Presentation is loading. Please wait.

Presentation is loading. Please wait.

Software Security Buffer Overflows more countermeasures

Published byAmie Payne Modified over 6 years ago

Similar presentations

Presentation on theme: "Software Security Buffer Overflows more countermeasures"— Presentation transcript:

1 Software Security Buffer Overflows more countermeasures
Erik Poll Digital Security Radboud University Nijmegen

2 Recap last week Recurring security problems in C(++) code
buffer overflows bugs with pointers esp. if you use dynamically allocated memory (ie the heap) integer overflows also a way to trigger buffer overflows format string attacks for some calls of printf(),... Spotting buffer overflows in C(++) code is hard! spotting potential format strings problems is easier Platform level defences: canaries, non-executable stacks, ASLR, CFI, against ever more advanced attack techniques: incl. return-to-libc, ROP

3 'C is a terse & unforgiving abstraction of silicon'

4 Common themes Buffer overflows involve three more general anti-patterns: lack of input validation mixing data & code namely data and return address on the stack believing in & relying on an abstraction that is not 100% guaranteed & enforced namely types and procedure interfaces in C int f(float f, boolean b, char* buf);

5 More countermeasures We can take countermeasures against buffer overflows to prevent, migitate, or detect buffer overflows at different levels & different points in time, incl. at ‘platform level’ (as discussed last week) in libraries testing (dynamic analysis) at runtime static analysis at compile time

6 Generic defence mechanisms
Reducing attack surface Not running or even installing certain software, or enabling all features by default, mitigates the threat A particular instance of this is OS hardening Mitigating impact by reducing permissions Reducing OS permissions of software (or user) will restrict the damage that an attack can have following the principle of least privilege But, we will always need high-privileged code that is an interesting target eg login program will need access to the password file

7 Prevention Don’t use C or C++
you can write insecure code in any programming language, but some make it easier... Better programmer awareness & training Read – and make other people read – books like CERT secure coding guidelines for C and C Online at Secure Coding in C and C++, R.C. Seacord 24 deadly sins of software security, M. Howard, D LeBlanc & J. Viega, 2005 Secure programming for Linux and UNIX HOWTO, D. Wheeler Building Secure Software, J. Viega & G. McGraw, 2002 Writing Secure Code, M. Howard & D. LeBlanc, 2002 ...

8 Dangerous C system calls
Extreme risk gets High risk strcpy strcat sprintf scanf sscanf fscanf vfscanf vsscanf streadd Moderate risk getchar fgetc getc read bcopy Low risk fgets memcpy snprintf strccpy strcadd strncpy strncat vsnprintf strecpy strtrns realpath syslog getenv getopt getopt_long getpass [source: Building secure software, J. Viega & G. McGraw, 2002]

9 Better implementations of string libraries ‏
libsafe.h provides safer, modified versions of eg. strcpy prevents buffer overruns beyond current stack frame; the functions in this library check that they will not exceed stack frame libverify enhancement of libsafe the functions in this library keep a copy of the stack return address on the heap, and checks if these match on returning Like the platfom-level defences discussed last week, these are transparant to the programmer ie. program code does not have to change (apart from importing a different library)

10 Better string libraries ‏
strlcpy(dst,src,size) and strlcat(dst,src,size) where size is the size of destination array dst, not the maximum length copied. Less error-prone; consistently used in OpenBSD glib.h provides Gstring type for dynamically growing null- terminated strings in C Strsafe.h by Microsoft guarantees null-termination and always takes destination size as argument C++ string class C++ string objects are less error-prone than C strings but data() and c-str()return a C string, ie. a char*, and result of data()is not always null-terminated on all platforms.

11 Safer dialects of C Some approaches go further and propose safer dialects of C which include bounds checks type checks automated memory management with garbage collection or region-based memory management‏ Examples: Cyclone, CCured, Vault, Control-C, Fail-Safe C, D, Rust

12 Runtime detection on instrumented binaries
There are many memory error detection tools that instrument binaries to allow runtime detection of memory errors, esp. out-of-bounds access use-after-free bugs on heap with some overhead (time, memory space) but no false positives. For example Valgrind (Memcheck), Dr. Memory, Purify, Insure++, BoundsChecker, Cachegrind, Intel Parallel Inspector, Discoverer, AddressSanitizer,… Detecting out-of-bounds access requires additional administration in pointers, using so-called fat pointers

13 Fuzzing aka fuzz testing
A classic technique to find buffer weaknesses is fuzz testing send random, very long inputs, to an application if there are buffer overflow weaknesses, this is likely to crash the application with a segmentation fault This is easy to automate! More on fuzz testing in the security testing lecture.

