Presentation is loading. Please wait.

Presentation is loading. Please wait.

Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:

Published by Modified over 8 years ago

Similar presentations

Presentation on theme: "Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:"— Presentation transcript:

1 Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143: Secure Sensor Networks

2 Overview Buffer Overruns Basics Techniques Stack Smashing Arc Injection Pointer Subterfuge Function-pointer Clobbering Data Pointer Modification Exception-handler Hijacking VPTR Smashing Heap Smashing Conclusions

3 What is a Buffer Overrun? When a program attempts to read or write beyond the end of a bounded array (also known as a buffer) Typically, attackers use this to modify a return address saved on the stack to point to code residing in a stack buffer at a known location

4 Examples Stack Buffer Overrun void f1a (void * arg, size_t len) { char buff[100]; memcpy(buf, arg, len) /* buffer overrun if len > 100 */ … return } Heap Buffer Overrun void f1b ( void * arg, size_t len){ char * ptr = malloc(100); if (ptr == NULL_ return; memcpy(ptr, arg, len); /* buffer overrun if len > 100 */ … return; }

5 How does it work? void function(char *str) { char buffer[16]; strcpy(buffer,str); } bottom of stack top of stack buffer sfp ret *str [ ][ ][ ][ ]

6 How does it work? – cont’d int main (){ char large_string[256];..fill ‘large_string’. function(large_string); } bottom of stack top of stack buffer sfp ret *str [ sssssssssss ][ ssss ][ 0xD8 ][ …. ]

7 Stack Smashing void f1a (void * arg, size_t len) { char buff[100]; memcpy(buf, arg, len) /* buffer overrun if len > 100 */ … return } Attacker must provide a value for arg that contains an executable payload and the address here the payload will be loaded into memory (the address of buff). Program control transferred to buff rather than return to the calling procedure.

8 Stack Smashing -- Enhancements Trampolining If buff’s absolute address is not known ahead of time, an attacker can use a program register R containing a value relative to buff by first transferring control to a sequence of instructions that indirectly transfers via R. Find the address on the stack using instructions pop/pop/return Separating payload (attacker’s code) from the buffer overrun operation. Storing code in an environment variable Good for overrunning small buffers

9 Arc Injection Attacker supplies data that, when a program operates on that data, causes a desired (by the attacker) effect. Uses a stack buffer overrun to modify return address to point to a location already in the program’s address space. Usually the system function in the C stdlib. Useful when the program has non-executable stacks

10 Pointer Subterfuge Involves modifying a pointer’s value. Many different attacks Function-pointer Clobbering Data Pointer Modification Exception-handler Hijacking VPTR Smashing

11 Function-pointer Clobbering Modifying a function pointer to point to attackers code. void f3 (void * arg, size_t len){ char buff[100]; void (*f) () = …; memcpy(buff, arg, len); /* buffer overrun */ f(); …return; } Use overrun to set f to buff, and call will send control to code in buff Can combine with Arc to point F to system call.

12 Data-pointer modification void f4(void * arg, size_t len){ char buff[100]; long val = …; long *ptr = …; extern void (*f)(); memcpy(buff, arg, len) /* overrun! */ *ptr = val; f(); … return;} Allows attacker to modify memory locations Can use *ptr = val to assign any 4 bytes of memory

13 Exception-handler hijacking When an exception is generated, Windows examines a linked list of exception handlers (registered by program when it starts) and invokes one or more of them via function pointers stored in the list. Because the list entries are stored on the stack, it is possible to replace the exception-handler function pointer with a buffer overflow. The known variations of this vulnerability are supposedly fixed in WindowsXP SP2.

14 VPTR smashing VTBL (associated with each class) is an array of function pointers used at runtime to implement dynamic dispatch. Objects point to appropriate VTBL with virtual pointers (VPTR) stored as part of the object’s header. Replacing the VPTR with a pointer to an attacker supplied VTBL transfers control when the next virtual function is invoked. Can apply to both stack and heap overruns

15 Heap smashing Allocators keep headers for each heap block chained together in a doublely linked list of allocated and freed blocks. If you have three adjacent blocks X, Y, Z; an overrun of X into Y can corrupt pointers in Y’s header, and lead to modification of arbitrary memory locations when Y is freed. More complicated because: Attacker typically doesn’t know the heap block’s location ahead of time Difficult to predict when heap-free operation will occur. Difficult (especially in with multiple threads) to predict whether the next block has been allocated at time of overrun.

16 Conclusions Buffer overruns are likely to be continued source of potential vulnerabilities. New techniques invalidate old assumptions: Arc injection needs no injected code Pointer subterfuge doesn’t overwrite return addresses Heap smashing and pointer subterfuge show not just the stack that’s vulnerable. Developers need to be cautious of ‘assumptions’. Arms race continues.

Download ppt "Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:"

Similar presentations

Dynamic memory allocation

Dynamic memory allocation
Dynamic Memory Allocation in C.  What is Memory What is Memory  Memory Allocation in C Memory Allocation in C  Difference b\w static memory allocation.

Dynamic Memory Allocation in C.  What is Memory What is Memory  Memory Allocation in C Memory Allocation in C  Difference b\w static memory allocation.
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Buffer Overflows By Tim Peterson Joel Miller Dan Block.

Buffer Overflows By Tim Peterson Joel Miller Dan Block.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.

Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.
Dynamic Memory Allocation in C++. Memory Segments in C++ Memory is divided in certain segments – Code Segment Stores application code – Data Segment Holds.

Dynamic Memory Allocation in C++. Memory Segments in C++ Memory is divided in certain segments – Code Segment Stores application code – Data Segment Holds.
1 Storage Registers vs. memory Access to registers is much faster than access to memory Goal: store as much data as possible in registers Limitations/considerations:

1 Storage Registers vs. memory Access to registers is much faster than access to memory Goal: store as much data as possible in registers Limitations/considerations:
1 1 Lecture 4 Structure – Array, Records and Alignment Memory- How to allocate memory to speed up operation Structure – Array, Records and Alignment Memory-

1 1 Lecture 4 Structure – Array, Records and Alignment Memory- How to allocate memory to speed up operation Structure – Array, Records and Alignment Memory-
Buffer Overflow. Process Memory Organization.

Buffer Overflow. Process Memory Organization.
Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.

Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.
Overview C programming Environment C Global Variables C Local Variables Memory Map for a C Function C Activation Records Example Compilation.

Overview C programming Environment C Global Variables C Local Variables Memory Map for a C Function C Activation Records Example Compilation.

Similar presentations

Ads by Google