Presentation is loading. Please wait.

Presentation is loading. Please wait.

Buffer Overflow Prevention ”\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e \x89\xe3\x50\x53\x50\x54\x53\xb0\x3b\x50\xcd\x80” Presented to CRAB April.

Published byDaniel Robinson Modified over 9 years ago

Similar presentations

Presentation on theme: "Buffer Overflow Prevention ”\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e \x89\xe3\x50\x53\x50\x54\x53\xb0\x3b\x50\xcd\x80” Presented to CRAB April."— Presentation transcript:

1 Buffer Overflow Prevention ”\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e \x89\xe3\x50\x53\x50\x54\x53\xb0\x3b\x50\xcd\x80” Presented to CRAB April 27, 2004

2 Outline Buffer overflow review Prevention overview Randomized instruction sets Address randomization Solutions compared Conclusion

3 What is a Buffer Overflow? Intent  Arbitrary code execution Spawn a remote shell or infect with worm/virus  Denial of service Steps  Inject attack code into buffer  Redirect control flow to attack code  Execute attack code

4 Attack Possibilities Targets  Stack, heap, static area  Parameter modification (non-pointer data) E.g., change parameters for existing call to exec() Injected code vs. existing code Absolute vs. relative address dependencies Related Attacks  Integer overflows, double-frees  Format-string attacks

5 Typical Address Space 0x00000000 0x08048000code static data bss heap shared library stack kernel space 0x42000000 0xC0000000 0xFFFFFFFF From Dawn Song’s RISE: http://research.microsoft.com/projects/SWSecInstitute/slides/Song.ppt argument 2 argument 1 RA frame pointer locals buffer Attack code Address of Attack code

6 Examples (In)famous: Morris worm (1988)  gets() in fingerd Code Red (2001)  MS IIS.ida vulnerability Blaster (2003)  MS DCOM RPC vulnerability Mplayer URL heap allocation (2004) % mplayer http://`perl –e ‘print “\””x1024;’`

7 Preventing Buffer Overflows Strategies  Detect and remove vulnerabilities (best)  Prevent code injection  Detect code injection  Prevent code execution Stages of intervention  Analyzing and compiling code  Linking objects into executable  Loading executable into memory  Running executable

8 Preventing Buffer Overflows Splint - Check array bounds and pointers Non-executable stack Stackguard – put canary before RA Libsafe – replace vulnerable library functions RAD – check RA against copy Analyze call trace for abnormality PointGuard – encrypt pointers Binary diversity – change code to slow worm propagation PAX – binary layout randomization by kernel Randomize system call numbers

9 Preventing Buffer Overflows Randomize code  Barrantes, Ackley, Forrest, Palmer, Stefanovic, Zovi, “Randomized Instruction Set Emulation to Disrupt Binary Code Injection Attacks,” ACM CCS 2003. Randomize location of code/data  Bhatkar, DuVarney, Sekar, “Address Obfuscation: an Efficient Approach to Combat a Broad Range of Memory Error Exploits,” USENIX Security 2003.

10 Randomized Instruction Sets Threat: binary code injection from network Goal: de-standardize each system in an externally unobservable way Solution:  Each program has a different and secret instruction set  Use translator to randomize instructions at load- time Limits: no defense against data-only modifications

11 Data Scrambled Code RISE: loading binary Code Data Valgrind / RISEMemory ELF binary file + Key

12 RISE: executing code Hardware Data Scrambled Code Valgrind / RISEMemory + Key Code

13 RISE: foreign code Hardware Data Scrambled Code Valgrind / RISEMemory + Key Code Injected from network Scrambled Code SIGILL

14 Complications Shared libraries  Usually code from libraries is shared among multiple processes  RISE scrambles shared code, at increased memory expense Protecting plaintext  Descrambled code blocks stored in trace cache  Make cache read-only except when updating Entanglement  Should not use same libraries as process emulated  Some libraries use dispatch tables stored in code

15 Performance 9 out of 14 attacks failed due to Valgrind itself Others were stopped by RISE RISE costs ~5% more than Valgrind (which is 4-50x slower than native) Keeping “key” and shared libs triples memory x86 opcode space is dense, so “random” instruction might not be illegal

