Presentation is loading. Please wait.

Presentation is loading. Please wait.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Published byRonald Harness Modified over 9 years ago

Similar presentations

Presentation on theme: "Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow."— Presentation transcript:

1 Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow

2 Buffer Overflow  a very common attack mechanism from 1988 Morris Worm to Code Red, Slammer, Sasser and many others from 1988 Morris Worm to Code Red, Slammer, Sasser and many others  prevention techniques known  still of major concern due to legacy of widely deployed buggy legacy of widely deployed buggy continued careless programming techniques continued careless programming techniques

3 Buffer Overflow Basics  caused by programming error  allows more data to be stored than capacity available in a fixed sized buffer buffer can be on stack, heap, global data buffer can be on stack, heap, global data  overwriting adjacent memory locations corruption of program data corruption of program data unexpected transfer of control unexpected transfer of control memory access violation memory access violation execution of code chosen by attacker execution of code chosen by attacker

4 Buffer Overflow Example

5

6 Buffer Overflow Attacks  to exploit a buffer overflow an attacker must identify a buffer overflow vulnerability in some program must identify a buffer overflow vulnerability in some program inspection, tracing execution, fuzzing toolsinspection, tracing execution, fuzzing tools understand how buffer is stored in memory and determine potential for corruption understand how buffer is stored in memory and determine potential for corruption

7 A Little Programming Language History  at machine level all data an array of bytes interpretation depends on instructions used interpretation depends on instructions used  modern high-level languages have a strong notion of type and valid operations not vulnerable to buffer overflows not vulnerable to buffer overflows does incur overhead, some limits on use does incur overhead, some limits on use  C and related languages have high-level control structures, but allow direct access to memory hence are vulnerable to buffer overflow hence are vulnerable to buffer overflow have a large legacy of widely used, unsafe, and hence vulnerable code have a large legacy of widely used, unsafe, and hence vulnerable code

8 Function Calls and Stack Frames

9 Stack Buffer Overflow  occurs when buffer is located on stack used by Morris Worm used by Morris Worm “Smashing the Stack” paper popularized it “Smashing the Stack” paper popularized it  have local variables below saved frame pointer and return address hence overflow of a local buffer can potentially overwrite these key control items hence overflow of a local buffer can potentially overwrite these key control items  attacker overwrites return address with address of desired code program, system library or loaded in buffer program, system library or loaded in buffer

10 Programs and Processes

11 Stack Overflow Example

12

13 Another Stack Overflow

14

15 Shellcode  code supplied by attacker often saved in buffer being overflowed often saved in buffer being overflowed traditionally transferred control to a shell traditionally transferred control to a shell  machine code specific to processor and operating system specific to processor and operating system traditionally needed good assembly language skills to create traditionally needed good assembly language skills to create more recently have automated sites/tools more recently have automated sites/tools

16 Shellcode Development  illustrate with classic Intel Linux shellcode to run Bourne shell interpreter  shellcode must marshall argument for execve() and call it marshall argument for execve() and call it include all code to invoke system function include all code to invoke system function be position-independent be position-independent not contain NULLs (C string terminator) not contain NULLs (C string terminator)

17 Example Shellcode

18 Example Stack Overflow Attack

19 More Stack Overflow Variants  target program can be: a trusted system utility a trusted system utility network service daemon network service daemon commonly used library code, e.g. image commonly used library code, e.g. image  shellcode functions spawn shell spawn shell create listener to launch shell on connect create listener to launch shell on connect create reverse connection to attacker create reverse connection to attacker flush firewall rules flush firewall rules break out of choot environment break out of choot environment

20 Buffer Overflow Defenses  buffer overflows are widely exploited  large amount of vulnerable code in use despite cause and countermeasures known despite cause and countermeasures known  two broad defense approaches compile-time - harden new programs compile-time - harden new programs run-time - handle attacks on existing programs run-time - handle attacks on existing programs

21 Compile-Time Defenses: Programming Language  use a modern high-level languages with strong typing not vulnerable to buffer overflow not vulnerable to buffer overflow compiler enforces range checks and permissible operations on variables compiler enforces range checks and permissible operations on variables  do have cost in resource use  and restrictions on access to hardware so still need some code inC like languagesl so still need some code inC like languagesl

22 Compile-Time Defenses: Safe Coding Techniques  if using potentially unsafe languages eg C  programmer must explicitly write safe code by design with new code by design with new code after code review of existing code, cf OpenBSD after code review of existing code, cf OpenBSD  buffer overflow safety a subset of general safe coding techniques (Ch 12) allow for graceful failure allow for graceful failure checking have sufficient space in any buffer checking have sufficient space in any buffer

23 Compile-Time Defenses: Language Extension, Safe Libraries  have proposals for safety extensions to C performance penalties performance penalties must compile programs with special compiler must compile programs with special compiler  have several safer standard library variants new functions, e.g. strlcpy() new functions, e.g. strlcpy() safer re-implementation of standard functions as a dynamic library, e.g. Libsafe safer re-implementation of standard functions as a dynamic library, e.g. Libsafe

