Application security
September 25, 2020

Administrative – submittal instructions
- answer the lab assignment's questions in written report form, as a text, pdf, or Word document file (no obscure formats please)
- deadline is start of your lab session the following week
- reports not accepted (zero for lab) if late
- submit via D2L

Administrative – Prof Neuman's website URL
- pls note, random web search may yield the 2019 site
- some students go there unaware it's the wrong site
- pls make sure you reach the right site
  – Morgan's webpage link to Neuman's site is OK
  – or, literal URL: http://csclass.info/USC/CSCI530/F20/ please verify

Administrative – calendar adjusted
- calendar conformed to the Oct 9 midterm date
  – I will lecture next week (topic: packet sniffing)
  – but doing the lab will be delayed a week
  – no lab for you nor lecture by me in midterm week (see calendar on class web page)

Administrative – for this exercise
- there are two new base machines for you to get
- scripts for this exercise have been added to the zip files
  [figure: new VMs; new scripts in these zips]

Administrative – office hours
- held yesterday, no students came
- next Thursday
  – will hold office hours at 11am
  – will terminate office hours after 10 minutes if not needed
  – if you wish to come, do so at or shortly after 11am

Administrative
- refer during upcoming lab to these slides' screenshots
  – recommend you have paper or electronic access to those slides that contain detailed screenshots (lab asks you to mimic screenshot activities)
- use only the provided VM environment (hostnamed "stackoverflowVM", cloned from the Snort-on-Centos base by vmconfigure-populate)
  – it has been customized a little
  – other platforms/compilers generally won't work

Administrative – pre-homework
- advance preparation for this lab
- read through page 8 of http://www-scf.usc.edu/~csci530l/downloads/stackoverflow_en.pdf
Three aspects of lab
- Generic stack overflow
- heartbleed bounds checking oversight
- sign extension code flaw in crypt_blowfish

Generic stack buffer overflow

Stack buffer overflow
- what's a stack?
- what's an overflow?

Special list: a stack
[diagram: a stack holding the items Q C I M W; the stack pointer marks the top (last/latest item) and the base pointer marks the bottom (first/oldest item)]
All insertions and deletions occur at one end, the "top."
Used for intra-program control flow
[diagram: program laid out in main memory – main at 4000, with "call procA" at 4160; procedure A at 4400, with "call procB" at 4500, a second "call procB" at 4650, then return; procedure B at 5000, then return]

Uses a stack to get back
[diagram: Main Memory, Stack base register 1000; across successive slides the Stack pointer register reads 1015, then 1022, then 1015, then 1010 as entries are pushed and popped]

Finding your way back— breadcrumbs & return addresses

Intra-program flow of control: evolving stack state
[diagram: the same program layout beside the stack's return-address contents at each stage – at the outset: empty; after call procA: 4161; after 1st call procB: 4161, 4501; after return from procB: 4161; after 2nd call procB: 4161, 4651; after return from procB: 4161; after return from procA: empty]
Not only return addresses get "stacked"
- local variables
- frame (intrastack) pointers
- return addresses
- arguments/parameters for called functions

Stack diagram
"For example, if a subroutine named DrawLine is currently running, having just been called by a subroutine DrawSquare, the top part of the call stack might be laid out like this (where the stack is growing towards the top):"
[figure: the DrawSquare/DrawLine stack-frame diagram from the source below, not reproduced here]
From: http://en.wikipedia.org/wiki/Stack_frame#Structure

vars.c – has local variables

Local variables on the stack
[screenshot: esp=0xbfe775a0 (latest), ebp=0xbfe775c8 (oldest); the frame's locals run from the byte where esp points up to the byte before where ebp points; higher addresses lie toward ebp, and the stack grows toward lower addresses]

rvals.c – has a function

frame pointers & return addresses
[screenshot, before function call: pointer to base of current stack/frame (byte preceding stack's first), held in a register]
[screenshot, after function call: pointer to base of previous stack/frame now saved in the stack; previous frame intact]

frame pointers & return addresses …continued
[screenshot: breadcrumb! the place to go back to in the calling routine when done: where to pick up where you left off (at the call)]

stack_2.c – function parameters to pass

…and args for called functions
[screenshot: args for fn, placed on stack via main; local vars of main (bottom) and fn (top); pointer to base of previous stack frame; return address]

…continued
[screenshot: the return address checks out – it is the right resumption location to pick up where we left off (at the call)]

Return address location
formula: $ebp+4 *
[screenshot: return address at $ebp+4 = 0xbfed9cfc]
* just in case you ever want to overwrite it

stack_1.c – fixed param space, but variable arg len *
* parameter – placeholder variable in function definition for receiving a passed value; argument – specific value that is passed
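The "$ebp+4" formula can be checked at run time rather than only read off a debugger screenshot. The following is an added example, not one of the lab's stack_*.c files: it asks the compiler for the current frame pointer and the current return address and confirms that the return address sits exactly one machine word above the saved frame pointer (+4 on the 32-bit lab VM, +8 on a 64-bit host). It assumes gcc or clang, which provide __builtin_frame_address and __builtin_return_address and keep a frame pointer in any function that uses them; that assumption is mine, not something the slides state.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example (not from the lab): verifies the slide's "$ebp+4" rule.
 * After the usual prologue (push ebp; mov ebp, esp) the frame-pointer
 * register holds the address of the saved caller frame pointer, and the
 * return address pushed by 'call' sits one word above it. Assumes gcc or
 * clang keep a frame pointer here because the builtins are used. */
__attribute__((noinline))
int return_address_is_one_word_above_fp(void)
{
    void **fp  = (void **)__builtin_frame_address(0); /* ebp / rbp / x29 */
    void  *ret = __builtin_return_address(0);         /* what 'ret' will pop */

    /* fp[0] is the saved frame pointer (previous frame's base);
     * fp[1] lives at fp + sizeof(void *): the breadcrumb back to the caller. */
    return fp[1] == ret;
}

/* The "+4" in the slide's formula, as a byte offset on this machine:
 * 4 on a 32-bit stack (the lab VM), 8 on a 64-bit one. */
size_t return_address_offset_from_fp(void)
{
    return sizeof(void *);
}

int main(void)
{
    printf("return address expected at fp+%zu: %s\n",
           return_address_offset_from_fp(),
           return_address_is_one_word_above_fp()
               ? "confirmed"
               : "NOT confirmed (frame pointer omitted?)");
    return 0;
}
```

On the lab's 32-bit VM the printed offset is 4, matching the gdb screenshot; on a 64-bit machine it is 8. Either way the relationship that makes the overflow dangerous is the same: the return address is a fixed, small distance above the frame base, and the locals sit just below it.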
Stack separation between argument & return address
[screenshot: make enough room to contain 10 characters; ten Ds; return address]

Crafting an attack based on this
- control argument length
  – extend enough to overwrite the return address
- control argument content
  – craft meaningful code into early portion
  – calculate overwritten return address value to backpoint into that code
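The attack above only works because the callee copies an argument of the caller's chosen length into a parameter space of fixed size. The following is an added example, not the lab's stack_1.c: it shows that unchecked pattern beside the hardened form, in which the callee measures the argument against the ten-character space it actually has and rejects anything longer, so the saved frame pointer and return address are never reached. The buffer size and the ten-Ds / eleven-Ds inputs are taken from the slide; the function names are my own.

```c
#include <stdio.h>
#include <string.h>

#define PARAM_SPACE 10   /* the slide's fixed parameter space: room for ten characters */

/* The pattern the slide describes: a fixed-size local buffer receiving an
 * argument of whatever length the caller chose. Kept only for contrast;
 * nothing in this file calls it. Anything past PARAM_SPACE bytes runs into
 * the saved frame pointer and then the return address. */
void receive_unchecked(const char *arg)
{
    char buf[PARAM_SPACE];
    strcpy(buf, arg);   /* no length check: this is the bug */
    (void)buf;
}

/* Hardened form: measure the argument against the space available before
 * copying, and refuse anything that does not fit.
 * Returns 0 when the argument was accepted, -1 when it was rejected. */
int receive_checked(const char *arg)
{
    char   buf[PARAM_SPACE + 1];   /* +1 for the terminating NUL */
    size_t len = 0;

    /* Bounded scan: never even read past the limit while looking for the NUL. */
    while (len <= PARAM_SPACE && arg[len] != '\0')
        len++;
    if (len > PARAM_SPACE)
        return -1;                 /* would have spilled into ebp / return address */

    memcpy(buf, arg, len);
    buf[len] = '\0';
    /* buf is now safe to use; nothing outside it was touched */
    return 0;
}

int main(void)
{
    /* constructed inputs: ten Ds (fits exactly) and eleven Ds (one too many) */
    const char *ten_ds    = "DDDDDDDDDD";
    const char *eleven_ds = "DDDDDDDDDDD";

    printf("ten Ds:    %s\n", receive_checked(ten_ds)    == 0 ? "accepted" : "rejected");
    printf("eleven Ds: %s\n", receive_checked(eleven_ds) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The check belongs in the callee because only the callee knows how large its parameter space is; relying on every caller to pass something short is exactly the assumption the overflow exploits. Compiler stack protectors and non-executable stacks raise the bar further, but they are detection and mitigation for a bug the length check removes outright.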