Presentation is loading. Please wait.

Presentation is loading. Please wait.

Understand stack Buffer overflow attack and defense Controls against program threats.

Published byEugenia Paul Modified over 8 years ago

Similar presentations

Presentation on theme: "Understand stack Buffer overflow attack and defense Controls against program threats."— Presentation transcript:

1 Understand stack Buffer overflow attack and defense Controls against program threats

2 Computer Emergency Response Team (CERT) r At the Carnegie Mellon University http://www.cert.org r Formed after Morris Worm (after 1988)  A long report on Morris Worm by Eugene Spafford of Purdue CERIAS http://portal.acm.org/citation.cfm?id=66093.66095 YearTotal vulnerabilities 2007 7,236 2006 8,064 2005 5,990 2004 3,780 2003 3,784 2002 4,129 2001 2,437 2000 1,090 1999 417 1998 262 1997 311 1996 345 1995 171 No silver bullet to achieve security effortlessly 1. exhaustive testing of all program states is infeasible 2. software engineering techniques evolve rapidly Program control – specification & verification typical approach: specify a should-do list security needs: a shouldn’t-do list

3 Some definitions and Types of flaws r Program security flaw: unexpected behavior r Error: human mistake r Fault: an incorrect step, command, process, data definition in a program r Failure: departure from system’s required behavior A taxonomy of program flaws Intentional flaws Inadvertent flaws Malicious Non-malicious Validation, domain, serialization/aliasing, Identification/authentication Boundary condition violation Logic errors Landwehr [LAN93]

4 Buffer overflows Figure 3-1 Places Where a Buffer Can Overflow. r A buffer (or array or string) is a space in which data can be held  In memory, finite capacity  Checking bound takes time/space char sample[10]; for(i=0;i<=9;i++) sample[i]=‘A’; sample[10]=‘B’; Replace code in system space with kernel privilege Java checks array bound – no buffer overflow

5 Process memory region Stack is for procedure call – jump and return Use stack for: dynamically allocate local vars pass parameters to functions return values from functions Text Initialized) Data (uninitialized) Stack Text region: code, read-only data Static variables. If data region expands or stack space runs out, new memory is added between data and stack segments Stack: an abstract data type. Last in, first out (LIFO) PUSH: add an element at top of stack POP: remove element at top of stack Aleph One. Smashing the stack for fun and profit. 96. http://www.phrack.com/issues.html?issue=49&id=14

6 How a process uses its stack: Call stack, stack pointer r Stack buffer overflow occurs when information is written into the memory allocated to a variable on a stack, but the size of this information exceeds what was allocated at compile time.  HEAP buffer overflow – used in many drive-by downloads r Run-time stack, call stack, control stack, execution stack (all the same):  What a process uses to keep track of the sequence of subroutines called and local variables encountered r Stack frame: the consecutive stack space for each calling function that has not yet finished execution r Top stack frame: for function that just got called and is being executed r Stack pointer: memory location of the top of the stack  Stored in a register Avi Kak Computer Security lecture note

7 Another example //example1.c: void function(int a, int b, int c) { char buffer1[5]; char buffer2[10]; } void main() { function(1,2,3); } buffer2 buffer1 sfp ret a b c <------ [ ] [ ] [ ] [ ] [ ] [ ] [ ] Top of stack Bottom of memory Bottom of stack Top of memory sfp: saved frame pointer

8 An example of stack and stack frame // ex.c int main() { int x = foo( 10 ); printf( "the value of x = %d\n", x ); return 0; } int foo( int i ) { int ii = i + i; int iii = bar( ii ); int iiii = iii; return iiii; } int bar( int j ) { int jj = j + j; return jj; } stack_ptr--> jj return-address to caller j iii ii return-address to caller i x argc argv stack frame for bar stack frame for foo stack frame for main

9 .globl bar.type bar, @function bar: pushl %ebp movl %esp, %ebp movl 8(%ebp), %eax addl %eax, %eax popl %ebp ret.size bar,.-bar.globl foo.type foo, @function foo: pushl %ebp movl %esp, %ebp subl $4, %esp movl 8(%ebp), %eax addl %eax, %eax movl %eax, (%esp) call bar leave ret.size foo,.-foo continues Partial assembly code of ex.c in ex.S Compile with gcc -S –O ex.c –o ex.S