24 Compile-Time Defenses: Stack Protection  add function entry and exit code to check stack for signs of corruption  use random canary e.g. Stackguard, Win /GS e.g. Stackguard, Win /GS check for overwrite between local variables and saved frame pointer and return address check for overwrite between local variables and saved frame pointer and return address abort program if change found abort program if change found issues: recompilation, debugger support issues: recompilation, debugger support  or save/check safe copy of return address e.g. Stackshield, RAD e.g. Stackshield, RAD

25 Run-Time Defenses: Non Executable Address Space  use virtual memory support to make some regions of memory non-executable e.g. stack, heap, global data e.g. stack, heap, global data need h/w support in MMU need h/w support in MMU long existed on SPARC / Solaris systems long existed on SPARC / Solaris systems recent on x86 Linux/Unix/Windows systems recent on x86 Linux/Unix/Windows systems  issues: support for executable stack code need special provisions need special provisions

26 Run-Time Defenses: Address Space Randomization  manipulate location of key data structures stack, heap, global data stack, heap, global data using random shift for each process using random shift for each process have large address range on modern systems means wasting some has negligible impact have large address range on modern systems means wasting some has negligible impact  also randomize location of heap buffers  and location of standard library functions

27 Run-Time Defenses: Guard Pages  place guard pages between critical regions of memory flagged in MMU as illegal addresses flagged in MMU as illegal addresses any access aborts process any access aborts process  can even place between stack frames and heap buffers at execution time and space cost at execution time and space cost

28 Other Overflow Attacks  have a range of other attack variants stack overflow variants stack overflow variants heap overflow heap overflow global data overflow global data overflow format string overflow format string overflow integer overflow integer overflow  more likely to be discovered in future  some cannot be prevented except by coding to prevent originally

29 Replacement Stack Frame  stack overflow variant just rewrites buffer and saved frame pointer so return occurs but to dummy frame so return occurs but to dummy frame return of calling function controlled by attacker return of calling function controlled by attacker used when have limited buffer overflow used when have limited buffer overflow e.g. off by one e.g. off by one  limitations must know exact address of buffer must know exact address of buffer calling function executes with dummy frame calling function executes with dummy frame

30 Return to System Call  stack overflow variant replaces return address with standard library function response to non-executable stack defences response to non-executable stack defences attacker constructs suitable parameters on stack above return address attacker constructs suitable parameters on stack above return address function returns and library function executes function returns and library function executes e.g.e.g. system(“shell commands”) attacker may need exact buffer address attacker may need exact buffer address can even chain two library calls can even chain two library calls

31 Heap Overflow  also attack buffer located in heap typically located above program code typically located above program code memory requested by programs to use in dynamic data structures, e.g. linked lists memory requested by programs to use in dynamic data structures, e.g. linked lists  no return address hence no easy transfer of control hence no easy transfer of control may have function pointers can exploit may have function pointers can exploit or manipulate management data structures or manipulate management data structures  defenses: non executable or random heap

32 Heap Overflow Example

33

34 Global Data Overflow  can attack buffer located in global data may be located above program code may be located above program code if has function pointer and vulnerable buffer if has function pointer and vulnerable buffer or adjacent process management tables or adjacent process management tables aim to overwrite function pointer later called aim to overwrite function pointer later called  defenses: non executable or random global data region, move function pointers, guard pages

35 Global Data Overflow Example

36 Summary  introduced basic buffer overflow attacks  stack buffer overflow details  shellcode  defenses compile-time, run-time compile-time, run-time  other related forms of attack replacement stack frame, return to system call, heap overflow, global data overflow replacement stack frame, return to system call, heap overflow, global data overflow

Download ppt "Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow."

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
MODERN OPERATING SYSTEMS Third Edition ANDREW S. TANENBAUM Chapter 3 Memory Management Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall,

MODERN OPERATING SYSTEMS Third Edition ANDREW S. TANENBAUM Chapter 3 Memory Management Tanenbaum, Modern Operating Systems 3 e, (c) 2008 Prentice-Hall,
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
K. Salah1 Buffer Overflow The crown jewel of attacks.

K. Salah1 Buffer Overflow The crown jewel of attacks.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
Teaching Buffer Overflow Ken Williams NC A&T State University.

Teaching Buffer Overflow Ken Williams NC A&T State University.
Teaching Buffer Overflow Ken Williams NC A&T State University.

Teaching Buffer Overflow Ken Williams NC A&T State University.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
Lecture 16 Buffer Overflow

Lecture 16 Buffer Overflow
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.

Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.
Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.

Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.
Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.

Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.
Shuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar, and Ravishankar K. Iyer Brett Hodges April 8, 2010.

Shuo Chen, Jun Xu, Emre C. Sezer, Prachi Gauriar, and Ravishankar K. Iyer Brett Hodges April 8, 2010.

Similar presentations

Ads by Google