buffer
play

Buffer Software Security overflows and other memory safety - PowerPoint PPT Presentation

This time We will begin By investigating our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Software security Security is a form


  1. We are going to focus on runtime attacks Stack and heap grow in opposite directions Compiler provides instructions that 
 adjusts the size of the stack at runtime 0x00000000 0xffffffff Heap 2 1 Stack Stack push 1 
 push 2 
 pointer push 3

  2. We are going to focus on runtime attacks Stack and heap grow in opposite directions Compiler provides instructions that 
 adjusts the size of the stack at runtime 0x00000000 0xffffffff Heap 3 2 1 Stack Stack push 1 
 push 2 
 pointer push 3

  3. We are going to focus on runtime attacks Stack and heap grow in opposite directions Compiler provides instructions that 
 adjusts the size of the stack at runtime 0x00000000 0xffffffff Heap 3 2 1 Stack Stack push 1 
 push 2 
 pointer push 3 return

  4. We are going to focus on runtime attacks Stack and heap grow in opposite directions Compiler provides instructions that 
 adjusts the size of the stack at runtime 0x00000000 0xffffffff Heap 3 2 1 Stack Stack push 1 
 push 2 
 pointer push 3 return

  5. We are going to focus on runtime attacks Stack and heap grow in opposite directions Compiler provides instructions that 
 adjusts the size of the stack at runtime 0x00000000 0xffffffff Heap 3 2 1 Stack { apportioned by the OS; Stack push 1 
 push 2 
 managed in-process pointer push 3 by malloc return

  6. We are going to focus on runtime attacks Stack and heap grow in opposite directions Compiler provides instructions that 
 adjusts the size of the stack at runtime 0x00000000 0xffffffff Heap 3 2 1 Stack { apportioned by the OS; Stack push 1 
 push 2 
 managed in-process pointer push 3 by malloc return Focusing on the stack for now

  7. Stack layout when calling functions • What do we do when we call a function? • What data need to be stored? • Where do they go? • How do we return from a function? • What data need to be restored ? • Where do they come from? Code examples

  8. Stack layout when calling functions void func(char *arg1, int arg2, int arg3) { char loc1[4] int loc2; int loc3; } 0x00000000 0xffffffff caller’s data

  9. Stack layout when calling functions void func(char *arg1, int arg2, int arg3) { char loc1[4] int loc2; int loc3; } 0x00000000 0xffffffff arg1 arg2 arg3 caller’s data Arguments 
 pushed in 
 reverse order of code

  10. Stack layout when calling functions void func(char *arg1, int arg2, int arg3) { char loc1[4] int loc2; int loc3; } 0x00000000 0xffffffff … loc2 loc1 arg1 arg2 arg3 caller’s data Local variables 
 Arguments 
 pushed in the pushed in 
 same order as reverse order they appear 
 of code in the code

  11. Stack layout when calling functions void func(char *arg1, int arg2, int arg3) { char loc1[4] int loc2; int loc3; } 0x00000000 0xffffffff … loc2 loc1 ??? ??? arg1 arg2 arg3 caller’s data Local variables 
 Arguments 
 pushed in the pushed in 
 same order as reverse order they appear 
 of code in the code

  12. Accessing variables void func(char *arg1, int arg2, int arg3) { char loc1[4] int loc2; int loc3; 
 ... loc2++; ... } 0x00000000 0xffffffff … loc2 loc1 ??? ??? arg1 arg2 arg3 caller’s data

  13. Accessing variables void func(char *arg1, int arg2, int arg3) { char loc1[4] int loc2; int loc3; 
 ... Q: Where is (this) loc2 ? loc2++; ... } 0x00000000 0xffffffff … loc2 loc1 ??? ??? arg1 arg2 arg3 caller’s data

  14. Accessing variables void func(char *arg1, int arg2, int arg3) { char loc1[4] int loc2; int loc3; 
 ... Q: Where is (this) loc2 ? loc2++; ... } 0x00000000 0xffffffff … loc2 loc1 ??? ??? arg1 arg2 arg3 caller’s data 0xbffff323

