Presentation is loading. Please wait.

Presentation is loading. Please wait.

Exploits Against Software and Defences

Published byMiranda Houston Modified over 9 years ago

Similar presentations

Presentation on theme: "Exploits Against Software and Defences"— Presentation transcript:

1 Exploits Against Software and Defences
Nicolas T. Courtois University College London

2 How to Break Into Computers?
Reading How to Break Into Computers? Stack attacks: Chapter 10.4. SQL injection: not at the exam: see our lab. Defences: Chapter 10.7. Nicolas T. Courtois, January 2009

3 Is that All? There is MUCH more (not covered here): Language Based Security COMPGS10 course (Term 2)… Government agencies and hackers have found LOTS of software security holes, AUTOMATION, formal methods Requires source code (cf. Common Criteria evaluations) Example: in just one Huawei Chinese router firmware experts found unsafe calls to the sprintf function alone… Main Learning Objective: Understand the principal sources of attacks and what the defences are. Nicolas T. Courtois, January 2009

4 Goals of Attackers

5 Break In Stage 1: Get to run some code (even without privileges).
CompSec COMPGA01 Break In Stage 1: Get to run some code (even without privileges). Stage 2: Gain admin access, usually by calling other local programs and exploiting their vulnerabilities. Nicolas T. Courtois, December 2009

6 create a backdoor for later access cover your traces
CompSec COMPGA01 Later… create a backdoor for later access cover your traces e.g. disable anti-virus, erase log files, etc… payload: execute extra tasks Nicolas T. Courtois, December 2009

7 Goals for Software Exploits
CompSec COMPGA01 Goals for Software Exploits crash software (can be DOS) crash hardware (e.g. hard drive) get some data or side channels inject arbitrary code these also happen accidentally… Nicolas T. Courtois, December 2009

8 What’s Wrong?

9 Software Vulnerabilities
CompSec COMPGA01 Software Vulnerabilities Input validation problems Buffer overflow Format string vulnerabilities Integer overflows, CPU bugs Failing to handle errors / exceptions properly etc… Nicolas T. Courtois, December 2009

10 Vectors of Attack - Inputs

11 Software Input Exploits
CompSec COMPGA01 Software Input Exploits Exe programs: command line arguments environment variables configuration files / settings changed in the registry by another program… network packets etc… Dlls / Unix runtime precompiled libraries: function calls from other programs Nicolas T. Courtois, December 2009

12 Danger of Environment Variables
CompSec COMPGA01 Danger of Environment Variables In UNIX: Set LD_LIBRARY_PATH system variable to avoid the standard precompiled libraries… Hacker puts his own libraries in his own directory… BTW. Fix: modern C runtime libraries in Unix stopped using LD_LIBRARY_PATH at least in many cases… Nicolas T. Courtois, December 2009

13 Revision: set-uid programs
CompSec COMPGA01 Revision: set-uid programs Def: A “set-uid program” (property acquired at install) is a program that assumes the identity and has euid and privileges of the owner of the program, though a different user runs it. Examples: passwd su, sudo BTW: if copied to a “user” directory, stop working! Nicolas T. Courtois, December 2009

14 More Attacks on PATH in Unix
CompSec COMPGA01 More Attacks on PATH in Unix Now imagine that any “setuid program” contains the following line: system(“ls … ”); OOPS… there are several ways to use this to run any program as root… Nicolas T. Courtois, December 2009

15 More Attacks on PATH in Unix
CompSec COMPGA01 More Attacks on PATH in Unix A “setuid program” ABC contains the following line: system(“ls …”); The user sets his PATH to be =“.” and places his own program ls in the current directory. This program ls will be run as root. (remark: the program A can reset PATH or do checks on PATH…) Nicolas T. Courtois, December 2009

16 Another Known Exploit in Unix
CompSec COMPGA01 Another Known Exploit in Unix The IFS variable: the characters that the system considers as white space now add “s” to the IFS set of characters system(ls) becomes system(l) a function l in the current directory will be run as root… Nicolas T. Courtois, December 2009

17 Can this be done remotely?
CompSec COMPGA01 Can this be done remotely? In PHP language, used by all web servers, they have PASSTHRU() function that executes arbitrary code… Assume it contains a user input that comes from the web client browser. insert “; command231” or “| command231”. This will make the server execute command231 and output the result to the web page displayed. PHP have later banned this and many other things from the PHP language… Nicolas T. Courtois, December 2009

