c and c vulnerability exploits and countermeasures
play

C and C++ vulnerability exploits and countermeasures Frank Piessens - PowerPoint PPT Presentation

Feb 19, 2024 •248 likes •1.03k views

C and C++ vulnerability exploits and countermeasures Frank Piessens (Frank.Piessens@cs.kuleuven.be) These slides are based on the paper: Low-level Software Security by Example by Erlingsson, Younan and Piessens KATHOLIEKE Secappdev

  1. C and C++ vulnerability exploits and countermeasures Frank Piessens (Frank.Piessens@cs.kuleuven.be) These slides are based on the paper: “Low-level Software Security by Example” by Erlingsson, Younan and Piessens KATHOLIEKE � Secappdev 2011 1 UNIVERSITEIT � LEUVEN

  2. Overview • Introduction • Example attacks – Stack-based buffer overflow – Heap-based buffer overflow – Return-to-libc attacks – Data-only attacks • Example defenses – Stack canaries – Non-executable data – Control-flow integrity – Layout randomization • Conclusion KATHOLIEKE � Secappdev 2011 2 UNIVERSITEIT � LEUVEN

  3. Introduction • An implementation-level software vulnerability is a bug in a program that can be exploited by an attacker to cause harm • Example vulnerabilities: – SQL injection vulnerabilities (discussed before) – XSS vulnerabilities (discussed before) – Buffer overflows and other memory corruption vulnerabilities • An attack is a scenario where an attacker triggers the bug to cause harm • A countermeasure is a technique to counter attacks • These lectures will discuss memory corruption vulnerabilities, common attack techniques, and common countermeasures for them KATHOLIEKE � Secappdev 2011 3 UNIVERSITEIT � LEUVEN

  4. Memory corruption vulnerabilities • Memory corruption vulnerabilities are a class of vulnerabilities relevant for unsafe languages – i.e. Languages that do not check whether programs access memory in a correct way – Hence buggy programs may mess up parts of memory used by the language run-time • In these lectures we will focus on memory corruption vulnerabilities in C programs KATHOLIEKE � Secappdev 2011 4 UNIVERSITEIT � LEUVEN

  5. Example vulnerable C program KATHOLIEKE � Secappdev 2011 5 UNIVERSITEIT � LEUVEN

  6. Introduction • Attacks that exploit such vulnerabilities can have devastating consequences: – E.g. CERT Advisory Feb 2006: “The Microsoft Windows Media Player plug-in for browsers other than Internet Explorer contains a buffer overflow, which may allow a remote attacker to execute arbitrary code .” (CVE-2006-005) • This is one (of the many) examples of a vulnerability that is exploitable by a code injection attack KATHOLIEKE � Secappdev 2011 6 UNIVERSITEIT � LEUVEN

  7. Background: Memory management in C • Memory can be allocated in many ways in C – Automatic (local variables in functions) – Static (global variables) – Dynamic (malloc and new) • Programmer is responsible for: – Appropriate use of allocated memory • E.g. bounds checks, type checks, … – Correct de-allocation of memory KATHOLIEKE � Secappdev 2011 7 UNIVERSITEIT � LEUVEN

  8. Process memory layout Arguments/ Environment High addresses Stack grows Stack down Unused and Mapped Memory Heap grows Heap (dynamic data) up Static Data Program Code Low addresses KATHOLIEKE � Secappdev 2011 8 UNIVERSITEIT � LEUVEN

  9. Memory management in C • Memory management is very error-prone • Some typical bugs: – Writing past the bound of an array – Dangling pointers – Double freeing – Memory leaks • For efficiency, practical C implementations don’t detect such bugs at run time – The language definition states that behavior of a buggy program is undefined KATHOLIEKE � Secappdev 2011 9 UNIVERSITEIT � LEUVEN

  10. Attacking unsafe code • To do a code injection attack, an attacker must: – Find a bug in the program that can break memory safety – Find an interesting memory location to overwrite – Get attack code in the process memory space KATHOLIEKE � Secappdev 2011 10 UNIVERSITEIT � LEUVEN

  11. Bugs that can break memory safety • Writing past the end of an array (buffer overrun or overflow) • Dereference a dangling pointer • Use of a dangerous API function – That internally overflows a buffer • E.g. strcpy(), gets() – That is implemented in assembly in an intrinsically unsafe way • E.g. printf() KATHOLIEKE � Secappdev 2011 11 UNIVERSITEIT � LEUVEN