  15. Accessing variables void func(char *arg1, int arg2, int arg3) { char loc1[4] int loc2; int loc3; 
 ... Q: Where is (this) loc2 ? loc2++; ... } 0x00000000 0xffffffff … loc2 loc1 ??? ??? arg1 arg2 arg3 caller’s data 0xbffff323 Undecidable at 
 compile time

  16. Accessing variables void func(char *arg1, int arg2, int arg3) { char loc1[4] int loc2; int loc3; 
 ... Q: Where is (this) loc2 ? loc2++; ... } 0x00000000 0xffffffff … loc2 loc1 ??? ??? arg1 arg2 arg3 caller’s data 0xbffff323 Undecidable at 
 - I don’t know where loc2 is, compile time

  17. Accessing variables void func(char *arg1, int arg2, int arg3) { char loc1[4] int loc2; int loc3; 
 ... Q: Where is (this) loc2 ? loc2++; ... } 0x00000000 0xffffffff … loc2 loc1 ??? ??? arg1 arg2 arg3 caller’s data 0xbffff323 Undecidable at 
 - I don’t know where loc2 is, compile time - and I don’t know how many args

  18. Accessing variables void func(char *arg1, int arg2, int arg3) { char loc1[4] int loc2; int loc3; 
 ... Q: Where is (this) loc2 ? loc2++; ... } 0x00000000 0xffffffff … loc2 loc1 ??? ??? arg1 arg2 arg3 caller’s data 0xbffff323 Undecidable at 
 - I don’t know where loc2 is, compile time - and I don’t know how many args - but loc2 is always 8B before “???”s

  19. Accessing variables void func(char *arg1, int arg2, int arg3) { char loc1[4] int loc2; int loc3; 
 ... Q: Where is (this) loc2 ? loc2++; ... } 0x00000000 0xffffffff … loc2 loc1 ??? ??? arg1 arg2 arg3 caller’s data - I don’t know where loc2 is, - and I don’t know how many args - but loc2 is always 8B before “???”s

  20. Accessing variables void func(char *arg1, int arg2, int arg3) { char loc1[4] int loc2; int loc3; 
 ... Q: Where is (this) loc2 ? loc2++; ... } 0x00000000 0xffffffff … loc2 loc1 ??? ??? arg1 arg2 arg3 caller’s data Stack frame 
 for this call to func - I don’t know where loc2 is, - and I don’t know how many args - but loc2 is always 8B before “???”s

  21. Accessing variables void func(char *arg1, int arg2, int arg3) { char loc1[4] int loc2; int loc3; 
 ... Q: Where is (this) loc2 ? loc2++; ... } 0x00000000 0xffffffff … loc2 loc1 ??? ??? arg1 arg2 arg3 caller’s data Stack frame 
 for this call to func %ebp Frame pointer - I don’t know where loc2 is, - and I don’t know how many args - but loc2 is always 8B before “???”s

  22. Accessing variables void func(char *arg1, int arg2, int arg3) { char loc1[4] int loc2; int loc3; 
 ... Q: Where is (this) loc2 ? loc2++; ... A: -8(%ebp) } 0x00000000 0xffffffff … loc2 loc1 ??? ??? arg1 arg2 arg3 caller’s data Stack frame 
 for this call to func %ebp Frame pointer - I don’t know where loc2 is, - and I don’t know how many args - but loc2 is always 8B before “???”s

  23. Notation %ebp A memory address (%ebp) The value at memory address %ebp 
 (like dereferencing a pointer)

  24. Notation %ebp A memory address (%ebp) The value at memory address %ebp 
 (like dereferencing a pointer) 0x00000000 0xffffffff

  25. Notation %ebp A memory address 0xbfff03b8 (%ebp) The value at memory address %ebp 
 (like dereferencing a pointer) 0x00000000 0xffffffff

