buffer overflow
play

Buffer Overflow Attacks & Defenses Slides are borrowed from - PowerPoint PPT Presentation

Buffer Overflow Attacks & Defenses Slides are borrowed from Franziska Roesner @UW and Dawn Song @Berkeley Linux (32-bit) process memory layout -0xFFFFFFFF Reserved for Kernal -0xC0000000 user stack %esp shared libraries -0x40000000


  1. Buffer Overflow Attacks & Defenses Slides are borrowed from Franziska Roesner @UW and Dawn Song @Berkeley

  2. Linux (32-bit) process memory layout -0xFFFFFFFF Reserved for Kernal -0xC0000000 user stack %esp shared libraries -0x40000000 brk run time heap static data segment Loaded from exec text segment (program) -0x08048000 unused -0x00000000

  3. Registers • %esp current stack pointer • %ebp base pointer for the current stack frame

  4. Registers • When you call a function, typically space is reserved on the stack for local variables. • This space is usually referenced via %ebp (all local variables and function parameters are a known constant offset from this register for the duration of the function call.)

  5. Registers • %esp , on the other hand, will change during the function call as other functions are called, or as temporary stack space is used for partial operation results. • Most compilers have an option to reference all local variables through %esp . This frees up %ebp for use as a general purpose register • So %ebp will point to the top of you stack, and %esp will point to the next available byte on the stack (Stacks usually – but not necessarily – grow down in memory.)

  6. Stack Frame -0xC0000000 To previous stack frame pointer user stack arguments return address stack frame pointer exception handlers shared libraries To the point at which -0x40000000 this function was called local variables run time heap callee saved registers static data segment text segment (program) -0x08048000 unused -0x00000000

  7. Stack Frame 1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i ]!=‘ \ 0’ && in[ i ]!=‘n’) { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: buf[i ] = ‘ \ 0’; 8:} 9:int parse(FILE *fp) { 10: char buf[5], *url, cmd[128]; 11: fread(cmd, 1, 128, fp); 12: int header_ok = 0; 13: if (cmd [0] == ‘G’) 14: if (cmd [1] == ‘E’) 15: if (cmd [2] == ‘T’) 16: if (cmd [3] == ‘ ’) 17: header_ok = 1; 18: if (!header_ok) return -1; 19: url = cmd + 4; 20: copy_lower(url, buf); 21: printf (‚Location is %s \ n‛, buf); 22: return 0; } A quick example to illustrate multiple stack frames

  8. Viewing Stack Frame with GDB Our example modified to include a main function Compile: parse.c gcc – g parse.c – o parse 1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i ]!=‘ \ 0’ && in[ i ]!=‘n’) { 4: out[i] = tolower(in[i]); Run: 5: i++; ./parse 6: } 7: buf[i ] = ‘ \ 0’; 8:} 9:int parse(FILE *fp) { 10: char buf[5], *url, cmd[128]; Debug: 11: fread(cmd, 1, 128, fp); 12: int header_ok = 0; We can debug using gdb. 13: if (cmd [0] == ‘G’) gdb parse 14: if (cmd [1] == ‘E’) 15: if (cmd [2] == ‘T’) 16: if (cmd [3] == ‘ ’) Then we can take a look at the stack. 17: header_ok = 1; 18: if (!header_ok) return -1; (gdb) break 7 19: url = cmd + 4; 20: copy_lower(url, buf); (gdb) run 21: printf (‚Location is %s \ n‛, buf); (gdb) x/64x $esp 22: return 0; } 23: /** main to load a file and run parse */

  9. Viewing Stack Frame with GDB Our running example modified to illustrate multiple stack frames Debug: parse.c (gdb) x/64x $esp

  10. What are buffer overflows? parse’s parse.c frame 1:void copy_lower (char* in, char* out) { 2: int i = 0; 0xbffff760 0x0804a008 args fp 3: while (in[i ]!=‘ \ 0’ && in[ i ]!=‘n’) { 0xbffff75c return address 0x080485a2 ret address 4: out[i] = tolower(in[i]); 5: i++; stack frame ptr 0xbffff758 0xbffff778 frame ptr 6: } 0xbffff74c 7: buf[i ] = ‘ \ 0’; 0xbffff6c4 url 8:} 0xbffff748 0x00000001 header_ok 0xbffff744 0xbfef20dc buf[4] 9:int parse(FILE *fp) { 0xbffff740 0xbf02224c local variables buf[3,2,1,0] 10: char buf[5], *url, cmd[128]; 0xbffff73c 0x00000000 11: fread(cmd, 1, 256, fp); cmd[128,127,126,125] . . . . 12: int header_ok = 0; . . . . . . . 0xbffff6c4 0x41414141 . cmd[7,6,5,4] 0xbffff6c0 19: url = cmd + 4; 0x20544547 cmd[3,2,1,0] 20: copy_lower(url, buf); 0xbffff74c callee saved 0xbffff6c4 url 21: printf (‚Location is %s \ n‛, buf); 0xbffff748 0x00000001 header_ok registers 22: return 0; } 23: /** main to load a file and run parse */ out 0xbffff6b4 0xbffff740 args in 0xbffff6b0 0xbffff6c4 (input file) file ret address return address 0xbffff6ac 0x080485a2 GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA frame ptr 0xbffff6a8 stack frame ptr 0xbffff758 local variables i 0xbffff69c 0x00000000 callee saved copy_lower’s registers frame (Unallocated)

