Presentation is loading. Please wait.

Presentation is loading. Please wait.

University of Washington Today Memory layout Buffer overflow, worms, and viruses 1.

Published byCorey Strickland Modified over 8 years ago

Similar presentations

Presentation on theme: "University of Washington Today Memory layout Buffer overflow, worms, and viruses 1."— Presentation transcript:

1 University of Washington Today Memory layout Buffer overflow, worms, and viruses 1

2 University of Washington IA32 Linux Memory Layout Stack  Runtime stack (8MB limit) Heap  Dynamically allocated storage  When call malloc(), calloc(), new() Data  Statically allocated data  E.g., arrays & strings declared in code Text  Executable machine instructions  Read-only Upper 2 hex digits = 8 bits of address FF 00 Stack Text Data Heap 08 8MB not drawn to scale 2

3 University of Washington Memory Allocation Example char big_array[1<<24]; /* 16 MB */ char huge_array[1<<28]; /* 256 MB */ int beyond; char *p1, *p2, *p3, *p4; int useless() { return 0; } int main() { p1 = malloc(1 <<28); /* 256 MB */ p2 = malloc(1 << 8); /* 256 B */ p3 = malloc(1 <<28); /* 256 MB */ p4 = malloc(1 << 8); /* 256 B */ /* Some print statements... */ } FF 00 Stack Text Data Heap 08 not drawn to scale Where does everything go? 3

4 University of Washington IA32 Example Addresses $esp0xffffbcd0 p3 0x65586008 p1 0x55585008 p40x1904a110 p20x1904a008 &p20x18049760 beyond 0x08049744 big_array 0x18049780 huge_array 0x08049760 main()0x080483c6 useless() 0x08049744 final malloc()0x006be166 address range ~2 32 FF 00 Stack Text Data Heap 08 80 not drawn to scale malloc() is dynamically linked address determined at runtime 4

5 University of Washington Internet Worm November, 1988  Internet Worm attacks thousands of Internet hosts.  How did it happen? 5

6 University of Washington Internet Worm November, 1988  Internet Worm attacks thousands of Internet hosts.  How did it happen? The Internet Worm was based on stack buffer overflow exploits!  many Unix functions do not check argument sizes  allows target buffers to overflow 6

7 University of Washington String Library Code Implementation of Unix function gets()  Anything interesting? /* Get string from stdin */ char *gets(char *dest) { int c = getchar(); char *p = dest; while (c != EOF && c != '\n') { *p++ = c; c = getchar(); } *p = '\0'; return dest; } 7

8 University of Washington String Library Code Implementation of Unix function gets()  No way to specify limit on number of characters to read Similar problems with other Unix functions  strcpy : Copies string of arbitrary length  scanf, fscanf, sscanf, when given %s conversion specification /* Get string from stdin */ char *gets(char *dest) { int c = getchar(); char *p = dest; while (c != EOF && c != '\n') { *p++ = c; c = getchar(); } *p = '\0'; return dest; } 8

9 University of Washington Vulnerable Buffer Code int main() { printf("Type a string:"); echo(); return 0; } /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ gets(buf); puts(buf); } unix>./bufdemo Type a string:1234567 1234567 unix>./bufdemo Type a string:12345678 Segmentation Fault unix>./bufdemo Type a string:123456789ABC Segmentation Fault 9

10 University of Washington Buffer Overflow Disassembly 080484f0 : 80484f0:55 push %ebp 80484f1:89 e5 mov %esp,%ebp 80484f3:53 push %ebx 80484f4:8d 5d f8 lea 0xfffffff8(%ebp),%ebx 80484f7:83 ec 14 sub $0x14,%esp 80484fa:89 1c 24 mov %ebx,(%esp) 80484fd:e8 ae ff ff ff call 80484b0 8048502:89 1c 24 mov %ebx,(%esp) 8048505:e8 8a fe ff ff call 8048394 804850a:83 c4 14 add $0x14,%esp 804850d:5b pop %ebx 804850e:c9 leave 804850f:c3 ret 80485f2:e8 f9 fe ff ff call 80484f0 80485f7:8b 5d fc mov 0xfffffffc(%ebp),%ebx 80485fa:c9 leave 80485fb:31 c0 xor %eax,%eax 80485fd:c3 ret 10

