Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSCD 303 Essential Computer Security Spring 2013 Lecture 17 Buffer Overflow Attacks.

Similar presentations


Presentation on theme: "CSCD 303 Essential Computer Security Spring 2013 Lecture 17 Buffer Overflow Attacks."— Presentation transcript:

1 CSCD 303 Essential Computer Security Spring 2013 Lecture 17 Buffer Overflow Attacks

2 Overview What are they? Look at most common – Stack Overflow Example Some Solutions

3 Buffer Overflow life Cycle 1. A malicious user finds vulnerability in a highly privileged program 2. User might be able to gain access to the system by overflowing a buffer and pushing code into return address space of a function call 3. Fixes are then made by patching code to prevent future attacks 4. Usually fix is to limit length of buffer

4 Question Are they still happening? YES !!!

5 National Cyber Alert System Technical Cyber Security Alert TA09-161A Adobe Acrobat and Reader Vulnerabilities Original release date: June 10, 2009 Last revised: -- Source: US-CERT Systems Affected * Adobe Reader versions 9.1.1 and earlier * Adobe Acrobat versions 9.1.1 and earlier Overview Adobe has released Security Bulletin APSB09-07, which describes several buffer overflow vulnerabilities that could allow a remote attacker to execute arbitrary code.

6 Buffer Overflows as Percent of Total Vulnerabilities DHS National Cyber Security Division/US-CERT National Vulnerability Database

7 The “Buffer Overflow” Problem Buffer is a contiguous block of memory, of a fixed size Buffer overflow is a spill, fill over the top, or bounds. Buffers can be over flown with too much data, if not checked This can be exploited by malicious program to change the flow of control to the malicious code

8 Anatomy of a Buffer Overflow Buffer Memory used to store user input, has fixed maximum size Buffer overflow When user input exceeds max buffer size Extra input goes into unexpected memory locations

9 A Small Example void get_input() { char buf[1024]; gets(buf); } void main(int argc, char*argv[]){ get_input(); } Malicious user enters > 1024 chars, but can only store 1024 chars Extra chars overflow buffer

10 10 More Examples void foo(char *s) { char buf[10]; strcpy(buf,s); printf(“buf is %s\n”,s); } … foo(“thisstringistolongforfoo”);

11 11 Address Space 0x00000000 0x08048000code static data bss heap shared library stack kernel space 0x42000000 0xC0000000 0xFFFFFFFF

12 Background- layout of the Virtual Space of a Process The layout of the virtual space of a process in Linux

13 Memory Explained Code and data consist of instructions and initialized, uninitialized global and static data respectively Runtime heap is used for dynamically allocated memory(malloc()); The stack is used whenever a function call is made – Think of the stack and temporary or scratch memory http://www.geeksforgeeks.org/memory-layout-of-c-program/

14 Stack Basics So, what is a stack? A stack is contiguous block of memory containing data Stack pointer (SP) – a register that points to the top of the stack The bottom of the stack is at fixed address Its size is dynamically adjusted by kernel at run time CPU implements instructions to PUSH onto and POP off the stack

15 15 C Call Stack When a function call is made Return address is put on the stack. Values of parameters are put on the stack Function saves stack frame pointer Local variables are put on the stack.

16 16 Parameters Return Address Calling Frame Pointer Local Variables A Stack Frame 00000000 Addresses SP BP BP = Base Pointer SP = Stack Pointer

17 17 Example – Buffer of A's Try to overflow a buffer and inject A's Proof of concept !!! See what happens

18 More Detail /* test buffer program */ #include void Test() { char buff[4]; printf("Some input: "); gets(buff); puts(buff); } int main(int argc, char *argv[ ]) { Test(); return 0; } ebp is stack frame pointer to previous frame Top of Stack http://www.tenouk.com/Bufferoverflowc/Bufferoverflow4.html

19 More Detail – gets(“AAA”)

20 More Detail – gets(“AAAAA”)

21 More Detail – gets(“AAAAAAAAAAAA”)

22 22 “Smashing the Stack” The general idea is to overflow a buffer so that it overwrites the return address. When the function is done it will jump to whatever address is on the stack. We put some code in the buffer and set the return address to point to it!

23 23 Before and After void foo(char *s) { char buf[100]; strcpy(buf,s); … address of s return-address saved sp buf address of s pointer to pgm Small Program

24 24 Issues How do we know what value the pointer should have (the new “return address”). –It’s the address of the buffer, but how do we know what address this is? How do we build the “small program” and put it in a string?