  11. What are buffer overflows? parse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 0xbffff760 0x0804a008 fp 3: while (in[i ]!=‘ \ 0’ && in[ i ]!=‘n’) { 0xbffff75c return address 0x080485a2 4: out[i] = tolower(in[i]); 5: i++; stack frame ptr 0xbffff758 0xbffff778 6: } 0xbffff74c 7: buf[i ] = ‘ \ 0’; 0xbffff6c4 url 8:} 0xbffff748 0x00000001 header_ok 0xbffff744 0xbfef20dc buf[4] 9:int parse(FILE *fp) { 0xbffff740 0xbf022261 buf[3,2,1,0] 10: char buf[5], *url, cmd[128]; 0xbffff73c 0x00000000 11: fread(cmd, 1, 256, fp); cmd[128,127,126,125] . . . . 12: int header_ok = 0; . . . . . . . 0xbffff6c4 0x41414141 . cmd[7,6,5,4] 0xbffff6c0 19: url = cmd + 4; 0x20544547 cmd[3,2,1,0] 20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url 21: printf (‚Location is %s \ n‛, buf); 0xbffff748 0x00000001 header_ok 22: return 0; } 23: /** main to load a file and run parse */ out 0xbffff6b4 0xbffff740 in 0xbffff6b0 0xbffff6c4 (input file) file return address 0xbffff6ac 0x080485a2 GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0xbffff6a8 stack frame ptr 0xbffff758 i 0xbffff69c 0x00000000 (Unallocated)

  12. What are buffer overflows? parse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 0xbffff760 0x0804a008 fp 3: while (in[i ]!=‘ \ 0’ && in[ i ]!=‘n’) { 0xbffff75c return address 0x080485a2 4: out[i] = tolower(in[i]); 5: i++; stack frame ptr 0xbffff758 0xbffff778 6: } 0xbffff74c 7: buf[i ] = ‘ \ 0’; 0xbffff6c4 url 8:} 0xbffff748 0x00000001 header_ok 0xbffff744 0xbfef20dc buf[4] 9:int parse(FILE *fp) { 0xbffff740 0xbf026161 buf[3,2,1,0] 10: char buf[5], *url, cmd[128]; 0xbffff73c 0x00000000 11: fread(cmd, 1, 256, fp); cmd[128,127,126,125] . . . . 12: int header_ok = 0; . . . . . . . 0xbffff6c4 0x41414141 . cmd[7,6,5,4] 0xbffff6c0 19: url = cmd + 4; 0x20544547 cmd[3,2,1,0] 20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url 21: printf (‚Location is %s \ n‛, buf); 0xbffff748 0x00000001 header_ok 22: return 0; } 23: /** main to load a file and run parse */ out 0xbffff6b4 0xbffff740 in 0xbffff6b0 0xbffff6c4 (input file) file return address 0xbffff6ac 0x080485a2 GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0xbffff6a8 stack frame ptr 0xbffff758 i 0xbffff69c 0x00000001 (Unallocated)

  13. What are buffer overflows? parse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 0xbffff760 0x0804a008 fp 3: while (in[i ]!=‘ \ 0’ && in[ i ]!=‘n’) { 0xbffff75c return address 0x080485a2 4: out[i] = tolower(in[i]); 5: i++; stack frame ptr 0xbffff758 0xbffff778 6: } 0xbffff74c 7: buf[i ] = ‘ \ 0’; 0xbffff6c4 url 8:} 0xbffff748 0x00000001 header_ok 0xbffff744 0xbfef20dc buf[4] 9:int parse(FILE *fp) { 0xbffff740 0xbf616161 buf[3,2,1,0] 10: char buf[5], *url, cmd[128]; 0xbffff73c 0x00000000 11: fread(cmd, 1, 256, fp); cmd[128,127,126,125] . . . . 12: int header_ok = 0; . . . . . . . 0xbffff6c4 0x41414141 . cmd[7,6,5,4] 0xbffff6c0 19: url = cmd + 4; 0x20544547 cmd[3,2,1,0] 20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url 21: printf (‚Location is %s \ n‛, buf); 0xbffff748 0x00000001 header_ok 22: return 0; } 23: /** main to load a file and run parse */ out 0xbffff6b4 0xbffff740 in 0xbffff6b0 0xbffff6c4 (input file) file return address 0xbffff6ac 0x080485a2 GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0xbffff6a8 stack frame ptr 0xbffff758 i 0xbffff69c 0x00000002 (Unallocated)

  14. What are buffer overflows? parse.c 1:void copy_lower (char* in, char* out) { 2: int i = 0; 0xbffff760 0x0804a008 fp 3: while (in[i ]!=‘ \ 0’ && in[ i ]!=‘n’) { 0xbffff75c return address 0x080485a2 4: out[i] = tolower(in[i]); 5: i++; stack frame ptr 0xbffff758 0xbffff778 6: } 0xbffff74c 7: buf[i ] = ‘ \ 0’; 0xbffff6c4 url 8:} 0xbffff748 0x00000001 header_ok 0xbffff744 0xbfef20dc buf[4] 9:int parse(FILE *fp) { 0xbffff740 0x61616161 buf[3,2,1,0] 10: char buf[5], *url, cmd[128]; 0xbffff73c 0x00000000 11: fread(cmd, 1, 256, fp); cmd[128,127,126,125] . . . . 12: int header_ok = 0; . . . . . . . 0xbffff6c4 0x41414141 . cmd[7,6,5,4] 0xbffff6c0 19: url = cmd + 4; 0x20544547 cmd[3,2,1,0] 20: copy_lower(url, buf); 0xbffff74c 0xbffff6c4 url 21: printf (‚Location is %s \ n‛, buf); 0xbffff748 0x00000001 header_ok 22: return 0; } 23: /** main to load a file and run parse */ out 0xbffff6b4 0xbffff740 in 0xbffff6b0 0xbffff6c4 (input file) file return address 0xbffff6ac 0x080485a2 GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA 0xbffff6a8 stack frame ptr 0xbffff758 i 0xbffff69c 0x00000003 (Unallocated)

Recommend


More recommend