CSc 466/566 Computer Security 20 : Operating Systems —...
Transcript of CSc 466/566 Computer Security 20 : Operating Systems —...
![Page 1: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/1.jpg)
CSc 466/566
Computer Security
20 : Operating Systems — Application SecurityVersion: 2014/11/20 13:07:28
Department of Computer ScienceUniversity of Arizona
Copyright c© 2014 Christian Collberg
Christian Collberg
1/68
![Page 2: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/2.jpg)
Outline
1 Introduction2 Arithmetic Overflow3 Buffer Overflow
Stacks and BuffersBasic IdeaStack Smashing AttackPreventing Buffer Overflows
4 Heap-Based Buffer Overflows5 Format String Attacks6 Race Conditions
Introduction 2/68
![Page 3: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/3.jpg)
Introduction
Programmers tend to avoid
checking for error conditions that rarely happen;checking for boundary conditions to save time ;checking user input to make sure it’s valid.
Such programming errors can be exploited in aprivilege escalation attack.
How do we avoid writing vulnerable code? We needdefensive programming practices !
Introduction 3/68
![Page 4: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/4.jpg)
Outline
1 Introduction2 Arithmetic Overflow3 Buffer Overflow
Stacks and BuffersBasic IdeaStack Smashing AttackPreventing Buffer Overflows
4 Heap-Based Buffer Overflows5 Format String Attacks6 Race Conditions
Arithmetic Overflow 4/68
![Page 5: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/5.jpg)
Arithmetic Overflow
Integers typically have fixed size.
Programmers typically don’t check for overflow conditions.
Java doesn’t throw exceptions for integer overflow/underflow!
Arithmetic Overflow 5/68
![Page 6: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/6.jpg)
Example
Code to grant access to the first 5 users who try to connect:✞ ☎
i n t main ( ) {uns i gned i n t conn e c t i on s = 0 ;// network codeconn e c t i on s++;i f ( connec t i on s <5)
g r a n t a c c e s s ( ) ;e l s e
den y a c c e s s ( ) ;}✝ ✆
Arithmetic Overflow 6/68
![Page 7: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/7.jpg)
Example — Attack
✞ ☎
conn e c t i on s++;i f ( connec t i on s <5)
g r a n t a c c e s s ( ) ;e l s e
den y a c c e s s ( ) ;✝ ✆
Attack:
1 make a huge number of connections;
2 wait for the counter to overflow;
3 gain access!
Arithmetic Overflow 7/68
![Page 8: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/8.jpg)
Example — Safe Programming Practices
This code avoids possible overflows:✞ ☎
i n t main ( ) {uns i gned i n t conn e c t i on s = 0 ;// network codei f ( connec t i on s <5)
conn e c t i on s++;i f ( connec t i on s <5)
g r a n t a c c e s s ( ) ;e l s e
den y a c c e s s ( ) ;}✝ ✆
Arithmetic Overflow 8/68
![Page 9: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/9.jpg)
Outline
1 Introduction2 Arithmetic Overflow3 Buffer Overflow
Stacks and BuffersBasic IdeaStack Smashing AttackPreventing Buffer Overflows
4 Heap-Based Buffer Overflows5 Format String Attacks6 Race Conditions
Buffer Overflow 9/68
![Page 10: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/10.jpg)
Introduction
Buffer overflow attacks explained with beer!http://www.youtube.com/watch?v=7LDdd90aq5Y
What is a buffer overflow attack?
Why are they possible?
How do I perform a buffer overflow attack?
How do I prevent a buffer overflow attack?
Buffer Overflow 10/68
![Page 11: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/11.jpg)
Definitions
buffer : A span of contiguous writable memory.
stack frame : The space on the stack alotted to a particularprocedure.
buffer overflow : Writing past the declared bounds of a buffer.
buffer overflow attack :
A method of gaining control of a system by executing someprogram/procedure with more data than it is prepared tohandle.The extra data is designed to cause malicious side effects.
Buffer Overflow 11/68
![Page 12: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/12.jpg)
Buffer overflow attack — Basic Idea
1 Inject some code into the memory of an executing program.The code consists of
Malicious payload that we want to execute;Some way to get this code to execute.
