Presentation is loading. Please wait.

Presentation is loading. Please wait.

CMSC 414 Computer and Network Security Lecture 21

Published byTobias Harrison Modified over 5 years ago

Similar presentations

Presentation on theme: "CMSC 414 Computer and Network Security Lecture 21"— Presentation transcript:

1 CMSC 414 Computer and Network Security Lecture 21
Jonathan Katz

2 Examples using gdb

3 Even more devious… overflow buf EBP EIP Frame of the calling function
In the overflow, a pointer back into the buffer appears in the location where the system expects to find return address Attacker puts actual assembly instructions into his input string, e.g., binary code of execve(“/bin/sh”)

4 NOP sled If exact address of injected shellcode is unknown, use NOP sled to provide a margin of error

5 Severity of attack? Theoretically, attacker can cause machine to execute arbitrary code with the permissions of the program itself

6 Heap overflows The examples just described all involved overflowing the stack Also possible to overflow buffers on the heap More difficult to get arbitrary code to execute, but imagine the effects of overwriting Passwords Usernames Filenames Variables Function pointers (possible to execute arbitrary code)

7 Defenses

8 Defenses (overview) Prevent overflows from existing
Safe programming techniques/languages Input validation Static/dynamic analysis Prevent overflows from being exploited Intercept function calls (e.g., Libsafe) Canaries (StackGuard) Non-executable stack, data execution prevention (DEP) Address space layout randomization/ASLR Development/ compile time compile time O/S

9 Safe programming techniques
Use arrays instead of pointers Make buffers (slightly) longer than necessary to avoid “off-by-one” errors

10 Safe programming techniques
We have seen that strcpy is unsafe strcpy(buf, str) simply copies memory contents into buf starting from *str until “\0” is encountered, ignoring the size of buf Avoid strcpy(), strcat(), gets(), etc. Use strncpy(), strncat(), instead Even these are not perfect… (e.g., no null termination) Still need to be careful when copying multiple inputs into a buffer

11 Safe programming languages
E.g., using Java prevents many of the problems that arise when using C C variants have been developed that ensure that certain classes of overflows cannot occur E.g., Cyclone

12 Input validation (This is a general issue, not just in the context of buffer overflows) Two approaches Whitelisting Allow input that matches up with approved whitelist Blacklisting Discard input that matches up with disallowed blacklist The usual tradeoffs between usability/complexity and security

13 Length checking Beware off-by-one errors
Even when using strncpy, the programmer must use the right value for the number of bytes to copy … strncpy(record,user,MAX_STRING_LEN-1); strcat(record,”:”); strncat(record,fname,MAX_STRING_LEN-1);

14 Input validation Blacklisting can often be easily circumvented
E.g., checking for a NOP sled Replace NOP with a sequence of instructions whose net effect is to do nothing (inc eax, dec eax, …) Whitelisting can be more difficult to bypass E.g., checking for printable ASCII There are legal instructions that fall in this range!

15 ASCII printable instructions
(Partial list) AND EAX SUB EAX PUSH EAX POP EAX PUSH ESP POP ESP

16 What can be done? AND EAX val1, AND EAX val2
If val1, val2 are ASCII-printable strings that are complements of each other, this zeros EAX SUB EAX v1, SUB EAX v2, SUB EAX v3 If v1, v2, v3 ASCII-printable strings chosen appropriately, wrap around occurs and the net effect is an addition PUSH EAX, POP ESP Copies EAX into ESP

17 What can be done? In principle, could build exploit using these instructions (very hard) Alternative: inject loader code that generates shellcode on the stack

18 EIP loader code increasing addresses ESP stack Build shellcode on the stack. What happens when the EIP and ESP meet?

Download ppt "CMSC 414 Computer and Network Security Lecture 21"

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.

Introduction to Information Security ROP – Recitation 5 nirkrako at post.tau.ac.il itamarg at post.tau.ac.il.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
CMSC 414 Computer and Network Security Lecture 23 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 23 Jonathan Katz.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.

Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.
Teaching Buffer Overflow Ken Williams NC A&T State University.

Teaching Buffer Overflow Ken Williams NC A&T State University.
CMSC 414 Computer and Network Security Lecture 18 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 18 Jonathan Katz.
Lecture 16 Buffer Overflow

Lecture 16 Buffer Overflow
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Assembly, Stacks, and Registers Kevin C. Su 9/26/2011.

Assembly, Stacks, and Registers Kevin C. Su 9/26/2011.

Similar presentations

Ads by Google