Bride of Buffer Overflow

Chapter 7: Bride of Buffer Overflow

Chapter Synopsis
- Integers
  - Wrap-around errors
  - Truncation and sign extension
  - Conversions between unsigned and signed
  - Methods to detect and prevent problems
- Runtime Protection
  - Safe Programming Languages
  - Safer C Dialects
  - Dynamic Buffer Overflow Protections

The Problem
Integers in a computer are not mathematical integers but a bounded approximation of them: they have a fixed width, a representation, and possibly a sign. Many arithmetic operations and many conversions can therefore return nonsense values because of these machine limitations. When such a nonsense value is used to size a memory allocation, to bound a string operation, or to index into a buffer, the result is a buffer overflow.

The 4-bit number wheels (figure; not reproduced in the transcript)

An example
An integer overflow causing a buffer overflow:

    u_int nresp;
    nresp = packet_get_int();
    if (nresp > 0) {
        response = xmalloc(nresp * sizeof(char *));
        for (i = 0; i < nresp; i++)
            response[i] = packet_get_string(NULL);
    }

A value of nresp = 1073741824 (2^30) causes problems: on a 32-bit system nresp * sizeof(char *) wraps around to 0, so a tiny buffer is allocated and the loop then stores pointers far past its end.

Other Problems
Subtracting from 0 can also cause problems (example on page 238 of the book, shown on the next slide).

Bad subtract from 0

    unsigned int readamt;
    readamt = getstringsize(...);
    if (readamt > 1024)
        return -1;
    readamt--;               // don't allocate space for '\n'
    buf = malloc(readamt);

If getstringsize returns 0, the upper-bound check passes and readamt-- wraps around to UINT_MAX, which is then passed to malloc.

Truncation and sign extension
When an integer is truncated to a narrower type, the most significant part is lost; when it is widened, the most significant bit is extended into the new bits, sometimes with unexpected results. Examples: -1 truncated to 4 bits is 15; a 4-bit 7 widened is still 7, but a 4-bit 15 (unsigned) can become -1 when it is widened as a signed value.
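The truncation and sign-extension rules described above, carried out for an arbitrary bit width so the 4-bit cases on the slide can be checked against real C types. This is an added example in C, not code from the slides or from the book they summarize; the helper names (truncate_to_bits, sign_extend, zero_extend, the widen_* helpers) and the sample inputs are chosen here for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Keep only the low `bits` bits of `value`.  This is what happens when a wider
 * integer is stored into a narrower one: the most significant part is lost.
 * Contract (assumed for this example): 1 <= bits <= 32. */
uint32_t truncate_to_bits(int64_t value, unsigned bits)
{
    uint64_t mask = (UINT64_C(1) << bits) - 1;
    return (uint32_t)((uint64_t)value & mask);
}

/* Widen the low `bits` bits of `value` as a two's-complement signed number:
 * the top bit of the narrow field is copied into every higher bit.
 * 4-bit 0b1111 therefore becomes -1, while 4-bit 0b0111 stays 7. */
int64_t sign_extend(uint32_t value, unsigned bits)
{
    uint64_t field = truncate_to_bits(value, bits);
    uint64_t sign_bit = UINT64_C(1) << (bits - 1);
    if (field & sign_bit)
        return (int64_t)(field | ~((sign_bit << 1) - 1)); /* fill upper bits with 1s */
    return (int64_t)field;
}

/* Widen the same field as an unsigned number: no sign bit, so 0b1111 stays 15. */
uint64_t zero_extend(uint32_t value, unsigned bits)
{
    return truncate_to_bits(value, bits);
}

/* The same two behaviours with real C types.  Widening a signed char copies
 * its sign bit into the int; widening an unsigned char does not.  Whether a
 * plain `char` is signed is implementation-defined (it is signed with gcc and
 * clang on x86), which is why a char used as a length or an index needs care.
 * Converting 0xFF to signed char is implementation-defined; gcc and clang
 * give -1, and this example assumes that. */
int widen_signed_char(unsigned char byte)   { signed char c = (signed char)byte; return c; }
int widen_unsigned_char(unsigned char byte) { return byte; }

int main(void)
{
    printf("-1 truncated to 4 bits:   %lu\n", (unsigned long)truncate_to_bits(-1, 4));
    printf("4-bit 0111 sign-extended: %lld\n", (long long)sign_extend(7, 4));
    printf("4-bit 1111 sign-extended: %lld\n", (long long)sign_extend(15, 4));
    printf("4-bit 1111 zero-extended: %llu\n", (unsigned long long)zero_extend(15, 4));
    printf("0xFF via signed char:     %d\n", widen_signed_char(0xFF));
    printf("0xFF via unsigned char:   %d\n", widen_unsigned_char(0xFF));
    return 0;
}
```

Note that the dangerous direction is the mixed one: a value stored through a narrow signed type and later read back as a wide integer. Compiling with -Wconversion (recommended on a later slide) flags most of the implicit narrowing conversions that set this up.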

Conversion between signed and unsigned
The problem is the high-order bit: the two types give it different semantics, so the same bit pattern has a different meaning. Bad example:

    char *a;
    short len = ????;
    if (len < 1024)
        a = malloc((int)len);

A negative len passes the check; the negative int is then converted to the unsigned size_t that malloc takes and becomes a huge allocation size.

What to do?
- Use unsigned types (watch out, though: they still wrap around)
- Expect bad assumptions
- Restrict numeric user input: use sanity checks
- Sanity-check values used to allocate and access memory
- Respect compiler warnings; use best practices for your compiler
- Understand integer conversion rules
- Verify conditions for operators that can overflow

Use best practices for CL (the Microsoft C/C++ compiler), from MSDN
- Compile with the highest possible warning level: /W4
- Watch out for integer-related compiler warnings
- Investigate all #pragma directives that disable overflow warnings
- Enable runtime integer error checks for conversion overflows with /RTCc (for debugging only)

Use best practices for gcc
- Compile with -Wconversion -Wsign-compare
- Check all #pragma directives that disable diagnostics
- Enable runtime overflow checks with -ftrapv (not for production builds)

Understand integer conversion rules
There is a plethora of rules, but the most important ones are: a lower-precision operand is usually promoted to the higher-precision type in an expression, but an unsigned type can be implicitly converted to a signed type even when not all of its values can be represented.

Verify conditions for operators that can overflow
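What "verify conditions for operators that can overflow" looks like in practice: check the operands before the multiplication, subtraction, addition or conversion, rather than inspecting the result afterwards (signed overflow is undefined behaviour in C, so a check after the fact may be optimized away). The block below is an added example in C, not code from the slides or the book; it reworks the three earlier cases (nresp * sizeof(char *), readamt--, and the negative short length) with explicit checks. The helper names, the optional out-pointer convention, the 1024 response limit and the sample inputs are assumptions made for this example.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Unsigned multiply with a wrap-around check, for count * element size before
 * an allocation.  Returns false if the product would wrap.  In every helper
 * below `out` may be NULL when only the yes/no answer is wanted. */
bool checked_mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return false;
    if (out) *out = a * b;
    return true;
}

/* Unsigned subtraction that refuses to go below zero: the readamt-- case. */
bool checked_sub_uint(unsigned a, unsigned b, unsigned *out)
{
    if (b > a)
        return false;
    if (out) *out = a - b;
    return true;
}

/* Signed addition tested against INT_MAX / INT_MIN *before* adding, so the
 * undefined behaviour of signed overflow never occurs. */
bool checked_add_int(int a, int b, int *out)
{
    if ((b > 0 && a > INT_MAX - b) || (b < 0 && a < INT_MIN - b))
        return false;
    if (out) *out = a + b;
    return true;
}

/* Signed-to-unsigned conversion check: a negative length must never reach
 * malloc, where it would turn into a huge size_t. */
bool short_to_size(short len, size_t *out)
{
    if (len < 0)
        return false;
    if (out) *out = (size_t)len;
    return true;
}

/* The packet example from the earlier slide with both checks applied: a sanity
 * limit on the count itself and a wrap check on the multiplication.  Returns
 * the byte size of the response table, or 0 when the request is rejected.
 * nresp comes from the network in the original; here it is a parameter so the
 * function can be exercised offline. */
size_t response_table_bytes(uint32_t nresp, uint32_t max_responses)
{
    size_t bytes;
    if (nresp == 0 || nresp > max_responses)
        return 0;                                  /* implausible count */
    if (!checked_mul_size(nresp, sizeof(char *), &bytes))
        return 0;                                  /* product would wrap */
    return bytes;
}

int main(void)
{
    unsigned r = 0;
    int sum = 0;

    /* 2^30 pointers: on a 32-bit system nresp * sizeof(char *) wraps to 0 */
    printf("nresp=1073741824 -> %lu bytes\n",
           (unsigned long)response_table_bytes(1073741824u, 1024));
    printf("nresp=16 -> %lu bytes\n", (unsigned long)response_table_bytes(16, 1024));

    /* readamt of 0 followed by readamt--: rejected instead of wrapping to UINT_MAX */
    printf("0 - 1 allowed? %d\n", checked_sub_uint(0, 1, &r));
    printf("INT_MAX + 1 allowed? %d\n", checked_add_int(INT_MAX, 1, &sum));
    printf("short -1 as a size allowed? %d\n", short_to_size(-1, NULL));
    return 0;
}
```

Build it with the gcc flags the slides recommend (-Wconversion -Wsign-compare) and it compiles cleanly, which is the point: the checks make the intended ranges explicit instead of relying on implicit conversions. The SafeInt and IntSafe libraries named on the next slide package the same kind of pre-operation checks.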

Use special libraries
- SafeInt (a C++ template class for checked integer arithmetic)
- IntSafe (C functions for checked arithmetic and conversions on Windows)

Safer programming languages/dialects
- Safe programming languages like Java, C#, Python and Ruby
- Safe dialects of C/C++ like CCured and Cyclone

Dynamic buffer overflow protections
Not a fix:
- Non-executable memory segments
- Compile-time instrumentation ("canaries")
- Virtual execution environments
- Hardened system libraries