14 Code review & static analysis
ie. someone reviewing the code manually Expensive & labour intensive Code scanning tools aka static analysis Automated tools that look for suspicious patterns in code; ranges for CTRL-F or grep, to advanced analyses Incl. free tools RATS – also for PHP, Python, Perl Flawfinder , ITS4, Deputy, Splint PREfix, PREfast by Microsoft plus other commercial tools Coverity, PolySpace, Klocwork, ...

15 Program verification The most extreme form of static analysis:
proving by mathematical means (eg Hoare logic) that memory management of a program is safe extremely labour-intensive  eg hypervisor verification project by Microsoft & Verisoft: Beware: in industry “verification” means testing, in academia it means formal program verification

16 Conclusions

17 Moral of the story Don’t use C(++), if you can avoid it
but use a safer language that provides memory safety If you do have to use C(++), become or hire an expert Required reading Sections 3 & 4 of 'Low-Level Software Security by Example' by Ulfar Erlingsson, Yves Younan, and Frank Piessens This describes stack canaries, non-executable memory, control flow integrity (CFI) and layout randomisation Sections 1 & 2 explain details of how buffer overflows work, and are not required reading Sections 3.1 & 3.2 of lecture notes on language-based security

18 Exam questions: you should be able to
explain how simple buffer overflows work & what root causes are spot a simple buffer overflow. format string attack, or integer overflow explain how countermeasures like stack canaries, non- executable memory, ASLR, CFI explain why they might not always work

Download ppt "Software Security Buffer Overflows more countermeasures"

Similar presentations

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
Buffer Overflow Exploits CS-480b Dick Steflik. What is a buffer overflow? Memory global static heap malloc( ), new Stack non-static local variabled value.

Buffer Overflow Exploits CS-480b Dick Steflik. What is a buffer overflow? Memory global static heap malloc( ), new Stack non-static local variabled value.
Teaching Buffer Overflow Ken Williams NC A&T State University.

Teaching Buffer Overflow Ken Williams NC A&T State University.
© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 13 Implementation Flaws Part 1: Buffer Overruns.

© 2003 School of Computing, University of Leeds SY32 Secure Computing, Lecture 13 Implementation Flaws Part 1: Buffer Overruns.
Teaching Buffer Overflow Ken Williams NC A&T State University.

Teaching Buffer Overflow Ken Williams NC A&T State University.
1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)

1 RISE: Randomization Techniques for Software Security Dawn Song CMU Joint work with Monica Chew (UC Berkeley)
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow II: Defense Techniques Cliff Zou Spring 2012.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow II: Defense Techniques Cliff Zou Spring 2012.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow II: Defense Techniques Cliff Zou Spring 2013.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow II: Defense Techniques Cliff Zou Spring 2013.
Static Analysis for Security Amir Bazine Per Rehnberg.

Static Analysis for Security Amir Bazine Per Rehnberg.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
An anti-hacking guide.  Hackers are kindred of expert programmers who believe in freedom and spirit of mutual help. They are not malicious. They may.

An anti-hacking guide.  Hackers are kindred of expert programmers who believe in freedom and spirit of mutual help. They are not malicious. They may.
2012/02/07 1 John Wilander, Mariam Kamkar Linkopings Universitet Nick Nikiforakis, Yves Younan, Wouter Joosen Katholieke Universiteit Leuven.

2012/02/07 1 John Wilander, Mariam Kamkar Linkopings Universitet Nick Nikiforakis, Yves Younan, Wouter Joosen Katholieke Universiteit Leuven.
Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.

Chapter 6 Buffer Overflow. Buffer Overflow occurs when the program overwrites data outside the bounds of allocated memory It was one of the first exploited.
Computer Security and Penetration Testing

Computer Security and Penetration Testing

Similar presentations

Ads by Google