Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lecture 9: Buffer Ovefflows and ROP EEN 312: Processors: Hardware, Software, and Interfacing Department of Electrical and Computer Engineering Spring 2014,

Published byJasper Norton Modified over 8 years ago

Similar presentations

Presentation on theme: "Lecture 9: Buffer Ovefflows and ROP EEN 312: Processors: Hardware, Software, and Interfacing Department of Electrical and Computer Engineering Spring 2014,"— Presentation transcript:

1 Lecture 9: Buffer Ovefflows and ROP EEN 312: Processors: Hardware, Software, and Interfacing Department of Electrical and Computer Engineering Spring 2014, Dr. Rozier (UM)

2 BUFFER OVERFLOWS

3 Buffer Overflows General Overview of Buffer Overflow Mechanism Real Life Examples - SQL Slammer - Blaster Prevention and Detection Mechanisms

4 General Overview Can be done on the stack or on the heap. Can be used to overwrite the return address (transferring control when returning) or function pointers (transferring control when calling the function) “Smashing the Stack” (overflowing buffers on the stack to overwrite the return address) is the easiest vulnerability to exploit and the most common type in practice

5 Are Buffer Overflows Really A Problem? A large percentage of CERT advisories are about buffer overflow vulnerabilities. They dominate the area of remote penetration attacks, since they give the attacker exactly what they want - the ability to inject and execute attack code.

6 Are Buffer Overflows Really A Problem?

7 Anatomy of the Stack Executable Code Data Heap Stack Lower Memory Addresses Assumptions Stack grows down (Intel, Motorola, SPARC, MIPS) Stack pointer points to the last address on the stack

8 Example Program void function(int a, int b, int c){ char buffer1[5]; char buffer2[10]; } int main(){ function(1,2,3); } Let us consider how the stack of this program would look:

9 Stack Frame Function Parameters Return Address Saved Frame Pointer Local Variables Higher Memory Addresses pushl$3 pushl$2 pushl$1 call function function prolog pushl%ebp movl%esp, %ebp subl$20, %esp Allocates space for local variables

10 Linear View Of Frame/Stack 444 cba 44 retsfpbuffer1buffer2 812 Top of memory Bottom of stack Bottom of memory Top of stack

11 Example Program 2 Buffer overflows take advantage of the fact that bounds checking is not performed void function(char *str){ char buffer[16]; strcpy(buffer, str); } int main(){ char large_string[256]; int i; for (i = 0; i < 255; i++){ large_string[i] = ‘A’; } function(large_string); }

12 Example Program 2 When this program is run, it results in a segmentation violation 4 *str 44 retsfpbuffer 16 Top of memory Bottom of stack Bottom of memory Top of stack AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA A A A A A A A A A A A A A A A A The return address is overwritten with ‘AAAA’ (0x41414141) Function exits and goes to execute instruction at 0x41414141…..

13 Example Program 3 Can we take advantage of this to execute code, instead of crashing? void function(int a, int b, int c){ char buffer1[5]; char buffer2[10]; int *r; r = buffer1 + 12; (*r) += 8; } int main(){ int x = 0; function(1,2,3); x = 1; printf(“%d\n”, x); }

14 Example Program 3 444 cba 44 retsfpbuffer1buffer2 812 Top of memory Bottom of stack Bottom of memory Top of stack 4 r +8 Note: modern implementations have extra info in the stack between the local variables and sfp. This would slightly impact the value added to the address of buffer1. buffer1 + 12 This causes it to skip the assignment of 1 to x, and prints out 0 for the value of x

15 15 Slammer Worm Info First example of a high speed worm (previously only existed in theory) Infected a total of 75,000 hosts in about 30 minutes Infected 90% of vulnerable hosts in 10 min Exploited a vulnerability in MS SQL Server Resolution Service, for which a patch had been available for 6 months

16 16 Slammer Worm Info Code randomly generated an IP address and sent out a copy of itself Used UDP - limited by bandwidth, not network latency (TCP handshake). Packet was just 376 bytes long… Spread doubled every 8.5 seconds Max scanning rate (55 million scans/second) reached in 3 minutes

17 17 Slammer Worm

18 18 Slammer Worm

19 19 Slammer Worm Could have been much worse Slammer carried a benign payload - devastated the network with a DOS attack, but left hosts alone Bug in random number generator caused Slammer to spread more slowly (last two bits of the first address byte never changed)

20 ARM Defenses ARM attempts to defend against these attacks by protecting the stack! – Stack is not executable memory. – Exception if we try to jump to it. But… we can still overwrite the stack!