16 RISE: locations of crash 6% 25% Percentage of runs Offset from start address to failure location

17 Address Randomization Threat: memory error exploits Goal: remove predictability from memory access Solution:  Relocate memory regions  Permute order of variables and code  Introduce random gaps between objects Limits: not all are easy to implement with common ABIs at load-time

18 Randomizing Obfuscations Randomize base addresses of memory regions  Stack: subtract large value  Heap: allocate large block  DLLs: link with dummy lib  Code/static data: convert to shared lib, or re-link at different address Makes absolute address- dependent attacks harder code static data bss heap shared library stack kernel space

19 Randomizing Obfuscations Permute the order of variables / routines  Local variables in stack frame  Order of static variables  Order of routines in DLLs or executable Makes relative-address dependent attacks harder Not implemented by authors

20 Randomizing Obfuscations Introduce random gaps between objects  Randomly pad stack frames Between frame pointer and local variables  Randomly pad successive malloc() calls  Randomly pad between static variables  Add gaps inside routines and jump s to skip them Helps randomize objects which must maintain relative order First two are implemented by authors

21 Performance A probabilistic approach, increasing attacker’s expected work Each failed attempt results in crash; at restart, randomization is different ~3000 attempts for P(success) = 0.5 0-21% overhead on execution time Limited protection for:  Modifications within heap-allocated blocks  Overflows of adjacent data within stack frame or static variables

22 Comparison RISE xxx

23 Conclusion Common weaknesses:  Overflows onto adjacent data  Read/write attacks  Double-pointer attacks  Lack of information at runtime Distinguishing pointers from non-pointers Determining sizes of data objects Distinguishing code from data Static analysis + Link & Load-time randomization can be very effective (for now)

24 References Barrantes, Ackley, Forrest, Palmer, Stefanovic, Zovi, “Randomized Instruction Set Emulation to Disrupt Binary Code Injection Attacks,” ACM CCS 2003. Bhatkar, DuVarney, Sekar, “Address Obfuscation: an Efficient Approach to Combat a Broad Range of Memory Error Exploits,” USENIX Security 2003. Cowan, Beattie, Johansen, Wagle, “PointGuard: Protecting Pointers From Buffer Overflow Vulnerabilities,” USENIX Security 2003. Wilander, Kamkar, “A Comparison of Publicly Available Tools for Dynamic Buffer Overflow Prevention,” NDSS 2003.

Download ppt "Buffer Overflow Prevention ”\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e \x89\xe3\x50\x53\x50\x54\x53\xb0\x3b\x50\xcd\x80” Presented to CRAB April."

Similar presentations

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.

Dynamic Taint Analysis for Automatic Detection, Analysis, and Signature Generation of Exploits on Commodity Software Paper by: James Newsome and Dawn Song.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
K. Salah1 Buffer Overflow The crown jewel of attacks.

K. Salah1 Buffer Overflow The crown jewel of attacks.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
Instruction-Set Randomization “Countering Code-Injection Attacks With Instruction-Set Randomization” G. Kc, A. Keromytis, and V. Prevelakis CCS October.

Instruction-Set Randomization “Countering Code-Injection Attacks With Instruction-Set Randomization” G. Kc, A. Keromytis, and V. Prevelakis CCS October.
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:

Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:
Memory Management. 2 How to create a process? On Unix systems, executable read by loader Compiler: generates one object file per source file Linker: combines.

Memory Management. 2 How to create a process? On Unix systems, executable read by loader Compiler: generates one object file per source file Linker: combines.
Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.

Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
Lecture 16 Buffer Overflow

Lecture 16 Buffer Overflow
Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.

Efficient Instruction Set Randomization Using Software Dynamic Translation Michael Crane Wei Hu.
Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.

Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.
Address Space Layout Permutation

Address Space Layout Permutation
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Operating System Chapter 7. Memory Management Lynn Choi School of Electrical Engineering.

Operating System Chapter 7. Memory Management Lynn Choi School of Electrical Engineering.
Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Web Application Access to Databases. Logistics Test 2: May 1 st (24 hours) Extra office hours: Friday 2:30 – 4:00 pm Tuesday May 5 th – you can review.

Similar presentations

Ads by Google