25 25 Guessing Addresses Typically you need the source code so you can estimate the address of both the buffer and the return-address. An estimate is often good enough! (more on this in a bit).

26 26 Building the small program Typically, the small program stuffed in to the buffer does an exec(). Sometimes it changes the password db or other files…

27 27 exec()‏ In Unix, the way to run a new program is with the exec() system call. –There is actually a family of exec() system calls… –This doesn't create a new process, it changes the current process to a new program. –To create a new process you need something else ( fork() ).

28 28 exec() example #include char *args[] = {"/bin/ls", NULL}; void execls(void) { execv("/bin/ls",args); printf(“I’m not printed\n"); }

29 This is more a more Typical Program #include void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); }

30 30 Generating a String You can take code like previous slide, and generate machine language Copy down the individual byte values and build a string – Use GDB, see reference at end of slides To do a simple exec requires less than 100 bytes Result is “Shellcode” A shellcode is an assembly language program which executes a shell, such as the '/bin/sh' for Unix/Linux shell, or the command.com shell on DOS and Microsoft Windows This is what goes into the buffer for injecting into the victim program

31 31 A Sample Program/String Does an exec() of /bin/ls: unsigned char cde[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0” “\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c” “\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/ls";

32 32 Some important issues Small program should be position- independent – able to run at any memory location. It can’t be too large, or we can’t fit program and new return-address on stack!

33 33 Attacking a real program Recall... idea is to feed a server a string that is too big for a buffer This string overflows buffer and overwrites the return address on stack Assuming we put our small program in the string, we need to know it’s address Not always easy to guess exact address of buffer in memory

34 34 NOPs Most CPUs have a No-Operation instruction – it does nothing but advance the instruction pointer. Usually we can put a bunch of these ahead of our program (in the string). As long as the new return-address points to a NOP we are OK.

35 35 Using NOPs Real program (exec /bin/ls or whatever)‏ new return address nop instructions Can point anywhere in here

36 36 Some Solutions Prevent Stack Overwriting StackGuard ProPolice

37 StackGuard Canary: random value, unpredictable to attacker Compiler technique: inserts canary before return address on stack Corrupt Canary: code halts program to thwart a possible attack Not comprehensive protection Source: C. Cowan et. al., StackGuard,

38 Canary Protection In General... Canary words known values placed between a buffer and control data on stack to monitor buffer overflows When buffer overflows, first data to be corrupted will be canary, and failed verification of canary data is therefore an alert of an overflow Idea references historic practice of using canaries in coal mines – Since they would be affected by toxic gases earlier than miners, thus providing a biological warning system

39 GCC Extension Pro-Police The "Stack-Smashing Protector" or SSP, also known as ProPolice, is an enhancement of the StackGuard concept written and maintained by Hiroaki Etoh of IBM Its name derives from the word propolis. ProPolice differs from StackGuard in three ways: ProPolice moves canary code generation from the back- end to the front-end of the compiler ProPolice also protects all saved registers, for example the frame pointer not only Return Address ProPolice, in addition to canary protection, also sorts array variables (where possible) to the highest part of the stack frame, to make it more difficult to overflow them and corrupt other variables It also creates copies of arguments of the function, and relocates them together with local variables, effectively protecting the arguments

40 Teaching Stack Overflow Threats Most Students –Are not attuned into dangers of buffer overflows –Can't recognize a buffer overflow vulnerability when they see it, so they don’t even think of it when coding –Do not inspect or test their code as well as one would like –Are often not made aware of buffer overflows by instructors or textbooks –Want you all to be the exceptions !!!!

41 41 References Classic Paper by Aleph One http://www-inst.eecs.berkeley.edu/~cs161/ fa08/papers/stack_smashing.pdf Creating Shellcode Here http://www.tenouk.com/Bufferoverflowc/Bufferoverflow5.html Prabhaker Mateti Buffer Overflow http://www.cs.wright.edu/~pmateti/InternetSecurity/Lectures/ BufferOverflow/#References Wikipedia Buffer Overflows http://en.wikipedia.org/wiki/Buffer_overflow_protection#GCC _Stack-Smashing_Protector_.28ProPolice.29

42 End


Download ppt "CSCD 303 Essential Computer Security Spring 2013 Lecture 17 Buffer Overflow Attacks."

Similar presentations


Ads by Google