21 Why doesn’t the Processor Protect the Stack from being Overwritten?

22 Attacking the LR We can overwrite the LR to jump to places we aren’t allowed to jump to! Execute any code already extant on the system.

23 Breaching the Gates How do we circumvent non-executable stacks? Common method for x86-64: Ret2Libc – Libc library is mapped into the memory space of most programs. – Once we corrupt the stack, we can point the LR at a function in Libc – Good target: system() which can be passed the argument “/bin/sh” to get a shell

24 Breaching the Gates Why is this method not possible on ARM?

25 Breaching the Gates Why is this method not possible on ARM? – IA32/x86-64 arguments are where? – ARM arguments are where?

26 Breaching the Gates We need to get the registers filled appropriately some other way…

27 Finding a Double Agent

28 Breaching the Gates

29

30

31 ABCDEFGH JunkValid address erand48 address address of “bin/sh” string (r0) Junk (r1) Valid address system() address “/bin/sh” argument

32 Breaching the Gates

33 The Attack

34 Finding Other Vectors

35 Gadgets

36

37

38 For next time Read Chapter 4, Sections 4.5 – 4.9 Project 3 out Friday

Download ppt "Lecture 9: Buffer Ovefflows and ROP EEN 312: Processors: Hardware, Software, and Interfacing Department of Electrical and Computer Engineering Spring 2014,"

Similar presentations

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)

Buffer Overflows Nick Feamster CS 6262 Spring 2009 (credit to Vitaly S. from UT for slides)
Smashing the Stack for Fun and Profit

Smashing the Stack for Fun and Profit
Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?

Integrity & Malware Dan Fleck CS469 Security Engineering Some of the slides are modified with permission from Quan Jia. Coming up: Integrity – Who Cares?
Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.

Computer Security: Principles and Practice EECS710: Information Security Professor Hossein Saiedian Fall 2014 Chapter 10: Buffer Overflow.
Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.

Computer Security: Principles and Practice First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Chapter 11 – Buffer Overflow.
Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.

Lecture 16 Buffer Overflow modified from slides of Lawrie Brown.
Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.

Foundations of Network and Computer Security J J ohn Black Lecture #30 Nov 26 th 2007 CSCI 6268/TLEN 5831, Fall 2007.
Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.

Breno de MedeirosFlorida State University Fall 2005 Buffer overflow and stack smashing attacks Principles of application software security.
1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.

1 CHAPTER 8 BUFFER OVERFLOW. 2 Introduction One of the more advanced attack techniques is the buffer overflow attack Buffer Overflows occurs when software.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:

Beyond Stack Smashing: Recent Advances in Exploiting Buffer Overruns Jonathan Pincus Microsoft Research Brandon Baker Microsoft Carl Hartung CSCI 7143:
Smashing the Stack A General Overview of Buffer Overflow Attacks and How To Write Safe Code Mark Shaneck October 22, 2003 Mark Shaneck October 22, 2003.

Smashing the Stack A General Overview of Buffer Overflow Attacks and How To Write Safe Code Mark Shaneck October 22, 2003 Mark Shaneck October 22, 2003.
Buffer Overflow. Process Memory Organization.

Buffer Overflow. Process Memory Organization.
Smashing the Stack Launching or Preventing a Slammer-like Worm Mark Shaneck October 20, 2003 Mark Shaneck October 20, 2003.

Smashing the Stack Launching or Preventing a Slammer-like Worm Mark Shaneck October 20, 2003 Mark Shaneck October 20, 2003.
Smashing the Stack Launching or Preventing a Slammer-like Worm Mark Shaneck October 15, 2003 Mark Shaneck October 15, 2003.

Smashing the Stack Launching or Preventing a Slammer-like Worm Mark Shaneck October 15, 2003 Mark Shaneck October 15, 2003.
Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.

Assembly תרגול 8 פונקציות והתקפת buffer.. Procedures (Functions) A procedure call involves passing both data and control from one part of the code to.
Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh

Andrea Bittau, Adam Belay, Ali Mashtizadeh, David Maziéres, Dan Boneh
Lecture 16 Buffer Overflow

Lecture 16 Buffer Overflow
CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 20 Jonathan Katz.
Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.

Address Obfuscation: An Efficient Approach to Combat a Broad Range of Memory Error Exploits Sandeep Bhatkar, Daniel C. DuVarney, and R. Sekar Stony Brook.

Similar presentations

Ads by Google