Presentation is loading. Please wait.

Presentation is loading. Please wait.

Chapter 6 Weaknesses Exploited

Published byHillary Ann Green Modified over 9 years ago

Similar presentations

Presentation on theme: "Chapter 6 Weaknesses Exploited"— Presentation transcript:

1 Chapter 6 Weaknesses Exploited

2 Weaknesses Bad software is everywhere, and…
…flaws can cause security problems In this chapter Various overflow conditions Format string vulnerabilities How weaknesses are found Defenses Human factors

3 Technical Weaknesses Buffer overflow Process address space: 4 sections
Fixed-sized code block (code/text) Static data (data) Dynamic data (heap) “Scratch paper” (stack)

4 Technical Weaknesses C program example

5 Stack Frame Stack frame allocated for functions Stack holds…
Local variables Book keeping info, such as Input arguments Return address Saved frame pointer, etc.

6 Stack Frame Stack frame in action

7 Memory Organization Text == code Data == static variables
low address Text == code Data == static variables Heap == dynamic data Stack == “scratch paper” Dynamic local variables Parameters to functions Return address text data heap SP stack high address

8 Simplified Stack Example
low  void func(int a, int b){ char buffer[10]; } void main(){ func(1, 2); : SP buffer ret return address SP a SP b SP high 

9 Smashing the Stack What happens if buffer overflows?
??? : Program “returns” to wrong location SP buffer overflow ret SP ret… A crash is likely NOT! overflow a SP b SP high 

10 Smashing the Stack Trudy has a better idea… Code injection
low  Trudy has a better idea… : Code injection Trudy can run code of her choosing… On your machine! SP evil code ret ret SP a SP b SP high 

11 Smashing the Stack Trudy may not know… Solutions Address of evil code
: Trudy may not know… Address of evil code Location of ret on stack Solutions Precede evil code with NOP “landing pad” Insert ret many times NOP : NOP evil code ret ret ret : ret :

12 Stack Smashing Note that injected code is usually known as “shellcode”
Other overflow attacks are possible Some inject code, some don’t We discuss a few more examples later

13 Stack Smashing Summary
A buffer overflow must exist in the code Not all buffer overflows are exploitable Things must align just right If exploitable, attacker can inject code Trial and error is likely required Fear not, lots of help available online Smashing the Stack for Fun and Profit, Aleph One Stack smashing is “attack of the decade” Regardless of the decade… Also heap overflow, integer overflow, etc.

14 Stack Smashing Example
Program asks for a serial number that the attacker does not know Attacker does not have source code Attacker does have the executable (exe) Program quits on incorrect serial number

15 Example By trial and error, attacker discovers apparent buffer overflow Note that 0x41 is “A” Looks like ret overwritten by 2 bytes!

16 Example Next, disassemble bo.exe to find
The goal is to exploit buffer overflow to jump to address 0x401034

17 Example Find that, in ASCII, 0x401034 is “@^P4”
Byte order is reversed? Why? X86 processors are “little-endian”

18 Example Reverse the byte order to “4^P@” and…
Success! We’ve bypassed serial number check by exploiting a buffer overflow What just happened? We overwrote the return address on the stack

19 Example Note that in this example…
We overwrote return address and jumped to somewhere interesting We did not inject any code Other interesting places to jump to? Without injecting code, that is? Often called “return to libc” attacks

20 Example Attacker did not require access to the source code
Only tool used was a disassembler to determine address to jump to Possible to find desired address by trial and error? Necessary if attacker does not have exe For example, a remote attack

21 Example Source code of the buffer overflow
Flaw easily found by attacker Without the source code!

22 Stack Smashing Prevention
1st choice: employ non-executable stack “No execute” NX bit (if available) Seems like the logical thing to do, but some real code executes on the stack (Java, for example) 2nd choice: use safe languages (Java, C#) 3rd choice: use safer C functions For unsafe functions, there are safer versions For example, strncpy instead of strcpy

23 Stack Smashing Prevention
low  Canary Run-time stack check Push canary onto stack Canary value: Constant 0x000aff0d Or may depends on ret : buffer overflow canary overflow ret a high  b

24 Microsoft’s Canary Microsoft added buffer security check feature to C++ with /GS compiler flag Based on canary (or “security cookie”) Q: What to do when canary dies? A: Check for user-supplied “handler” Handler shown to be subject to attack Claims that attacker can specify handler code If so, formerly “safe” buffer overflows become exploitable when /GS is used!