2 Overwrite a memory address with the address of the payload.
This is often the return address of a function.
3 When the program jumps to this address, it instead jumps toour payload!
Buffer Overflow 12/68
![Page 13: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/13.jpg)
Stack layout
The execution stack of a program (on an x86 machine) growsdownward (to lower memory addresses) as procedures arecalled.
Information is placed in stack frames.
Among the things stored on the stack are
the local and formal variables,the return address, andthe frame pointer of the procedure.
The positions of these values in memory are shown on thenext slide:
Buffer Overflow 13/68
![Page 14: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/14.jpg)
Stack layout. . .
✞ ☎
void f u n c t i o n ( i n t a , i n t b ){i n t c ;i n t d ;
}✝ ✆
b High addresses, bottom of stack
a
return address
fp
c
d Low addresses, top of stack
Buffer Overflow 14/68
![Page 15: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/15.jpg)
Basic idea
If we could overwrite the return address of a procedure with adifferent address, then when the procedure returned it wouldjump wherever we wanted.
How do we find the return address?1 declare a local variable, anchor;2 take its address;3 add an increasing offset to anchor;4 overwrite this new address with the address of payload;5 return;6 did we go to payload?
Buffer Overflow 15/68
![Page 16: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/16.jpg)
Example: changing the return address
ret.c:✞ ☎
void pay load (){}#de f i n e OFFSET (HERE)i n t f oo ( ){
v o l a t i l e long anchor=−1;void (∗ v ) ( ) = &pay load ;v o l a t i l e long ∗ a = &anchor ;a = ( v o l a t i l e long ∗ ) ( ( long ) a + ( long )OFFSET) ;∗a = ( long ∗) v ;
}i n t main ( ){
f oo ( ) ;}✝ ✆
Buffer Overflow 16/68
![Page 17: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/17.jpg)
call foo()
Payload
Low addresses
High addressesframe n−1
Stack
anchor
v
a
frame n
RETURN ADDRESS
More Stuff Here!
Code
}
main() {
![Page 18: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/18.jpg)
main() {
Low addresses
High addresses
Code
}
call foo()
OFFSET=0
Payload
frame n−1
Stack
v
a
frame n
RETURN ADDRESS
More Stuff Here!
anchor
![Page 19: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/19.jpg)
call foo()
Low addresses
High addresses
Code
frame n−1
Stack
anchor
v
a
frame n
Payload
RETURN ADDRESS
OFFSET=1
}
main() {
More Stuff Here!
![Page 20: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/20.jpg)
call foo()
Low addresses
High addressesframe n−1
Stack
anchor
v
a
frame n
RETURN ADDRESS
OFFSET=2
Code
}
main() {
Payload
More Stuff Here!
![Page 21: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/21.jpg)
call foo()
Low addresses
High addressesframe n−1
Stack
anchor
v
a
frame n
RETURN ADDRESS
More Stuff Here!
Payload
OFFSET=3
Code
}
main() {
![Page 22: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/22.jpg)
call foo()
Low addresses
High addressesframe n−1
Stack
anchor
v
a
frame nOFFSET=4
Code
}
main() {
More Stuff Here!
Payload
RETURN ADDRESS
![Page 23: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/23.jpg)
Example: changing the return address. . .
findret:
#!/bin/csh -f
set i = 0
while ($i < 30)
echo "OFFSET = $i"
sed "s/HERE/$i/" ret.c > r.c
gcc -o ret -g r.c >& /dev/null
gdb -quiet -x cmd ./ret |& grep payload
echo ""
@ i = $i + 1
end
Buffer Overflow 18/68
![Page 24: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/24.jpg)
Example: changing the return address. . .
gdb command file, cmd:✞ ☎
break pay loadrunq u i t
✝ ✆
Buffer Overflow 19/68
![Page 25: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/25.jpg)
Problems
1 Don’t know the address of the procedure’s return address inthe stack frame.
2 Once we find it, we need an address to replace it with, so wemust have our evil code somewhere in memory along with therest of the program.