18 Buffer Overflow

19 Software Buffer Overflow Exploits
CompSec COMPGA01 Software Buffer Overflow Exploits I will explain in details only 1 type of code injection attack… “Buffer Overflow through Stack Smashing” There are many other types of software vulnerabilities… Study of these requires a lot of technical expertise about programming, compilers, assembly and CPUs… Discovery of new attacks is like a 1 G$ project: it requires: source code + formal methods + maths + software solver technology + lots of experimentation + machine learning + extensive knowledge of what’s out there etc. Nicolas T. Courtois, December 2009

20 Buffer Overflow History
CompSec COMPGA01 Buffer Overflow History Extremely common since the 1980s. Consistently about 50 % of all CERT advisories still in late 2000s… Usually leads to a total compromise of the machine… Nicolas T. Courtois, December 2009

21 Can Programmers Get It Right?
CompSec COMPGA01 Can Programmers Get It Right? Lot of evidence around that they cannot. the behavior of Turing machines is very HARD to analyse, cf. Rice thm. it is usually easier to rewrite code from the scratch than to find all bugs in it, open source software was like a virus… software economics, time to market, code re-use etc… Major problems also occur at the compiler and runtime level… (even CPUs have bugs that can be used for exploits). Nicolas T. Courtois, December 2009

22 Problems with C and C++ C and C++ particularly dangerous
CompSec COMPGA01 Problems with C and C++ C and C++ particularly dangerous Fast, therefore used in servers and all critical code (fast data manipulation, crypto and security functions) allows arbitrary manipulation of pointers but not outside the virtual 2 Gbyte space allocated by the OS Nicolas T. Courtois, December 2009

23 CompSec COMPGA01 Problems with C and C++ Memory Safety = a restriction on copying data from one memory location to another, except for if types clearly allow assignments. closely related to type safety: …preventing type cast and copy data that don’t have the same type. Java and C# offer (imperfect) memory safety. hard to prove, actually shown not quite true for Java Nicolas T. Courtois, December 2009

24 CompSec COMPGA01 **Dangling Pointers = pointers that do not point to a valid object in the program For example in C use malloc, realloc and free, Then the pointer is not automatically reset to NULL. Good practice is to do it manually all the time. Nicolas T. Courtois, December 2009

25 inject arbitrary code through standard input channels of the program.
CompSec COMPGA01 Software Under Attack Main goal: inject arbitrary code through standard input channels of the program. Input-dependent vulnerabilities. Excessively common in software we use every day… Unix and Windows alike… Nicolas T. Courtois, December 2009

26 CompSec COMPGA01 Exploit = specially crafted input that allows a certain task to be accomplished compromising the security policy usually executing arbitrary code. Goal: execute with the privilege level of the program: web server running as superuser… Ordinary programs running as user… Furthermore, injected code may use another vulnerability to permit privilege escalation. Nicolas T. Courtois, December 2009

27 Buffer Overflow Attack: Stack Smashing and Code Injection in C

28 allocated from the stack.
CompSec COMPGA01 Buffer Overflow in C char command[256]=“”; allocated from the stack. Now imagine we input longer data than 256 bytes and use strcpy(command,*input_data). In theory: “undefined behaviour”.. In practice: we can predict what will happen. Nicolas T. Courtois, December 2009

29 And saving the return address.
CompSec COMPGA01 historical roots Since ever, in CPU assembly and in compiling structured programs, the habit is to save the state of the CPU when calling a sub-routine. And saving the return address. It is essential which comes first… otherwise there would be no such attack. This is saved on the process stack. Nicolas T. Courtois, December 2009

30 Process Memory Layout 0x08048000
CompSec COMPGA01 Process Memory Layout 0x Text Text: loaded from exec code and read-only data size fixed at compilation Heap: runtime allocated objects, large (2 Gb) Stack: LIFO, holds function arguments and local variables, small size (256 K) Heap Grows toward high memory Grows toward low memory 0x Stack 0xC Nicolas T. Courtois, December 2009

