Advanced Buffer Overflow: Pointer subterfuge

Slides:

Advertisements

Similar presentations

Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.

Advertisements

Buffer Overflow Prabhaker Mateti Wright State University.

Smashing the Stack for Fun and Profit

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

Review: Software Security David Brumley Carnegie Mellon University.

Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Buffer Overflows By Tim Peterson Joel Miller Dan Block.

Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:

Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.

Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.

Computer Security Buffer Overflow lab Eu-Jin Goh.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

September 22, 2014 Pengju (Jimmy) Jin Section E

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Software attacks Lorenzo Dematte’ Software Attacks Buffer Overflow.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.

Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Stack allocation and buffer overflow CSCE 531 Presentation by Miao XU

Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.

Software attacks Lorenzo Dematté Software attacks Advanced buffer overflow: heap smashing.

Mitigation of Buffer Overflow Attacks

Brian E. Brzezicki. This tutorial just illustrates the underlying concepts of buffer overflows by way of an extremely simple stack overflow  Most buffer.

Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 10 “Buffer Overflow”.

Buffer Overflow CS461/ECE422 Spring Reading Material Based on Chapter 11 of the text.

Buffer Overflow Attack-proofing by Transforming Code Binary Gopal Gupta Parag Doshi, R. Reghuramalingam The University of Texas at Dallas 11/15/2004.

Smashing the Stack Overview The Stack Region Buffer Overflow

CS216: Program and Data Representation University of Virginia Computer Science Spring 2006 David Evans Lecture 22: Unconventional.

Overflows & Exploits. In the beginning 11/02/1988 Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating,

Lecture 8: Buffer Overflow CS 436/636/736 Spring 2013 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)

Buffer Overflow Proofing of Code Binaries By Ramya Reguramalingam Graduate Student, Computer Science Advisor: Dr. Gopal Gupta.

Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.

What is exactly Exploit writing?  Writing a piece of code which is capable of exploit the vulnerability in the target software.

Part I The Basic Idea software sequence of instructions in memory logically divided in functions that call each other – function ‘IE’ calls function.

CNIT 127: Exploit Development Ch 8: Windows Overflows Part 2.

Buffer overflow and stack smashing attacks Principles of application software security.

CS 155 Section 1 PP1 Eu-Jin Goh. Setting up Environment Demo.

Buffer Overflow Attack- proofing of Code Binaries Ramya Reguramalingam Gopal Gupta Gopal Gupta Department of Computer Science University of Texas at Dallas.

Foundations of Network and Computer Security J J ohn Black CSCI 6268/TLEN 5550, Spring 2013.

CNIT 127: Exploit Development Ch 8: Windows Overflows Part 1.

Beyond Stack Smashing: Recent Advances In Exploiting Buffer Overruns Jonathan Pincus and Brandon Baker Microsoft Researchers IEEE Security and.

ROP Exploit. ROP Return Oriented Programming (ROP): is a hacking exploit technique where you exploit buffer overflow to inject a chain of gadgets. Each.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2014.

1 Introduction to Information Security , Spring 2016 Lecture 2: Control Hijacking (2/2) Avishai Wool.

Mitigation against Buffer Overflow Attacks

Buffer Overflow Buffer overflows are possible because C doesn’t check array boundaries Buffer overflows are dangerous because buffers for user input are.

CS 177 Computer Security Lecture 9

Return Oriented Programming

The Hardware/Software Interface CSE351 Winter 2013

Introduction to Information Security

Exploiting & Defense Day 2 Recap

Recitation: Attack Lab

CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst

Understanding Program Address Space

Lecture 9: Buffer Overflow*

Machine Level Representation of Programs (IV)

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2015.

Multi-modules programming

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2016.

Understanding and Preventing Buffer Overflow Attacks in Unix

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2013.

Return-to-libc Attacks

Implementing Functions: Overview

Presentation transcript:

Advanced Buffer Overflow: Pointer subterfuge Software attacks Advanced Buffer Overflow: Pointer subterfuge

The problem What is a pointer subterfuge? It is essentially a buffer overflow + pointer manipulation The pointer could be a function pointer (a pointer to a code section) or even a data pointer This technique can help bypassing stack checks

Function-pointer clobbering Recall code from the last lesson void func(void* arg, size_t len) { char buffer[100]; void (*f)() = ...; memcpy(buff, arg, len); //buffer overflow f(); ... } 0x00401212 AAAAAAAAAAA 004119A2 00000003 00000002 Return address a b 0012FE90 EBP saved unitiliazed f buffer StackCanary locals params The function pointer could be set to a value of our own choice! And without being caught by stack checks

Data pointer modification (1) It requires a particular stack configuration BUT a modified version of this attack is also used in heap smashing exploits The basic idea: modify a pointer to a memory region AND the value assigned to perform an arbitrary memory write It is often used as a building block for other attacks

Data pointer modification (2) void func(void* arg, size_t len) { char buffer[100]; int val; int* ptr; memcpy(buff, arg, len); //overflow ... *ptr = val; return; } My Memory AAAAAAAAAAA My value 004119A2 00000003 00000002 Return address 0012FE90 EBP saved unitiliazed ptr buffer StackCanary locals params val Even in this case, we don’t have canary or ret overwriting

Data pointer modification (2) void func(void* arg, size_t len) { char buffer[100]; int val; int* ptr; memcpy(buff, arg, len); //overflow ... *ptr = val; return; } AAAAAAAAAAA 004119A2 00000003 00000002 Return address 0012FE90 EBP saved unitiliazed ptr buffer StackCanary locals params val My value My Memory My value My Memory Old value