Buffer Overflow 20/68
![Page 26: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/26.jpg)
Languages of choice
C: “A language that combines all the elegance andpower of assembly language with all the readabilityand maintainability of assembly language.” – NewHacker’s Dictionary
C++: “An octopus made by nailing extra legs onto a dog.”– Steve Taylor
Buffer Overflow 21/68
![Page 27: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/27.jpg)
C library routines
In the C libraries there are many routines designed for copying datafrom one buffer to another:
memcpy(void *dest, void *src, int n) : copy n bytesfrom src to dest.
strcpy(char *dest, char *src) : copy data from src
into dest until a null character is found.
strcat(char *dest, char *src) : concatenate src ontothe end of dest (starting at the null character).
sprintf(char *buffer, char *format, ...) : printformatted output into a buffer.
char* gets(char *str) : read until end-of-line/file.
Idea: Let’s target routines that continue copying until a nullcharacter is reached.
Buffer Overflow 22/68
![Page 28: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/28.jpg)
Buffer overflow idea
1 Find a procedure that uses one of these routines.
Buffer Overflow 23/68
![Page 29: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/29.jpg)
Buffer overflow idea
1 Find a procedure that uses one of these routines.
2 Check that it has a local variable buffer.
Buffer Overflow 23/68
![Page 30: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/30.jpg)
Buffer overflow idea
1 Find a procedure that uses one of these routines.
2 Check that it has a local variable buffer.
3 Check that it copies data from somewhere into the localbuffer.
Buffer Overflow 23/68
![Page 31: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/31.jpg)
Buffer overflow idea
1 Find a procedure that uses one of these routines.
2 Check that it has a local variable buffer.
3 Check that it copies data from somewhere into the localbuffer.
4 Overflow the buffer.
Buffer Overflow 23/68
![Page 32: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/32.jpg)
Buffer overflow idea
1 Find a procedure that uses one of these routines.
2 Check that it has a local variable buffer.
3 Check that it copies data from somewhere into the localbuffer.
4 Overflow the buffer.
5 Write over the return address.
Buffer Overflow 23/68
![Page 33: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/33.jpg)
Buffer overflow idea
1 Find a procedure that uses one of these routines.
2 Check that it has a local variable buffer.
3 Check that it copies data from somewhere into the localbuffer.
4 Overflow the buffer.
5 Write over the return address.
6 When the procedure returns, jump where we want.
Buffer Overflow 23/68
![Page 34: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/34.jpg)
Buffer overflow example I
buf.c:✞ ☎
void pay load (){}i n t i ;i n t f oo ( ){
long ∗ buf [ 1 0 ] ;void (∗ v ) ( ) = &pay load ;f o r ( i =0; i <30; i ++) buf [ i ] = ( long ∗) v ;
}i n t main ( ){ f oo ( ) ; }
✝ ✆
To execute:✞ ☎
> gcc −g −o buf buf . c> gdb bufgdb> break pay loadgdb> run✝ ✆
Buffer Overflow 24/68
![Page 35: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/35.jpg)
call foo()
Payload
Low addresses
High addresses
More stuff here!
Code
}
main() {
frame n−1
Stack
frame n
RETURN ADDRESS
buf:
![Page 36: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/36.jpg)
call foo()
Payload
Low addresses
High addresses
More stuff here!
Code
}
main() {
frame n−1
Stack
frame n
RETURN ADDRESS
buf:
![Page 37: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/37.jpg)
call foo()
Payload
Low addresses
High addresses
More stuff here!
Code
}
main() {
frame n−1
Stack
frame n
RETURN ADDRESS
buf:
![Page 38: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/38.jpg)
call foo()
Payload
Low addresses
High addresses
More stuff here!
Code
}
main() {
frame n−1
Stack
frame n
RETURN ADDRESS
buf:
![Page 39: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/39.jpg)
call foo()
Payload
Low addresses
High addresses
More stuff here!
Code
}
main() {
frame n−1
Stack
frame n
RETURN ADDRESS
buf:
![Page 40: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/40.jpg)
call foo()
Payload
Low addresses
High addresses
More stuff here!
Code
}
main() {
frame n−1
Stack
frame n
RETURN ADDRESS
buf:
![Page 41: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/41.jpg)
call foo()
Payload
Low addresses
High addresses
More stuff here!
