Presentation is loading. Please wait.

Presentation is loading. Please wait.

Review: Software Security David Brumley Carnegie Mellon University.

Similar presentations

Presentation on theme: "Review: Software Security David Brumley Carnegie Mellon University."— Presentation transcript:

1 Review: Software Security David Brumley Carnegie Mellon University

2 Basic Execution Model 2 Process Memory Stack Heap Processor Fetch, decode, execute read and write Code Data...

3 cdecl – the default for Linux & gcc 3 int orange(int a, int b) { char buf[16]; int c, d; if(a > b) c = a; else c = b; d = red(c, buf); return d; } … b a return addr caller’s ebp callee-save locals (buf, c, d ≥ 28 bytes if stored on stack) caller-save buf c return addr orange’s ebp … %ebp frame %esp stack parameter area (caller) orange’s initial stack frame to be created before calling red after red has been called grow

4 Be prepared to draw and analyze stack diagrams 4

5 Control Flow Hijack: Always Computation + Control computation + control shellcode (aka payload)padding&buf 5 code injection return-to-libc Heap metadata overwrite return-oriented programming... Same principle, different mechanism

6 Channeling Vulnerabilities... arise when control and data are mixed into one channel. 6

7 Buffer overflows Gaining control through... – Overwriting saved return addresses – Overwriting function pointers 7

8 format strings For non-variadic functions, the compiler: – knows number and types of arguments – emits instructions for caller to push arguments right to left – emits instructions for callee to access arguments via frame pointer (or stack pointer [advanced]) For variadic functions, the compiler emits instructions for the program to walk the stack at runtime for arguments 8

9 format string exploits Occur when the user can control the format string specifier Can be used to: 1.View memory (e.g., information disclosure) 2.Write to specific addresses 3.sprintf: expand user input to cause a buffer overflow 9

10 Defenses 10 computation + control shellcode (aka payload)padding&buf Primarily DEPPrimarily ASLR

11 How to attack with ASLR? Attack Brute Force Non- randomized memory Stack Juggling ret2text Func ptr ret2ret ret2pop GOT Hijacking GOT Hijacking ret2got 11

12 Return-Oriented Programming (ROP) how it works and when it is needed 12 Desired Shellcode Mem[v2] = v1 … argv argc return addr caller’s ebp buf (64 bytes) argv[1] buf %ebp %esp a3a3 v2v2 a2a2 v1v1 a1a1 a 1 : pop eax; ret a 2 : pop ebx; ret a 3 : mov [ebx], eax Desired store executed!

13 CFI Sound/Complete Sensitivity in program analysis CFI instrumentation CFI assumptions 13

14 Test In-class Timed Closed book, closed note, closed computer 14 Good Luck!

15 15 Questions?

16 END

17 17 Thought

Download ppt "Review: Software Security David Brumley Carnegie Mellon University."

Similar presentations

Ads by Google