Presentation is loading. Please wait.

Presentation is loading. Please wait.

CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson

Published byCitlali Burnison Modified over 9 years ago

Similar presentations

Presentation on theme: "CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson"— Presentation transcript:

1 CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson debray@cs.arizona.edu

2 Bugs have consequences 2

3 An example 3

4 4

5 What happened The program made an assumption but did nothing to enforce it This led to a buffer overflow that corrupted memory 5 don’t trust external input!

6 Buffer overflows C does not have array bounds checking – it is possible to write past the end of an array – this has the effect of overwriting other memory locations – depending on what gets corrupted, the program may: show no effects compute different results crash let someone else take control of your program (and possibly your computer) 6

7 Buffer overflows 7

8 Some examples of buffer overflows 8

9 How buffer overflows are exploited The attacker provides an input string that is too long for an array (buffer) it is written to – the buffer overflows – contents of neighboring memory locations are overwritten By careful selection of the input string, the attacker can control exactly what the neighboring locations are overwritten with This can allow the attacker to force the victim’s computer to execute arbitrary code 9

10 Example: “Stack Smashing” 10 direction of stack growth return address caller’s stack frame input buffer int foo( … ) { char buf[32]; … scanf(“%s”, buf); … return; }  compromised!

11 Example: “Stack Smashing” 11 Compromised! direction of stack growth caller’s stack frame input buffer int foo( … ) { char buf[32]; … scanf(“%s”, buf); … return; }  return address jump to code injected by the attacker

12 Controlling amount of input read [f]scanf lets you specify a maximum field width before the conversion specifier – max. field width: optional decimal integer – if specified: reading of characters stops when this width is reached – for strings: field width does not include terminating ‘\0’ 12

13 Controlling the amount read 13

14 Guarding scanf isn’t enough 14 scanf is being guarded and yet memory gets corrupted!

15 Guarding scanf isn’t enough Any function that writes an unbounded amount into a memory region is potentially a problem Common culprits: – string library routines: strcpy, strcat – input routines: scanf, gets – output routines: sprintf 15 unguarded  guarded strcpystrncpy strcatstrncat getsfgets sprintfsnprintf

16 Example: strcpy vs. strncpy 16

17 It’s easy to get careless 17 str0[ ], name[ ] are the same size: 4 bytes we’ve made sure we copied at most 4 bytes into str0 therefore it’s OK to use just strcpy() to copy str0 into v0.name right?

18 It’s easy to get careless 18 input output ?!?

19 What happened? 19

20 What happened? 20 strncpy didn’t NULL-terminate the string, and this caused the string in str0[ ] to be much longer than intended

21 Why is this a problem? Any time a buffer can overflow with user-supplied data, the program has a huge security hole. Example: variation on the previous problem int n0, n1, n2; char buf1[4], buf2[64]; … scanf(“%d %d %d %64s”, n0, n1, n2, buf2); strncpy(buf1, buf2, 4); 21 n0, n1, n2, buf1 may be in contiguous memory (compiler dependent) non-NULL-terminated strncpy() can create a user- controlled string that is longer than intended this can set the stage for a buffer-overflow exploit

22 The moral of the story Careless handling of user-supplied data can get you into trouble – read man pages carefully – learn which input/string routines don’t guarantee NULL- terminated strings Make sure buffers are NULL-terminated – allocate space for the terminating NULL character – declare buffers as char buf[MAXSIZE + 1]; 22

23 Is that enough? 23 allocating space for terminating NULL initializing the array checking how many characters to copy using “safe” string functions guarding scanf buffer eating our vegetables

24 Is that enough? 24   

25 What happened? We forgot to check the input! Signature for strncpy: char *strncpy(char *dest, char *src, size_t n) – size_t is an unsigned type – a negative number, treated as an unsigned value, looks like a very big number e.g., on a 32-bit machine, -1 (signed) = 0xffffffff = 2 32 -1 (unsigned) – strncpy() copies over a very large no. of bytes this corrupts memory and causes the seg fault 25

Download ppt "CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson"

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Introduction to C Programming

Introduction to C Programming
A C++ Crash Course Part II UW Association for Computing Machinery Questions & Feedback.

A C++ Crash Course Part II UW Association for Computing Machinery Questions & Feedback.
Vulnerabilities in Embedded Harvard Architecture Processors Presented By: Michael J. Hohnka Cyber Vulnerabilities Lead Cyber Innovation Division Communications,

Vulnerabilities in Embedded Harvard Architecture Processors Presented By: Michael J. Hohnka Cyber Vulnerabilities Lead Cyber Innovation Division Communications,
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
C Characters & Strings Character Review Character Handling Library Initialization String Conversion Functions String Handling Library Standard Input/Output.

C Characters & Strings Character Review Character Handling Library Initialization String Conversion Functions String Handling Library Standard Input/Output.
I/O: SPARC Assembly Department of Computer Science Georgia State University Georgia State University Updated Spring 2014.

I/O: SPARC Assembly Department of Computer Science Georgia State University Georgia State University Updated Spring 2014.
1 Chapter 10 Strings and Pointers. 2 Introduction  String Constant  Example: printf(“Hello”); “Hello” : a string constant oA string constant is a series.

1 Chapter 10 Strings and Pointers. 2 Introduction  String Constant  Example: printf(“Hello”); “Hello” : a string constant oA string constant is a series.
Lecture 20 Arrays and Strings

Lecture 20 Arrays and Strings
What is a pointer? First of all, it is a variable, just like other variables you studied So it has type, storage etc. Difference: it can only store the.

What is a pointer? First of all, it is a variable, just like other variables you studied So it has type, storage etc. Difference: it can only store the.
Strings CS240 Dick Steflik. What is a string A null terminated array of characters: char thisIsAString[10]; 0 1 2 3 4 5 6 7 8 9 \0 The “\0” (null character)

Strings CS240 Dick Steflik. What is a string A null terminated array of characters: char thisIsAString[10]; \0 The “\0” (null character)
Nirmalya Roy School of Electrical Engineering and Computer Science Washington State University Cpt S 122 – Data Structures Characters and Strings.

Nirmalya Roy School of Electrical Engineering and Computer Science Washington State University Cpt S 122 – Data Structures Characters and Strings.
Current Assignments Homework 5 will be available tomorrow and is due on Sunday. Arrays and Pointers Project 2 due tonight by midnight. Exam 2 on Monday.

Current Assignments Homework 5 will be available tomorrow and is due on Sunday. Arrays and Pointers Project 2 due tonight by midnight. Exam 2 on Monday.
Buffer Overflow Intro. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Preventing Buffer Overflows (for C programmers)

Buffer Overflow Intro. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Preventing Buffer Overflows (for C programmers)
Buffer Overflows By Tim Peterson Joel Miller Dan Block.

Buffer Overflows By Tim Peterson Joel Miller Dan Block.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Chapter 15 : Attacking Compiled Applications Alexis Kirat - International Student.

Chapter 15 : Attacking Compiled Applications Alexis Kirat - International Student.
Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.

Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.
Stack buffer overflow http://en.wikipedia.org/wiki/Stack_buffer_overflow.

Stack buffer overflow
Buffer Overflow Exploits CS-480b Dick Steflik. What is a buffer overflow? Memory global static heap malloc( ), new Stack non-static local variabled value.

Buffer Overflow Exploits CS-480b Dick Steflik. What is a buffer overflow? Memory global static heap malloc( ), new Stack non-static local variabled value.

Similar presentations

Ads by Google