Presentation is loading. Please wait.

Presentation is loading. Please wait.

CS 3214 Computer Systems Godmar Back Lecture 7. Announcements Stay tuned for Project 2 & Exercise 4 Project 1 due Sep 16 Auto-fail rule 1: –Need at least.

Published byVirgil Howard Modified over 8 years ago

Similar presentations

Presentation on theme: "CS 3214 Computer Systems Godmar Back Lecture 7. Announcements Stay tuned for Project 2 & Exercise 4 Project 1 due Sep 16 Auto-fail rule 1: –Need at least."— Presentation transcript:

1 CS 3214 Computer Systems Godmar Back Lecture 7

2 Announcements Stay tuned for Project 2 & Exercise 4 Project 1 due Sep 16 Auto-fail rule 1: –Need at least phase_4 defused to pass class. 3/13/2016CS 3214 Fall 20102

3 Buffer Overflows What is a buffer overflow? How can it be exploited? How can it be avoided? –Through programmer measures –Through system measures (and how effective are they?) 3/13/2016CS 3214 Fall 20103

4 String Library Code –Implementation of Unix function gets No way to specify limit on number of characters to read –Similar problems with other Unix functions strcpy : Copies string of arbitrary length scanf, fscanf, sscanf, when given %s conversion specification /* Get string from stdin */ char *gets(char *dest) { int c = getc(); char *p = dest; while (c != EOF && c != '\n') { *p++ = c; c = getc(); } *p = '\0'; return dest; } 3/13/20164CS 3214 Fall 2010

5 Vulnerable Buffer Code int main() { printf("Type a string:"); echo(); return 0; } /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ gets(buf); puts(buf); } 3/13/20165CS 3214 Fall 2010

6 Buffer Overflow Executions unix>./bufdemo Type a string:123 123 unix>./bufdemo Type a string:12345 Segmentation Fault unix>./bufdemo Type a string:12345678 Segmentation Fault 3/13/20166CS 3214 Fall 2010

7 Buffer Overflow Stack echo: pushl %ebp# Save %ebp on stack movl %esp,%ebp subl $20,%esp# Allocate space on stack pushl %ebx# Save %ebx addl $-12,%esp# Allocate space on stack leal -4(%ebp),%ebx# Compute buf as %ebp-4 pushl %ebx# Push buf on stack call gets# Call gets... /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ gets(buf); puts(buf); } Return Address Saved %ebp [3][2][1][0] buf %ebp Stack Frame for main Stack Frame for echo 3/13/20167CS 3214 Fall 2010

8 Buffer Overflow Stack Example Before call to gets unix> gdb bufdemo (gdb) break echo Breakpoint 1 at 0x8048583 (gdb) run Breakpoint 1, 0x8048583 in echo () (gdb) print /x *(unsigned *)$ebp $1 = 0xbffff8f8 (gdb) print /x *((unsigned *)$ebp + 1) $3 = 0x804864d Return Address Saved %ebp [3][2][1][0] buf %ebp Stack Frame for main Stack Frame for echo 0xbffff8d8 Return Address Saved %ebp [3][2][1][0] buf Stack Frame for main Stack Frame for echo bffff8 0804864d xx 3/13/20168CS 3214 Fall 2010 8048648:call 804857c 804864d:mov 0xffffffe8(%ebp),%ebx # Return Point

9 Buffer Overflow Example #1 Before Call to gets Input = “123” No Problem 0xbffff8d8 Return Address Saved %ebp [3][2][1][0] buf Stack Frame for main Stack Frame for echo bffff8 0804864d 00333231 Return Address Saved %ebp [3][2][1][0] buf %ebp Stack Frame for main Stack Frame for echo 3/13/20169CS 3214 Fall 2010

10 Buffer Overflow Stack Example #2 Input = “12345” 8048592:push %ebx 8048593:call 80483e4 # gets 8048598:mov 0xffffffe8(%ebp),%ebx 804859b:mov %ebp,%esp 804859d:pop %ebp# %ebp gets set to invalid value 804859e:ret echo code: 0xbffff8d8 Return Address Saved %ebp [3][2][1][0] buf Stack Frame for main Stack Frame for echo bfff0035 0804864d 34333231 Return Address Saved %ebp [3][2][1][0] buf %ebp Stack Frame for main Stack Frame for echo Saved value of %ebp set to 0xbfff0035 Bad news when later attempt to restore %ebp 3/13/201610CS 3214 Fall 2010

11 Buffer Overflow Stack Example #3 Input = “12345678” Return Address Saved %ebp [3][2][1][0] buf %ebp Stack Frame for main Stack Frame for echo 0xbffff8d8 Return Address Saved %ebp [3][2][1][0] buf Stack Frame for main Stack Frame for echo 38373635 08048600 34333231 Invalid address No longer pointing to desired return point %ebp and return address corrupted 3/13/201611CS 3214 Fall 2010 8048648:call 804857c 804864d:mov 0xffffffe8(%ebp),%ebx # Return Point

12 Malicious Use of Buffer Overflow –Input string contains byte representation of executable code –Overwrite return address with address of buffer –When bar() executes ret, will jump to exploit code void bar() { char buf[64]; gets(buf);... } void foo(){ bar();... } Stack after call to gets() B return address A foo stack frame bar stack frame B exploit code pad data written by gets() 3/13/201612CS 3214 Fall 2010