  26. Notation %ebp A memory address 0xbfff03b8 (%ebp) The value at memory address %ebp 
 (like dereferencing a pointer) 0xbfff03b8 0x00000000 0xffffffff %ebp

  27. Notation %ebp A memory address 0xbfff03b8 (%ebp) The value at memory address %ebp 
 0xbfff0720 (like dereferencing a pointer) 0xbfff03b8 0xbfff0720 0x00000000 0xffffffff %ebp

  28. Notation %ebp A memory address 0xbfff03b8 (%ebp) The value at memory address %ebp 
 0xbfff0720 (like dereferencing a pointer) pushl %ebp 0xbfff03b8 0xbfff0720 0x00000000 0xffffffff %ebp

  29. Notation %ebp A memory address 0xbfff03b8 (%ebp) The value at memory address %ebp 
 0xbfff0720 (like dereferencing a pointer) pushl %ebp %esp 0xbfff03b8 0xbfff0720 0x00000000 0xffffffff %ebp

  30. Notation %ebp A memory address 0xbfff03b8 (%ebp) The value at memory address %ebp 
 0xbfff0720 (like dereferencing a pointer) pushl %ebp %esp 0xbfff03b8 0xbfff0720 0x00000000 0xffffffff %ebp

  31. Notation %ebp A memory address 0xbfff03b8 (%ebp) The value at memory address %ebp 
 0xbfff0720 (like dereferencing a pointer) pushl %ebp %esp 0xbfff03b8 0xbfff0720 0x00000000 0xffffffff %ebp

  32. Notation %ebp A memory address 0xbfff03b8 (%ebp) The value at memory address %ebp 
 0xbfff0720 (like dereferencing a pointer) pushl %ebp %esp 0xbfff03b8 0xbfff0720 0xbfff03b8 0x00000000 0xffffffff %ebp

  33. Notation %ebp A memory address 0xbfff03b8 (%ebp) The value at memory address %ebp 
 0xbfff0720 (like dereferencing a pointer) pushl %ebp movl %esp %ebp /* %ebp = %esp */ %esp 0xbfff03b8 0xbfff0720 0xbfff03b8 0x00000000 0xffffffff %ebp

  34. Notation %ebp A memory address 0xbfff03b8 (%ebp) The value at memory address %ebp 
 0xbfff0720 (like dereferencing a pointer) pushl %ebp movl %esp %ebp /* %ebp = %esp */ %esp 0xbfff03b8 0xbfff0720 0xbfff03b8 0x00000000 0xffffffff %ebp

  35. Notation %ebp A memory address 0xbfff03b8 (%ebp) The value at memory address %ebp 
 0xbfff0720 (like dereferencing a pointer) pushl %ebp movl %esp %ebp /* %ebp = %esp */ %esp 0xbfff0200 0xbfff03b8 0xbfff0720 0xbfff03b8 0x00000000 0xffffffff %ebp

  36. Notation %ebp A memory address 0xbfff03b8 0xbfff0200 (%ebp) The value at memory address %ebp 
 0xbfff0720 (like dereferencing a pointer) pushl %ebp movl %esp %ebp /* %ebp = %esp */ %esp 0xbfff0200 0xbfff03b8 0xbfff0720 0xbfff03b8 0x00000000 0xffffffff %ebp

  37. Notation %ebp A memory address 0xbfff03b8 0xbfff0200 (%ebp) The value at memory address %ebp 
 0xbfff0720 0xbfff03b8 (like dereferencing a pointer) pushl %ebp movl %esp %ebp /* %ebp = %esp */ %esp 0xbfff0200 0xbfff03b8 0xbfff0720 0xbfff03b8 0x00000000 0xffffffff %ebp

  38. Returning from functions int main() { ... func(“Hey”, 10, -3); ... } 0x00000000 0xffffffff … loc2 loc1 ??? ??? arg1 arg2 arg3 caller’s data Stack frame 
 for this call to func %ebp