31 Calling a Sub-Routine in C
CompSec COMPGA01 Calling a Sub-Routine in C PUSH PULL on every CPU since ever… Stack Stack Stack Nicolas T. Courtois, December 2009

32 Stack Frames for one C Function f
CompSec COMPGA01 Stack Frames for one C Function f local variables built in this order saved bottom of stack return address params of f Stack Stack Stack Nicolas T. Courtois, December 2009

33 exploit on f size easy to guess Stack CompSec COMPGA01
void f(params) { char command[256]=“”; strcpy(command,sth) } increasing addresses local variables saved bottom of stack overwrite return address size easy to guess params of f Stack Nicolas T. Courtois, December 2009

34 exploit on f easy to guess Stack shell code 0x80707050
CompSec COMPGA01 exploit on f void f(params) { char command[256]=“”; strcpy(command,sth) } increasing addresses shell code local variables saved bottom of stack overwrite 0x return address easy to guess params of f Stack Nicolas T. Courtois, December 2009

35 the frame buffer was de-allocated, data still there
CompSec COMPGA01 when f finishes the frame buffer was de-allocated, data still there shell code local variables saved bottom of stack return address 0x return address params of f Stack Nicolas T. Courtois, December 2009

36 Is It Easy? for strcpy() avoid 0’s in exploit code.
CompSec COMPGA01 Is It Easy? for strcpy() avoid 0’s in exploit code. predict the size of all local variables. IMPORTANT: does never need an exact value. patch with many NOP instructions to work for a range of addresses… put several copies of the new return address must be able to predict the stack address. not hard for simple programs… open source: MUCH easier to attack. many copies of the same program – easier. this is how Slammer infected 75 K MS-SQL servers. NOP slide shell code Nicolas T. Courtois, December 2009

37 Reliability up to very high, up to 100%
CompSec COMPGA01 Reliability up to very high, up to 100% (there are stable exploits, never ever fail and produce consistent results) Nicolas T. Courtois, December 2009

38 What Hackers Do?

39 Finding Exploits Closed source:
CompSec COMPGA01 Finding Exploits Closed source: try at random with long inputs ending by $$$$ if the program crashes, look at core dumps for $$$’s later use debuggers and disassemblers to design precise exploits… Open source: easier! Hackers have automated tools for finding exploits… Nicolas T. Courtois, December 2009

40 CompSec COMPGA01 Example With XBox 360 Microsoft made it very hard to install other OS, like Linux. Why? The console sale price was subsidized by Microsoft. Legitimate reason (!). Hackers found a buffer overflow attack on James Bond 007 game when it restored from saved game, to take over the boot loader… Very impressive… Nicolas T. Courtois, December 2009

41 ***Ethical Code Injection Exists?
CompSec COMPGA01 ***Ethical Code Injection Exists? Wikipedia: code injection can "trick" the system into behaving in a certain way without any malicious intent. Code injection could, for example: introduce a useful new column that did not appear in the original design of a search results page. offer a new way to filter, order, or group data by using a field not exposed in the default functions of the original design. Someone might resort to this sort of work-around because … software … becomes too frustrating or painful. Some developers allow or even promote the use of code injection to "enhance" their software, usually because this solution offers a less expensive way to implement new or specialized features… Nicolas T. Courtois, December 2009

42 Can We Fix It?

43 Solutions (1) use type and memory safe languages (Java, ML)
CompSec COMPGA01 Solutions (1) use type and memory safe languages (Java, ML) clean the de-allocated frame buffer: slow!!! Partial solutions (not perfect) certain forms of access control? yes, replace pointers by use of “un-forgeable reference” tokens sandboxing and “secure” VM techniques. store things in a different order: ASLR = Address Space Layout Randomisation – at the runtime! suddenly it makes a lot of sense to recompile the Apache web server software on each server. Reason: 75 K copies, Slammer worm. OpenBSD (enabled by default) Linux – weak form of ASLR by default since kernel (much better with the Exec Shield patch for Linux). Windows Vista and Windows Server 2008: ASLR enabled by default, although only for those executables and dynamic link libraries specifically linked to be ASLR-enabled. So only very few programs such as Internet Explorer 8 enable these protections… Nicolas T. Courtois, December 2009