Code
}
main() {
frame n−1
Stack
frame n
RETURN ADDRESS
buf:
![Page 42: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/42.jpg)
call foo()
Payload
Low addresses
High addresses
More stuff here!
Code
}
main() {
frame n−1
Stack
frame n
RETURN ADDRESS
buf:
![Page 43: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/43.jpg)
call foo()
Payload
Low addresses
High addresses
More stuff here!
Code
}
main() {
frame n−1
Stack
frame n
RETURN ADDRESS
buf:
![Page 44: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/44.jpg)
call foo()
Payload
Low addresses
High addresses
More stuff here!
Code
}
main() {
frame n−1
Stack
frame n
RETURN ADDRESS
buf:
![Page 45: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/45.jpg)
call foo()
Payload
Low addresses
High addresses
More stuff here!
Code
}
main() {
frame n−1
Stack
frame n
RETURN ADDRESS
buf:
![Page 46: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/46.jpg)
call foo()
Payload
Low addresses
High addresses
More stuff here!
Code
}
main() {
frame n−1
Stack
frame n
RETURN ADDRESS
buf:
![Page 47: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/47.jpg)
buf:
frame n−1
Stack
frame n
Code
}
main() {
Payload
Low addresses
High addresses
call foo()
RETURN ADDRESS
More stuff here!
![Page 48: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/48.jpg)
frame n−1
Stack
frame n
Payload
Low addresses
High addresses
buf:
main() {
call foo()
Code
}
RETURN ADDRESS
More stuff here!
![Page 49: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/49.jpg)
Buffer overflow example II
We could just copy from another buffer instead (buf2.c):✞ ☎
void p l ( ){}t y p ed e f void (∗ fun ) ( ) ;fun s r c [32] = {& pl ,& pl ,& pl ,& pl ,& pl ,& pl , . . . } ;i n t i ;i n t f oo ( ){
long ∗ buf [ 2 ] ;f o r ( i =0; i <30; i++)
buf [ i ] = s r c [ i ] ;}i n t main ( ){ f oo ( ) ; }
✝ ✆
Buffer Overflow 26/68
![Page 50: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/50.jpg)
Buffer overflow example III
We want to use one of the built-in copy functions (buf3.c):✞ ☎
void p l ( ){}t y p ed e f void (∗ fun ) ( ) ;fun s r c [32] = {& pl ,& pl ,& pl , . . . , 0 } ;i n t i ; char ∗ p ;i n t f oo ( ){
long ∗ buf [ 2 ] ;b u i l t i n s t r c p y ( buf , s r c ) ;
p = &buf ;f o r ( i =0; i <( s i z e o f ( fun ) ∗32 ) ; i ++){(∗p)−−;p++;}
}i n t main ( ){
i n t i ; char ∗ p = & s r c ;f o r ( i =0; i <( s i z e o f ( fun ) ∗32 ) ; i ++){(∗p)++; p++;};f oo ( ) ;
}✝ ✆
Buffer Overflow 27/68
![Page 51: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/51.jpg)
Buffer overflow idea. . .
Hey, what’s up with the increment loop???✞ ☎
char ∗ p = & s r c ;f o r ( i =0; i <( s i z e o f ( fun ) ∗ 3 2 ) ; i ++) {
(∗ p)++;p++;
} ;f oo ( ) ;
✝ ✆
The problem is the strcpy copies until it sees a nullcharacter, so, somehow, we need to remove all zero:s from thesource “string”.
Also, compile like this:✞ ☎
> gcc − fno−s tack−p r o t e c t o r −g −o buf3 buf3 . c✝ ✆
Buffer Overflow 28/68
![Page 52: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/52.jpg)
Trivial Stack Smashing Attack
A stack smashing attack exploits a buffer vulnerability.1 inject malicious code (the payload ) onto the stack;2 overwrite the return address of the current routine;3 when a ret is executed: jump to payload!
Buffer Overflow 29/68
![Page 53: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/53.jpg)
frame n−1
RETURN ADDRESS
BUFFER
Stack
Code
foo() {
}
call bar()
frame n
![Page 54: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/54.jpg)
frame n−1
frame n
RETURN ADDRESS
BUFFER
Stack
Code
foo() {
}
call bar()
frame n−1
Stack
NEW RET ADDRESS
PAYLOAD
PADDING
ATTACKER’S INPUT
![Page 55: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/55.jpg)
Stack Smashing Attack — Problems
Essentially, we want to✞ ☎
s t a c k [ cu r f r ame ] . r e t a d d r e s s = &( pay load )✝ ✆
Problems:1 How do I find where ret address is?2 How can I find the address of payload?
