An analysis of stack based vulnerabilities

1972: First recorded overflow vulnerability by the Computer Security Technology Planning Study 1988: The Morris worm becomes the first major Internet Worm 2001: Red Code I & II Infect hundreds of thousands of hosts 2003: SQL Slammer (aka Sapphire) becomes the fastest spreading worm in modern history

1972: First recorded overflow vulnerability by the Computer Security Technology Planning Study

1988: The Morris worm becomes the first major Internet Worm

2001: Red Code I & II Infect hundreds of thousands of hosts

2003: SQL Slammer (aka Sapphire) becomes the fastest spreading worm in modern history

Overflow vulnerabilities are not obvious from source code inspection alone Linking to any vulnerable library effectively makes an application vulnerable Effective protection may require special OS and compiler configuration

Overflow vulnerabilities are not obvious from source code inspection alone

Linking to any vulnerable library effectively makes an application vulnerable

Effective protection may require special OS and compiler configuration

Major CPU elements include: Memory Paged, Hardware protected Registers Move data from memory to other hardware Control Unit Send OpCodes, Operands, HW Signals ALU Perform OpCodes, set status flags

Major CPU elements include:

Memory

Paged, Hardware protected

Registers

Move data from memory to other hardware

Control Unit

Send OpCodes, Operands, HW Signals

ALU

Perform OpCodes, set status flags

Standardized mnemonic references for hardware supported operations Hardware OpCode: 0x0305000000 Assembly Instruction: ADD R0, R1 All high level languages ultimately compiled, assembled, linked, and loaded

Standardized mnemonic references for hardware supported operations

Hardware OpCode: 0x0305000000

Assembly Instruction: ADD R0, R1

All high level languages ultimately compiled, assembled, linked, and loaded

Stack: First in, last out data structure implemented on reserved memory page Every procedure is given a stack frame Procedures allocate space for local variables within their frame New frame is pushed onto the stack when a procedure is called, popped off on return

Stack: First in, last out data structure implemented on reserved memory page

Every procedure is given a stack frame

Procedures allocate space for local variables within their frame

New frame is pushed onto the stack when a procedure is called, popped off on return

Write malicious payload assembly program Compile, determine OpCodes, encode in hexadecimal string Overflow target buffer with addresses pointing to injected code

Write malicious payload assembly program

Compile, determine OpCodes, encode in hexadecimal string

Overflow target buffer with addresses pointing to injected code

Key Defensive Goals: Make target address guess difficult Detect or prevent the attempt at run-time Developers: Safe Libraries Stack Protecting Compilers Static Code Analysis Hardware NX Memory Page Bit (Sun SPARC, IBM PowerPC, newer Intel x86-64)

Key Defensive Goals:

Make target address guess difficult

Detect or prevent the attempt at run-time

Developers:

Safe Libraries

Stack Protecting Compilers

Static Code Analysis

Hardware

NX Memory Page Bit (Sun SPARC, IBM PowerPC, newer Intel x86-64)

Operating System Address Space Randomization (Linux, Windows Vista/Server2008, some support in Mac OS 10.5) Memory Page protection (OpenBSD derivatives, Windows if harware supports it) The combination of these two techniques has great potential

Operating System

Address Space Randomization (Linux, Windows Vista/Server2008, some support in Mac OS 10.5)

Memory Page protection (OpenBSD derivatives, Windows if harware supports it)

The combination of these two techniques has great potential

Defenses are being developed in a wide cross section of areas Rate of new attack ideas is limited in scope and incidence return-to-libc , format string errors Operating system defenses will probably remove this threat one day Best present advice: Deploy all important patches!

Defenses are being developed in a wide cross section of areas

Rate of new attack ideas is limited in scope and incidence

return-to-libc , format string errors

Operating system defenses will probably remove this threat one day

Best present advice: Deploy all important patches!

[1] Alan Clements. Principles of Computer Hardware. Oxford University Press, Inc., New York, NY, USA, 2000. [2] John L. Hennessy and David A. Patterson. Computer architecture: a quantitative approach. Morgan Kaufmann Publishers Inc., San Francisco, CA, USA, 2002. [3] Intel. Intel Architecture Software Developers Manual. Volume 1: Basic Architecture, 1999. [4] Intel. Intel Architecture Software Developers Manual. Volume 2: Instruction Set Reference, 1999 [5] Elias Levy. Smashing the stack for fun and profit. Internet Article, 1996. Accessed on November 11, 2008 from http://insecure. org/stf/smashstack.html.

[1] Alan Clements. Principles of Computer Hardware. Oxford

University Press, Inc., New York, NY, USA, 2000.

[2] John L. Hennessy and David A. Patterson. Computer architecture:

a quantitative approach. Morgan Kaufmann Publishers

Inc., San Francisco, CA, USA, 2002.

[3] Intel. Intel Architecture Software Developers Manual. Volume

1: Basic Architecture, 1999.

[4] Intel. Intel Architecture Software Developers Manual. Volume

2: Instruction Set Reference, 1999

[5] Elias Levy. Smashing the stack for fun and profit. Internet

Article, 1996. Accessed on November 11, 2008 from http://insecure.

org/stf/smashstack.html.