25 ASLR Address Space Layout Randomization
Randomize place where code loaded in memory Makes most buffer overflow attacks probabilistic Vista uses 256 random layouts So about 1/256 chance buffer overflow works? Similar thing in Mac and other OSs Attacks against Microsoft’s ASLR do exist Possible to “de-randomize”

26 Buffer Overflow A major threat yesterday, today, and tomorrow
Can greatly reduced overflow attacks Use safe languages/safer functions Educate developers, use tools, etc. Buffer overflows will exist for a long time Legacy code Bad software development practices

27 Race Condition Security processes should be atomic
Occur “all at once” Race conditions can arise when security- critical process occurs in stages Attacker makes change between stages Often, between stage that gives authorization, but before stage that transfers ownership Example: prepaid debit card

28 Race Condition Adding cash to card Race condition?
User inserts card into card reader machine Machine reads value of card: x User insert cash into machine: y User presses “enter” key Machine writes x+y to card Machine ejects card Race condition?

29 Race Condition Attacks on cash card protocol?
Insert 2 cards, sandwiched together Card that is read has $100 value, unread card has $1 value Step 2: Machine reads x = 100 Insert $2, so y = 2 Pull out read card, leaving unread one Press “enter”…

30 Race Conditions Race conditions appear to be common in software
May be more common than buffer overflows But race conditions harder to exploit Buffer overflow is “low hanging fruit” today To prevent race conditions… Make security-critical processes atomic Occur all at once, not in stages Not so easy to accomplish in practice

31 Heap Overflow Heap used for dynamic variables
For example, malloc in C Can overflow one array into another Makes it possible to change data Like example on next slide

32 Simple Buffer Overflow
Consider boolean flag for authentication Buffer overflow could overwrite flag allowing anyone to authenticate! Boolean flag buffer F O U R S C T F In some cases, Trudy can be more systematic

33 Heap Overflow Example BEFORE: buf2 = AFTER: buf2 =

34 Heap Overflow Bookkeeping info stored on heap
Can attacker exploit this?

35 Heap Overflow Data structure to keep track of free memory
Assume it is a doubly-linked list Heap overflow attacks?

36 Heap Overflow Here we free block B “Unlink” B from heap
If overflow in A, can overwrite B’s pointers…

37 Heap Overflow Overwrite B’s pointers Then free B
Now if we ever get to B, will go to shellcode

38 Integer Overflow Many “integer” problems This example…
What if len is negative? Note that memcpy thinks len is unsigned

39 Format String Vulnerabilities
Format string example printf(“The magic number is %d\n”, 42); Format strings: Parameter Meaning Passed by… %d int value %u unsigned int %x hex %s string reference %n bytes written so far

40 Format Strings and the Stack
Formatting functions retrieve parameters from the stack Assuming that’s where they’re stored… Consider printf(“a has value %d at address %d\n”, a, &a); What if there are too few arguments? For example printf(“a has value %d at address %d\n”);

41 Format Strings and the Stack
Consider again printf(“a has value %d at address %d\n”, a, &a); Here, x1 and x2 are other things on the stack high  : a address of a x1 x2 low  “a has … \n”

42 Format Strings and the Stack
What if there are too few arguments? For example printf(“a has value %d at address %d\n”); What happens? high  : x1 x2 x3 x4 low  “a has … \n” Print stuff on stack Is this useful?

43 Format String Issue 1 We can “walk” the stack
That is, print out items on the stack For example printf(“%08x %08x %08x %08x %08x\n”); As a bonus, it’s nicely formatted…

44 Format String Issue 2 What would this do?
printf(“%s%s%s%s%s%s%s%s%s%s%s”); For each %s function printf will… Fetch a number from the stack Treat the number as an address Print out whatever is at that address, until NULL character Such an “address” might not exist!