  39. Returning from functions int main() { ... func(“Hey”, 10, -3); ... } 0x00000000 0xffffffff … loc2 loc1 ??? ??? arg1 arg2 arg3 caller’s data Stack frame 
 for this call to func %ebp

  40. Returning from functions int main() { ... func(“Hey”, 10, -3); ... } 0x00000000 0xffffffff … loc2 loc1 ??? ??? arg1 arg2 arg3 caller’s data Stack frame 
 for this call to func %ebp %ebp

  41. Returning from functions int main() { ... func(“Hey”, 10, -3); ... Q: How do we restore %ebp? } 0x00000000 0xffffffff … loc2 loc1 ??? ??? arg1 arg2 arg3 caller’s data Stack frame 
 for this call to func %ebp %ebp

  42. Returning from functions int main() { ... func(“Hey”, 10, -3); ... Q: How do we restore %ebp? } 0x00000000 0xffffffff … ??? arg1 arg2 arg3 caller’s data Stack frame 
 for this call to func %ebp

  43. Returning from functions int main() { ... func(“Hey”, 10, -3); ... Q: How do we restore %ebp? } %esp 0x00000000 0xffffffff … ??? arg1 arg2 arg3 caller’s data Stack frame 
 for this call to func %ebp

  44. Returning from functions int main() { ... func(“Hey”, 10, -3); ... Q: How do we restore %ebp? } %esp 0x00000000 0xffffffff … ??? arg1 arg2 arg3 caller’s data %ebp Stack frame 
 for this call to func %ebp 1. Push %ebp before locals

  45. Returning from functions int main() { ... func(“Hey”, 10, -3); ... Q: How do we restore %ebp? } %esp 0x00000000 0xffffffff … ??? arg1 arg2 arg3 caller’s data %ebp Stack frame 
 for this call to func %ebp %ebp 1. Push %ebp before locals 2. Set %ebp to current %esp

  46. Returning from functions int main() { ... func(“Hey”, 10, -3); ... Q: How do we restore %ebp? } %esp 0x00000000 0xffffffff … ??? arg1 arg2 arg3 caller’s data %ebp Stack frame 
 for this call to func %ebp %ebp 1. Push %ebp before locals 2. Set %ebp to current %esp 3. Set %ebp to(%ebp) at return

  47. Returning from functions int main() { ... func(“Hey”, 10, -3); ... } 0x00000000 0xffffffff … loc2 loc1 ??? arg1 arg2 arg3 caller’s data %ebp Stack frame 
 for this call to func %ebp %ebp

  48. Returning from functions int main() { ... func(“Hey”, 10, -3); ... Q: How do we resume here? } 0x00000000 0xffffffff … loc2 loc1 ??? arg1 arg2 arg3 caller’s data %ebp Stack frame 
 for this call to func %ebp %ebp

  49. The instructions themselves are in memory 4G 0xffffffff ... 0x4a7 mov $0x0,%eax 0x4a2 call <func> 0x49b movl $0x804..,(%esp) 0x493 movl $0xa,0x4(%esp) ... Text 0x00000000 0

  50. The instructions themselves are in memory 4G 0xffffffff ... 0x4a7 mov $0x0,%eax 0x4a2 call <func> 0x49b movl $0x804..,(%esp) %eip 0x493 movl $0xa,0x4(%esp) ... Text 0x00000000 0

  51. The instructions themselves are in memory 4G 0xffffffff ... 0x4a7 mov $0x0,%eax 0x4a2 call <func> 0x49b movl $0x804..,(%esp) %eip 0x493 movl $0xa,0x4(%esp) ... Text 0x00000000 0

  52. The instructions themselves are in memory 4G 0xffffffff ... 0x4a7 mov $0x0,%eax %eip 0x4a2 call <func> 0x49b movl $0x804..,(%esp) 0x493 movl $0xa,0x4(%esp) ... Text 0x00000000 0

Recommend


More recommend