Buffer overflows and various code injection methods Raghunathan Srinivasan CSE 539, 2/2/2011

  • Slide 1
  • Buffer overflows and various code injection methods Raghunathan Srinivasan CSE 539, 2/2/2011
  • Slide 2
  • What is the deal with overflows? Why do they exist? Can we get rid of them? Why can't we get rid of them?
  • Slide 3
  • Since 80% of the general population uses a Microsoft OS, let's Google "Microsoft buffer overflow".
  • Slide 4
  • Bounds checking?
        #include <stdio.h>

        int main() {
            int a[4];
            int n;
            scanf("%d", &n);        /* n is never checked against the size of a */
            while (n > 0) {
                scanf("%d", &a[n]); /* for any n > 3 this writes past the end of a */
                n--;
            }
            return 0;
        }
  • Slide 5
  • With a bounds check:
        #include <stdio.h>

        int main() {
            int a[4];
            int n;
            scanf("%d", &n);
            if (n > 3) n = 3;       // clamp the index (or return instead)
            while (n > 0) {
                scanf("%d", &a[n]);
                n--;
            }
            return 0;
        }
  • Slide 6
  • Why buffer overflow is possible: Are our machines different? What does the stack look like?
  • Slide 7
  • Takeaways? How secure is any code? What would happen if we all used a different architecture, a custom-compiled OS?
  • Slide 8
  • Benefits of custom compilation: Randomize application memory. Modify the relative distance between the return address and the locals on the stack for every binary. The attacker needs to determine the correct input values for every binary. Return on investment is lower.
  • Slide 9
  • Randomize the stack frame of every routine: add padding between the local variables and the return address. Makes buffer overflow exploits difficult. So how to randomize the code? Source code? Executable?
  • Slide 10
  • Binary rewriting: No net instructions added (or subtracted). Change the arguments for adding space on the stack. Every instruction that uses locations on the stack (local variables) has to be fixed.
  • Slide 11
  • void foo() { char buffer[1024]; gets(buffer); }
    Disassembly:
        push   %ebp
        mov    %esp,%ebp
        sub    $0x408,%esp
        lea    -0x400(%ebp),%eax
        mov    %eax,(%esp)
        call   80482c8
        leave
        ret
  • Slide 12
  • So what instructions need to be modified? A) B) C)
  • Slide 13
  • Was this done? Yes. Use objdump to parse out the text section. Identify the instructions. Determine the max pad for each function. Go and rewrite the instructions.
  • Slide 14
  • Code injection: mprotect, ptrace. Let's take a look at the man pages of these system calls.
  • Slide 15
  • Let's write code:
        #include <stdio.h>
        #include <stdlib.h>
        #include <errno.h>
        #include <stdint.h>     /* uintptr_t, so the page mask also works on 64-bit */
        #include <sys/mman.h>
        #include <limits.h>     /* for PAGESIZE */
        #ifndef PAGESIZE
        #define PAGESIZE 4096
        #endif

        int test();

        int main() {
            char *location = (char *)test;   /* first byte of test()'s code */
            char *d = (char *)test;
            test();
            printf("\nAttempting not possible stuff");
            fflush(NULL);
            /* mprotect wants a page-aligned start: round down to the page holding test() */
            d = (char *)(((uintptr_t)d) & ~(uintptr_t)(PAGESIZE - 1));
            if (mprotect(d, 1024, PROT_WRITE | PROT_EXEC)) {
                perror("Couldn't mprotect");
                exit(errno);
            }
            location[1] = 0xc3;   /* overwrite the second byte of test() with ret (0xc3) */
            test();
            printf("\nShould not be here");
            fflush(NULL);
            return 0;
        }

        int test() {
            printf("\n hello from test");
            return 0;
        }
  • Slide 16
  • What does this show? If an application wants to, it can cause havoc on itself. Is this useful? But this is a system call, and all system calls are available to every binary. Can you make the execution jump to mprotect with correct stack arguments?
  • Slide 17
  • ptrace: A parent process may observe and control a child process. Essentially a debugger.
  • Slide 18
  • fork: Creates a child process. Execution returns twice at the same location; if the return value is 0 it is the child, else the parent. Code example 1.
  • Slide 19
  • Example 2. PTRACE_TRACEME: The process allows its parent to trace it. When the child executes a system call (or gets any signal), it stops and control passes to the parent, which is waiting. PTRACE_CONT: The parent resumes the stopped child.
  • Slide 20
  • Example 3. Reads a word at offset addr in the child's USER area, which holds the registers and other information about the process.
  • Slide 21
  • Example 6. PTRACE_ATTACH: Attaches to the process specified in pid, making it a traced "child" of the current process; the behavior of the child is as if it had done a PTRACE_TRACEME. PTRACE_GETREGS: Copies the child's general-purpose or floating-point registers, respectively, to location data in the parent. PTRACE_PEEKTEXT: Reads a word at the location addr in the child's memory, returning the word as the result of the ptrace() call.
  • Slide 22
  • Example 7. PTRACE_SETREGS: Copies the child's general-purpose or floating-point registers, respectively, from location data in the parent.
  • Slide 23
  • Example 8 Do it yourself at home
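An added example for the rewriting pass of slides 10 to 13; it is not code from the slides or from the speaker's tool. Fed objdump output for the foo() of slide 11, it lists the instructions that must change for a chosen pad (the frame allocation and every ebp-relative local reference, as slide 10 says) and finds the largest pad the function accepts without any instruction needing a longer encoding, which is what keeps the net instruction count unchanged. It assumes ebp-based frames like slide 11's, where outgoing arguments are addressed through %esp and keep their place; the listing and its addresses are constructed.

```python
import re
# Constructed `objdump -d --no-show-raw-insn` output for the foo() on slide 11;
# the addresses are made up for this example.
FOO_LISTING = """\
08048394 <foo>:
 8048394:   push   %ebp
 8048395:   mov    %esp,%ebp
 8048397:   sub    $0x408,%esp
 804839d:   lea    -0x400(%ebp),%eax
 80483a3:   mov    %eax,(%esp)
 80483a6:   call   80482c8 <gets@plt>
 80483ab:   leave
 80483ac:   ret
"""

INSN_RE = re.compile(r"^\s*([0-9a-f]+):\s+(\S+)\s*(.*)$")
FRAME_RE = re.compile(r"^\$0x([0-9a-f]+),%esp$")  # sub $imm,%esp allocates the frame
LOCAL_RE = re.compile(r"-0x([0-9a-f]+)\(%ebp\)")  # a local sitting below the saved ebp
def fits_imm8(v):
    return -128 <= v <= 127

def plan(listing, pad):
    """(addr, old_operands, new_operands) for each instruction that must change when
    `pad` bytes go between the locals and the saved ebp; None if an encoding would grow."""
    out = []
    for line in listing.splitlines():
        m = INSN_RE.match(line)
        if not m:
            continue
        addr, mnem, ops = m.groups()
        f = FRAME_RE.match(ops) if mnem == "sub" else None
        if f:  # grow the frame allocation by pad
            old = int(f.group(1), 16)
            if fits_imm8(old) != fits_imm8(old + pad):
                return None
            out.append((addr, ops, "$0x%x,%%esp" % (old + pad)))
        elif LOCAL_RE.search(ops):  # move every ebp-relative local down by pad
            for d in LOCAL_RE.finditer(ops):
                old = int(d.group(1), 16)
                if fits_imm8(-old) != fits_imm8(-(old + pad)):
                    return None
            out.append((addr, ops, LOCAL_RE.sub(
                lambda d: "-0x%x(%%ebp)" % (int(d.group(1), 16) + pad), ops)))
        # (%esp)-relative argument slots lie below the locals and keep their place
    return out

def max_pad(listing, limit=4096):
    """Largest 4-byte-aligned pad the function takes without growing any instruction."""
    return max(p for p in range(0, limit + 1, 4) if plan(listing, p) is not None)
```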