Presentation is loading. Please wait.

Presentation is loading. Please wait.

Avishai Wool, lecture 1 - 1 Introduction to Information Security Lecture 1.

Published byBennett Evans Modified over 8 years ago

Similar presentations

Presentation on theme: "Avishai Wool, lecture 1 - 1 Introduction to Information Security Lecture 1."— Presentation transcript:

1 Avishai Wool, lecture 1 - 1 Introduction to Information Security Lecture 1

2 Administration Course web site: http://course.cs.tau.ac.il/infosec13// Practical emphasis – challenging hands-on exercises. Make sure you attend the TIRGUL Final grade: 65% exam, 35% exercises Avishai Wool, lecture 1 - 2

3 Administration – cont. Go to to course page  Instructions tab Make sure you join the mailing list Important: Fill in the questionnaire ! –We need to understand your background Avishai Wool, lecture 1 - 3

4 Security goals and threats GOAL Data confidentiality Data integrity User authentication Privilege separation System availability THREAT Data exposure Data modification Masquerading Privilege elevation Denial of service Pre-Requisite to many attacks: getting malicious code to run on victim’s computer system Avishai Wool, lecture 1 - 4

5 Control Hijacking Basic Control Hijacking Attacks Avishai Wool, lecture 1 - 5

6 Control hijacking attacks Attacker’s goal: –Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control flow Examples. –Buffer overflow attacks –Integer overflow attacks –Format string vulnerabilities Avishai Wool, lecture 1 - 6

7 Example 1: buffer overflows Extremely common bug in C/C++ programs. –First major exploit: 1988 Internet Worm. fingerd. Source: NVD/CVE  20% of all vuln. 2005-2007:  10% Avishai Wool, lecture 1 - 7

8 What is needed Understanding C functions, the stack, and the heap. Know how system calls are made The exec() system call Attacker needs to know which CPU and OS used on the target machine: –Our examples are for x86 running Linux or Windows –Details vary slightly between CPUs and OSs: Little endian vs. big endian ( x86 vs. Motorola ) Stack Frame structure (Unix vs. Windows) Avishai Wool, lecture 1 - 8

9 Linux process memory layout unused 0x08048000 run time heap shared libraries user stack 0x40000000 0xC0000000 %esp brk Loaded from exec 0 Avishai Wool, lecture 1 - 9

10 exception handlers Stack Frame arguments return address stack frame pointer local variables SP Stack Growth high low callee saved registers Avishai Wool, lecture 1 - 10

11 What are buffer overflows? Suppose a web server contains a function: When func() is called stack looks like: argument: str return address stack frame pointer char buf[128] SP Avishai Wool, lecture 1 - 11 void func(char *str) { char buf[128]; strcpy(buf, str); do-something(buf); }

12 What are buffer overflows? void func(char *str) { char buf[128]; strcpy(buf, str); do-something(buf); } What if *str is 136 bytes long? After strcpy : argument: str return address stack frame pointer char buf[128] SP *str Problem: no length checking in strcpy() Avishai Wool, lecture 1 - 12

13 char buf[128] return address Basic stack exploit Suppose *str is such that after strcpy stack looks like: Program P: exec(“/bin/sh”) When func() exits, the user gets shell ! Note: attack code P runs in stack. (exact shell code by Aleph One) Program P low high Avishai Wool, lecture 1 - 13

14 The NOP slide Problem: how does attacker determine ret-address? Solution: NOP slide Guess approximate stack state when func() is called Insert many NOPs before program P: nop, xor eax,eax, inc ax, etc. etc. char buf[128] return address NOP Slide Program P low Avishai Wool, lecture 1 - 14 high

15 Details and examples Some complications: –Program P should not contain the ‘\0’ character. –Overflow should not crash program before func() exits. Sample remote stack smashing overflows: –(2007) Overflow in Windows animated cursors (ANI). LoadAniIcon() –(2005) Overflow in Symantec Virus Detection test.GetPrivateProfileString "file", [long string] Avishai Wool, lecture 1 - 15

16 Many unsafe libc functions strcpy (char *dest, const char *src) strcat (char *dest, const char *src) gets (char *s) scanf ( const char *format, … ) and many more. “Safe” libc versions strncpy(), strncat() are misleading –e.g. strncpy() may leave string unterminated. Windows C run time (CRT): –strcpy_s (*dest, DestSize, *src): ensures proper termination Avishai Wool, lecture 1 - 16

17 Buffer overflow opportunities Exception handlers: (Windows SEH attacks) –Overwrite the address of an exception handler in stack frame. Function pointers: (e.g. PHP 4.0.2, MS MediaPlayer Bitmaps) –Overflowing buf will override function pointer. Longjmp buffers: longjmp(pos) (e.g. Perl 5.003) –Overflowing buf next to pos overrides value of pos. Heap or stack buf[128] FuncPtr Avishai Wool, lecture 1 - 17

