Presentation is loading. Please wait.

Presentation is loading. Please wait.

Libsafe for Windows Shuo Chen Mentor: Timothy K. Tsai Avaya Labs Aug. 16, 2001.

Similar presentations


Presentation on theme: "Libsafe for Windows Shuo Chen Mentor: Timothy K. Tsai Avaya Labs Aug. 16, 2001."— Presentation transcript:

1 Libsafe for Windows Shuo Chen Mentor: Timothy K. Tsai Avaya Labs Aug. 16, 2001

2 Background: Libsafe for Linux Released in April 2000, Libsafe has gained popularity in the Linux community. Libsafe is very easy to install. Once installed, Libsafe does its job transparently. Libsafe does not need access to the source code of the program to be protected. Libsafe protection is system-wide. Libsafe automatically attaches to applications. Libsafe incurs only a slight overhead.

3 Motivation for porting Libsafe to Windows Windows is also susceptible to buffer overflow attacks. From 1999 to 2001, there were 54 buffer overflow bugs reported to SecurityFocus.com for Microsoft products running on Windows. Eleven of them were reported between Jan and August Our investigation reveals that: 1) 63% of executables and DLLs are still using unchecked string functions. 2) 83% of services are still using unchecked string functions. Unchecked string functions are still widely used in Windows system DLLs and applications. Windows is also susceptible to buffer overflow attacks. Unchecked string functions are still widely used in Windows system DLLs and applications.

4 Magic of Microsoft Detours Runtime insertion of the detour function and trampoline functions between source function and target function.

5 Sample exploit program Buffer (80 bytes) fp ra Attack code g & a b r u b f a f g e e r void foo(char * input_string) { char buffer[80]; strcpy(buffer,input_string); return; } /*input_string = attack code+garbage+&buffer total length = 88 bytes */ A vulnerable program running without Libsafe

6 Sample exploit program(cont.) Buffer (80 bytes) fp ra void foo(char * input_string) { char buffer[80]; strcpy(buffer,input_string); return; }/*len(input_string)=88 bytes*/ char * libsafeStrcpy( char *dest, const char * src) { if (src is longer than max_size) report the event; else return strcpy(dest,src); } A vulnerable program running with Libsafe max_size=80

7 Real exploit: vCard buffer overflow When a.vcf file contains a long BDAY string, a buffer in Windows Address Book (wab.exe) will overflow. BEGIN:VCARD VERSION:2.1 N:Chen;Shuo FN:Shuo Chen BDAY: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAA REV: T141800Z END:VCARD

8 Real exploit: Netscape Smartdownload 1.3 buffer overflow A component for URL parsing has an unchecked buffer. This is a test. Crash Me End test.

9 Real exploit: FrontPage Server Extension sub- component buffer overflow vulnerability When we make the following request: $ curl -e 'print "A"x258'` we get such response: HTTP Error 501 NOT IMPLEMENTED The server is unable to perform the method AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA at this time. But if that it is longer than 258 bytes, a buffer overflow will occur. $ curl -e 'print "A"x259'`

10 IIS running without Libsafe: Remote attack succeeds (Screen Shots) Start attack from kira Try to get a shell Get full access

11 IIS running with Libsafe: Remote attack fails (Screen Shots) Start attack from kira Try to get a shell Attack fails

12 Limitations of Libsafe The buffer overflow should be caused by the string functions intercepted by Libsafe. The program to be protected should use frame-pointers. The attack string should try to overwrite the return address. This implies that the buffer has to be on the stack. (Libsafe is bypassed when it cannot handle the situation. It does no harm to the program.)

13 My work in this summer Investigated the effectiveness of Libsafe on Windows Ported Libsafe to Windows Tested Libsafe with sample/real-world exploit programs Wrote a detailed TM This work will be distributed internally and externally

14 Acknowledgment My mentor: Tim Tsai ARC Help people: Tarek Warraky, Lookman Fazal and Eniko Kovacs My first-week-mentors: Navjot Singh and Hamilton Slye


Download ppt "Libsafe for Windows Shuo Chen Mentor: Timothy K. Tsai Avaya Labs Aug. 16, 2001."

Similar presentations


Ads by Google