45 Format String Example What about something like this…
void print_error(char *s){ char buffer[100]; snprintf(buffer, sizeof(buffer), “Error: %s”, s); printf(buffer);} Suppose Trudy has control over what goes into the string s Then some interesting possibilities…

46 Format String Issue 3 Suppose Trudy sets string s to
1st %d  2nd %d  high  : %d low  buffer “Error: %s…” return %s  printf Suppose Trudy sets string s to \x78\x56\x34\x12 %d%d%d%s Note \x78…\x12 is little endian for What does code on previous slide do?

47 Format String Issue 4 The %n format is used to print the number of characters written so far Q: What does this do? int i; printf(“abcde%n, &i); A: Writes 5 to variable i Can Trudy take advantage of this?

48 Format String Issue 4 Similar attack as “issue 3”…
…except use %n in place of %s Then a value written to address What value? Some claim that this allows writing of arbitrary value Is this really true?

49 Format String Defenses
Source code auditing Relatively few format strings Remove support for %n format Would this create any problems? Keep track of number of arguments General buffer overflow prevention For example, ASLR (next slide…)

50 More Defenses Mentioned by author NX approach Canary ASLR
Safe/safer languages

51 Finding Weaknesses How do attackers find weaknesses?
Technical analysis Study source code (if available) Disassemble executables (SRE) Decompile (good luck with that!) Black box analysis Study vendor patches Full disclosure websites Zero day exploit?

52 Finding Weaknesses Social engineering Impersonation Dumpster diving
Nuclear power plant company example Impersonation Dumpster diving Shoulder surfing Fake For example, ask for passwords Phishing

53 Virus Hoaxes Example: jdbgmgr.exe
I found the little bear in my machine because of that I am sending this message in order for you to find it in your machine. The procedure is very simple: … Known as the teddy bear virus because this is the icon:

54 Exploitation Engines Developing a buffer overflow attack Metasploit
Tedious, lots of trial and error Until Metasploit was invented… Metasploit Knows about lots of attacks Has lots of payloads Doesn’t require much thought/effort

55 Metasploit Payloads include Bind shell to current port
Bind shell to arbitrary port Reverse shell Windows VNC Server DLL inject Reverse VNC DLL inject Inject DLL into running application Create local admin user The Meterpreter (run command of attacker’s choosing)

56 Metasploit Web Interface

57 Metasploit Advantages for attackers? Advantages for good guys?
Reduces “development cycle” Resulting attacks much more reliable Advantages for good guys? Helps identify false positives Help improve IDS Improved penetration testing Improved management awareness

Download ppt "Chapter 6 Weaknesses Exploited"

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.

Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.
Software and Security Buffer Overflow 1.

Software and Security Buffer Overflow 1.
Teaching Buffer Overflow Ken Williams NC A&T State University.

Teaching Buffer Overflow Ken Williams NC A&T State University.
Application and OS Attacks 1 Application and OS Attacks.

Application and OS Attacks 1 Application and OS Attacks.
Teaching Buffer Overflow Ken Williams NC A&T State University.

Teaching Buffer Overflow Ken Williams NC A&T State University.
Run-time Environment and Program Organization

Run-time Environment and Program Organization
Netprog: Buffer Overflow1 Buffer Overflow Exploits Taken shamelessly from: netprog/overflow.ppt.

Netprog: Buffer Overflow1 Buffer Overflow Exploits Taken shamelessly from: netprog/overflow.ppt.
SQL Injection and Buffer overflow

SQL Injection and Buffer overflow
Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.

Control hijacking attacks Attacker’s goal: – Take over target machine (e.g. web server) Execute arbitrary code on target by hijacking application control.
Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.

Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Application Security Tom Chothia Computer Security, Lecture 14.

Application Security Tom Chothia Computer Security, Lecture 14.

Similar presentations

Ads by Google