44 CompSec COMPGA01 Solutions (2) Automated protections with canaries: store known data at the end of the buffer. Check. StackGuard, ProPolice, PointGuard = extensions of GCC, automatic. similar protections also by default since MsVisual Studio 2003. Time performance overhead: about +10%. Is this secure? Can the attacker predict the canary? Can he learn it from several exploit attempts? Nicolas T. Courtois, December 2009

45 Canaries Two types known:
CompSec COMPGA01 Canaries Two types known: random canaries: known but random data canaries terminator canaries: not the same at all, special ‘terminator’ values \0 to stop strcpy() {newline} + {linefeed} to stop fgets() EOF to stop fread()… can combine all these after each buffer Nicolas T. Courtois, December 2009

46 One Attack Against StackGuard and Canaries
CompSec COMPGA01 One Attack Against StackGuard and Canaries Nicolas T. Courtois, December 2009

47 CompSec COMPGA01 Solutions (3) hire a programmer with extensive understanding of software attacks less attacks, will not eliminate them Cheaper solutions: make sure that stack space is marked as impossible to execute () NX bit + Windows DEP = Data Execution Protection. Linux W  X : text pages: X, not W, data (stack, heap) pages: W, not X blacklist parts of C language! ongoing process. Nicolas T. Courtois, December 2009

48 CompSec COMPGA01 Bypassing DEP ? Yes! only prevents simple injection of assembly code on the stack… can inject some other sort of code… like system calls + parameters that will contain instructions for the shell (!!!). The simplest example: System(“command123”) Details depend a lot on OS and installed software. Modern versions: call some API, some dll, OS routines to disable DEP or manage memory etc… system() shell code local variables saved bottom of stack 0x return address command123 Stack Nicolas T. Courtois, December 2009

49 Preventing Attacks on System Calls
CompSec COMPGA01 Preventing Attacks on System Calls Can we prevent the exploits with Windows dlls? Answer: In Windows, at boot time the order and location of system calls WILL be randomised. Lowers considerably the chances to succeed, (does not eliminate the attack) ms*.dll shell code local variables saved bottom of stack 0x return address command123 Stack Nicolas T. Courtois, December 2009

50 Application-specific: check if intended length and format.
CompSec COMPGA01 Input Validation Application-specific: check if intended length and format. use special encoding for inputs use encrypted inputs, check length the attack is unlikely to do anything intended? If stream cipher, can flip bits to change one character… Routines that remove dangerous characters. In PHP, using the htmlentities() function. In an SQL request, use mysql_real_escape_string() Nicolas T. Courtois, December 2009

51 sprintf(buf, …) snprintf(buf, buflen, …),
CompSec COMPGA01 C Tips – Replace by sprintf(buf, …) snprintf(buf, buflen, …), scanf(“%s”, buf) scanf(“%10s”, buf), strcpy(buf, input) strncpy(buf, input, 256) etc… Nicolas T. Courtois, December 2009

52 Solutions (4) Automated tools working on: Source code:
CompSec COMPGA01 Solutions (4) Automated tools working on: Source code: Coverity: test trust inconsistency. Microsoft program analysis group: PREfix: looks for fixed set of bugs (e.g. null ptr ref) PREfast: local analysis to find prog errors. [Wagner, et Berkeley]: Test constraint violations. These find lots of bugs, but not all. Ready exe: Taintcheck: fix ready exe files… At runtime mark memory locations as tainted by user data. Slow. Up to 25x. Web servers cost lots of $$$, cannot afford to do it.. Nicolas T. Courtois, December 2009

53 Solutions (5) Replacement libraries:
CompSec COMPGA01 Solutions (5) Replacement libraries: Example: libsafe – dynamically linked library, will intercept calls to strcpy and check buffer sizes.. StackShield – an assembler file processor for GCC keeps backup copies of SFP and RET at the beginning of local variables, compare before exiting the function. Nicolas T. Courtois, December 2009

54 CompSec COMPGA01 Solutions (6) Instruction Set Randomization (ISR) – runtime encryption of CPU instructions… different for each program, makes code injection impossible. Has been done. not widely used. network-intensive applications run smoothly CPU-intensive applications: 20x slower Nicolas T. Courtois, December 2009