11 University of Washington Buffer Overflow Stack echo: pushl %ebp# Save %ebp on stack movl %esp, %ebp pushl %ebx# Save %ebx leal -8(%ebp),%ebx# Compute buf as %ebp-8 subl $20, %esp# Allocate stack space movl %ebx, (%esp)# Push buf addr on stack call gets# Call gets... /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ gets(buf); puts(buf); } Return Address Saved %ebp %ebp Stack Frame for main Stack Frame for echo [3][2][1][0] buf Before call to gets 11

12 University of Washington Buffer Overflow Stack Example 12 80485f2:call 80484f0 80485f7:mov 0xfffffffc(%ebp),%ebx # Return Point 0xffffc638 buf 0xffffc658 Return Address Saved %ebp Stack Frame for main Stack Frame for echo [3][2][1][0] Stack Frame for main Stack Frame for echo xx buf ff c658 080485f7 Before call to gets

13 University of Washington Buffer Overflow Example #1 13 Overflow buf, but no problem 0xffffc638 0xffffc658 Stack Frame for main Stack Frame for echo xx buf 0xffffc638 0xffffc658 Stack Frame for main Stack Frame for echo 34333231 buf 00373635 Before call to gets Input 1234567 ff c658 080485f7 ff c658 080485f7

14 University of Washington Buffer Overflow Example #2 14 Base pointer corrupted 0xffffc638 0xffffc658 Stack Frame for main Stack Frame for echo xx buf 0xffffc638 0xffffc658 Stack Frame for main Stack Frame for echo 34333231 buf 00 38373635 Before call to gets Input 12345678... 804850a:83 c4 14 add $0x14,%esp # deallocate space 804850d:5b pop %ebx # restore %ebx 804850e:c9 leave # movl %ebp, %esp; popl %ebp 804850f:c3 ret # Return ff c658 080485f7 ffc658 080485f7

15 University of Washington Buffer Overflow Example #3 15 Return address corrupted 0xffffc638 0xffffc658 Stack Frame for main Stack Frame for echo xx buf 0xffffc638 0xffffc658 Stack Frame for main Stack Frame for echo 34333231 buf 43424139 00 38373635 Before call to gets Input 123456789ABC 80485f2:call 80484f0 80485f7:mov 0xfffffffc(%ebp),%ebx # Return Point ff c658 080485f7 0485f7

16 University of Washington Malicious Use of Buffer Overflow 16 Input string contains byte representation of executable code Stack frame must be big enough to hold exploit code Overwrite return address with address of buffer (need to know B) When bar() executes ret, will jump to exploit code (instead of A) int bar() { char buf[64]; gets(buf);... return...; } void foo(){ bar();... } Stack after call to gets() B (was A) return address A foo stack frame bar stack frame B exploit code pad data written by gets()

17 University of Washington Exploits Based on Buffer Overflows Buffer overflow bugs allow remote machines to execute arbitrary code on victim machines Internet worm  Early versions of the finger server (fingerd) used gets() to read the argument sent by the client:  finger droh@cs.cmu.edu  Worm attacked fingerd server by sending phony argument:  finger “exploit-code padding new-return- address”  exploit code: executed a root shell on the victim machine with a direct TCP connection to the attacker. 17

18 University of Washington Code Red Worm History  June 18, 2001. Microsoft announces buffer overflow vulnerability in IIS Internet server  July 19, 2001. over 250,000 machines infected by new virus in 9 hours  White house must change its IP address. Pentagon shut down public WWW servers for day 18

19 University of Washington Code Red Exploit Code Starts 100 threads running Spread self  Generate random IP addresses & send attack string  Between 1st & 19th of month Attack www.whitehouse.gov  Send 98,304 packets; sleep for 4-1/2 hours; repeat  Denial of service attack  Between 21st & 27th of month Deface server’s home page  After waiting 2 hours Later versions even more aggressive And it goes on still… 19

20 University of Washington Avoiding Overflow Vulnerability Use library routines that limit string lengths  fgets instead of gets (second argument to fgets sets limit)  strncpy instead of strcpy  Don’t use scanf with %s conversion specification  Use fgets to read the string  Or use %ns where n is a suitable integer /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ fgets(buf, 4, stdin); puts(buf); } 20

21 University of Washington System-Level Protections Randomized stack offsets  At start of program, allocate random amount of space on stack  Makes it difficult for hacker to predict beginning of inserted code Nonexecutable code segments  Only allow code to execute from “text” sections of memory  Do NOT execute code in stack, data, or heap regions  Hardware support 21 FF 00 Stack Text Data Heap 08 not drawn to scale

22 University of Washington Worms and Viruses Worm: A program that  Can run by itself  Can propagate a fully working version of itself to other computers Virus: Code that  Adds itself to other programs  Cannot run independently Both are (usually) designed to spread among computers and to wreak havoc (and, these days, profit$$$) 22

Download ppt "University of Washington Today Memory layout Buffer overflow, worms, and viruses 1."