10 Inspecting the call stack – assembly code of ex.c To inspect the assembly code, run gcc -S -O ex.c -o ex.S esp: stack pointer – top of the stack ebp: base pointer (aka frame pointer) – param/local var of current statck frame eip: instruction pointer – next CPU instruction to be executed foo: pushl %ebppush value stored in register ebp onto stack movl %esp, %ebpmove value in register esp to ebp subl $4, %espsubstract 4 from value in esp (stack grows) movl 8(%ebp), %eaxmove i into an accumulator addl %eax, %eaxi+i movl %eax, (%esp)move accumulator content into stack location pointed to by the content of esp register – so that local var ii becomes the argument to bar call barcall bar leave ret Intel X86 32 bit architecture Avi Kak Computer Security lecture note

11 Another buffer overflow example void function(char *str) { char buffer[16]; strcpy(buffer,str); } void main() { char large_string[256]; int i; for( i = 0; i < 255; i++) large_string[i] = 'A'; function(large_string); } buffer sfp ret str* <------ [ ] [ ] [ ] [ ] Top of stack Bottom of stack Overwritten by ‘A’ (0x414141…) Return address is overwritten and becomes 0x41414141 You get segmentation fault Worse, attacker can change flow of program

12 Observing buffer overflow in action – try this at home #include int main() { while(1) foo(); } int foo(){ unsigned int yy = 0; char buffer[5]; char ch; int i = 0; printf("Say something: "); while ((ch = getchar()) != '\n') buffer[i++] = ch; buffer[i] = '\0'; printf("You said: %s\n", buffer); printf("The variable yy: %d\n", yy); return 0; } Avi Kak Computer Security lecture note gcc -fno-stack-protector buffover2.c -o buffover2

13 Heap overflow r Heap located above program code/global data r For use in dynamic data structures, e.g., linked lists r Can affect the memory following it r Unlike stack, there is no return address to overwrite r So aims to overwrite pointer to a function  E.g., a list of record containing data & their processing function

14 Another type of buffer overflow (usually in web applications) Overflow when passing parameters to a routine http://www.somesite.com/userinout.asp?param1=(808)555-1212&param2=2009Jan17 Web developer may just allocate 20 bytes for param1. How does the program handle long phone number, e.g., 1000 digits?

15 Defense against buffer overflow r Boundary checking, sanity checking by developers r Canaries: a know value on the stack just before the return address – canary word  Check the canary when function is to return  Stack guard by Crispin Cowan (a gcc extension) r Non-executable stacks r Address randomization r Compiler boundary checking  In Java  Java JVM may still be susceptible to buffer overflow attacks

Download ppt "Understand stack Buffer overflow attack and defense Controls against program threats."

Similar presentations

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.

David Brumley Carnegie Mellon University Credit: Some slides from Ed Schwartz.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.

Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.
Memory Image of Running Programs Executable file on disk, running program in memory, activation record, C-style and Pascal-style parameter passing.

Memory Image of Running Programs Executable file on disk, running program in memory, activation record, C-style and Pascal-style parameter passing.
1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)

1 Function Calls Professor Jennifer Rexford COS 217 Reading: Chapter 4 of “Programming From the Ground Up” (available online from the course Web site)
– 1 – 15-213, F’02 ICS05 Instructor: Peter A. Dinda TA: Bin Lin Recitation 4.

– 1 – , F’02 ICS05 Instructor: Peter A. Dinda TA: Bin Lin Recitation 4.
1 Homework Reading –PAL, pp 201-216, 297-312 Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.

1 Homework Reading –PAL, pp , Machine Projects –Finish mp2warmup Questions? –Start mp2 as soon as possible Labs –Continue labs with your.
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
September 22, 2014 Pengju (Jimmy) Jin Section E

September 22, 2014 Pengju (Jimmy) Jin Section E
Stack Activation Records Topics IA32 stack discipline Register saving conventions Creating pointers to local variables February 6, 2003 CSCE 212H Computer.

Stack Activation Records Topics IA32 stack discipline Register saving conventions Creating pointers to local variables February 6, 2003 CSCE 212H Computer.
Stacks and Frames Demystified CSCI 3753 Operating Systems Spring 2005 Prof. Rick Han.

Stacks and Frames Demystified CSCI 3753 Operating Systems Spring 2005 Prof. Rick Han.
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Computer Architecture and Operating Systems CS 3230 :Assembly Section Lecture 7 Department of Computer Science and Software Engineering University of Wisconsin-Platteville.

Computer Architecture and Operating Systems CS 3230 :Assembly Section Lecture 7 Department of Computer Science and Software Engineering University of Wisconsin-Platteville.
Assembly, Stacks, and Registers Kevin C. Su 9/26/2011.

Assembly, Stacks, and Registers Kevin C. Su 9/26/2011.
Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.

Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.
Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)

Lecture 6: Buffer Overflow CS 436/636/736 Spring 2014 Nitesh Saxena *Adopted from a previous lecture by Aleph One (Smashing the Stack for Fun and Profit)

Similar presentations

Ads by Google