CNIT 127: Exploit Development Ch 4: Introduction to Heap Overflows

Slides:



Advertisements
Similar presentations
Chapter 17 vector and Free Store John Keyser’s Modifications of Slides By Bjarne Stroustrup
Advertisements

Dynamic Memory Allocation (also see pointers lectures) -L. Grewe.
Chris Riesbeck, Fall 2007 Dynamic Memory Allocation Today Dynamic memory allocation – mechanisms & policies Memory bugs.
Computer Architecture CSCE 350
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
DSP Implementation Lecture 3. Anatomy of a DSP Project In VDSP Linker Description File (.LDF) Source Files (.asm,.c,.h,.cpp,.dat) Object Files (.doj)
DIEHARDER: SECURING THE HEAP. Previously in DieHard…  Increase Reliability by random positioning of data  Replicated Execution detects invalid memory.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Run time vs. Compile time
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
Software Development and Software Loading in Embedded Systems.
Memory Allocation CS Introduction to Operating Systems.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Runtime Environments Compiler Construction Chapter 7.
Software attacks Lorenzo Dematté Software attacks Advanced buffer overflow: heap smashing.
Introduction: Exploiting Linux. Basic Concepts Vulnerability A flaw in a system that allows an attacker to do something the designer did not intend,
Chapter 4 Processes. Process: what is it? A program in execution A program in execution usually usually Can also have suspended or waiting processes Can.
Mitigation of Buffer Overflow Attacks
CIS 450 – Network Security Chapter 7 – Buffer Overflow Attacks.
CNIT 127: Exploit Development Ch 4: Introduction to Format String Bugs.
1 Advanced Memory Management Techniques  static vs. dynamic kernel memory allocation  resource map allocation  power-of-two free list allocation  buddy.
Exploitation possibilities of memory related vulnerabilities
Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.
Lecture 9: Buffer Ovefflows and ROP EEN 312: Processors: Hardware, Software, and Interfacing Department of Electrical and Computer Engineering Spring 2014,
What is exactly Exploit writing?  Writing a piece of code which is capable of exploit the vulnerability in the target software.
CNIT 127: Exploit Development Ch 8: Windows Overflows Part 2.
+ Dynamic memory allocation. + Introduction We often face situations in programming where the data is dynamics in nature. Consider a list of customers.
Processes and Virtual Memory
1 Data Organization Example 1: Heap storage management –Keep track of free chunks of memory Example 2: A simple text editor –Maintain a sequence of lines.
1 Lecture07: Memory Model 5/2/2012 Slides modified from Yin Lou, Cornell CS2022: Introduction to C.
Buffer Overflows Taught by Scott Coté.-. _ _.-. / \.-. ((___)).-. / \ /.ooM \ / \.-. [ x x ].-. / \ /.ooM \ -/ \ /-----\-----/---\--\ /--/---\-----/-----\ / \-
CNIT 127: Exploit Development Ch 14: Protection Mechanisms.
Group 9. Exploiting Software The exploitation of software is one of the main ways that a users computer can be broken into. It involves exploiting the.
CNIT 127: Exploit Development Lecture 7: 64-bit Assembler Not in textbook.
Security Attacks Tanenbaum & Bo, Modern Operating Systems:4th ed., (c) 2013 Prentice-Hall, Inc. All rights reserved.
4P13 Week 7 Talking Points Memory Mgmt Data Structs 5.
By Anand George SourceLens.org Copyright. All rights reserved. Content Owner - Meera R (meera at sourcelens.org)
CNIT 127: Exploit Development Ch 8: Windows Overflows Part 1.
VM: Chapter 7 Buffer Overflows. csci5233 computer security & integrity (VM: Ch. 7) 2 Outline Impact of buffer overflows What is a buffer overflow? Types.
Beyond Stack Smashing: Recent Advances In Exploiting Buffer Overruns Jonathan Pincus and Brandon Baker Microsoft Researchers IEEE Security and.
Heap Overflows. What is a Heap? malloc(), free(), realloc() Stores global variables Automatic memory allocation/deallocation Allocated at runtime Implemented.
Heap Overflow Attacks.
Introduction to Information Security
Mitigation against Buffer Overflow Attacks
Storage Allocation Mechanisms
CS 140 Lecture Notes: Virtual Memory
Protecting Memory What is there to protect in memory?
Protecting Memory What is there to protect in memory?
Protecting Memory What is there to protect in memory?
Linux Userspace Process Memory Layout
malloc(): Dynamic Memory Management
Process Realization In OS
Checking Memory Management
CS 140 Lecture Notes: Virtual Memory
Module 2.2 COP4600 – Operating Systems Richard Newman
Dynamic Memory A whole heap of fun….
CS 140 Lecture Notes: Virtual Memory
CSC 495/583 Topics of Software Security Format String Bug (2) & Heap
CS 140 Lecture Notes: Virtual Memory
Understanding and Preventing Buffer Overflow Attacks in Unix
Buddy Allocation CS 161: Lecture 5 2/11/19.
Windows Development Dynadata Copyright, 2014 © DynaData S.A. 1/22.
COMP755 Advanced Operating Systems
Several Tips on Project 1
Run-time environments
Week 3: Format String Vulnerability
Threads CSE 2431: Introduction to Operating Systems
Presentation transcript:

CNIT 127: Exploit Development Ch 4: Introduction to Heap Overflows

What is a Heap?

Memory Map In gdb, the "info proc map" command shows how memory is used Programs have a stack, one or more heaps, and other segments malloc() allocates space on the heap free() frees the space

Heap and Stack

Heap Structure Size of previous chunk Size of this chunk Pointer to next chunk Pointer to previous chunk Data Size of previous chunk Size of this chunk Pointer to next chunk Pointer to previous chunk Data Size of previous chunk Size of this chunk Pointer to next chunk Pointer to previous chunk Data

A Simple Example

A Simple Example

Viewing the Heap in gdb

Exploit and Crash

Crash in gdb

Targeted Exploit

The Problem With the Heap

EIP is Hard to Control The Stack contains stored EIP values The Heap usually does not However, it has addresses that are used for writes To fill in heap data To rearrange chunks when free() is called

Action of Free() Must write to the forward and reverse pointers If we can overflow a chunk, we can control those writes Write to arbitrary RAM Image from mathyvanhoef.com, link Ch 5b

Target RAM Options Saved return address on the Stack Like the Buffer Overflows we did previously Global Offset Table Used to find shared library functions Destructors table (DTORS) Called when a program exits C Library Hooks

Target RAM Options "atexit" structure (link Ch 4n) Any function pointer In Windows, the default unhandled exception handler is easy to find and exploit

Project Walkthroughs Proj 8 Proj 8x Proj 5x Exploiting a write to a heap value Proj 8x Taking over a remote server Proj 5x Buffer overflow with a canary

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.