Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Crispin Cowan SANS 2000.


1 Buffer Overflows: Attacks and Defenses for the Vulnerability of the Decade Crispin Cowan SANS 2000

2 Buffer Overflows Inject and execute attack code with the privileges of the vulnerable program, e.g. exec("/bin/sh").


4 Inject Code On the stack (automatic variables); on the heap (malloc’d variables); in static data areas. The code does not need to be in the overflowing buffer.

5 Use Code Already There Call exec(arg) that is already in the program, with arg made to point at “/bin/sh”.

6 Jump to Attacker’s Code Activation record: overflow into the return address on the stack and make it point at the code. Function pointers: overflow into a function pointer such as “void (*foo)()” and make it point at the code.

7 Buffer Overflow Defenses Writing correct code: vulnerable programs continue to emerge on a regular basis; C has many error-prone idioms and a culture that favors performance over correctness. Static analysis tools: Fortify looks for vulnerable constructs, but reports too many false positives.

8 Buffer Overflow Defenses Non-executable buffers. Non-executable data segments: optimizing compilers emit code into program data segments, so this breaks legitimate programs. Non-executable stack segments: highly effective against code injection on the stack, but not against code injected into the heap or static variables.

9 Buffer Overflow Defenses Array bounds checking: can run 12x to 30x slower; a[3] is checked but *(a+3) is not.

10 Buffer Overflow Defenses Type-safe languages (Java or ML): there are millions of lines of C code in operating systems and security applications, and the Java Virtual Machine itself is a C program that can be attacked.


12 Canary Terminator canary: 0 (NUL), CR, LF, -1 (EOF). These are the bytes at which strcpy(), gets() and similar routines stop, so an overflow made through them cannot write past the canary without also ending the copy. Random canary: a 32-bit random number, which the attacker must reproduce exactly to overwrite the return address undetected.
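The return-address overwrite of slide 6 and the two canary designs of slide 12, as an added example that is not from Cowan's talk or from StackGuard's own code: a StackGuard-style canary check modelled in a struct rather than a real stack frame, so the writes stay inside one object and the outcome does not depend on the compiler's frame layout. The canary value, the two return addresses, the function names and the attacker payload are this example's assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for an activation record, lowest address first: the overflowed
 * local, the StackGuard canary, then the saved return address. A struct is
 * used instead of the real stack so every write stays inside one object and
 * the result does not depend on the compiler's frame layout (assumption). */
struct frame {
    char     buf[16];
    uint32_t canary;
    uint32_t ret;      /* models the saved return address */
};

/* Terminator canary: NUL, CR, LF, EOF (0xff). The NUL stops strcpy(); the
 * LF stops gets()/fgets(); the EOF byte ends getc()-style loops. */
#define TERMINATOR_CANARY 0x000d0affu
#define ORIGINAL_RET      0x08048abcu  /* hypothetical legitimate caller */
#define ATTACK_RET        0xbffff7c0u  /* hypothetical address of injected code */

static void frame_init(struct frame *f, uint32_t canary) {
    memset(f->buf, 0, sizeof f->buf);
    f->canary = canary;
    f->ret = ORIGINAL_RET;
}

/* StackGuard's function epilogue: refuse to return if the word changed. */
static int canary_intact(const struct frame *f, uint32_t expected) {
    return f->canary == expected;
}

/* Models strcpy(f->buf, src): copies through the first NUL of src with no
 * knowledge of sizeof buf, so it runs on into canary and ret. */
static void strcpy_into_frame(struct frame *f, const unsigned char *src) {
    unsigned char *dst = (unsigned char *)f;
    for (size_t i = 0; i < sizeof *f; i++) {
        dst[i] = src[i];
        if (src[i] == 0) break;   /* the copy stops here, NUL included */
    }
}

/* Models read(fd, f->buf, n) or memcpy(): copies exactly n bytes, NULs and all. */
static void read_into_frame(struct frame *f, const unsigned char *src, size_t n) {
    memcpy(f, src, n > sizeof *f ? sizeof *f : n);
}

/* Classic stack smash: 16 filler bytes, the attacker's idea of the canary so
 * the check still passes, then the new return address. Returns the length. */
static size_t build_payload(unsigned char *out, uint32_t canary_guess, uint32_t new_ret) {
    memset(out, 'A', 16);
    memcpy(out + 16, &canary_guess, sizeof canary_guess);  /* native byte order */
    memcpy(out + 20, &new_ret, sizeof new_ret);
    out[24] = 0;                                           /* string terminator */
    return 24;
}

/* Attacker knows the canary value and overflows with a string function.
 * Returns 1 if ret now points at the attack code. */
int strcpy_attack_hijacks(uint32_t canary_value) {
    struct frame f;
    unsigned char payload[32];
    frame_init(&f, canary_value);
    build_payload(payload, canary_value, ATTACK_RET);
    strcpy_into_frame(&f, payload);
    return f.ret == ATTACK_RET;
}

/* Attacker overflows with read()/memcpy() and has to guess the canary.
 * Returns 1 if the epilogue check catches the overwrite before return. */
int read_attack_detected(uint32_t real_canary, uint32_t guess) {
    struct frame f;
    unsigned char payload[32];
    frame_init(&f, real_canary);
    size_t n = build_payload(payload, guess, ATTACK_RET);
    read_into_frame(&f, payload, n);
    return !canary_intact(&f, real_canary);
}

int main(void) {
    uint32_t random_canary = 0x5a3c9e71u;  /* constructed; a real one is drawn at startup */
    printf("strcpy vs terminator canary, attacker knows it: hijacked=%d\n",
           strcpy_attack_hijacks(TERMINATOR_CANARY));
    printf("strcpy vs random canary, attacker knows it:     hijacked=%d\n",
           strcpy_attack_hijacks(random_canary));
    printf("read() vs random canary, wrong guess:           detected=%d\n",
           read_attack_detected(random_canary, 0x11223344u));
    printf("read() vs terminator canary, NUL written by read(): detected=%d\n",
           read_attack_detected(TERMINATOR_CANARY, TERMINATOR_CANARY));
    return 0;
}
```

The two designs fail in different ways: the terminator canary stops a strcpy()-style overflow even when the attacker knows its value, because the copy cannot emit the NUL without ending, but a read()-style overflow writes the NUL happily and sails through undetected; the random canary catches the read()-style overflow as long as its value stays secret, and gives nothing once it is known.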

13 StackGuard Compiler Recompiled Linux; prevented old and new attacks; the execution cost for SSH and Apache was indistinguishable.

14 StackGuard Compiler Performance Pointer dereferencing occurs much less often than array references. No bounds-checking compiler approaches the compatibility and performance of the StackGuard compiler.

15 PointGuard Compiler Put a canary next to function pointers as well. Only the relatively obscure form of buffer overflow attack that corrupts non-pointer variables to affect the program’s logic escapes PointGuard (Morris worm).

16 Conclusion Use a safer library: strsafe.h. Visual C++ .NET /GS option, similar to StackGuard.
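The safer-library point of the conclusion, as an added example that is not from the talk and is not Microsoft's strsafe.h: the unchecked strcpy() idiom beside a bounded copy in the StringCchCopy style, where the destination size travels with the pointer and truncation is reported instead of silently overwriting whatever follows the buffer. The function names, the status values and the inputs are this example's assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Status values shaped like the success / insufficient-buffer outcomes of
 * strsafe.h; the names and the function below are this example's own. */
enum copy_status { COPY_OK = 0, COPY_TRUNCATED = 1, COPY_BAD_ARG = 2 };

/* The idiom the talk warns about: strcpy() writes strlen(src)+1 bytes and
 * has no way to know how large dst is. Shown for contrast; this example
 * never calls it with input longer than its destination. */
void unsafe_copy(char *dst, const char *src) {
    strcpy(dst, src);
}

/* Bounded copy: at most dstsize bytes are written, the result is always
 * NUL-terminated when dstsize > 0, and a source that does not fit is
 * reported rather than silently clipped. */
enum copy_status safe_copy(char *dst, size_t dstsize, const char *src) {
    if (dst == NULL || src == NULL || dstsize == 0)
        return COPY_BAD_ARG;            /* nothing can be written safely */
    size_t n = strlen(src);
    if (n >= dstsize) {                 /* src plus its NUL does not fit */
        memcpy(dst, src, dstsize - 1);
        dst[dstsize - 1] = '\0';
        return COPY_TRUNCATED;
    }
    memcpy(dst, src, n + 1);            /* fits, NUL included */
    return COPY_OK;
}

/* Demo target: an 8-byte local of the kind overflows aim at (constructed). */
char small_buf[8];

enum copy_status copy_into_small(const char *src) {
    return safe_copy(small_buf, sizeof small_buf, src);
}

int main(void) {
    const char *inputs[] = { "/bin/sh", "/usr/bin/id" };   /* constructed inputs */
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        enum copy_status s = copy_into_small(inputs[i]);
        printf("%-12s -> \"%s\" (status %d)\n", inputs[i], small_buf, (int)s);
    }
    return 0;
}
```

The caller still has to check the status: a truncated path or command name is a correctness bug even when it is no longer a memory-safety bug, which is why the bounded API returns a distinct value for it instead of pretending the copy succeeded.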
