Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSC 495/583 Topics of Software Security StackGuard & Format String Bug

Published byEdmund Hansen Modified over 5 years ago

Similar presentations

Presentation on theme: "CSC 495/583 Topics of Software Security StackGuard & Format String Bug"— Presentation transcript:

1 CSC 495/583 Topics of Software Security StackGuard & Format String Bug
Class18 CSC 495/583 Topics of Software Security StackGuard & Format String Bug Dr. Si Chen

2 Binary Protection Mechanism
NX/DEP (turn off execution) ASLR (Randomize the address) turn off stack guard

3 StackGuard Sometimes called Stack Canaries, or Cookies
Insert Canary (random integer) before the function being called. Check this value to see if it been tweaked PRIOR to Function RETURN Cowan, Crispan, et al. "Stackguard: automatic adaptive detection and prevention of buffer-overflow attacks." USENIX Security Symposium. Vol

4 “Canaries” Canaries were iconically used in coal mines to detect the presence of carbon monoxide. The bird's rapid breathing rate, small size, and high metabolism, compared to the miners, led birds in dangerous mines to succumb before the miners, thereby giving them time to take action.

5 0xDEADBEEF StackGuard -- History
In 1998, the first canary was introduced and was hardcoded 0xDEADBEEF

6 StackGuard Terminator canary CR, LF, 00, -1 Single random canary
Using /dev/random Single XOR random canary Xor-ed return address

7 Drawbacks Adds overhead (huge cache footprint)
Only defends against stack overflows NULL canaries can potentially be abused Random canaries can potentially be learned

8 How to bypass StackGuard?

9 StackGuard: Brute force stack reading
Overwrite canary byte by byte and try every possible value If no crash  success Crash  wrong guess Requires same canary for each thread, so can’t call execve() 0xCAFEBABE Canary (0xCAFEBABE): -Buffer- BE BA FE CA Brute force attack for finding the first byte -- “BE”: AAAA… 01 BA FE CA Crash! AAAA… 02 BA FE CA Crash! AAAA… BD BA FE CA Crash! AAAA… BE BA FE CA No crash!

10 Format String Bug

11 Format String Bug What is a Format String? A Format String is an ASCII string that contains text and format parameters printf("%s %d\n", str, a); fprintf(stderr, "%s %d\n", str, a); sprintf(buffer, "%s %d\n", str, a); E.g. My name is Chen

12 Format String Bug

13 Format String Bug The wrong way…

14

15 Example: fmt_wrong.c

16 Example: fmt_wrong.c %08x. %08x. %08x. %08x. %08x. %08x. %08x. %08x. %08x. %08x. %08x. %08x. %08x. %08x. %08x. %08x. %08x. %08x. %08x. %08x. %08x. %08x. %08x. %08x.%08x. %08x. %08x. %08x. %08x. %08x. %08x. %08x. %08x. %08x. %08x. %08x. the argument is passed directly to the “printf” function. the function didn’t find a corresponding variable or value on stack so it will start popping values off the stack

17 Example: fmt_wrong.c

18 Example: fmt_wrong.c Notice that the value “ ” was popped off the stack which means the prepended string is written on stack

19 Advanced Usage: Format String Direct Access
this let’s try to directly access the 12th parameter on stack using the dollar sign qualifier. “%12$x” is used which will read the 12th parameter on stack

20 Advanced Usage: Format String Direct Access

21 What is this BUG used for?
Read data in any memory address: %s to read data in an arbitrary memory address Write data in any memory address: printf not only allows you to read but also write %n

22 fmt_write.c In C printf(), %n is a special format specifier which instead of printing something causes printf() to load the variable pointed by the corresponding argument with a value equal to the number of characters that have been printed by printf() before the occurrence of %n.

23 Write data in any memory address:
%n  DWORD %hn  WORD %hhn  BYTE

24 What is this BUG used for?
Disclose sensitive information: Variable(s) EBP value The correct location for putting Shellcode

25 What is this BUG used for?
Disclose StackGuard Canary: By pass stack checking

26 What is this BUG used for?
Disclose Library Address When enable ASLR, the library address will change each time It’s impossible to call these functions in your shellcode (e.g. system()) Use this bug to disclose one function’s address in a given library. you can use it to deduce other function’s address

27 What is this BUG used for?
Disclose Library Address When enable ASLR, the library address will change each time It’s impossible to call these functions in your shellcode (e.g. system()) Use this bug to disclose one function’s address in a given library. you can use it to deduce other function’s address

28 Q & A

Download ppt "CSC 495/583 Topics of Software Security StackGuard & Format String Bug"

Similar presentations

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson

CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.

Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget  Are there any.
StackGuard: A Historical Perspective

StackGuard: A Historical Perspective
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
Stack buffer overflow http://en.wikipedia.org/wiki/Stack_buffer_overflow.

Stack buffer overflow
TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.

TaintCheck and LockSet LBA Reading Group Presentation by Shimin Chen.
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh

Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow II: Defense Techniques Cliff Zou Spring 2012.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow II: Defense Techniques Cliff Zou Spring 2012.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow II: Defense Techniques Cliff Zou Spring 2013.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow II: Defense Techniques Cliff Zou Spring 2013.
Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.

Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.
Chapter 18 I/O in C. Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 18-2 Standard C Library I/O commands.

Chapter 18 I/O in C. Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display Standard C Library I/O commands.
1 - buttons Click “Step Forward” to execute one line of the program. Click “Reset” to start over. “Play,” “Stop,” and “Step Back” are disabled in this.

1 - buttons Click “Step Forward” to execute one line of the program. Click “Reset” to start over. “Play,” “Stop,” and “Step Back” are disabled in this.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Mitigation of Buffer Overflow Attacks

Mitigation of Buffer Overflow Attacks
Brian E. Brzezicki. This tutorial just illustrates the underlying concepts of buffer overflows by way of an extremely simple stack overflow  Most buffer.

Brian E. Brzezicki. This tutorial just illustrates the underlying concepts of buffer overflows by way of an extremely simple stack overflow  Most buffer.

Similar presentations

Ads by Google