Litchfield exploit (1) The double cookie overwrite exploit uses a data pointer modification to defeat canary based protection in VC++ 7.0 Stores shellcode in buffer as usual Modifies the pointer to point to the global cookie Overwrites stack cookie and global cookie with the same value

Litchfield exploit (2) Random value computed at process startup and stored in .data section extern int global_cookie; void vulnerable_func(void* arg, size_t len) { char buffer[100]; int i; int* ptr; int stack_cookie; memcpy(buff, arg, len); //overflow ... *ptr = i; if (stack_cookie != global_cookie) //buffer overflow occurred! exit(); return; } Inserted by compiler at stack frame bottom Check inserted by compiler just before ret instruction

Litchfield exploit (2) locals params 0x1234568 extern int global_cookie; void vulnerable_func(void* arg, size_t len) { char buffer[100]; int i; int* ptr; int stack_cookie; memcpy(buff, arg, len); //overflow ... *ptr = i; if (stack_cookie != global_cookie) //buffer overflow occurred! exit(); return; } 0x00408080 0x00408080 AAAAAAAAAAA 0x0BADF00D 004119A2 00000003 00000002 Return address 0012FE90 EBP saved unitiliazed ptr buffer 0x12345678 locals params i stack_cookie

Litchfield exploit (2) locals params 0x0BADF00D extern int global_cookie; void vulnerable_func(void* arg, size_t len) { char buffer[100]; int i; int* ptr; int stack_cookie; memcpy(buff, arg, len); //overflow ... *ptr = i; if (stack_cookie != global_cookie) //buffer overflow occurred! exit(); return; } 0x00408080 AAAAAAAAAAA 004119A2 00000003 00000002 Return address 0012FE90 EBP saved unitiliazed ptr buffer 0x12345678 locals params i 0x0BADF00D 0x00408080 0x0BADF00D stack_cookie

Litchfield exploit (2) CHECK PASS!! locals params 0x0BADF00D extern int global_cookie; void vulnerable_func(void* arg, size_t len) { char buffer[100]; int i; int* ptr; int stack_cookie; memcpy(buff, arg, len); //overflow ... *ptr = i; if (stack_cookie != global_cookie) //buffer overflow occurred! exit(); return; } 0x00408080 CHECK PASS!! AAAAAAAAAAA 004119A2 00000003 00000002 Return address 0012FE90 EBP saved unitiliazed ptr buffer 0x12345678 locals params i 0x0BADF00D 0x00408080 0x0BADF00D stack_cookie

Data pointer modification (3) An arbitrary memory overwrite can be used to set a function pointer that is everywhere in our address space The problem is… find it! =) (more on this later, maybe…) extern void (* f)(); void func(void* arg, size_t len) { char buffer[100]; int val; int* ptr; memcpy(buff, arg, len); //overflow ... *ptr = val; return; } Set ptr to &f, and val to the code we want to execute

Virtual pointer smashing Virtual pointer (VPTR): what is this? C++ programming: virtual functions Inheritance without polymorphism class B { public: int i; void f() { printf(“Base”); } }; int main() { D d; d.f(); } call D::f() class D: public B { public: int i; void f() { printf(“Derived”); } }; > Derived

Virtual pointer smashing Inheritance with polymorphism class B { public: int i; virtual void f() { printf(“Base”); } }; int main() { B* b = new D(); b.f(); b = new B(); b.f(); } class D: public B { public: int i; void f() { printf(“Derived”); } }; > Derived > Base How can the compiler distinguish?

Virtual pointer smashing class B { public: int i; virtual void f() { printf(“Base”); } }; i (4 bytes) vptr (4 bytes) vtable void (*f)() … i (4 bytes) vptr (4 bytes) int main() { B* b = new D(); b.f();

Virtual pointer smashing class B { public: int i; virtual void f() { printf(“Base”); } }; i (4 bytes) vptr (4 bytes) vtable void (*f)() … int main() { B* b = new D(); b.f(); mov edx, DWORD PTR b mov eax, DWORD PTR [edx] call DWORD PTR [eax]

Virtual pointer smashing class B { public: int i; virtual void f() { printf(“Base”); } }; i (4 bytes) vtable void (*f)() … vptr (4 bytes) 0xDDDDDDDD 0x00170000 0x0012FF6C 0x00401050 buffer void foo() { printf("Foo!!\n"); } AAAAAAAA int main() { B* b = new D1(); char buffer[20]; memcpy(buffer, msg, 24); b->f(); return 0; } f

Virtual pointer smashing class B { public: int i; virtual void f() { printf(“Base”); } }; i (4 bytes) vtable void (*f)() … vptr (4 bytes) 0x0012FF6C 0xDDDDDDDD 0x00170000 0x0012FF68 0x00401050 buffer void foo() { printf("Foo!!\n"); } AAAAAAAA int main() { B* b = new D1(); char buffer[20]; memcpy(buffer, msg, 24); b->f(); return 0; } f

Virtual pointer smashing Demo?

Virtual pointer smashing This attack relies on the method adopted by C++ compilers to have dynamic binding It’s compiler specific: where to place the vptr/vtable is up to the implementation data vptr (4 bytes) VC++ (COM-aware compilers) data vptr (4 bytes) GCC This memory layout leaves space for another exploit (anyone interested?)