Information Security - 2. A Stack Frame. Pushed to stack on function CALL The return address is copied to the CPU Instruction Pointer when the function.

Slides:



Advertisements
Similar presentations
Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Advertisements

Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.
Smashing the Stack for Fun and Profit
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
Network Security Attack Analysis. cs490ns - cotter2 Outline Types of Attacks Vulnerabilities Exploited Network Attack Phases Attack Detection Tools.
CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
Review: Software Security David Brumley Carnegie Mellon University.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
SCSC 555 Computer Security Chapter 10 Malicious software Part B.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
CMSC 414 Computer and Network Security Lecture 23 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.
Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.
Buffer Overflow. Process Memory Organization.
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
Netprog: Buffer Overflow1 Buffer Overflow Exploits Taken shamelessly from: netprog/overflow.ppt.
Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Buffer overflows.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Assembly, Stacks, and Registers Kevin C. Su 9/26/2011.
Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.
G53SEC 1 Software Security Overflows, overruns and (some) confusions.
Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.
More Network Security Threats Worm = a stand-alone program that can replicate itself and spread Worms can also contain manipulation routines to perform.
Buffer Overflows Lesson 14. Example of poor programming/errors Buffer Overflows result of poor programming practice use of functions such as gets and.
Mitigation of Buffer Overflow Attacks
University of Washington Today Happy Monday! HW2 due, how is Lab 3 going? Today we’ll go over:  Address space layout  Input buffers on the stack  Overflowing.
Buffer Overflow. Introduction On many C implementations, it is possible to corrupt the execution stack by writing past the end of an array. Known as smash.
Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.
Stack-based buffer overflows Yves Younan DistriNet, Department of Computer Science Katholieke Universiteit Leuven Belgium
What is exactly Exploit writing?  Writing a piece of code which is capable of exploit the vulnerability in the target software.
Part I The Basic Idea software sequence of instructions in memory logically divided in functions that call each other – function ‘IE’ calls function.
Shellcode Development -Femi Oloyede -Pallavi Murudkar.
JMU GenCyber Boot Camp Summer, Introduction to Penetration Testing Elevating privileges – Getting code run in a privileged context Exploiting misconfigurations.
ITEC 352 Lecture 19 Functions in Assembly. Functions + Assembly Review Questions? Project due on Friday Stacks Function activation / deactivation.
Buffer overflow and stack smashing attacks Principles of application software security.
Reminder Bomb lab is due tomorrow! Attack lab is released tomorrow!!
Vitaly Shmatikov Buffer Overflow and Stack Smashing slide 1.
Web Security Firewalls, Buffer overflows and proxy servers.
CMSC 414 Computer and Network Security Lecture 17 Jonathan Katz.
ROP Exploit. ROP Return Oriented Programming (ROP): is a hacking exploit technique where you exploit buffer overflow to inject a chain of gadgets. Each.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2014.
Software Security. Bugs Most software has bugs Some bugs cause security vulnerabilities Incorrect processing of security related data Incorrect processing.
@Yuan Xue Worm Attack Yuan Xue Fall 2012.
Shellcode COSC 480 Presentation Alison Buben.
Buffer Overflow Buffer overflows are possible because C doesn’t check array boundaries Buffer overflows are dangerous because buffers for user input are.
Buffer Overflow Walk-Through
Protecting Memory What is there to protect in memory?
The Hardware/Software Interface CSE351 Winter 2013
Protecting Memory What is there to protect in memory?
Protecting Memory What is there to protect in memory?
Recitation: Attack Lab
Buffer Overflow Walk-Through
CMSC 414 Computer and Network Security Lecture 21
CS 465 Buffer Overflow Slides by Kent Seamons and Tim van der Horst
Format String.
Smashing the Stack for Fun and Profit
CS703 - Advanced Operating Systems
Buffer Overflows.
Buffer Overflow and Stack Smashing
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2016.
Understanding and Preventing Buffer Overflow Attacks in Unix
FIGURE Illustration of Stack Buffer Overflow
Return-to-libc Attacks
Implementing Functions: Overview
Presentation transcript:

Information Security - 2

A Stack Frame. Pushed to stack on function CALL The return address is copied to the CPU Instruction Pointer when the function returns and it ’ s stack frame is POP ’ d.

The buffer overflow vulnerability. The user injected data writes beyond the unchecked buffer length, overwriting the stack frame return address!

Take control. The last byte of the buffer is the return address. To run arbitrary code of the users choice, set to the address of the buffer.

Stack Buffers Suppose Web server contains this function void func(char *str) { char buf[126]; strcpy(buf,str); } When this function is invoked, a new frame with local variables is pushed onto the stack Allocate local buffer (126 bytes reserved on stack) Copy argument into local buffer Top of stack Stack grows this way bufsfp ret addr str Local variables Frame of the calling function Execute code at this address after func() finishes Arguments Pointer to previous frame

What If Buffer is Overstuffed? Memory pointed to by str is copied onto stack… void func(char *str) { char buf[126]; strcpy(buf,str); } If a string longer than 126 bytes is copied into buffer, it will overwrite adjacent stack locations strcpy does NOT check whether the string at *str contains fewer than 126 characters buf str This will be interpreted as return address! overflow Top of stack Frame of the calling function

Executing Attack Code Suppose buffer contains attacker-created string – For example, *str contains a string received from the network as input to some network service daemon code str Frame of the calling function ret Attacker puts actual assembly instructions into his input string, e.g., binary code of execve(“/bin/sh”) In the overflow, a pointer back into the buffer appears in the location where the system expects to find return address Top of stack When function exits, code in the buffer will be executed, giving attacker a shell –Root shell if the victim program is setuid root

Spawn a shell. Write code such that a shell is spawned. – provides platform independent code to spawn a shell. Shell command is executed in the program ’ s security context. – Allows user impersonation – If program is running as root, the user now has total control of the host! – Establish a Virtual Machine based Root Kit (VMBR) Learn it in Next Session

End of Session-4 Thank You

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.