Presentation is loading. Please wait.

Presentation is loading. Please wait.

Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas.

Published byLorin Stanley Modified over 8 years ago

Similar presentations

Presentation on theme: "Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas."— Presentation transcript:

1 Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas

2 Buffer Overflow Attacks Buffer Overflow Attacks (B.O.A): A majority of attacks for which advisories are issued are based on B.O.A. Other forms of attacks, such as distributed denial of service attacks, sometimes rely on B.O.A. B.O.A. exploit the memory organization of the traditional activation stack model to overwrite the return address B.O.A. becomes possible due to bad SW engg practices Software purchaser has no way to prevent these bad practices and really can’t do much.

3 Security Concern Percentage of buffer overflows listed in CERT advisories each year Some examples include Windows 2003 server, sendmail, windows HTML conversion library Buffer Overflows Per Year as listed by CERT

4 Most Recent Warning Microsoft Windows animated cursor stack buffer overflow Public Date: March 29, 2007 Date Last Updated: April 4, 2007 Source: US-CERT Impact A remote, unauthenticated attacker may be able to execute arbitrary code or cause a denial-of-service condition System affected Microsoft Windows 2000 SP4 through Vista Overview Microsoft Windows contains a stack buffer overflow in the handling of animated cursor files. This vulnerability may allow a remote attacker to execute arbitrary code or cause a denial-of-service condition.

5 Background – Memory Layout Lower Memory Location Higher Memory Location Code Data Heap Stack Base Pointer Local Data Return Address Function Arguments Memory write direction Stack growth

6 Background – Function Call Sample Code void foo( char * Arg1) { char Buffer[64];....... } void main ( ) {....... foo( “abc” );....... } Stack Base Pointer Local Data Return Address Function Arguments Stack Frame of main function Base Pointer Local Data – Buffer[64] Return Address Function Arguments – “abc” Stack Frame of foo function ESP EBP ESP EBP

7 Buffer Overflow – Example Sample Code void fn (char *str) { char buffer[8]; strcpy (buffer, str); } void main( ) { char LargeString[256] ; for (int i=0; i<255; i++) LargeString [i] = ‘A’; fn(LargeString);....... } Stack LargeString = not initialized Base Pointer Return Address Function Arguments ESP EBP 41 41 41 41 64 bytes long data Buffer = not initialized Base Pointer Return Address Pointer to LargeString ESP EBP 41 41 41 41 41 41 41 41 Return address has changed !!!!

8 Issues in tackling BOA Do I have to modify my hardware? Do I have to modify my executable code? Do I have to modify my source code? Do I have to modify my compiler? Do I have to modify all of the above?

9 Buffer Overflow Solutions RAD: Ret. Addr. Defender stores return addr. in RAR area Impl. as a gcc compiler patch. All code has to be recompiled Stackguard: Stackguard inserts a ‘canary’ word to protect return address The ‘canary’ word can be compromised Propolice: stackguard + place buffers after pointers Same weaknesses as stackguard Splint: Splint allows the user to write annotations in the code that define allocated and used sizes User is required to write annotations Wagner’s Prevention Method: Static analysis solution Depends on source code availability

10 Buffer Overflow is achieved by overwriting the return address If a return address is recorded in a separate area, away from the buffer overflow, then it cannot be overwritten So modify the memory organization to add a new auxiliary return address stack, allocated in an area opposite to the direction of buffer write/overflow When a function call returns, it uses the return address from this new stack Transform the binary to make it consistent with this new memory organization. BinarySecure: An Overview

11 The return address is saved as part of the program execution stack This stack is uncompromised as memory writes occur in the opposite direction Lower Memory Location Higher Memory Location Code Data Heap Stack Base Pointer Local Data Return Address Function Arguments Memory write direction New Stack Stack growth direction

12 BinarySecure: An Overview Executable file Opcodes to be modified Disassembled file & Metadata Code flow graph Executable file Opcodes to be modified Code flow graph Executable with Modified opcodes Final executable with new instructions Executable file Disassembled file & Metadata Step - 1 Step – 2 Step - 3

13 Binary Secure: Specifications These are some of the conditions that must hold Code must be re-entrant Code should not modify the stack pointer Processor: Intel x386 Compiler: Dev C++ compiler 4.9.9.1 Platform: Windows

14 Advantages Binary code is analyzed. This can be used on third-party software where one does not have access to source code. Run-time checks require modification to the source code (Splint) Compiler modifications are costly and performing changes to all available compilers is not possible. (RAD, Stackguard) Return addresses are stored on the stack itself. Hence overhead incurred while accessing addresses in other areas is reduced.

