BUFFER OVERFLOW. Tsega Gebreyonas, Sunny Choi. CS 265, November 18, 2003.

Slide 2: Overview
The basics
Attacks exploiting buffer overflow
Prevention and countermeasures
Recent case studies
Conclusion and observations

Slide 3: Why Study Buffer Overflow?
Known vulnerability class since the 1970s
"Computer vulnerability of the decade" [1]
Cause of at least half of all vulnerabilities found in operating systems
Code Red worm, 2001
Blaster worm, 2003

Slide 4: Basics of Buffer Overflow
"Stuffing" more data into a buffer than its allocated size, so the excess is written over whatever lies next to the buffer in memory.
Two types:
– corrupt the execution stack by writing past the end of an array (aka smashing the stack / stack overflow)
– corrupt the heap (heap overflow)

Slide 5: How Does Buffer Overflow Happen?
Careless use of a buffer without a bounds check
No automatic bounds checking for buffers in the C/C++ programming languages
Unsafe library function calls
Off-by-one errors
Old code reused for new purposes
Formatting and logic errors

Slide 6: Possible Causes of Buffer Overflow
Unterminated strings (a missing NUL) make string functions read or copy past the end of the buffer
Typical symptom: segmentation fault, crash

Slide 7: Process Memory Organization
Process memory regions, from lower to higher addresses:
  Lower memory addresses
    Text
    Data
    Heap   (grows toward higher addresses)
    Stack  (grows toward lower addresses)
  Higher memory addresses

Slide 8: Text and Data Regions
Text region
– Fixed by the program
– Includes the code (instructions)
– Read-only
Data region
– Contains initialized and uninitialized data
– Static variables are stored here

Slide 9: The Stack
Contains:
– local variables of functions
– the return address and the saved frame pointer of each active call
Used to:
– dynamically allocate the local variables used in functions
– pass parameters to functions
– return values from functions

Slide 10: The Stack (cont.)
– The stack pointer (SP) points to the top of the stack.
– The bottom of the stack is at a fixed address.
– The stack consists of logical stack frames that are pushed when a function is called and popped when it returns.
– The frame pointer (FP) points to a fixed location within a frame, so locals and arguments can be addressed at fixed offsets from it.

Slide 11: Example stack.c

    void function(int a, int b, int c)
    {
        char buffer1[5];
        char buffer2[10];
    }

    void main(void)
    {
        function(1, 2, 3);
    }

Slide 12: Example (cont. 1)
After 'gcc -S -o stack.s stack.c', the call to function is translated to:

    pushl $3
    pushl $2
    pushl $1
    call function

(This is the 32-bit x86 calling convention used throughout these slides; on x86-64 the first arguments are passed in registers rather than pushed, but the frame layout that matters for the overflow, locals below a saved frame pointer and return address, is the same.)

Slide 13: Example (cont. 2)
– The three arguments are pushed in reverse order onto the stack.
– The 'call' instruction pushes the EIP (the address of the instruction after the call, i.e. the return address) onto the stack.
Procedure prologue:

    push %ebp
    mov  %esp, %ebp
    sub  $20, %esp

Slide 14: Example (cont. 3)
– 'push %ebp' pushes the FP onto the stack (the saved frame pointer, SFP).
– 'mov %esp, %ebp' copies the current SP into EBP, making it the new FP.
– 'sub $20, %esp' allocates space for the local variables by subtracting their size from SP.
– The compiler keeps locals aligned to the word size (4 bytes), so:
– the 5-byte buffer takes 8 bytes (2 words),
– the 10-byte buffer takes 12 bytes (3 words),
– and SP is decreased by 20.

Slide 15: The Stack Frame
Layout after the prologue, from higher to lower addresses:
  c
  b
  a
  ret      (return address pushed by 'call')
  SFP      (saved frame pointer; EBP points here)
  buffer1  (8 bytes)
  buffer2  (12 bytes; ESP points at its start)

Slide 16: Principle of Stack Overflows
When a function is called:
– the address of the next instruction, ret, is stored on the stack, just above the local buffers;
– overflowing a local buffer overwrites ret, so when the function returns the EIP is loaded with the attacker's value.
The program then executes the code (e.g. some shellcode) at the new address chosen by the overflow.

Slide 17: Principle of Stack Overflows (cont.)
How to find where ret is, so it can be overwritten? Methods of improving the chances:
– a run of NOPs (a "sled") at the start of the payload, so the exact landing address need not be known;
– the shellcode (or some other code to execute) right after the sled;
– the guessed return address, repeated many times, at the end.
Overflow the buffer with this string: as long as ret is overwritten by any of the repeated copies of the address, and that address points anywhere into the sled, the shellcode will be executed.
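As an added example (not code from the slides or from Aleph One's paper), the layout on this slide modeled in C: the payload is built as sled, shellcode, repeated address, and then copied unchecked into a modeled stack region whose return-address slot sits at an offset the attacker does not know. The buffer address 0xbffff800, the sled and repeat sizes, and the four int3 bytes standing in for shellcode are constructed values for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for shellcode: four int3 (0xCC) bytes, so the layout is visible
 * without any real payload. */
static const unsigned char fake_shellcode[4] = { 0xCC, 0xCC, 0xCC, 0xCC };

#define NOP         0x90u                           /* x86 single-byte nop */
#define SLED_LEN    20                              /* sizes chosen for the demo */
#define ADDR_REPS   6
#define PAYLOAD_LEN (SLED_LEN + sizeof fake_shellcode + ADDR_REPS * 4)

/* sled | shellcode | guess guess guess ...  Returns bytes written, or 0 if
 * the output buffer is too small. */
size_t build_payload(unsigned char *out, size_t outsz, uint32_t guess)
{
    if (outsz < PAYLOAD_LEN) return 0;
    memset(out, NOP, SLED_LEN);
    memcpy(out + SLED_LEN, fake_shellcode, sizeof fake_shellcode);
    for (int i = 0; i < ADDR_REPS; i++)
        memcpy(out + SLED_LEN + sizeof fake_shellcode + 4 * i, &guess, 4);
    return PAYLOAD_LEN;
}

/* Model of the vulnerable function: the payload is copied with no bound into
 * a stack region that starts at the buffer, and the return-address slot sits
 * ret_off bytes above the buffer (unknown to the attacker). Returns the
 * 4-byte value the CPU would pop as the return address. */
uint32_t simulate_return(uint32_t guess, size_t ret_off)
{
    unsigned char stack[128] = {0};
    unsigned char payload[PAYLOAD_LEN];
    uint32_t ret;
    size_t len = build_payload(payload, sizeof payload, guess);
    if (len == 0 || ret_off + 4 > sizeof stack) return 0;
    memcpy(stack, payload, len);                 /* the strcpy() with no bound */
    memcpy(&ret, stack + ret_off, sizeof ret);
    return ret;
}

/* A return to 'target' works when it lands anywhere in the sled: the CPU
 * then slides down the nops into the shellcode. */
int lands_in_sled(uint32_t buf_addr, uint32_t target)
{
    return target >= buf_addr && target < buf_addr + SLED_LEN;
}

int main(void)
{
    const uint32_t buf_addr = 0xbffff800u;       /* constructed sample address */
    const uint32_t guess    = buf_addr + SLED_LEN / 2;
    for (size_t off = 24; off <= 44; off += 4) {
        uint32_t r = simulate_return(guess, off);
        printf("ret slot at +%2zu -> 0x%08x (%s)\n", off, r,
               lands_in_sled(buf_addr, r) ? "lands in sled" : "miss");
    }
    printf("ret slot at + 8 -> 0x%08x (slot inside the sled: all nops)\n",
           simulate_return(guess, 8));
    printf("ret slot at +30 -> 0x%08x (misaligned by 2 bytes: garbage)\n",
           simulate_return(guess, 30));
    return 0;
}
```

Two things the model makes visible that the slide only implies: the repeated address covers every 4-byte slot from offset 24 to 44, so the exact frame size need not be known, but the copies must be 4-byte aligned with the slot, and the guessed address must fall inside the sled rather than on the shellcode's last byte or beyond it.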

Slide 18: Stack Overflow Example
Deliberately vulnerable code: buffer holds 5 bytes and strcpy() copies str2 into it with no bound (and gets() is itself unbounded; it was removed from the language in C11).

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    void show_string(char *str2)
    {
        char buffer[5];
        strcpy(buffer, str2);            /* overflows for any str2 longer than 4 chars */
        printf("Your string is : %s\n", buffer);
    }

    int main(void)
    {
        char str1[10];
        gets(str1);                      /* no bound either */
        show_string(str1);
        exit(0);
    }

Slide 19: The Heap
Definition: contains memory that is dynamically allocated by the application (malloc, new).
Buffer overflow can happen here too
– although it is more difficult to exploit than a stack overflow, since there is no return address next to the buffer.

Slide 20: User Exploits of Heap Overflow
Overwrite data stored after the buffer:
– filenames
– passwords
– ...
Manipulate:
– pointers
– function pointers

Slide 21: Principle of Heap Overflows
Requires some preconditions to be met in the source code of the vulnerable binary:
– a buffer must be declared (or defined) first,
– a pointer must be declared after it, so that it lies above the buffer in memory.
Example:

    ...
    static char buf[BUFSIZE];
    static char *ptr_to_something;
    ...

Slide 22: Heap Overflow Picture
Before the overflow:
  BUFFER  : sometmpfile.tmp
  POINTER : -> (legitimate target)
After the overflow:
  BUFFER  : filled by the attacker
  POINTER : -> /root/.rhosts
The bytes that run past the buffer replace the pointer, so the program now operates on /root/.rhosts instead of its temporary file.
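The picture on this slide, as an added example that is not from the slides or from the w00w00 tutorial: a heap-allocated record holds a 16-byte name buffer followed by a filename pointer, and an unchecked copy into the buffer runs over the pointer. The record type, the setter functions and the filenames other than the slide's sometmpfile.tmp and /root/.rhosts are constructed for the demo; the pointer value written into the payload is taken directly from the program, where a real exploit would need an information leak or a known static address.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_LEN 16

/* Record laid out as on the slide: a fixed buffer, then a pointer. */
struct tmp_record {
    char        name[NAME_LEN];   /* BUFFER: attacker-controlled contents */
    const char *target;           /* POINTER: file the program will later open */
};

static const char legit_file[] = "sometmpfile.tmp";
static const char evil_file[]  = "/root/.rhosts";

struct tmp_record *record_new(void)
{
    struct tmp_record *r = calloc(1, sizeof *r);   /* lives on the heap */
    if (r) r->target = legit_file;
    return r;
}

/* The bug: the caller-supplied length is never compared with NAME_LEN.
 * name is the record's first member, so bytes past it land on target. */
void set_name_unsafe(struct tmp_record *r, const unsigned char *src, size_t len)
{
    memcpy((unsigned char *)r, src, len);
}

/* The fix: reject input that does not fit and always NUL-terminate. */
int set_name_safe(struct tmp_record *r, const unsigned char *src, size_t len)
{
    if (len >= NAME_LEN) return -1;
    memcpy(r->name, src, len);
    r->name[len] = '\0';
    return 0;
}

/* The slide's payload: fill the buffer, then the bytes of a pointer to the
 * attacker's filename (demo shortcut: the address is simply taken). */
size_t build_heap_payload(unsigned char *out, size_t outsz)
{
    const char *p = evil_file;
    size_t n = offsetof(struct tmp_record, target) + sizeof p;
    if (outsz < n) return 0;
    memset(out, 'A', offsetof(struct tmp_record, target));
    memcpy(out + offsetof(struct tmp_record, target), &p, sizeof p);
    return n;
}

/* Which file the program would open after the payload went through the
 * unsafe (use_safe == 0) or the safe setter. */
const char *target_after(int use_safe)
{
    static char answer[64];
    unsigned char payload[sizeof(struct tmp_record)];
    size_t n = build_heap_payload(payload, sizeof payload);
    struct tmp_record *r = record_new();
    if (!r || n == 0) return "";
    if (use_safe) set_name_safe(r, payload, n);
    else          set_name_unsafe(r, payload, n);
    snprintf(answer, sizeof answer, "%s", r->target);
    free(r);
    return answer;
}

/* 1 if the safe setter refuses the oversized payload. */
int safe_setter_rejects(void)
{
    unsigned char payload[sizeof(struct tmp_record)];
    size_t n = build_heap_payload(payload, sizeof payload);
    struct tmp_record *r = record_new();
    int rc = r ? set_name_safe(r, payload, n) : 0;
    free(r);
    return rc == -1;
}

int main(void)
{
    printf("before overflow: open(\"%s\")\n", legit_file);
    printf("after overflow via unsafe setter: open(\"%s\")\n", target_after(0));
    printf("safe setter rejects payload: %s\n", safe_setter_rejects() ? "yes" : "no");
    return 0;
}
```

The same pattern applies when the buffer and the pointer are separate allocations, but then the overflow also tramples the allocator's chunk header between them, which modern allocators check and which the w00w00 example on the next slides predates.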

Slide 23: Heap Overflow Example
(From the w00w00 heap tutorial, heap1; includes and the declaration syntax fixed.)

    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    #define BUFSIZE 16
    #define OVERSIZE 8

    int main(void)
    {
        unsigned long diff;
        /* two consecutive allocations: buf2 is expected to follow buf1 */
        char *buf1 = (char *)malloc(BUFSIZE), *buf2 = (char *)malloc(BUFSIZE);

        diff = (unsigned long)buf2 - (unsigned long)buf1;
        printf("buf1 = %p, buf2 = %p, diff = 0x%lx bytes\n", buf1, buf2, diff);

        memset(buf2, 'A', BUFSIZE - 1), buf2[BUFSIZE - 1] = '\0';
        printf("before overflow: buf2 = %s\n", buf2);

        /* write diff + OVERSIZE bytes from buf1: runs over buf2's chunk
           header and into the first OVERSIZE bytes of buf2 */
        memset(buf1, 'B', (size_t)(diff + OVERSIZE));
        printf("after overflow: buf2 = %s\n", buf2);

        return 0;
    }

Slide 24: Heap Overflow Example Results

    [root /w00w00/heap/examples/basic]# ./heap1
    buf1 = 0x804e000, buf2 = 0x804eff0, diff = 0xff0 bytes
    before overflow: buf2 = AAAAAAAAAAAAAAA
    after overflow: buf2 = BBBBBBBBAAAAAAA

The spacing between the two chunks depends on the allocator (a current glibc places two malloc(16) chunks much closer together than 0xff0 bytes), but the effect is the same: the first OVERSIZE bytes of buf2 are replaced by 'B'.

Slide 25: Why Not "Fix" Buffer Overflow?
Thousands of lines of legacy code run as root
Changing and re-checking every case is expensive
Trade-off: security vs. "time to market"
Attitude: "if it works ..." nobody cares
Traditional approach: get it to work first, then fix it
Security is not easy to verify until someone finds an issue; how do you figure out what will be at fault in the future?
Life cycle of a buffer overflow:
– vulnerability exploited
– patch for that program-specific attack

Slide 26: Buffer Overflow Countermeasures
Write secure code (the golden rule)
Terminate strings and pass the size of the buffer to functions (e.g. use strncpy instead of strcpy; note that strncpy does not NUL-terminate when the source fills the buffer, so the terminator must be written explicitly)
Careful use of C/C++ library functions
Don't trust inputs (validate all inputs)
Make the stack non-executable
Dynamic run-time checks
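A hardened version of the show_string() program from the stack overflow example slide, as an added example that is not from the slides: the destination size travels with the buffer, the copy always NUL-terminates, truncation is reported, and gets() is replaced by a bounded line read. The helper names (copy_bounded, read_line) are chosen for the demo; the 5-byte buffer matches the original example.

```c
#include <stdio.h>
#include <string.h>

#define BUF 5      /* same 5-byte buffer as show_string() on the earlier slide */

/* Bounded copy that always NUL-terminates dst. Returns 0 if src fit, 1 if
 * it was cut short. Same contract as BSD strlcpy(), written out here
 * because strlcpy is not in ISO C. */
int copy_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (dstsz == 0) return 1;
    if (n >= dstsz) {
        memcpy(dst, src, dstsz - 1);
        dst[dstsz - 1] = '\0';
        return 1;
    }
    memcpy(dst, src, n + 1);
    return 0;
}

/* Hardened show_string(): the size of the destination is always used. */
int show_string_safe(const char *str2)
{
    char buffer[BUF];
    int truncated = copy_bounded(buffer, sizeof buffer, str2);
    printf("Your string is : %s%s\n", buffer, truncated ? " (truncated)" : "");
    return truncated;
}

/* The strncpy() pitfall: with strlen(src) >= n it writes no terminator,
 * so a later printf("%s") reads past the buffer. Returns 1 if a NUL exists. */
int strncpy_terminates(const char *src)
{
    char buffer[BUF];
    memset(buffer, 'X', sizeof buffer);
    strncpy(buffer, src, sizeof buffer);
    return memchr(buffer, '\0', sizeof buffer) != NULL;
}

/* What copy_bounded leaves in a 5-byte buffer for a given input. */
const char *bounded_result(const char *src)
{
    static char buffer[BUF];
    copy_bounded(buffer, sizeof buffer, src);
    return buffer;
}

/* Replacement for gets(): fgets() with the real size, newline stripped. */
int read_line(char *dst, size_t dstsz, FILE *in)
{
    if (!fgets(dst, (int)dstsz, in)) return 0;
    dst[strcspn(dst, "\n")] = '\0';
    return 1;
}

int main(void)
{
    char str1[10];
    if (read_line(str1, sizeof str1, stdin))
        show_string_safe(str1);
    return 0;
}
```

Feeding "ABCDEFGHIJ" to the original show_string() writes past buffer into the saved frame pointer; here it yields "ABCD (truncated)" and a non-zero return that the caller can turn into an error instead of silently dropping data.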

Slide 27: Countermeasures (cont.)
Programming languages
– Automatically resize arrays (e.g. Perl, Java)
– Detect and prevent buffer overflows (e.g. Ada95, Java)
– Use C only when speed or low-level access is critical (almost all OSs are written in C nowadays)
Use compiler-based tools such as StackShield and StackGuard
– Whenever a function is called, a "canary" value is pushed on the stack between the local buffers and the saved frame pointer; it is checked before the function returns, so an overflow that reaches the return address is detected first.
– The same principle can be applied to heap overflows.
StackGuard frame layout, from higher to lower addresses:
  a
  ret
  SFP
  canary   (some unguessable value)
  buffer1
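The canary check modeled in C, as an added example that is not from the slides or from the StackGuard project: a frame layout with a canary word between the buffer and the saved frame pointer, a prologue that lays it down, an unbounded strcpy()-style copy, and an epilogue that refuses to return when the canary has changed. It also shows what the StackGuard "terminator" canary (the bytes NUL, LF, 0xff, CR) buys against string copies. The saved EBP and return values and all inputs are constructed for the demo.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Frame model with a canary word placed between the local buffer and the
 * saved frame pointer / return address. A write that runs off the buffer
 * has to pass through the canary before it can reach ret. */
struct guarded_frame {
    char     buffer[16];
    uint32_t canary;
    uint32_t sfp;
    uint32_t ret;
};

/* StackGuard's "terminator" canary: bytes NUL, LF, 0xff, CR. String
 * functions stop at the NUL, so a string overflow cannot write the canary
 * back intact and continue. (A "random" canary is chosen at process start
 * instead; the check below is the same.) */
#define TERMINATOR_CANARY 0x000aff0du

/* Prologue: lay down the canary before the saved registers. */
void frame_enter(struct guarded_frame *f, uint32_t sfp, uint32_t ret)
{
    memset(f->buffer, 0, sizeof f->buffer);
    f->canary = TERMINATOR_CANARY;
    f->sfp = sfp;
    f->ret = ret;
}

/* The bug: strcpy()-style copy into buffer with no bound. The copy is
 * capped at the frame size only so the model itself stays in bounds. */
void unchecked_strcpy(struct guarded_frame *f, const char *src)
{
    size_t n = strlen(src) + 1;
    if (n > sizeof *f) n = sizeof *f;
    memcpy((unsigned char *)f, src, n);      /* buffer is at offset 0 */
}

/* Epilogue: verify the canary before trusting the saved ret. Returns 1 if
 * the function may return normally, 0 for "stack smashing detected" (a real
 * implementation aborts the process here). */
int frame_leave(const struct guarded_frame *f)
{
    return f->canary == TERMINATOR_CANARY;
}

/* Run the guarded function on one input; returns what frame_leave says. */
int run_with_input(const char *input)
{
    struct guarded_frame f;
    frame_enter(&f, 0xbffff8f0u, 0x08048456u);   /* constructed sample values */
    unchecked_strcpy(&f, input);
    return frame_leave(&f);
}

/* An attacker who knows the canary tries to write it back unchanged and
 * carry on to ret. With a terminator canary the string copy stops at its
 * NUL byte. Returns 1 if the canary survived AND ret is still the original. */
int terminator_defeats_string_overflow(void)
{
    char input[16 + sizeof(uint32_t) + 8 + 1];
    struct guarded_frame f;
    memset(input, 'A', 16);
    memcpy(input + 16, &(uint32_t){TERMINATOR_CANARY}, sizeof(uint32_t));
    memset(input + 20, 'B', 8);                  /* meant for sfp and ret */
    input[28] = '\0';
    frame_enter(&f, 0xbffff8f0u, 0x08048456u);
    unchecked_strcpy(&f, input);
    return frame_leave(&f) && f.ret == 0x08048456u;
}

/* Constructed inputs. */
const char short_input[] = "hello";
const char smash_input[] = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";   /* 40 bytes */

int main(void)
{
    printf("short input: %s\n", run_with_input(short_input) ? "returns" : "smash detected");
    printf("40-byte input: %s\n", run_with_input(smash_input) ? "returns" : "smash detected");
    printf("canary replayed via strcpy: %s\n",
           terminator_defeats_string_overflow() ? "ret untouched" : "ret overwritten");
    return 0;
}
```

The check catches the overwrite only at function return, which is why StackGuard-style canaries stop the classic return-address attack but not an overflow that corrupts another local (a function pointer, a length) that is used before the function returns; memcpy()-style bugs with a controlled length are also not stopped by the terminator bytes, only detected by the value check.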

Slide 28: Case Studies
Code Red (I/II)
Blaster
– infected more than one million hosts over its first 24 hours of life, according to one estimate

Slide 29: Code Red I/II, 2001 - Effects
July 19th: spread to 250,000 computers in only 9 hours
Between the two worms, about 800,000 machines infected
An estimated $2.5 billion in damages
Defaced web sites
A failed attempt at a denial-of-service attack on www.whitehouse.gov

Slide 30: How Did Code Red Work?
Exploited a buffer overflow vulnerability in Microsoft Internet Information Server:
– attempts to connect to TCP port 80 on a randomly chosen host;
– the attacking host sends an HTTP GET request to the victim, attempting to exploit the buffer overflow in the Indexing Service;
– if the exploit is successful, the worm begins executing on the victim host.
The Code Red II worm exploited the very same vulnerability, except that it installed a back door designed to make the entire hard drive available to attackers over the Internet.

Slide 31: Blaster, 2003
Exploited a vulnerability in Microsoft's DCOM RPC interface
Execution:
– infect the host with the worm;
– add the executable to the registry so that it runs at Windows startup;
– generate an IP address and try to infect the computer at that address (60% of the time a fully random address, otherwise one near the host's own);
– send data to TCP port 135 to exploit the DCOM RPC vulnerability.
Impact:
– execution of arbitrary code with Local System privileges;
– denial-of-service condition.

Slide 32: Microsoft Manhunt
November 5, 2003, Microsoft:
– announces a $250,000 reward in a worldwide manhunt for the creator of Blaster;
– earmarks $4.5 million for bounties in future attacks.

Slide 33: Conclusions
Buffer overflows exist and will continue to pose a real threat
Tools can help (they are not the solution)
Best protection:
– be a defensive and educated programmer; write robust code in the first place

Slide 34: References
Aleph One, "Smashing The Stack For Fun And Profit," Phrack, Vol. 7, Issue 49, File 14 of 16.
Howard, M., LeBlanc, D., Writing Secure Code, second edition, Microsoft Press, 2003.
Graff, Mark G., Van Wyk, Kenneth R., Secure Coding, O'Reilly & Associates, July 2003.
Conover, Matt, and w00w00 Security Development, "w00w00 on Heap Overflows," January 1999, www.w00w00.org/files/articles/heaptut.txt
Festa, Paul, "Study says 'buffer overflow' is most common security bug," CNET News, November 23, 1999, http://news.com.com/2100-1001-233483.html?legacy=cnet
Fayolle, Pierre-Alain, "A Buffer Overflow Study: Attacks and Defenses," 2002, http://g0tr00t.mson.org/docs/nix/bof.html
Grover, Sandeep, "Buffer Overflow Attacks and Their Countermeasures," Linux Journal, March 2003.
