Presentation is loading. Please wait.

Presentation is loading. Please wait.

University of Washington Today Happy Monday! HW2 due, how is Lab 3 going? Today we’ll go over:  Address space layout  Input buffers on the stack  Overflowing.

Published byMeryl Lawson Modified over 8 years ago

Similar presentations

Presentation on theme: "University of Washington Today Happy Monday! HW2 due, how is Lab 3 going? Today we’ll go over:  Address space layout  Input buffers on the stack  Overflowing."— Presentation transcript:

1 University of Washington Today Happy Monday! HW2 due, how is Lab 3 going? Today we’ll go over:  Address space layout  Input buffers on the stack  Overflowing buffers and injecting code  Defenses against buffer overflows

2 University of Washington IA32 Linux Memory Layout Stack  Runtime stack (8MB limit) Heap  Dynamically allocated storage  Allocated by malloc(), calloc(), new() Data  Statically allocated data  Read-only: string literals  Read/write: global arrays and variables Text  Executable machine instructions  Read-only Upper 2 hex digits = 8 bits of address FF 00 Stack Text Data Heap 08 8MB not drawn to scale 2

3 University of Washington IA32/Linux Stack Frame Current Stack Frame (“Top” to Bottom)  “Argument build” area (parameters for function about to be called)  Local variables (if can’t be kept in registers)  Saved register context (when reusing registers)  Old frame pointer (for caller) Caller’s Stack Frame  Return address  How does call/ret change the stack?  Arguments for this call Return Addr Saved Registers + Local Variables Argument Build Old %ebp Arguments Caller Frame Frame pointer %ebp Stack pointer %esp 3

4 University of Washington Memory Allocation Example char big_array[1<<24]; /* 16 MB */ char huge_array[1<<28]; /* 256 MB */ int beyond; char *p1, *p2, *p3, *p4; int useless() { return 0; } int main() { p1 = malloc(1 <<28); /* 256 MB */ p2 = malloc(1 << 8); /* 256 B */ p3 = malloc(1 <<28); /* 256 MB */ p4 = malloc(1 << 8); /* 256 B */ /* Some print statements... */ } FF 00 Stack Text Data Heap 08 not drawn to scale Where does everything go? 4

5 University of Washington IA32 Example Addresses $esp0xffffbcd0 p3 0x65586008 p1 0x55585008 p40x1904a110 p20x1904a008 &p20x18049760 beyond 0x08049744 big_array 0x18049780 huge_array 0x08049760 main()0x080483c6 useless() 0x08049744 final malloc()0x006be166 address range ~2 32 FF 00 Stack Text Data Heap 08 80 not drawn to scale malloc() is dynamically linked address determined at runtime 5

6 University of Washington Internet Worm These characteristics of the traditional IA32 Linux memory layout provide opportunities for malicious programs  Stack grows “backwards” in memory  Data and instructions both stored in the same memory November, 1988  Internet Worm attacks thousands of Internet hosts.  How did it happen? 6

7 University of Washington Internet Worm These characteristics of the traditional IA32 Linux memory layout provide opportunities for malicious programs  Stack grows “backwards” in memory  Data and instructions both stored in the same memory November, 1988  Internet Worm attacks thousands of Internet hosts.  How did it happen? The Internet Worm was based on stack buffer overflow exploits!  Many Unix functions do not check argument sizes  Allows target buffers to overflow 7

8 University of Washington Buffer Overflow in a nutshell Buffer overflows are possible because C doesn’t check array boundaries Buffer overflows are dangerous because buffers for user input are often stored on the stack  Probably the most common type of security vulnerability 8

9 University of Washington String Library Code Implementation of Unix function gets()  What could go wrong in this code? /* Get string from stdin */ char *gets(char *dest) { int c = getchar(); char *p = dest; while (c != EOF && c != '\n') { *p++ = c; c = getchar(); } *p = '\0'; return dest; } 9

10 University of Washington String Library Code Implementation of Unix function gets()  No way to specify limit on number of characters to read Similar problems with other Unix functions  strcpy : Copies string of arbitrary length  scanf, fscanf, sscanf, when given %s conversion specification /* Get string from stdin */ char *gets(char *dest) { int c = getchar(); char *p = dest; while (c != EOF && c != '\n') { *p++ = c; c = getchar(); } *p = '\0'; return dest; } 10

11 University of Washington Vulnerable Buffer Code int main() { printf("Type a string:"); echo(); return 0; } /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ gets(buf); puts(buf); } unix>./bufdemo Type a string:1234567 1234567 unix>./bufdemo Type a string:12345678 Segmentation Fault unix>./bufdemo Type a string:123456789ABC Segmentation Fault 11

