Presentation is loading. Please wait.

Presentation is loading. Please wait.

Mitigation against Buffer Overflow Attacks

Published byWalter Cummings Modified over 6 years ago

Similar presentations

Presentation on theme: "Mitigation against Buffer Overflow Attacks"— Presentation transcript:

1 Mitigation against Buffer Overflow Attacks

2 Stack Overflow Review A buffer on the stack has an un-checked bound.
A malicious input could modify program control flow by overwriting data on the stack, e.g. saved EIP. Malicious code can be injected on the stack and EIP can be made to point to it. Key to a successful stack overflow attack The modified control gets loaded into EIP e.g. the vulnerable function successfully “returns;” Must be able to predict the address of the injected code The injected code must be executable What if those conditions cannot be met?

3 Mitigation1: stack address randomization
The OS randomly picks a location for the program stack. The chance the attacker can guess the correct stack location is slim. Where shall EIP point to? However, there are multiple ways to get around it.

4 Getting around stack randomization through indirect jump
beginning of the buffer NOP sled Shell Code EIP Shell Code ESP 0x42122ba7: JMP ESP (0xffe4)

5 Some Useful Points ldd program_name
Displays the dynamically linked libraries and their entrance addresses You can search the jump code directly in any program’s address space as long as it links the same libraries at the same locations as the target program

6 Thoughts Any register that points to somewhere after the beginning of the vulnerable buffer could work. We can look for the “jump code” by searching the virtual memory space. System libraries are a good place to start. A library’s code may not even have the jump code in its instructions, but we could still find the jump code anyway (Why?).

7 StackGuard A compile-time mechanism that detects/prevents modification of saved EIP during function execution. When the function starts, a “canary word” is put on the stack in between the function’s local variables and saved EIP. If a local buffer is overrun, the canary will have to be “killed” before the saved EIP can be modified. Before function returns, checks whether the canary is still intact. If not, hand program control to a pre-defined exception handler and terminate the program.

8 StackGuard address growth function’s return address .text .data
heap malloc’ed data address growth > heap < stack ESP local variables AAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAA AAAAAAAAAAAAAAA EBP saved EBP A A A A canary word A A A A function’s return address saved EIP A A A A function’s argument main() local variables argc, **argv, **envp environment var’s bottom of stack

9 Types of Canary Terminator canary Random canary XOR canary
A character that in most cases will terminate a malicious string, e.g. NULL. Random canary A random value produced at program execution time The random value is stored in a global variable XOR canary A random value XOR’ed with saved EIP On function return, the canary is XOR’ed with the random value and the result compared with saved EIP

10 Limitation of StackGuard
Will not work if the exploit does not depend upon modifying saved EIP Buffer overflow in certain stack layouts could give the attacker ability to modify any memory location with any value This opens up a number of new options to hijack the program’s control flow, e.g. modify the entrance table of exception handlers or system functions The same limitation applies to other similar mechanisms e.g. StackShield

11 Circumvent StackGuard
.text .data heap malloc’ed data Unsafe copy overwrites value of ptr (where). address growth > heap function body: copy(buf, attacker-controlled data); copy(ptr, attacker-controlled data); < stack ESP char buf[]; char* ptr; AAAAAAAAAAA AAAAAAAAAAAAAAA AAAAAAAAAAA AAAAAAAAAAAAAAA EBP saved EBP canary word Any copy with attacker-provided data (what) saved EIP function’s argument main() local variables Modify any memory location (where) with arbitrary data (what). argc, **argv, **envp environment var’s bottom of stack

12 Non-executable Stack OS/architecture protection of virtual memory so that injected code cannot run NX/XD bit: mark certain memory pages (e.g. stack pages) non-executable (DEP) W^X protection: a page cannot be both writable and executable Consequences Injected shellcode on the stack cannot be executed Deviates from von-Neumann architecture e.g. run-time code generation may be affected

13 Limitation of non-executable stack
Will not work if the exploit does not rely on code injected on the stack. Code can be injected in other memory segments, e.g. heap. Or no need to inject code at all!

14 Getting around non-executable stack through return-into-libc
AAAAAAAAAAAAAAAAAAAAAAAAAAAA ???? EIP W1 ???? ???? W2 ESP libc’s return address libc’s argv[1] entrance address of a libc function system(…); “/bin/sh” entrance address of the next libc function you want to run, e.g., exit();

15 Thoughts Whenever a new defense against software exploit is invented, a new way to get around it emerges. These defensive mechanisms are reactive and address a particular way of attack, not the underlying vulnerability. Nonetheless they provide an important line of defense for software vulnerabilities. To reduce the “attack surface,” we must also address the underlying vulnerabilities. Defensive programming Using type-safe languages and static code analysis

16 Implication on System Security
We must assume that software applications will have security vulnerabilities in them Proper design of protection mechanisms is essential to mitigate the threats.

Download ppt "Mitigation against Buffer Overflow Attacks"

Similar presentations

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.

Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.
Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.

Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.
Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.

Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)

Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)
Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.

Exploiting Buffer Overflows on AIX/PowerPC HP-UX/PA-RISC Solaris/SPARC.
Let’s look at an example I want to write an application that reports the course scores to you. Requirements: –Every student can only get his/her score.

Let’s look at an example I want to write an application that reports the course scores to you. Requirements: –Every student can only get his/her score.
Mitigation of Buffer Overflow Attacks

Mitigation of Buffer Overflow Attacks
Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 10 “Buffer Overflow”.

Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 10 “Buffer Overflow”.
CNIT 127: Exploit Development Ch 4: Introduction to Format String Bugs.

CNIT 127: Exploit Development Ch 4: Introduction to Format String Bugs.

Similar presentations

Ads by Google