Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 10 Buffer Overflow 1. A very common attack mechanism o First used by the Morris Worm in 1988 Still of major concern o Legacy of buggy code in.

Published byDiane Holmes Modified over 8 years ago

Similar presentations

Presentation on theme: "Chapter 10 Buffer Overflow 1. A very common attack mechanism o First used by the Morris Worm in 1988 Still of major concern o Legacy of buggy code in."— Presentation transcript:

1 Chapter 10 Buffer Overflow 1

2 A very common attack mechanism o First used by the Morris Worm in 1988 Still of major concern o Legacy of buggy code in widely deployed operating systems and applications o Continued careless programming practices by programmers 2

3 Buffer Overflow/Buffer Overrun A buffer overflow, also known as a buffer overrun, is defined in the NIST Glossary of Key Information Security Terms as follows: “A condition at an interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information. Attackers exploit such a condition to crash a system or to insert specially crafted code that allows them to gain control of the system.” 3

4 Buffer Overflow Basics Programming error when a process attempts to store data beyond the limits of a fixed-sized buffer Overwrites adjacent memory locations o Locations could hold other program variables, parameters, or program control flow data Buffer could be located on the stack, in the heap, or in the data section of the process Stack overflow: writing past the end of a buffer on the stack, and modify the stack to Return to a different address than that intended Include code that does something malicious Consequences: Corruption of program data Unexpected transfer of control Memory access violations Execution of code chosen by attacker 4

5 5

6 Stack Buffer Overflows Occur when buffer is located on stack Also referred to as stack smashing Stack frame When one function calls another it needs somewhere to save the return address Also needs locations to save the parameters to be passed in to the called function and to possibly save register values Both are stored in the stack frame 6

7 A Buggy Procedure Copies from its argument string argv[] to its local variable buffer[5] on the stack What if argv[] contains more than 5 chars? 7 int A(char argv[]) {char buffer[5]; strcpy(buffer,argv[1]); return 0; }

8 8 Stack Buffer Overflow Attack (a) Situation when main program is running (b) After procedure A() called (c) Buffer overflow alters the return address from A(). o Can be garbage that causes program crash, or can be address of a malicious program

9 Buffer Overflow Attacks To exploit a buffer overflow an attacker needs: To identify a buffer overflow vulnerability in some program that can be triggered using externally sourced data under the attacker’s control To understand how that buffer is stored in memory and determine potential for corruption Identifying vulnerable programs can be done by: Inspection of program source Tracing the execution of programs as they process oversized input Using tools such as fuzzing to automatically identify potentially vulnerable programs 9

10 Programming Language History Modern high-level languages have a strong notion of type and valid operations Not vulnerable to buffer overflows Does incur overhead, some limits on use C and related languages have high-level control structures, but allow direct access to memory Hence are vulnerable to buffer overflow Have a large legacy of widely used, unsafe, and hence vulnerable code 10

11 Table 10.2 Some Common Unsafe C Standard Library Routines 11

12 Shellcode Code supplied by attacker Often saved in buffer being overflowed Traditionally transferred control to a user command-line interpreter (shell) Traditionally written in assembly code Specific to processor and operating system Need good assembly language skills to create Metasploit Project ( http://www.metaexploit.com Provides useful information to people who perform penetration and exploit research 12

13 Stack Overflow Variants Target program can be: A trusted system utility Network service daemon Commonly used library code Shellcode functions Set up a listening service to launch a remote shell when connected to Create a reverse shell that connects back to the hacker Use local exploits that establish a shell Change firewall rules that currently block other attacks Break out of a chroot (restricted execution) environment, giving full access to the system 13

14 Buffer Overflow Defenses Buffer overflows are widely exploited Two broad defense approaches Compile-time Aim to harden programs to resist attacks in new programs Run-time Aim to detect and abort attacks in existing programs 14

15 Compile-Time Defenses: Programming Language Use a modern high-level language Not vulnerable to buffer overflow attacks Compiler enforces range checks and permissible operations on variables Disadvantages Additional code must be executed at run time to impose checks Flexibility and safety comes at a cost in resource use Distance from the underlying machine language and architecture means that access to some instructions and hardware resources is lost Limits their usefulness in writing code, such as device drivers, that must interact with such resources 15

16 Compile-Time Defenses: Safe Coding Techniques C designers placed much more emphasis on space efficiency and performance considerations than on type safety Assumed programmers would exercise due care in writing code Programmers need to inspect the code and rewrite any unsafe coding An example of this is the OpenBSD project Programmers have audited the existing code base, including the operating system, standard libraries, and common utilities This has resulted in what is widely regarded as one of the safest operating systems in widespread use 16