12 University of Washington Buffer Overflow Disassembly 080484f0 : 80484f0:55 push %ebp 80484f1:89 e5 mov %esp,%ebp 80484f3:53 push %ebx 80484f4:8d 5d f8 lea 0xfffffff8(%ebp),%ebx 80484f7:83 ec 14 sub $0x14,%esp 80484fa:89 1c 24 mov %ebx,(%esp) 80484fd:e8 ae ff ff ff call 80484b0 8048502:89 1c 24 mov %ebx,(%esp) 8048505:e8 8a fe ff ff call 8048394 804850a:83 c4 14 add $0x14,%esp 804850d:5b pop %ebx 804850e:c9 leave 804850f:c3 ret 80485f2:e8 f9 fe ff ff call 80484f0 80485f7:8b 5d fc mov 0xfffffffc(%ebp),%ebx 80485fa:c9 leave 80485fb:31 c0 xor %eax,%eax 80485fd:c3 ret 12

13 University of Washington Buffer Overflow Stack echo: pushl %ebp# Save %ebp on stack movl %esp, %ebp pushl %ebx# Save %ebx leal -8(%ebp),%ebx# Compute buf as %ebp-8 subl $20, %esp# Allocate stack space movl %ebx, (%esp)# Push buf addr on stack call gets# Call gets... /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ gets(buf); puts(buf); } 13 Return Address Saved %ebp %ebp Stack Frame for main [3][2][1][0] buf Before call to gets Saved %ebx buf

14 University of Washington Buffer Overflow Stack Example 14 80485f2:call 80484f0 80485f7:mov 0xfffffffc(%ebp),%ebx # Return Point 0xffffc638 buf 0xffffc658 Return Address Saved %ebp Stack Frame for main [3][2][1][0] Stack Frame for main xx buf 58c6ff f7850408 Before call to gets Saved %ebx buf 0xffffc630

15 University of Washington Buffer Overflow Example #1 15 Overflow buf, and corrupt saved %ebx, but no problem, why? What happens if input has one more byte? 0xffffc638 0xffffc658 Stack Frame for main 34333231 buf 58c6ff f7850408 Input 1234567 00373635 buf Stack Frame for main xx Before call to gets Saved %ebx 58c6ff f7850408 0xffffc638 0xffffc658 0xffffc630

16 University of Washington Buffer Overflow Example #2 16 Frame pointer corrupted... 804850a:83 c4 14 add $0x14,%esp # deallocate space 804850d:5b pop %ebx # restore %ebx 804850e:c9 leave # movl %ebp, %esp; popl %ebp 804850f:c3 ret # Return 0xffffc638 0xffffc658 Stack Frame for main 34333231 buf 58c6ff00 f7850408 Input 12345678 38373635 buf Stack Frame for main xx Before call to gets Saved %ebx 58c6ff f7850408 0xffffc638 0xffffc658 0xffffc630

17 University of Washington Buffer Overflow Example #3 17 Return address corrupted 080485f2:call 80484f0 080485f7:mov 0xfffffffc(%ebp),%ebx # Return Point 0xffffc638 0xffffc658 Stack Frame for main 34333231 buf 43424139 f7850400 Input 123456789ABC 38373635 buf Stack Frame for main xx Before call to gets Saved %ebx 58c6ff f7850408 0xffffc638 0xffffc658 0xffffc630 Hmmm, what can you do with it?

18 University of Washington Malicious Use of Buffer Overflow 18 Input string contains byte representation of executable code Overwrite return address A with address of buffer (need to know B) When bar() executes ret, will jump to exploit code (instead of A) int bar() { char buf[64]; gets(buf);... return...; } void foo(){ bar();... } Stack after call to gets() B (was A) return address A foo stack frame bar stack frame B exploit code pad data written by gets()

19 University of Washington Exploits Based on Buffer Overflows Buffer overflow bugs allow remote machines to execute arbitrary code on victim machines Internet worm  Early versions of the finger server (fingerd) used gets() to read the argument sent by the client:  finger droh@cs.cmu.edu  Worm attacked fingerd server by sending phony argument:  finger “exploit-code padding new-return- address”  exploit code: executed a root shell on the victim machine with a direct TCP connection to the attacker 19

20 University of Washington Avoiding Overflow Vulnerability Use library routines that limit string lengths  fgets instead of gets (second argument to fgets sets limit)  strncpy instead of strcpy  Don’t use scanf with %s conversion specification  Use fgets to read the string  Or use %ns where n is a suitable integer Other ideas? /* Echo Line */ void echo() { char buf[4]; /* Way too small! */ fgets(buf, 4, stdin); puts(buf); } 20

21 University of Washington System-Level Protections Randomized stack offsets  At start of program, allocate random amount of space on stack  Makes it difficult for exploit to predict beginning of inserted code Use techniques to detect stack corruption Nonexecutable code segments  Only allow code to execute from “text” sections of memory  Do NOT execute code in stack, data, or heap regions  Hardware support needed 21 FF 00 Stack Text Data Heap 08 not drawn to scale

Download ppt "University of Washington Today Happy Monday! HW2 due, how is Lab 3 going? Today we’ll go over:  Address space layout  Input buffers on the stack  Overflowing."