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson

CSc 352 Programming Hygiene Saumya Debray Dept. of Computer Science The University of Arizona, Tucson
Machine-Level Programming V: Miscellaneous Topics Topics Buffer Overflow Linux Memory Layout Understanding Pointers Floating-Point Code CS 105 Tour of.

Machine-Level Programming V: Miscellaneous Topics Topics Buffer Overflow Linux Memory Layout Understanding Pointers Floating-Point Code CS 105 Tour of.
Today C operators and their precedence Memory layout

Today C operators and their precedence Memory layout
Carnegie Mellon 1 Machine-Level Programming V: Advanced Topics 15-213: Introduction to Computer Systems 8 th Lecture, Sep. 16, 2010 Instructors: Randy.

Carnegie Mellon 1 Machine-Level Programming V: Advanced Topics : Introduction to Computer Systems 8 th Lecture, Sep. 16, 2010 Instructors: Randy.
Machine-Level Programming V: Miscellaneous Topics Sept. 24, 2002 Topics Linux Memory Layout Understanding Pointers Buffer Overflow Floating Point Code.

Machine-Level Programming V: Miscellaneous Topics Sept. 24, 2002 Topics Linux Memory Layout Understanding Pointers Buffer Overflow Floating Point Code.
Machine-Level Programming V: Miscellaneous Topics Topics Linux Memory Layout Buffer Overflow Floating Point Code CS213.

Machine-Level Programming V: Miscellaneous Topics Topics Linux Memory Layout Buffer Overflow Floating Point Code CS213.
– 1 – EECS213, S’08 Alignment Aligned Data Primitive data type requires K bytes Address must be multiple of K Required on some machines; advised on IA32.

– 1 – EECS213, S’08 Alignment Aligned Data Primitive data type requires K bytes Address must be multiple of K Required on some machines; advised on IA32.
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
Fabián E. Bustamante, Spring 2007 Machine-Level Prog. V – Miscellaneous Topics Today Buffer overflow Floating point code Next time Memory.

Fabián E. Bustamante, Spring 2007 Machine-Level Prog. V – Miscellaneous Topics Today Buffer overflow Floating point code Next time Memory.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
Introduction to x86 Assembly or “How does someone hack my laptop?”

Introduction to x86 Assembly or “How does someone hack my laptop?”
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Machine Programming – IA32 memory layout and buffer overflow CENG331: Introduction to Computer Systems 7 th Lecture Instructor: Erol Sahin Acknowledgement:

Machine Programming – IA32 memory layout and buffer overflow CENG331: Introduction to Computer Systems 7 th Lecture Instructor: Erol Sahin Acknowledgement:
Carnegie Mellon 1 This week Buffer Overflow  Vulnerability  Protection.

Carnegie Mellon 1 This week Buffer Overflow  Vulnerability  Protection.
1 UCR Common Software Attacks EE 260: Architecture/Hardware Support for Security Slide credits: some slides from Dave O’halloran, Lujo Bauer (CMU) and.

1 UCR Common Software Attacks EE 260: Architecture/Hardware Support for Security Slide credits: some slides from Dave O’halloran, Lujo Bauer (CMU) and.
Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.

Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.
Functions & Activation Records Recursion

Functions & Activation Records Recursion
Carnegie Mellon Introduction to Computer Systems 15-213/18-243, spring 2009 10 th Lecture, Feb. 12 th Instructors: Gregory Kesden and Markus Püschel.

Carnegie Mellon Introduction to Computer Systems /18-243, spring th Lecture, Feb. 12 th Instructors: Gregory Kesden and Markus Püschel.
IA32 Linux Memory Layout Stack Heap Data Text not drawn to scale FF

IA32 Linux Memory Layout Stack Heap Data Text not drawn to scale FF

Similar presentations

Ads by Google