18 Corrupting method pointers Compiler generated function pointers (e.g. C++ code) After overflow of buf : ptr data Object T FP1 FP2 FP3 vtable method #1 method #2 method #3 ptr buf[256] data object T vtable NOP slide shell code

19 Finding buffer overflows To find overflow: –Run web server on local machine –Issue malformed requests (ending with “$$$$$” ) Many automated tools exist (called fuzzers) –If web server crashes, search core dump for “$$$$$” to find overflow location Construct exploit (not easy given latest defenses) Avishai Wool, lecture 1 - 19

20 Control Hijacking More Control Hijacking Attacks Avishai Wool, lecture 1 - 20

21 More Hijacking Opportunities Integer overflows: (e.g. MS DirectX MIDI Lib) Double free: double free space on heap. –Can cause memory mgr to write data to specific location –Examples: CVS server Format string vulnerabilities Avishai Wool, lecture 1 - 21

22 Integer Overflow Integer overflow: an arithmetic operation attempts to create a numeric value that is larger than can be represented within the available storage space. Example: Test 1: short x = 30000; short y = 30000; printf(“%d\n”, x+y); Test 2: short x = 30000; short y = 30000; short z = x + y; printf(“%d\n”, z); Will two programs output the same? What will they output? Avishai Wool, lecture 1 - 22

23 C Data Types short int 16bits [-32,768; 32,767] unsigned short int 16bits [0; 65,535] unsigned int 16bits [0; 4,294,967,295] int 32bits [-2,147,483,648; 2,147,483,647] long int 32 bits [-2,147,483,648; 2,147,483,647] signed char 8bits [-128; 127] unsigned char 8 bits [0; 255] Avishai Wool, lecture 1 - 23

24 When does casting occur in C? When assigning to a different data type For binary operators +, -, *, /, %, &, |, ^, –if either operand is an unsigned long, both are cast to an unsigned long –in all other cases where both operands are 32-bits or less, the arguments are both upcast to int, and the result is an int For unary operators –~ changes type, e.g., ~((unsigned short)0) is int –++ and -- does not change type Avishai Wool, lecture 1 - 24

25 Where Does Integer Overflow Matter? Allocating spaces using calculation. Calculating indexes into arrays Checking whether an overflow could occur Direct causes: –Truncation; Integer casting Avishai Wool, lecture 1 - 25

26 Integer Overflow: Example 1 const long MAX_LEN = 20K; char buf[MAX_LEN]; short len = strlen(input); if (len < MAX_LEN) strcpy(buf, input); Can a buffer overflow attack occur? If so, how long does input needs to be? Avishai Wool, lecture 1 - 26

27 Integer Overflows Example 2 (see Phrack 60) Problem: what happens when int exceeds max value? int m;(32 bits) short s;(16 bits) char c; (8 bits) c = 0x80 + 0x80 = 128 + 128 ⇒ c = 0 s = 0xff80 + 0x80 ⇒ s = 0 m = 0xffffff80 + 0x80 ⇒ m = 0 Can this be exploited? Avishai Wool, lecture 1 - 27

28 void func( char *buf1, *buf2, unsigned int len1, len2) { char temp[256]; if (len1 + len2 > 256) {return -1} // length check memcpy(temp, buf1, len1); // concatenate buffers memcpy(temp+len1, buf2, len2); do-something(temp); // do stuff } What if len1 = 0x80, len2 = 0xffffff80 ? ⇒ len1+len2 = 0 Second memcpy() will overflow stack (or heap) !! Avishai Wool, lecture 1 - 28

29 Source: NVD/CVE Integer overflow exploit stats Avishai Wool, lecture 1 - 29

30 Format string bugs Avishai Wool, lecture 1 - 30

31 Format string problem int func(char *input) { fprintf( stderr, input); } “input” is treated as a format string – missing arguments If “input” includes % formats – access places on stack Problem: what if * input = “%s%s%s%s%s%s%s” ?? –Most likely program will crash: DoS. –If not, program will print memory contents. Privacy? Correct form: fprintf( stdout, “%s”, input); Avishai Wool, lecture 1 - 31

32 Format string attacks (“%n”) “%n” format writes the number of bytes formatted so far into a variable! printf(“abc %n”, &x) will change the value of the variable x (to 4) –in other words, the parameter value on the stack is interpreted as a pointer to an integer value, and the place pointed by the pointer is overwritten Avishai Wool, lecture 1 - 32

33 Exploit Dumping arbitrary memory: –Walk up stack until desired pointer is found. –printf( “%08x.%08x.%08x.%08x|%s|”) Writing to arbitrary memory: –printf( “hello %n”, &temp) -- writes ‘6’ into temp. –printf( “%08x.%08x.%08x.%08x.%n”) Avishai Wool, lecture 1 - 33

34 History First exploit discovered in June 2000. Examples: –wu-ftpd 2.* :remote root –Linux rpc.statd:remote root –IRIX telnetd:remote root –BSD chpass:local root Avishai Wool, lecture 1 - 34