The payload is also called the shellcode because it’s oftencode to start a shell.
Buffer Overflow 31/68
![Page 56: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/56.jpg)
Finding the shellcode: NOP Sledding
Attack:1 Increase the size of the payload by adding lots of NOPs.2 Guess an approximate address within the NOP-sled.3 Jump to this approximate address, sledding into the actual
payload.
This allows us to be less accurate in determining the addressof the shellcode.
Buffer Overflow 32/68
![Page 57: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/57.jpg)
frame n
RETURN ADDRESS
BUFFER
frame n−1
Stack
Code
foo() {
}
call bar()
![Page 58: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/58.jpg)
RETURN ADDRESS
BUFFER
frame n
RETURN ADDRESS
BUFFER
frame n−1
Stack
Code
foo() {
}
call bar()
Stack
frame n
frame n−1
PAYLOAD
![Page 59: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/59.jpg)
frame n
RETURN ADDRESS
BUFFER
frame n−1
Stack
Code
foo() {
}
call bar()
frame n
RETURN ADDRESS
BUFFER
frame n−1
Stack
frame n−1
Stack
PAYLOAD
PADDING
PAYLOAD
NOPNOPNOP
NOP
GUESS RET ADDR
NOP
![Page 60: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/60.jpg)
Finding the shellcode: Trampolining
Attack:1 Find a piece of library code, always loaded at the same address,
that has a jump-indirect-through-register instruction, such as✞ ☎
JUMPIND [ ESP ]✝ ✆
2 Somehow, make ESP point to the payload, for example byputting the payload in the right location.
3 Overwrite the return address with the address of the jumpinstruction.
More precise than NOP sledding if libraries reside inpredictable locations.
Buffer Overflow 34/68
![Page 61: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/61.jpg)
}
call bar()
frame n−1
Stack
frame n
RETURN ADDRESS
BUFFER
Code
foo() {
![Page 62: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/62.jpg)
Library code
write() {
JUMPIND [ESP]
frame n
RETURN ADDRESS
BUFFER
frame n−1
Stack
Code
foo() {
}
call bar()
}
frame n−1
Stack
frame n
RETURN ADDRESS
BUFFER
ESP = &PAYLOAD
JUMP INSTR ADDR
PAYLOAD
![Page 63: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/63.jpg)
frame n
RETURN ADDRESS
frame n−1
Stack
}
Library code
write() {
JUMPIND [ESP]
frame n
RETURN ADDRESS
BUFFER
frame n−1
Stack
BUFFER
Code
foo() {
}
call bar()
}
Library code
write() {
JUMPIND [ESP]
frame n−1
Stack
frame n
RETURN ADDRESS
BUFFER
JUMP INSTR ADDR
ESP = &PAYLOAD
PAYLOAD
JUMP INSTR ADDR
PAYLOAD
ESP = &PAYLOAD
![Page 64: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/64.jpg)
Finding the shellcode: Return-to-libc
Attack:1 Find the address of a library function such as system() or
execv().2 Overwrite the return address with the address of this library
function.3 Set the arguments to the library function.
No code is executed on the stack!
Attack still works when the stack is marked non-executable.
Buffer Overflow 36/68
![Page 65: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/65.jpg)
Finding the shellcode: Return-to-libc. . .
✞ ☎
i n t execv ( const char ∗ path , char ∗ const a rgv [ ] ) ;i n t system ( const char ∗ command ) ;
✝ ✆
execv replaces the current process image with a new processimage. The first argument points to the file name of the filebeing executed.
The system() function hands the argument command to thecommand interpreter sh. The calling process waits for theshell to finish executing the command.