17 17 Both codes do not check destination buffer size, hence prune to buffer overflow attack

18 Compile-Time Defenses: Language Extensions/Safe Libraries Handling dynamically allocated memory is more problematic because the size information is not available at compile time o Requires an extension to the semantics of a pointer to include bounds information and the use of library routines to ensure these values are set correctly. Programs and libraries need to be recompiled Likely to have problems with third-party applications Concern with C is use of unsafe standard library routines o One approach is to replace these with safer variants Libsafe is an example; implemented as a dynamic library arranged to load before the existing standard libraries 18

19 Compile-Time Defenses: Stack Protection Add function entry and exit code to check stack for signs of corruption GCC extensions that insert additional function entry and exit code o Stackguard Added function entry code writes a random canary value below the old frame pointer address, before the allocation of space for local variables. Added function exit code checks that the canary value has not changed Stackshield and Return Address Defender (RAD) Added function entry code writes a copy of the return address to a safe region of memory Added function exit code checks the return address in the stack frame against the saved copy If change is found, aborts the program 19

20 Run-Time Defenses: Executable Address Space Protection Use virtual memory support to make some regions of memory non-executable Requires support from memory management unit (MMU) NX bit (No-eXecute) in modern CPUs Put in page table; says “don’t execute code in this page” Issues Some programs do need to place executable code on the stack, e.g., Java just-in-time compilers 20

21 Run-Time Defenses: Address Space Randomization Manipulate location of key data structures o Stack, heap, global data o Using random shift for each process o Takes advantage of large address range on modern CPUs Randomize location of heap buffers Random location of standard library functions 21

22 Run-Time Defenses: Guard Pages Place guard pages between critical regions of memory o Flagged in MMU as illegal addresses o Any attempted access aborts process Further extension places guard pages between multiple stack frames and heap buffers 22

23 Heap Overflow Attack buffer located in heap o Malloc() in C, and new() in C++ o Memory is requested by programs to use in dynamic data structures (such as linked lists of records) No return address o Hence no easy transfer of control o Attacker may change function pointers to point to shellcode Defenses Making the heap non-executable Randomizing the allocation of memory on the heap 23 Stack grows downward Heap grows upward

24 Global Data Overflow Can attack buffer located in global data o May be located above program code o If has function pointer and vulnerable buffer o Or adjacent process management tables o Aim to overwrite function pointer later called Defenses o Non executable or random global data region o Move function pointers o Guard pages 24

25 Integer Overflow Attack If arithmetic results exceed maximum integer size, computer stores an incorrect value Feed a program large params to cause integer overflow, then program may allocate a too-small buffer based on arithmetic result, hence enabling buffer overflow attack o Convert a dataflow attack into a control flow attack 25 int f() {! unsigned short x = 65535;! x++; // overflows to become 0! printf(“%d\n”,x); // memory safe! char *p = malloc(x); // size-0 buffer!! p[1] = ‘a’; // violation! }

26 Summary Other forms of overflow attacks o Heap overflows o Global data area overflows o Integer overflows Buffer overflows o Buffer overflow basics o Stack buffer overflows o Shellcode Defending against buffer overflows o Compile-time defenses o Run-time defenses 26

Download ppt "Chapter 10 Buffer Overflow 1. A very common attack mechanism o First used by the Morris Worm in 1988 Still of major concern o Legacy of buggy code in."

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Introduction to Memory Management. 2 General Structure of Run-Time Memory.

Introduction to Memory Management. 2 General Structure of Run-Time Memory.
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson

CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
Chapter 15 : Attacking Compiled Applications Alexis Kirat - International Student.

Chapter 15 : Attacking Compiled Applications Alexis Kirat - International Student.
Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.

Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.
Teaching Buffer Overflow Ken Williams NC A&T State University.

Teaching Buffer Overflow Ken Williams NC A&T State University.
Teaching Buffer Overflow Ken Williams NC A&T State University.

Teaching Buffer Overflow Ken Williams NC A&T State University.
Chapter 2: Impact of Machine Architectures What is the Relationship Between Programs, Programming Languages, and Computers.

Chapter 2: Impact of Machine Architectures What is the Relationship Between Programs, Programming Languages, and Computers.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
Lecture 16 Buffer Overflow

Lecture 16 Buffer Overflow
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

Similar presentations

Ads by Google