Video Converter
Audio Converter
Image Converter
PDF Converter
File Compressor
buffer

Buffer Overflow overflows Defenses and other memory safety - PowerPoint PPT Presentation

Nov 09, 2022 •318 likes •1.49k views

This time We will continue By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything youve always wanted to know about gdb but were too afraid to ask Overflow defenses Other memory

  1. Simple example (ret) equivalent to 0x17f: pop %edx ret mov %edx, 5 %eip %esp next … 5 0x17f %edx Text 5 gadget 0x00 0xffffffff

  2. Code sequence %eip 0x17f: mov %eax, [%esp] mov %ebx, [%esp-8] %eax mov [%ebx], %eax %ebx %esp … … … 0x404 … 5 Text 0x00 0xffffffff 0x404

  3. Code sequence 0x17f: mov %eax, [%esp] %eip mov %ebx, [%esp-8] 5 %eax mov [%ebx], %eax %ebx %esp … … … 0x404 … 5 Text 0x00 0xffffffff 0x404

  4. Code sequence 0x17f: mov %eax, [%esp] mov %ebx, [%esp-8] 5 %eax %eip mov [%ebx], %eax 0x404 %ebx %esp … … … 0x404 … 5 Text 0x00 0xffffffff 0x404

  5. Code sequence 0x17f: mov %eax, [%esp] mov %ebx, [%esp-8] 5 %eax mov [%ebx], %eax %eip 0x404 %ebx %esp … … … 0x404 … 5 5 Text 0x00 0xffffffff 0x404

  6. Equivalent ROP sequence %eip 0x17f: pop %eax ret %eax … 0x20d: pop %ebx %ebx ret … 0x21a: mov [%ebx], %eax %esp … … 0x21a 0x404 0x20d 5 Text 0x00 0xffffffff 0x404

  7. Equivalent ROP sequence 0x17f: pop %eax %eip ret 5 %eax … 0x20d: pop %ebx %ebx ret … 0x21a: mov [%ebx], %eax %esp … … 0x21a 0x404 0x20d 5 Text 0x00 0xffffffff 0x404

  8. Equivalent ROP sequence 0x17f: pop %eax ret 5 %eax … %eip 0x20d: pop %ebx %ebx ret … 0x21a: mov [%ebx], %eax %esp … … 0x21a 0x404 0x20d 5 Text 0x00 0xffffffff 0x404

  9. Equivalent ROP sequence 0x17f: pop %eax ret 5 %eax … 0x20d: pop %ebx %eip 0x404 %ebx ret … 0x21a: mov [%ebx], %eax %esp … … 0x21a 0x404 0x20d 5 Text 0x00 0xffffffff 0x404

  10. Equivalent ROP sequence 0x17f: pop %eax ret 5 %eax … 0x20d: pop %ebx 0x404 %ebx ret … %eip 0x21a: mov [%ebx], %eax … … 0x21a 0x404 0x20d 5 Text 0x00 0xffffffff 0x404

  11. Equivalent ROP sequence 0x17f: pop %eax ret 5 %eax … 0x20d: pop %ebx 0x404 %ebx ret … 0x21a: mov [%ebx], %eax %eip … … 0x21a 0x404 0x20d 5 5 Text 0x00 0xffffffff 0x404

  12. Image by Dino Dai Zovi

  13. Whence the gadgets?

  14. Whence the gadgets? • How can we find gadgets to construct an exploit?

  15. Whence the gadgets? • How can we find gadgets to construct an exploit? • Automate a search of the target binary for gadgets (look for ret instructions, work backwards) Cf. https://github.com/0vercl0k/rp -

  16. Whence the gadgets? • How can we find gadgets to construct an exploit? • Automate a search of the target binary for gadgets (look for ret instructions, work backwards) Cf. https://github.com/0vercl0k/rp - • Are there sufficient gadgets to do anything interesting?

  17. Whence the gadgets? • How can we find gadgets to construct an exploit? • Automate a search of the target binary for gadgets (look for ret instructions, work backwards) Cf. https://github.com/0vercl0k/rp - • Are there sufficient gadgets to do anything interesting? • Yes: Shacham found that for significant codebases (e.g., libc), gadgets are Turing complete Especially true on x86’s dense instruction set -

  18. Whence the gadgets? • How can we find gadgets to construct an exploit? • Automate a search of the target binary for gadgets (look for ret instructions, work backwards) Cf. https://github.com/0vercl0k/rp - • Are there sufficient gadgets to do anything interesting? • Yes: Shacham found that for significant codebases (e.g., libc), gadgets are Turing complete Especially true on x86’s dense instruction set - • Schwartz et al (USENIX Security ’11) have automated gadget shellcode creation, though not needing/requiring Turing completeness