Buffer Overflow 37/68
![Page 66: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/66.jpg)
}
call bar()
frame n−1
Stack
frame n
RETURN ADDRESS
BUFFER
Code
foo() {
![Page 67: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/67.jpg)
frame n
RETURN ADDRESS
BUFFER
frame n−1
Stack
Code
foo() {
}
call bar()
RETURN ADDRESS
BUFFER
}
Library code
system(cmd) {
frame n−1
Stack
frame n
cmd = "/bin/sh"
ADDR of system
![Page 68: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/68.jpg)
Preventing Buffer Overflows
Educate the programmer: Use strncpy, not strcpy.
Choice of language: Use Java, not C++.
Detect , at the OS level, when a buffer overflow occurs.
Prevent the return address from being overwritten.
Buffer Overflow 39/68
![Page 69: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/69.jpg)
Preventing Buffer Overflows: Canaries
Defense:1 Put a random value (the canary ) next to the return address.2 Regularly check that the canary has the right value.
Buffer Overflow 40/68
![Page 70: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/70.jpg)
}
call bar()
RETURN ADDRESS
Code
foo() {
Stack
frame n
BUFFER
frame n−1
CANARY
![Page 71: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/71.jpg)
frame n
RETURN ADDRESS
BUFFER
frame n−1
Stack
Code
foo() {
}
call bar()
frame n−1
Stack
frame n
BUFFER
RETURN ADDRESS
CANARY
NEW RET ADDR
KILLED CANARY
![Page 72: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/72.jpg)
Preventing Buffer Overflows: PointGuard
Defense:1 XOR all pointers (before and after use) with a random value.
✞ ☎
x = &p ;y = y−>next ;✝ ✆
⇓
✞ ☎
x = 0xFEEDFACEˆ(&p ) ;y = 0xFEEDFACEˆ((0xFEEDFACEˆy)−>next ) ;✝ ✆
The attacker cannot reliably overwrite the return address.
Buffer Overflow 42/68
![Page 73: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/73.jpg)
Preventing Buffer Overflows: Non-executable stack
Defense:1 Set the segment containing the stack to non-executable .
Doesn’t help against return-to-libc.
Some programs legitimately generate code on the stack andjump to it.
Buffer Overflow 43/68
![Page 74: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/74.jpg)
Preventing Buffer Overflows: ASLR
Address space layout randomization .
Defense:1 Place memory segments in random locations in memory.
Return-to-libc attacks are harder because it’s harder to findlibc.
Finding the shellcode is harder because it’s harder to find thestack.
If there isn’t enough entropy, brute-force-attacks can defeatASLR.
Buffer Overflow 44/68
![Page 75: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/75.jpg)
In-Class Exercise: Goodrich & Tamassia C-3.8
✞ ☎
i n t main ( i n t argc , char ∗ a rgv [ ] ) {char continue = 0;char password [ 8 ] ;s t r c p y ( password , a rgv [ 1 ] ) ;i f ( s t rcmp ( password , ”CS166”)==0)
continue = 1;i f ( continue )
∗ l o g i n ( ) ;}✝ ✆
1 Is this code vulnerable to a buffer-overflow attack withreference to the variables password[] and continue?
Buffer Overflow 45/68
![Page 76: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/76.jpg)
In-Class Exercise: Goodrich & Tamassia C-3.8
✞ ☎
i n t main ( i n t argc , char ∗ a rgv [ ] ) {char password [ 8 ] ;s t r c p y ( password , a rgv [ 1 ] ) ;i f ( s t rcmp ( password , ”CS166”)==0)
∗ l o g i n ( ) ;}✝ ✆
2 We remove the variable continue and simply use thecomparison for login. Does this fix the vulnerability?
Buffer Overflow 46/68
![Page 77: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/77.jpg)
In-Class Exercise: Goodrich & Tamassia C-3.8
✞ ☎
void l o g i n ( ) {. . .return ;
}
i n t main ( i n t argc , char ∗ a rgv [ ] ) {char password [ 8 ] ;s t r c p y ( password , a rgv [ 1 ] ) ;i f ( s t rcmp ( password , ”CS166”)==0)
l o g i n ( ) ;}✝ ✆
3 What is the existing vulnerability when login() is not apointer to the function code but terminates with a return()
command?
