Presentation is loading. Please wait.

Presentation is loading. Please wait.

Buffer Overflow Computer Organization II 1 ©2005-2013 McQuain Buffer Overflows Many of the following slides are based on those from Complete Powerpoint.

Published byDiana Golden Modified over 8 years ago

Similar presentations

Presentation on theme: "Buffer Overflow Computer Organization II 1 ©2005-2013 McQuain Buffer Overflows Many of the following slides are based on those from Complete Powerpoint."— Presentation transcript:

1 Buffer Overflow Computer Organization II 1 CS@VT ©2005-2013 McQuain Buffer Overflows Many of the following slides are based on those from Complete Powerpoint Lecture Notes for Computer Systems: A Programmer's Perspective (CS:APP) Randal E. BryantRandal E. Bryant and David R. O'HallaronDavid R. O'Hallaron http://csapp.cs.cmu.edu/public/lectures.html The book is used explicitly in CS 2505 and CS 3214 and as a reference in CS 2506.

2 Buffer Overflow Computer Organization II 2 CS@VT ©2005-2013 McQuain Buffer Overflows What is a buffer overflow? How can it be exploited? How can it be avoided? – Through programmer measures – Through system measures (and how effective are they?)

3 Buffer Overflow Computer Organization II 3 CS@VT ©2005-2013 McQuain String Library Code Implementation of Unix function gets No way to specify limit on number of characters to read /* Get string from stdin */ char *gets(char *dest) { int c = getc(); char *p = dest; while (c != EOF && c != '\n') { *p++ = c; c = getc(); } *p = '\0'; return dest; }

4 Buffer Overflow Computer Organization II 4 CS@VT ©2005-2013 McQuain Vulnerable Buffer Code int main() { printf("Type a string:"); echo(); return 0; } /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ gets(buf); puts(buf); }

5 Buffer Overflow Computer Organization II 5 CS@VT ©2005-2013 McQuain Buffer Overflow Executions unix>./bufdemo Type a string:123 123 unix>./bufdemo Type a string:12345 Segmentation Fault unix>./bufdemo Type a string:12345678 Segmentation Fault

6 Buffer Overflow Computer Organization II 6 CS@VT ©2005-2013 McQuain Buffer Overflow Stack echo: pushl %ebp# Save %ebp on stack movl %esp,%ebp subl $20,%esp# Allocate space on stack pushl %ebx# Save %ebx addl $-12,%esp# Allocate space on stack leal -4(%ebp),%ebx# Compute buf as %ebp-4 pushl %ebx# Push buf on stack call gets# Call gets... /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ gets(buf); puts(buf); } Return Address Saved %ebp [3][2][1][0] buf %ebp Stack Frame for main Stack Frame for echo

7 Buffer Overflow Computer Organization II 7 CS@VT ©2005-2013 McQuain Buffer Overflow Stack Example Before call to gets unix> gdb bufdemo (gdb) break echo Breakpoint 1 at 0x8048583 (gdb) run Breakpoint 1, 0x8048583 in echo () (gdb) print /x *(unsigned *)$ebp $1 = 0xbffff8f8 (gdb) print /x *((unsigned *)$ebp + 1) $3 = 0x804864d Return Address Saved %ebp [3][2][1][0] buf %ebp Stack Frame for main Stack Frame for echo 0xbffff8d8 Return Address Saved %ebp [3][2][1][0] buf Stack Frame for main Stack Frame for echo bffff8 0804864d xx 8048648:call 804857c 804864d:mov 0xffffffe8(%ebp),%ebx # Return Point

8 Buffer Overflow Computer Organization II 8 CS@VT ©2005-2013 McQuain Buffer Overflow Example #1 Before Call to gets Input = “123” No Problem 0xbffff8d8 Return Address Saved %ebp [3][2][1][0] buf Stack Frame for main Stack Frame for echo bffff8 0804864d 00333231 Return Address Saved %ebp [3][2][1][0] buf %ebp Stack Frame for main Stack Frame for echo

9 Buffer Overflow Computer Organization II 9 CS@VT ©2005-2013 McQuain Buffer Overflow Stack Example #2 Input = “12345” 8048592:push %ebx 8048593:call 80483e4 # gets 8048598:mov 0xffffffe8(%ebp),%ebx 804859b:mov %ebp,%esp 804859d:pop %ebp# %ebp gets set to invalid value 804859e:ret echo code: 0xbffff8d8 Return Address Saved %ebp [3][2][1][0] buf Stack Frame for main Stack Frame for echo bfff0035 0804864d 34333231 Return Address Saved %ebp [3][2][1][0] buf %ebp Stack Frame for main Stack Frame for echo Saved value of %ebp set to 0xbfff0035 Bad news when later attempt to restore %ebp

10 Buffer Overflow Computer Organization II 10 CS@VT ©2005-2013 McQuain Buffer Overflow Stack Example #3 Input = “12345678” Return Address Saved %ebp [3][2][1][0] buf %ebp Stack Frame for main Stack Frame for echo 0xbffff8d8 Return Address Saved %ebp [3][2][1][0] buf Stack Frame for main Stack Frame for echo 38373635 08048600 34333231 Invalid address No longer pointing to desired return point %ebp and return address corrupted 8048648:call 804857c 804864d:mov 0xffffffe8(%ebp),%ebx # Return Point

11 Buffer Overflow Computer Organization II 11 CS@VT ©2005-2013 McQuain Malicious Use of Buffer Overflow void foo(){ bar();... } Stack right after call to bar() toF return address toF foo stack frame bar stack frame B = &buf[0] buf[] void bar() { char buf[64];... }