  19. Blind ROP

  20. Blind ROP • Defense: Randomizing the location of the code (by compiling for position independence) on a 64- bit machine makes attacks very difficult

  21. Blind ROP • Defense: Randomizing the location of the code (by compiling for position independence) on a 64- bit machine makes attacks very difficult • Recent, published attacks are often for 32-bit versions of executables

  22. Blind ROP • Defense: Randomizing the location of the code (by compiling for position independence) on a 64- bit machine makes attacks very difficult • Recent, published attacks are often for 32-bit versions of executables • Attack response : Blind ROP

  23. Blind ROP • Defense: Randomizing the location of the code (by compiling for position independence) on a 64- bit machine makes attacks very difficult • Recent, published attacks are often for 32-bit versions of executables • Attack response : Blind ROP If server restarts on a crash, but does not re-randomize:

  24. Blind ROP • Defense: Randomizing the location of the code (by compiling for position independence) on a 64- bit machine makes attacks very difficult • Recent, published attacks are often for 32-bit versions of executables • Attack response : Blind ROP If server restarts on a crash, but does not re-randomize: 1.Read the stack to leak canaries and a return address

  25. Blind ROP • Defense: Randomizing the location of the code (by compiling for position independence) on a 64- bit machine makes attacks very difficult • Recent, published attacks are often for 32-bit versions of executables • Attack response : Blind ROP If server restarts on a crash, but does not re-randomize: 1.Read the stack to leak canaries and a return address 2.Find gadgets (at run-time) to effect call to write

  26. Blind ROP • Defense: Randomizing the location of the code (by compiling for position independence) on a 64- bit machine makes attacks very difficult • Recent, published attacks are often for 32-bit versions of executables • Attack response : Blind ROP If server restarts on a crash, but does not re-randomize: 1.Read the stack to leak canaries and a return address 2.Find gadgets (at run-time) to effect call to write 3.Dump binary to find gadgets for shellcode http://www.scs.stanford.edu/brop/

  27. Defeat! • The blind ROP team was able to completely automatically , only through remote interactions , develop a remote code exploit for nginx , a popular web server

  28. Defeat! • The blind ROP team was able to completely automatically , only through remote interactions , develop a remote code exploit for nginx , a popular web server • The exploit was carried out on a 64-bit executable with full stack canaries and randomization

  29. Defeat! • The blind ROP team was able to completely automatically , only through remote interactions , develop a remote code exploit for nginx , a popular web server • The exploit was carried out on a 64-bit executable with full stack canaries and randomization • Conclusion: give an inch, and they take a mile?

  30. Defeat! • The blind ROP team was able to completely automatically , only through remote interactions , develop a remote code exploit for nginx , a popular web server • The exploit was carried out on a 64-bit executable with full stack canaries and randomization • Conclusion: give an inch, and they take a mile? • Put another way: Memory safety is really useful!

  31. void safe() { char buf[80]; fgets(buf, 80, stdin); } void safer() { char buf[80]; fgets(buf, sizeof(buf), stdin); }

  32. void safe() { char buf[80]; fgets(buf, 80, stdin); } void safer() { char buf[80]; fgets(buf, sizeof(buf), stdin); } void vulnerable() { char buf[80]; if(fgets(buf, sizeof(buf), stdin)==NULL) return; printf(buf); }

  33. void safe() { char buf[80]; fgets(buf, 80, stdin); } void safer() { char buf[80]; fgets(buf, sizeof(buf), stdin); } void vulnerable() { char buf[80]; if(fgets(buf, sizeof(buf), stdin)==NULL) return; printf(buf); }

  34. Format string vulnerabilities

  35. printf format strings int i = 10; printf(“%d %p\n”, i, &i);

  36. printf format strings int i = 10; printf(“%d %p\n”, i, &i); 0x00000000 0xffffffff … %ebp %eip &fmt 10 &i

  37. printf format strings int i = 10; printf(“%d %p\n”, i, &i); 0x00000000 0xffffffff … %ebp %eip &fmt 10 &i printf ’s stack frame

  38. printf format strings int i = 10; printf(“%d %p\n”, i, &i); 0x00000000 0xffffffff … %ebp %eip &fmt 10 &i printf ’s stack frame caller’s 
 stack frame

  39. printf format strings int i = 10; printf(“%d %p\n”, i, &i); 0x00000000 0xffffffff … %ebp %eip &fmt 10 &i printf ’s stack frame caller’s 
 stack frame