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Machine-Level Programming V: Miscellaneous Topics Topics Buffer Overflow Linux Memory Layout Understanding Pointers Floating-Point Code CS 105 Tour of.

Machine-Level Programming V: Miscellaneous Topics Topics Buffer Overflow Linux Memory Layout Understanding Pointers Floating-Point Code CS 105 Tour of.
Machine Programming – Procedures and IA32 Stack CENG334: Introduction to Operating Systems Instructor: Erol Sahin Acknowledgement: Most of the slides are.

Machine Programming – Procedures and IA32 Stack CENG334: Introduction to Operating Systems Instructor: Erol Sahin Acknowledgement: Most of the slides are.
Today C operators and their precedence Memory layout

Today C operators and their precedence Memory layout
Carnegie Mellon 1 Machine-Level Programming V: Advanced Topics 15-213: Introduction to Computer Systems 8 th Lecture, Sep. 16, 2010 Instructors: Randy.

Carnegie Mellon 1 Machine-Level Programming V: Advanced Topics : Introduction to Computer Systems 8 th Lecture, Sep. 16, 2010 Instructors: Randy.
University of Washington Last Time For loops  for loop → while loop → do-while loop → goto version  for loop → while loop → goto “jump to middle” version.

University of Washington Last Time For loops  for loop → while loop → do-while loop → goto version  for loop → while loop → goto “jump to middle” version.
Machine-Level Programming V: Miscellaneous Topics Sept. 24, 2002 Topics Linux Memory Layout Understanding Pointers Buffer Overflow Floating Point Code.

Machine-Level Programming V: Miscellaneous Topics Sept. 24, 2002 Topics Linux Memory Layout Understanding Pointers Buffer Overflow Floating Point Code.
Machine-Level Programming V: Miscellaneous Topics Topics Linux Memory Layout Buffer Overflow Floating Point Code CS213.

Machine-Level Programming V: Miscellaneous Topics Topics Linux Memory Layout Buffer Overflow Floating Point Code CS213.
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
September 22, 2014 Pengju (Jimmy) Jin Section E

September 22, 2014 Pengju (Jimmy) Jin Section E
Fabián E. Bustamante, Spring 2007 Machine-Level Prog. V – Miscellaneous Topics Today Buffer overflow Floating point code Next time Memory.

Fabián E. Bustamante, Spring 2007 Machine-Level Prog. V – Miscellaneous Topics Today Buffer overflow Floating point code Next time Memory.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.
Introduction to x86 Assembly or “How does someone hack my laptop?”

Introduction to x86 Assembly or “How does someone hack my laptop?”
Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-

Security Exploiting Overflows. Introduction r See the following link for more info: operating-systems-and-applications-in-
Machine Programming – IA32 memory layout and buffer overflow CENG331: Introduction to Computer Systems 7 th Lecture Instructor: Erol Sahin Acknowledgement:

Machine Programming – IA32 memory layout and buffer overflow CENG331: Introduction to Computer Systems 7 th Lecture Instructor: Erol Sahin Acknowledgement:
Carnegie Mellon 1 This week Buffer Overflow  Vulnerability  Protection.

Carnegie Mellon 1 This week Buffer Overflow  Vulnerability  Protection.
1 UCR Common Software Attacks EE 260: Architecture/Hardware Support for Security Slide credits: some slides from Dave O’halloran, Lujo Bauer (CMU) and.

1 UCR Common Software Attacks EE 260: Architecture/Hardware Support for Security Slide credits: some slides from Dave O’halloran, Lujo Bauer (CMU) and.
Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.

Fall 2008CS 334: Computer SecuritySlide #1 Smashing The Stack A detailed look at buffer overflows as described in Smashing the Stack for Fun and Profit.
Functions & Activation Records Recursion

Functions & Activation Records Recursion
IA32 Linux Memory Layout Stack Heap Data Text not drawn to scale FF

IA32 Linux Memory Layout Stack Heap Data Text not drawn to scale FF

Similar presentations

Ads by Google