Buffer Overflow 47/68
![Page 78: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/78.jpg)
Outline
1 Introduction2 Arithmetic Overflow3 Buffer Overflow
Stacks and BuffersBasic IdeaStack Smashing AttackPreventing Buffer Overflows
4 Heap-Based Buffer Overflows5 Format String Attacks6 Race Conditions
Heap-Based Buffer Overflows 48/68
![Page 79: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/79.jpg)
Heap-Based Buffer Overflows
A buffer contained in a heap object can also be overflowed.
This causes data to be overwritten.
An attacker can craft an overflow such that a function pointergets overwritten with the address of the shellcode.
Heap-Based Buffer Overflows 49/68
![Page 80: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/80.jpg)
Malloc
Memory is allocated from the heap via
malloc(int size)
where size is the number of bytes needed. malloc returnsthe address of (a pointer to) a region of free memory of atleast size bytes.
malloc returns 0 (NULL) if there isn’t a big enough freeregion to satisfy the request.
Heap-Based Buffer Overflows 50/68
![Page 81: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/81.jpg)
Malloc. . .
malloc searches the free list for a free region that’s bigenough, removes it from the free list, and returns its address.
malloc(40)40 4020 30 50
Heap-Based Buffer Overflows 51/68
![Page 82: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/82.jpg)
Malloc. . .
A doubly-linked-list is often used to make insertion anddeletion easier.
/20 30 5040
Heap-Based Buffer Overflows 52/68
![Page 83: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/83.jpg)
Malloc. . .
What happens if the program asks for 50 bytes, but thenwrites 60 bytes to the region? The last 10 bytes overwrite thefirst 10 bytes of the next region. This will corrupt the free listif the next region is free (and probably crash the program if itis not).
30
Globals: YX Z
*X = "very long string....."
40 20
Heap
Very long string... 30
???
40 20
Heap
Heap-Based Buffer Overflows 53/68
![Page 84: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/84.jpg)
Heap
Code
foo() {
}
Object1
42
"Hola!"
&foo
BUFFER
p
![Page 85: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/85.jpg)
Heap
Object1
Code
foo() {
}
Heap
Object1
"Hola!"
BUFFER
p
&PAYLOAD
BUFFER
p
&foo
PAYLOAD
42
"Hola!"
42
![Page 86: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/86.jpg)
Defenses
Safe programming practices.
Use a safe language (Java, not C++).
Randomize the location of the heap.
Make the heap non-executable.
Store heap meta-data (the free-list pointers, object size, etc.)separately from the objects.
Detect when heap meta-data has been overwritten.
Heap-Based Buffer Overflows 55/68
![Page 87: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/87.jpg)
Defenses: Canaries
Add a magic number in the free list node headers. This is adistinctive value that malloc checks when traversing the freelist, and complains if the value changes (which indicates thelist is corrupted). For example, put a field in the header whosevalue is always 0xfeedface.
0xfeedface
20 30 50400xfeedface 0xfeedface 0xfeedface
Heap-Based Buffer Overflows 56/68
![Page 88: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/88.jpg)
Free
The routine
free(void *address)
is used to release memory when it is no longer needed (e.g. anemployee quits or is fired).
The address parameter is a pointer to the region to be freed,and it must have previously been returned by malloc.
It is common for programmers to free the same memory twice!
Today, libc is less vulnerable to this problem.
Heap-Based Buffer Overflows 57/68
![Page 89: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/89.jpg)
Outline
1 Introduction2 Arithmetic Overflow3 Buffer Overflow
Stacks and BuffersBasic IdeaStack Smashing AttackPreventing Buffer Overflows
4 Heap-Based Buffer Overflows5 Format String Attacks6 Race Conditions
Format String Attacks 58/68
![Page 90: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/90.jpg)
Format String Attacks
✞ ☎
i n t p r i n t f ( const char ∗ r e s t r i c t format , . . . ) ;✝ ✆
restric: no pointer aliasing allowed.
const char *: a mutable pointer to an immutable string.
...: variable number of arguments.
format is expected to be a constant string, and the compilershould check for it.
However, sometimes it’s not. . .