  40. printf format strings int i = 10; printf(“%d %p\n”, i, &i); 0x00000000 0xffffffff … %ebp %eip &fmt 10 &i printf ’s stack frame caller’s 
 stack frame • printf takes variable number of arguments • printf pays no mind to where the stack frame “ends” • It presumes that you called it with (at least) as many arguments as specified in the format string

  41. printf format strings int i = 10; printf(“%d %p\n”, i, &i); 0x00000000 0xffffffff … %ebp %eip &fmt 10 &i printf ’s stack frame caller’s 
 stack frame • printf takes variable number of arguments • printf pays no mind to where the stack frame “ends” • It presumes that you called it with (at least) as many arguments as specified in the format string

  42. printf format strings int i = 10; printf(“%d %p\n”, i, &i); 0x00000000 0xffffffff … %ebp %eip &fmt 10 &i printf ’s stack frame caller’s 
 stack frame • printf takes variable number of arguments • printf pays no mind to where the stack frame “ends” • It presumes that you called it with (at least) as many arguments as specified in the format string

  43. printf format strings int i = 10; printf(“%d %p\n”, i, &i); 0x00000000 0xffffffff … %ebp %eip &fmt 10 &i printf ’s stack frame caller’s 
 stack frame • printf takes variable number of arguments • printf pays no mind to where the stack frame “ends” • It presumes that you called it with (at least) as many arguments as specified in the format string

  44. void vulnerable() { char buf[80]; if(fgets(buf, sizeof(buf), stdin)==NULL) return; printf(buf); }

  45. void vulnerable() { char buf[80]; if(fgets(buf, sizeof(buf), stdin)==NULL) return; printf(buf); } “%d %x"

  46. void vulnerable() { char buf[80]; if(fgets(buf, sizeof(buf), stdin)==NULL) return; printf(buf); } “%d %x" 0x00000000 0xffffffff … %ebp %eip &fmt caller’s 
 stack frame

  47. void vulnerable() { char buf[80]; if(fgets(buf, sizeof(buf), stdin)==NULL) return; printf(buf); } “%d %x" 0x00000000 0xffffffff … %ebp %eip &fmt caller’s 
 stack frame

  48. void vulnerable() { char buf[80]; if(fgets(buf, sizeof(buf), stdin)==NULL) return; printf(buf); } “%d %x" 0x00000000 0xffffffff … %ebp %eip &fmt caller’s 
 stack frame

  49. Format string vulnerabilities

  50. Format string vulnerabilities • printf(“100% dml”);

  51. Format string vulnerabilities • printf(“100% dml”); • Prints stack entry 4 byes above saved %eip

  52. Format string vulnerabilities • printf(“100% dml”); • Prints stack entry 4 byes above saved %eip • printf(“%s”);

  53. Format string vulnerabilities • printf(“100% dml”); • Prints stack entry 4 byes above saved %eip • printf(“%s”); • Prints bytes pointed to by that stack entry

  54. Format string vulnerabilities • printf(“100% dml”); • Prints stack entry 4 byes above saved %eip • printf(“%s”); • Prints bytes pointed to by that stack entry • printf(“%d %d %d %d …”);

  55. Format string vulnerabilities • printf(“100% dml”); • Prints stack entry 4 byes above saved %eip • printf(“%s”); • Prints bytes pointed to by that stack entry • printf(“%d %d %d %d …”); • Prints a series of stack entries as integers

Recommend

External buffer Raslan Darawsheh Mellanox External buffer First was introduced by Olivier

External buffer Raslan Darawsheh Mellanox External buffer First was introduced by Olivier

x External buffer Raslan Darawsheh Mellanox External buffer First was introduced by Olivier in his presentation in 2016. The support for External buffer has been there since DPDK 18.05 2 External buffer: Contd 3 External

544 views • 12 slides
TinyOS Determine when Fill message Specify Pass buffer message buffer Network Communication

TinyOS Determine when Fill message Specify Pass buffer message buffer Network Communication

Inter-Node Communication General idea: Sender: TinyOS Determine when Fill message Specify Pass buffer message buffer Network Communication buffer with data Recipients to OS can be reused Computer Network Receiver:

176 views • 3 slides
Lab 2: Buffer Overflows Fengwei Zhang SUSTech CS 315 Computer Security 1 Buffer Overflows

Lab 2: Buffer Overflows Fengwei Zhang SUSTech CS 315 Computer Security 1 Buffer Overflows

Lab 2: Buffer Overflows Fengwei Zhang SUSTech CS 315 Computer Security 1 Buffer Overflows One of the most common vulnerabilities in software Programming languages commonly associated with buffer overflows including C and C++

1.14k views • 17 slides
Delta Pointers: Buffer Overflow Checks Without the Checks Tadde us Kroes & Koen Koning

