wisconsin
Slide 35: Introduction
- Fuzz generator
- Tested over 80 utility programs on 9 UNIX platforms
- Tested network services
- Tested X-Windows apps
- Tested the checking of return values of system calls
Slide 36: Conclusions
- The failure rate of commercial versions of UNIX (Sun, IBM, SGI, DEC, NEXT): 18%-23%
- The failure rate of Linux: 9%; GNU: 6%
- Network services are robust
- X-Windows: more than 50% on random input, more than 25% on legal inputs
- X servers are robust
- malloc(): 25 out of 53 (47%) crashed
Slide 37: THE END