15 Unresolved Problems Off by One Instead of return address, attacker targets base address, i.e., EBP. Caller’s Frame Buffer Local Data EBP EIP Function Arguments Caller’s Frame Buffer Local Data EBP EIP Function Arguments Before buffer overflow stored EBP points to caller’s frame After buffer overflow stored EBP points to somewhere inside frame

16 Unresolved Problems Function Pointers Vulnerability Buffer overruns may change local function pointers Virtual function tables and Call back functions are also vulnerable. Stack Buffer Function Pointer Function Argument Return Address EBP Some Function Before buffer overflow Function Pointer points to some function in program Stack Buffer Function Pointer Function Argument Return Address EBP Some Function Other Function After buffer overflow stored Function Pointer points to other malicious function

17 Unresolved Problems Format String Attack Sprintf and its variants in C and its derivatives use variable number of arguments; attacker can exploit format tokens in first argument and gain control of the system. The attacker can perform arbitrary writes in the stack and exploit any of previous vulnerabilities.

18 New Approach – Split Stack Higher Memory Location Lower Memory Location Code – Static Data Data Stack Non FP – Local Data Data Base Pointer Control Stack Non FP Arguments Memory write direction Stack growth direction Function Pointers Control Base Pointer Return Address Arguments with FPs Problems Off by One Have to protect base pointer as it is main target in this attack. Function Pointer Vulnerability Have to protect function pointers in local data. Solution Split stack in two part One part contains ‘data’ Other part has ‘control’ Store control in opposite to memory write direction Heap

19 Current State Split Stack follows same approach as Binary Secure but eliminates more vulnerabilities. Technique currently being evaluated; system for transforming the binary to be implemented (Doshi’s MS thesis; in progress). Issue: in splitting stack would be to detect function pointers. Solution?: keep all function pointers (incl. GOT) in control stack. Keep all other pointers and data in data stack

20 Questions…

Download ppt "Buffer Overflow Attack Proofing of Code Binary Gopal Gupta, Parag Doshi, R. Reghuramalingam, Doug Harris The University of Texas at Dallas."

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.

Defenses. Preventing hijacking attacks 1. Fix bugs: – Audit software Automated tools: Coverity, Prefast/Prefix. – Rewrite software in a type safe languange.
Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?

Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?
Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.

Exploring Security Vulnerabilities by Exploiting Buffer Overflow using the MIPS ISA Andrew T. Phillips Jack S. E. Tan Department of Computer Science University.
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 22 Jonathan Katz.
Review: Software Security David Brumley Carnegie Mellon University.

Review: Software Security David Brumley Carnegie Mellon University.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
Buffer Overflows By Tim Peterson Joel Miller Dan Block.

Buffer Overflows By Tim Peterson Joel Miller Dan Block.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.

Gabe Kanzelmeyer CS 450 4/14/10.  What is buffer overflow?  How memory is processed and the stack  The threat  Stack overrun attack  Dangers  Prevention.
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:

Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:
Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.

Security Protection and Checking in Embedded System Integration Against Buffer Overflow Attacks Zili Shao, Chun Xue, Qingfeng Zhuge, Edwin H.-M. Sha International.
Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.

Windows XP SP2 Stack Protection Jimmy Hermansson Johan Tibell.
Lecture 16 Buffer Overflow

Lecture 16 Buffer Overflow
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.

Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.
University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

University of Washington CSE 351 : The Hardware/Software Interface Section 5 Structs as parameters, buffer overflows, and lab 3.

Similar presentations

Ads by Google