Delta Pointers: Buffer Overflow Checks Without the Checks Tadde us Kroes & Koen Koning

Delta Pointers: Buffer Overflow Checks Without the Checks Tadde us Kroes & Koen Koning Erik van der Kouwe Herbert Bos Cristiano Giuffrida June 19, 2018 Preview buffer[10] secret 2 Preview buffer[10] secret buffer[5] 2 Preview

940 views • 74 slides
Smashing the Buffer Smashing the Buffer Miroslav tampar Miroslav tampar (mstampar@zsis.hr )

Smashing the Buffer Smashing the Buffer Miroslav tampar Miroslav tampar (mstampar@zsis.hr )

Smashing the Buffer Smashing the Buffer Miroslav tampar Miroslav tampar (mstampar@zsis.hr ) (mstampar@zsis.hr ) Summary BSidesVienna 2014, Vienna (Austria) November 22nd, 2014 2 Buffer overflow (a.k.a.)

466 views • 35 slides
Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Last time We continued By launching our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow fundamentals This time We will finish up By looking at Buffer Overflow overflows

1.33k views • 103 slides
Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed

Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed

1 Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed in buffer overflow exploits to create backdoors Execution of additional network services via the INETD daemon The addition of new users

497 views • 30 slides
More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester

More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester

More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester Rebeiro Indian Institute of Technology Madras Buffer Overreads 2 Buffer Overread Example 3 Buffer Overread Example len read from command line

909 views • 76 slides
Introduction Buffer Overflows Buffer overflows were the most common form of security

Introduction Buffer Overflows Buffer overflows were the most common form of security

Introduction Buffer Overflows Buffer overflows were the most common form of security vulnerability in the 90s. Buffer overflows dominate in the area of remote network penetration vulnerabilities. CS 465 They represent one of the

656 views • 4 slides
a single gadget weird machine Framing Signals a return to portable shellcode Erik Bosman and

a single gadget weird machine Framing Signals a return to portable shellcode Erik Bosman and

a single gadget weird machine Framing Signals a return to portable shellcode Erik Bosman and Herbert Bos stack buffer overflow stack return addr buffer sp 1 stack buffer overflow stack return addr buffer sp 1 stack buffer overflow

1.65k views • 89 slides
Week 03 Lectures PostgreSQL Buffer Manager 1/95 PostgreSQL buffer manager: provides a shared

Week 03 Lectures PostgreSQL Buffer Manager 1/95 PostgreSQL buffer manager: provides a shared

Week 03 Lectures PostgreSQL Buffer Manager 1/95 PostgreSQL buffer manager: provides a shared pool of memory buffers for all backends all access methods get data from disk via buffer manager Buffers are located in a large region of shared

505 views • 25 slides
Shared buffer laboratory 2 implements a shared buffer Process loop Ke yboard wait for

Shared buffer laboratory 2 implements a shared buffer Process loop Ke yboard wait for

slide 1 gaius Shared buffer laboratory 2 implements a shared buffer Process loop Ke yboard wait for keyboard int port get character put character into buffer end Read (char *ch) shared by the application process Read (char *ch); shared

398 views • 28 slides
Riparian Buffer or Riparian Forest Buffer Equivalency Demonstration and Offsetting Water

Riparian Buffer or Riparian Forest Buffer Equivalency Demonstration and Offsetting Water

Implementation of Act 162 of 2014 Riparian Buffer or Riparian Forest Buffer Equivalency Demonstration and Offsetting Water Resources Advisory Committee August 12, 2015 Tom Wolf, Governor John Quigley, Secretary Agenda 1. Overview of Act 162

535 views • 37 slides
k + -buffer: Fragment Synchronized k-buffer I3D 2014 Andreas A. Vasilakis & Ioannis Fudos {

k + -buffer: Fragment Synchronized k-buffer I3D 2014 Andreas A. Vasilakis & Ioannis Fudos {

k + -buffer: Fragment Synchronized k-buffer I3D 2014 Andreas A. Vasilakis & Ioannis Fudos { abasilak,fudos } @cs.uoi.gr Department of Computer Science & Engineering, University of Ioannina, Greece 16 March 2014 Introduction

786 views • 44 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Last time We finished up By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow defenses (and workarounds) Format string vulnerabilities Integer overflow vulnerabilities This time

1.3k views • 80 slides
AKC Education Webinar Series: Social Media Resources Buffer: What Is It? Buffer is a software

AKC Education Webinar Series: Social Media Resources Buffer: What Is It? Buffer is a software