55 END

56 *Heap Overflow: consider as home reading, not at the exam

57 Process Memory Layout 0x08048000
CompSec COMPGA01 Process Memory Layout 0x Text Text: loaded from exec code and read-only data size fixed at compilation Heap: runtime allocated objects, large (2 Gb) Stack: LIFO, holds function arguments and local variables, small size (256 K) Heap Grows toward high memory Grows toward low memory 0x Stack 0xC Nicolas T. Courtois, December 2009

58 can take most of the 2-4 Gbytes space
CompSec COMPGA01 Right Proportions Not always this area is a heap. It can be fragmented. More generally term “heap exploits” refers to all kinds of attacks on data structures dynamically allocated/freed within RAM. Text Heap can take most of the 2-4 Gbytes space Grows toward high memory Stack Nicolas T. Courtois, December 2009

59 Insights How Memory Management is implemented?
CompSec COMPGA01 Insights How Memory Management is implemented? (harder to design a working attack, less standard than stack attacks…) Implemented by a compiler through its standard dynamic libraries, example: msvc*.dll that contain executable already compiled functions. Main idea: the design of these memory management routines can be exploited. How? A bit complex. Nicolas T. Courtois, December 2009

60 CompSec COMPGA01 Insights Heap managers have linked lists with forward/backward pointers, sizes, and data fields. Nicolas T. Courtois, December 2009

61 What the attacker can do?
CompSec COMPGA01 What the attacker can do? A simple buffer overrun (works only forwards): can contain code chosen by the attacker. and if heap is marked NX, pointers to libc functions + parameters in the following bytes.. plus extra bytes that will overwrite the “malloc meta data” for the next 3 blocks = the prev/next pointers in these blocks, overwritten by values chosen by the attacker… shell code Nicolas T. Courtois, December 2009

62 What the attacker can do?
CompSec COMPGA01 What the attacker can do? What happens when the routine freeing the memory is called? On this picture, allocations 1 and 2 are already freed, which maybe happens a bit later during the same function call… The next step is to merge these two free blocks. Why? shell code Nicolas T. Courtois, December 2009

63 Concatenation after free()
CompSec COMPGA01 Concatenation after free() Defragmentation is important: otherwise allocation of large blocks might fail and the program would terminate with an out of memory message though there is plenty of memory left… This mechanism is typically automatic and sometimes is also done with a certain delay, but frequently will be called before the current C or C++ function exits… hdrnext = hdrnextnext hdrnextnextprev = hdrnextprev shell code Nicolas T. Courtois, December 2009

64 Insights The attacker can control both:
CompSec COMPGA01 Insights In heap attacks none of these addresses will ever be used as jump address. Seems hopeless? It is more subtle than that. What we do is to overwrite a return address elsewhere. On the stack. By abusing this specific “defragmentation” method/routine, when it is called (immediately or later). The attacker can control both: the address where a certain pointer will be written automatically by the heap Mgmnt the value of this pointer to be overwritten shell code hdrnext = hdrnextnext Nicolas T. Courtois, December 2009

65 Insights Suppose I override these links to point
CompSec COMPGA01 Insights Suppose I override these links to point hdrnext = to the return address of the function on the stack. hdrnextnext = a pointer to code (probably just in the buffer I overran) When the heap manager merges the two blocks, it will actually overwrite the return address on the stack with a pointer to code I control. This will be called after the current function exits. shell code Nicolas T. Courtois, December 2009

Download ppt "Exploits Against Software and Defences"

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Part IV: Memory Management

Part IV: Memory Management
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 24 Jonathan Katz.
Teaching Buffer Overflow Ken Williams NC A&T State University.

Teaching Buffer Overflow Ken Williams NC A&T State University.
Building Secure Software Chapter 9 Race Conditions.

Building Secure Software Chapter 9 Race Conditions.
CS426Fall 2010/Lecture 111 Computer Security CS 426 Lecture 11 Software Vulnerabilities: Input Validation Issues & Buffer Overflows.

CS426Fall 2010/Lecture 111 Computer Security CS 426 Lecture 11 Software Vulnerabilities: Input Validation Issues & Buffer Overflows.
Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.

Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.
Lecture 16 Buffer Overflow

Lecture 16 Buffer Overflow
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.

Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.
Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.

Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.
Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.

Java Security. Topics Intro to the Java Sandbox Language Level Security Run Time Security Evolution of Security Sandbox Models The Security Manager.

Similar presentations

Ads by Google