35 Vulnerable functions Any function using a format string. Printing: printf, fprintf, sprintf, … vprintf, vfprintf, vsprintf, … Logging: syslog, err, warn Avishai Wool, lecture 1 - 35

36 Control Hijacking Platform Defenses Avishai Wool, lecture 1 - 36

37 Preventing hijacking attacks 1. Fix bugs: –Audit software Automated tools: Coverity, Prefast/Prefix. –Rewrite software in a type safe languange (Java, ML) Difficult for existing (legacy) code … 2.Concede overflow, but prevent code execution 3. Add runtime code to detect overflows exploits –Halt process when overflow exploit detected –StackGuard, LibSafe, … Avishai Wool, lecture 1 - 37

38 Marking memory as non-execute (W^X) Prevent attack code execution by marking stack and heap as non- executable NX -bit on AMD Athlon 64, XD -bit on Intel P4 Prescott –NX bit in every Page Table Entry (PTE) Deployment: – Linux (via PaX project); OpenBSD – Windows: since XP SP2 (DEP) Boot.ini : /noexecute=OptIn or AlwaysOn Visual Studio: /NXCompat[:NO] Limitations: –Some apps need executable heap (e.g. JITs). –Does not defend against `return-to-libc’ exploits

39 Examples: DEP controls in Windows DEP terminating a program Avishai Wool, lecture 1 - 39

40 Attack: return to libc Control hijacking without executing code args ret-addr sfp local buf stack exec() printf() “/bin/sh” libc.so Avishai Wool, lecture 1 - 40

41 Response: randomization ASLR : ( Address Space Layout Randomization) –Map shared libraries to rand location in process memory  Attacker cannot jump directly to exec function –Deployment: (/DynamicBase) Windows Vista:8 bits of randomness for DLLs –aligned to 64K page in a 16MB region  256 choices Linux (via PaX):16 bits of randomness for libraries –More effective on 64-bit architectures Other randomization methods: –Sys-call randomization: randomize sys-call id’s –Instruction Set Randomization ( ISR ) Avishai Wool, lecture 1 - 41

42 ASLR Example Booting twice loads libraries into different locations: Avishai Wool, lecture 1 - 42

Download ppt "Avishai Wool, lecture 1 - 1 Introduction to Information Security Lecture 1."

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
What is a pointer? First of all, it is a variable, just like other variables you studied So it has type, storage etc. Difference: it can only store the.

What is a pointer? First of all, it is a variable, just like other variables you studied So it has type, storage etc. Difference: it can only store the.
CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson

CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Basic Control Hijacking Attacks

Basic Control Hijacking Attacks
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Avishai Wool, lecture 1 - 1 Introduction to Information Security Lecture 1.

Avishai Wool, lecture Introduction to Information Security Lecture 1.
1 Information Security – Theory vs. Reality 0368-4474-01, Winter 2011 Lecture 8: Control hijacking attacks Eran Tromer Slides credit: Dan Boneh, Stanford.

1 Information Security – Theory vs. Reality , Winter 2011 Lecture 8: Control hijacking attacks Eran Tromer Slides credit: Dan Boneh, Stanford.
Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.

Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
Teaching Buffer Overflow Ken Williams NC A&T State University.

Teaching Buffer Overflow Ken Williams NC A&T State University.
1 Control Hijacking Attacks Buffer overflows and format string bugs.

1 Control Hijacking Attacks Buffer overflows and format string bugs.
Preventing Buffer Overflow Attacks. Some unsafe C lib functions strcpy (char *dest, const char *src) strcat (char *dest, const char *src) gets (char *s)

Preventing Buffer Overflow Attacks. Some unsafe C lib functions strcpy (char *dest, const char *src) strcat (char *dest, const char *src) gets (char *s)
1 Control Hijacking Attacks Buffer overflows and format string bugs.

1 Control Hijacking Attacks Buffer overflows and format string bugs.
Control Hijacking Attacks Note: project 1 is out Section this Friday 4:15pm.

Control Hijacking Attacks Note: project 1 is out Section this Friday 4:15pm.
Teaching Buffer Overflow Ken Williams NC A&T State University.

Teaching Buffer Overflow Ken Williams NC A&T State University.
1 Buffer Overflow Attacks and Format String bugs.

1 Buffer Overflow Attacks and Format String bugs.
Netprog: Buffer Overflow1 Buffer Overflow Exploits Taken shamelessly from: netprog/overflow.ppt.

Netprog: Buffer Overflow1 Buffer Overflow Exploits Taken shamelessly from: netprog/overflow.ppt.
CS426Fall 2010/Lecture 111 Computer Security CS 426 Lecture 11 Software Vulnerabilities: Input Validation Issues & Buffer Overflows.

CS426Fall 2010/Lecture 111 Computer Security CS 426 Lecture 11 Software Vulnerabilities: Input Validation Issues & Buffer Overflows.

Similar presentations

Ads by Google