AKC Education Webinar Series: Social Media Resources Buffer: What Is It? Buffer is a software application for the web and mobile, designed to manage accounts in social networks, by providing the means for a user to schedule posts to Twitter,

511 views • 35 slides
University of Pavia, Italy Faculty of Engineering Microcomputer lab Application specific

University of Pavia, Italy Faculty of Engineering Microcomputer lab Application specific

University of Pavia, Italy Faculty of Engineering Microcomputer lab Application specific processors for Application specific processors for intensive computing applications intensive computing applications Gianni Danese Full Professor

1.9k views • 14 slides
the reality of digital science kaitlin thaney SciPy, 13 july 2011 austin, texas

the reality of digital science kaitlin thaney SciPy, 13 july 2011 austin, texas

the reality of digital science kaitlin thaney SciPy, 13 july 2011 austin, texas Wednesday, 13 July 2011 xi. background Wednesday, 13 July 2011 about me Wednesday, 13 July 2011 Digital Science (the company) Wednesday, 13 July 2011

1.1k views • 85 slides
Deep Learning Introduction Christian Szegedy Geoffrey Irving Google Research Machine Learning

Deep Learning Introduction Christian Szegedy Geoffrey Irving Google Research Machine Learning

Deep Learning Introduction Christian Szegedy Geoffrey Irving Google Research Machine Learning Supervised Learning Task Assume Ground truth G Model architecture f Prediction metric Training samples Find model

514 views • 37 slides
We Welcome! Which specimen catches your eye? Visit trilobites.info its brilliant! 2 Wh

We Welcome! Which specimen catches your eye? Visit trilobites.info its brilliant! 2 Wh

12/8/20 Trilobites: An Introduction Dr Liam Herringshaw Palaeontologist, Hidden Horizons Director, Yorkshire Fossil Festival 1 We Welcome! Which specimen catches your eye? Visit trilobites.info its brilliant! 2 Wh What is is a

336 views • 5 slides
Software Security: Miscellaneous Spring 2016 Franziska (Franzi)

Software Security: Miscellaneous Spring 2016 Franziska (Franzi)

CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Miscellaneous Spring 2016 Franziska (Franzi) Roesner franzi@cs.washington.edu

779 views • 39 slides
CAMPUS WIDE IMPROVEMENTS INCLUDING POWER UPGRADE, INCREASED BANDWIDTH, VOIP, INFRASTRUCTURE

CAMPUS WIDE IMPROVEMENTS INCLUDING POWER UPGRADE, INCREASED BANDWIDTH, VOIP, INFRASTRUCTURE

CAMPUS WIDE IMPROVEMENTS INCLUDING POWER UPGRADE, INCREASED BANDWIDTH, VOIP, INFRASTRUCTURE UPGRADES AND ADDED HVAC TO 44 CLASSROOMS. AS OF AUGUST 21, 2013 AS OF JULY 12, 2013 AS OF JULY 5, 2013

724 views • 4 slides
INTERACTING WITH THE BIBLE USING VIRTUAL REALITY AND ARTIFICIAL INTELLIGENCE Dr. Isac Artzi -

INTERACTING WITH THE BIBLE USING VIRTUAL REALITY AND ARTIFICIAL INTELLIGENCE Dr. Isac Artzi -

INTERACTING WITH THE BIBLE USING VIRTUAL REALITY AND ARTIFICIAL INTELLIGENCE Dr. Isac Artzi - Dept. of Computer Science - Grand Canyon University AGENDA 1. Current Bible study modality 2. Proposal: AI + VR 3. How we build it? 4. How does it

319 views • 21 slides
Capillarity Approximation of Conservation Laws with Discontinuous Fluxes Lorenzo di Ruvo

Capillarity Approximation of Conservation Laws with Discontinuous Fluxes Lorenzo di Ruvo

Capillarity Approximation of Conservation Laws with Discontinuous Fluxes Lorenzo di Ruvo Department of Mathematics University of Bari Via E. Orabona 4 70125 Bari (Italy) EMAIL: diruvo@dm.uniba.it Padova 2012 joint work with Prof. Giuseppe

598 views • 20 slides

More recommend

Explore More Topics

Stay informed with curated content and fresh updates.

animals pets art culture automotive transportation business finance computer internet construction architecture education-career electronics communication

Logo Sambuz

Unleash a World of Digital Possibilities—Browse, Share, and Explore Content Without Boundaries

Useful Links

About Us Privacy Services FAQ's Contact

Newsletter

Stay Informed & Inspired—Subscribe for the Latest Updates, Tips, and Exclusive Content Directly to Your Inbox.

Mail Us

mail@sambuz.com

2026 SAMBUZ, All right reserved.