Format String Attacks 59/68
![Page 91: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/91.jpg)
Extracting Data from the Stack
formattest.c:✞ ☎
i n t main ( i n t argc , char ∗∗ a rgv ){p r i n t f ( a rgv [ 1 ] ) ;
}✝ ✆
gcc -Wno-format formattest.c -o formattest
Run:✞ ☎
> f o rma t t e s t ”Bob”Bob✝ ✆
Run (printing stack data):✞ ☎
> f o rma t t e s t ”Bob %x %x %x”Bob 65117 a90 65117 aa8 65117 b00✝ ✆
Format String Attacks 60/68
![Page 92: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/92.jpg)
The "%n" Modifier: Modifying Data
formatn.c:✞ ☎
i n t main ( ) {i n t s i z e ;p r i n t f ( ”Bob l o v e s %n A l i c e \n” , & s i z e ) ;p r i n t f ( ” s i z e = %d\n” , s i z e ) ;return 0 ;
}✝ ✆
The "%n" modifier to printf stores the number of charactersprinted so far.
Run:✞ ☎
> formatnBob l o v e s A l i c es i z e = 10
✝ ✆
Format String Attacks 61/68
![Page 93: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/93.jpg)
The "%n" Modifier: Modifying Data
formattest.c:✞ ☎
i n t main ( i n t argc , char ∗∗ a rgv ){p r i n t f ( a rgv [ 1 ] ) ;return 0 ;
}✝ ✆
Run formattest again:✞ ☎
> f o rma t t e s t ”XXXXXXXXXXXXXX %n%n%n%n”Segmentat ion f a u l t
✝ ✆
The program crashes because the "%n" modifier makesprintf write into a “random” location in memory.
Format String Attacks 62/68
![Page 94: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/94.jpg)
The "%n" Modifier: Modifying Data
http://www.cis.syr.edu/~wedu/Teaching/cis643/LectureNotes_New/Format_String.pdf
Format String Attacks 63/68
![Page 95: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/95.jpg)
Outline
1 Introduction2 Arithmetic Overflow3 Buffer Overflow
Stacks and BuffersBasic IdeaStack Smashing AttackPreventing Buffer Overflows
4 Heap-Based Buffer Overflows5 Format String Attacks6 Race Conditions
Race Conditions 64/68
![Page 96: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/96.jpg)
Race Conditions
Program behavior (unintentionally) depends on timing ofevents.
Race Conditions 65/68
![Page 97: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/97.jpg)
Open vs. Access
open() :
Opens a file using the effective user ID.A SetUID program owned by root can open any file.
access() :
Checks if the real user can open a file.
Race Conditions 66/68
![Page 98: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/98.jpg)
Example
✞ ☎
char ∗ f i l e n ame = ”/ u s e r s / j o e / my f i l e ” ;i f ( a c c e s s ( f i l ename , R OK) != 0 ) e x i t (−1);i n t f i l e = open ( f i l ename , O RDONLY) ;read ( f i l e , buf , 1 0 2 3 ) ; c l o s e ( f i l e ) ;p r i n t f ( ”%s \n” , buf ) ;
✝ ✆
There is a small delay betwee access and open.
Between access and open, the attacker can set✞ ☎
l n − s / e t c /passwd / u s e r s / j o e / my f i l e✝ ✆
Write a script tha quickly switches the link on and off, untilyou get access!
Race Conditions 67/68
![Page 99: CSc 466/566 Computer Security 20 : Operating Systems — …collberg/Teaching/466-566/2014/Slide… · buffer overflow attack: A method of gaining control of a system by executing](https://reader033.fdocuments.net/reader033/viewer/2022042921/5f6a8c8eb4c6413e750066c0/html5/thumbnails/99.jpg)
Defenses
Don’t use access.
Drop privileges before calling open.
If the user doesn’t have permissions to the file, open will fail.✞ ☎
char ∗ f i l e n ame = ”/ u s e r s / j o e / my f i l e ” ;eu i d = ge t eu i d ( ) ;u i d = ge t u i d ( ) ;
s e t e u i d ( u i d ) ;i n t f i l e = open ( f i l ename , O RDONLY) ;read ( f i l e , buf , 1 0 2 3 ) ; c l o s e ( f i l e ) ;
s e t e u i d ( eu i d ) ;
p r i n t f ( ”%s \n” , buf ) ;✝ ✆
Race Conditions 68/68