12 Buffer Overflow Computer Organization II 12 CS@VT ©2005-2013 McQuain Malicious Use of Buffer Overflow gets() can now write whatever it wants, beginning at buf[0] void bar() { char buf[64]; gets(buf);... } void foo(){ bar();... } Stack right after call to gets() toF foo bar buf[] toB gets return address toB dest

13 Buffer Overflow Computer Organization II 13 CS@VT ©2005-2013 McQuain Malicious Use of Buffer Overflow Input string to gets() contains byte representation of executable code void bar() { char buf[64]; gets(buf);... } void foo(){ bar();... } Stack right before return from gets() toF foo bar buf[] toB gets return address toB dest And padding (which overwrites rest of bar()’s frame And new pointer that overwrites return address with address of buffer

14 Buffer Overflow Computer Organization II 14 CS@VT ©2005-2013 McQuain Malicious Use of Buffer Overflow void bar() { char buf[64]; gets(buf);... } void foo(){ bar();... } Stack right after return to bar() from gets() to buf[] foo bar buf[] When bar() executes ret, will jump to exploit code code padding

15 Buffer Overflow Computer Organization II 15 CS@VT ©2005-2013 McQuain Avoiding Overflow Vulnerability Use Library Routines that check/limit string lengths – fgets instead of gets – strncpy/strlcpy instead of strcpy – snprintf instead of sprintf – Don’t use scanf with %s conversion specification Use fgets to read the string /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ fgets(buf, 4, stdin); puts(buf); } http://lwn.net/Articles/507319/

Download ppt "Buffer Overflow Computer Organization II 1 ©2005-2013 McQuain Buffer Overflows Many of the following slides are based on those from Complete Powerpoint."

Similar presentations

Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.

Recitation 4 Outline Buffer overflow –Practical skills for Lab 3 Code optimization –Strength reduction –Common sub-expression –Loop unrolling Reminders.
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson

CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
Machine-Level Programming V: Miscellaneous Topics Topics Buffer Overflow Linux Memory Layout Understanding Pointers Floating-Point Code CS 105 Tour of.

Machine-Level Programming V: Miscellaneous Topics Topics Buffer Overflow Linux Memory Layout Understanding Pointers Floating-Point Code CS 105 Tour of.
Today C operators and their precedence Memory layout

Today C operators and their precedence Memory layout
Carnegie Mellon 1 Machine-Level Programming V: Advanced Topics 15-213: Introduction to Computer Systems 8 th Lecture, Sep. 16, 2010 Instructors: Randy.

Carnegie Mellon 1 Machine-Level Programming V: Advanced Topics : Introduction to Computer Systems 8 th Lecture, Sep. 16, 2010 Instructors: Randy.
Machine-Level Programming V: Miscellaneous Topics Sept. 24, 2002 Topics Linux Memory Layout Understanding Pointers Buffer Overflow Floating Point Code.

Machine-Level Programming V: Miscellaneous Topics Sept. 24, 2002 Topics Linux Memory Layout Understanding Pointers Buffer Overflow Floating Point Code.
Machine-Level Programming V: Miscellaneous Topics Topics Linux Memory Layout Buffer Overflow Floating Point Code CS213.

Machine-Level Programming V: Miscellaneous Topics Topics Linux Memory Layout Buffer Overflow Floating Point Code CS213.
– 1 – EECS213, S’08 Alignment Aligned Data Primitive data type requires K bytes Address must be multiple of K Required on some machines; advised on IA32.

– 1 – EECS213, S’08 Alignment Aligned Data Primitive data type requires K bytes Address must be multiple of K Required on some machines; advised on IA32.
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
Fabián E. Bustamante, Spring 2007 Machine-Level Prog. V – Miscellaneous Topics Today Buffer overflow Floating point code Next time Memory.

Fabián E. Bustamante, Spring 2007 Machine-Level Prog. V – Miscellaneous Topics Today Buffer overflow Floating point code Next time Memory.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
Introduction to x86 Assembly or “How does someone hack my laptop?”

Introduction to x86 Assembly or “How does someone hack my laptop?”
CSCE 815 Network Security Lecture 20 Intruders / Intrusion Detection April 3, 2003.

CSCE 815 Network Security Lecture 20 Intruders / Intrusion Detection April 3, 2003.
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Machine Programming – IA32 memory layout and buffer overflow CENG331: Introduction to Computer Systems 7 th Lecture Instructor: Erol Sahin Acknowledgement:

Machine Programming – IA32 memory layout and buffer overflow CENG331: Introduction to Computer Systems 7 th Lecture Instructor: Erol Sahin Acknowledgement:
Carnegie Mellon 1 This week Buffer Overflow  Vulnerability  Protection.

Carnegie Mellon 1 This week Buffer Overflow  Vulnerability  Protection.
1 UCR Common Software Attacks EE 260: Architecture/Hardware Support for Security Slide credits: some slides from Dave O’halloran, Lujo Bauer (CMU) and.

1 UCR Common Software Attacks EE 260: Architecture/Hardware Support for Security Slide credits: some slides from Dave O’halloran, Lujo Bauer (CMU) and.
CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.

CAP6135: Malware and Software Vulnerability Analysis Buffer Overflow : Example of Using GDB to Check Stack Memory Cliff Zou Spring 2011.
Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.

Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.

Similar presentations

Ads by Google