13 Avoiding Overflow Vulnerability Use Library Routines that check/limit string lengths –fgets instead of gets –strncpy/strlcpy instead of strcpy –snprintf instead of sprintf –Don’t use scanf with %s conversion specification Use fgets to read the string /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ fgets(buf, 4, stdin); puts(buf); } 3/13/201613CS 3214 Fall 2010

14 Virtual Dispatch Tables What happens if you call a virtual method in Java or C++? (non-private, non-static) 3/13/2016CS 3214 Fall 201014 class A { FieldType1 field1; FieldType2 field2; … virtual void f(); virtual void g(); … } vtable field1 field2 vtable field1 field2 vtable field1 field2 A__table:.long A__f.long A__g A__table:.long A__f.long A__g // A.s A__f: … ret A__g: … ret // A.s A__f: … ret A__g: … ret Instances of A

15 Example of vtable Corruption #include using namespace std; class A { public: virtual void f() { cout << "In f\n"; } }; void exploit() { cout << "In exploit\n"; } void callf(A *a) { a->f(); } int main() { A a; #if 1 int vtable[1] = { (int) exploit }; * (int **)&a = vtable; #endif callf(&a); } 3/13/2016CS 3214 Fall 201015 If attacker can corrupt an object’s vtable pointer, they may be able to divert execution the next time the program calls a virtual function on that object. If attacker can corrupt an object’s vtable pointer, they may be able to divert execution the next time the program calls a virtual function on that object.

Download ppt "CS 3214 Computer Systems Godmar Back Lecture 7. Announcements Stay tuned for Project 2 & Exercise 4 Project 1 due Sep 16 Auto-fail rule 1: –Need at least."

Similar presentations

Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.

Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson

CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
Machine-Level Programming V: Miscellaneous Topics Topics Buffer Overflow Linux Memory Layout Understanding Pointers Floating-Point Code CS 105 Tour of.

Machine-Level Programming V: Miscellaneous Topics Topics Buffer Overflow Linux Memory Layout Understanding Pointers Floating-Point Code CS 105 Tour of.
Today C operators and their precedence Memory layout

Today C operators and their precedence Memory layout
Carnegie Mellon 1 Machine-Level Programming V: Advanced Topics 15-213: Introduction to Computer Systems 8 th Lecture, Sep. 16, 2010 Instructors: Randy.

Carnegie Mellon 1 Machine-Level Programming V: Advanced Topics : Introduction to Computer Systems 8 th Lecture, Sep. 16, 2010 Instructors: Randy.
Machine-Level Programming V: Miscellaneous Topics Sept. 24, 2002 Topics Linux Memory Layout Understanding Pointers Buffer Overflow Floating Point Code.

Machine-Level Programming V: Miscellaneous Topics Sept. 24, 2002 Topics Linux Memory Layout Understanding Pointers Buffer Overflow Floating Point Code.
Machine-Level Programming V: Miscellaneous Topics Topics Linux Memory Layout Buffer Overflow Floating Point Code CS213.

Machine-Level Programming V: Miscellaneous Topics Topics Linux Memory Layout Buffer Overflow Floating Point Code CS213.
– 1 – EECS213, S’08 Alignment Aligned Data Primitive data type requires K bytes Address must be multiple of K Required on some machines; advised on IA32.

– 1 – EECS213, S’08 Alignment Aligned Data Primitive data type requires K bytes Address must be multiple of K Required on some machines; advised on IA32.
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
September 22, 2014 Pengju (Jimmy) Jin Section E

September 22, 2014 Pengju (Jimmy) Jin Section E
Fabián E. Bustamante, Spring 2007 Machine-Level Prog. V – Miscellaneous Topics Today Buffer overflow Floating point code Next time Memory.

Fabián E. Bustamante, Spring 2007 Machine-Level Prog. V – Miscellaneous Topics Today Buffer overflow Floating point code Next time Memory.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
Introduction to x86 Assembly or “How does someone hack my laptop?”

Introduction to x86 Assembly or “How does someone hack my laptop?”
CSCE 815 Network Security Lecture 20 Intruders / Intrusion Detection April 3, 2003.

CSCE 815 Network Security Lecture 20 Intruders / Intrusion Detection April 3, 2003.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Machine Programming – IA32 memory layout and buffer overflow CENG331: Introduction to Computer Systems 7 th Lecture Instructor: Erol Sahin Acknowledgement:

Machine Programming – IA32 memory layout and buffer overflow CENG331: Introduction to Computer Systems 7 th Lecture Instructor: Erol Sahin Acknowledgement:
Carnegie Mellon 1 This week Buffer Overflow  Vulnerability  Protection.

Carnegie Mellon 1 This week Buffer Overflow  Vulnerability  Protection.
1 UCR Common Software Attacks EE 260: Architecture/Hardware Support for Security Slide credits: some slides from Dave O’halloran, Lujo Bauer (CMU) and.

1 UCR Common Software Attacks EE 260: Architecture/Hardware Support for Security Slide credits: some slides from Dave O’halloran, Lujo Bauer (CMU) and.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

Similar presentations

Ads by Google