  12. Interesting memory locations • Code addresses or function pointers – Return address of a function invocation – Function pointers in the virtual function table – Program specific function pointers • Pointers where the attacker can control what is written when the program dereferences the pointer – Indirect pointer overwrite: first redirect the pointer to another interesting location, then write the appropriate value KATHOLIEKE � Secappdev 2011 12 UNIVERSITEIT � LEUVEN

  13. Overview • Introduction • Example attacks – Stack-based buffer overflow – Heap-based buffer overflow – Return-to-libc attacks – Data-only attacks • Example defenses – Stack canaries – Non-executable data – Control-flow integrity – Layout randomization • Conclusion KATHOLIEKE � Secappdev 2011 13 UNIVERSITEIT � LEUVEN

  14. Stack based buffer overflow • The stack is a memory area used at run time to track function calls and returns – Per call, an activation record or stack frame is pushed on the stack, containing: • Actual parameters, return address, automatically allocated local variables, … • As a consequence, if a local buffer variable can be overflowed, there are interesting memory locations to overwrite nearby KATHOLIEKE � Secappdev 2011 14 UNIVERSITEIT � LEUVEN

  15. Stack based buffer overflow Stack Return address f0 Saved Frame Ptr f0 FP f0: IP … Local variables f0 call f1 … SP f1: buffer[] overflow() … KATHOLIEKE � Secappdev 2011 15 UNIVERSITEIT � LEUVEN

  16. Stack based buffer overflow Stack Return address f0 Saved Frame Ptr f0 f0: … Local variables f0 call f1 … Arguments f1 f1: IP Return address f1 buffer[] Saved Frame Ptr f1 FP overflow() … Space for buffer SP KATHOLIEKE � Secappdev 2011 16 UNIVERSITEIT � LEUVEN

  17. Stack based buffer overflow Stack Return address f0 Saved Frame Ptr f0 f0: … Local variables f0 call f1 … Arguments f1 f1: Overwritten address buffer[] FP overflow() IP … Injected Code SP KATHOLIEKE � Secappdev 2011 17 UNIVERSITEIT � LEUVEN

  18. Stack based buffer overflow • Shell code strings: LINUX on Intel: char shellcode[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b" "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd" "\x80\xe8\xdc\xff\xff\xff/bin/sh"; SPARC Solaris: char shellcode[] = "\x2d\x0b\xd8\x9a\xac\x15\xa1\x6e\x2f\x0b\xdc\xda\x90\x0b\x80\x0e" "\x92\x03\xa0\x08\x94\x1a\x80\x0a\x9c\x03\xa0\x10\xec\x3b\xbf\xf0" "\xdc\x23\xbf\xf8\xc0\x23\xbf\xfc\x82\x10\x20\x3b\x91\xd0\x20\x08" "\x90\x1b\xc0\x0f\x82\x10\x20\x01\x91\xd0\x20\x08"; KATHOLIEKE � Secappdev 2011 18 UNIVERSITEIT � LEUVEN

  19. Very simple shell code • In examples further on, we will use: KATHOLIEKE � Secappdev 2011 19 UNIVERSITEIT � LEUVEN

  20. Stack based buffer overflow • Example vulnerable program: KATHOLIEKE � Secappdev 2011 20 UNIVERSITEIT � LEUVEN

  21. Stack based buffer overflow • Or alternatively: KATHOLIEKE � Secappdev 2011 21 UNIVERSITEIT � LEUVEN

  22. Stack based buffer overflow • Snapshot of the stack before the return: KATHOLIEKE � Secappdev 2011 22 UNIVERSITEIT � LEUVEN

  23. Stack based buffer overflow • Snapshot of the stack before the return: KATHOLIEKE � Secappdev 2011 23 UNIVERSITEIT � LEUVEN

  24. Stack based buffer overflow • Lots of details to get right before it works: – No nulls in (character-)strings – Filling in the correct return address: • Fake return address must be precisely positioned • Attacker might not know the address of his own string – Other overwritten data must not be used before return from function – … • More information in – “Smashing the stack for fun and profit” by Aleph One KATHOLIEKE � Secappdev 2011 24 UNIVERSITEIT � LEUVEN

  25. Overview • Introduction • Example attacks – Stack-based buffer overflow – Heap-based buffer overflow – Return-to-libc attacks – Data-only attacks • Example defenses – Stack canaries – Non-executable data – Control-flow integrity – Layout randomization • Conclusion KATHOLIEKE � Secappdev 2011 25 UNIVERSITEIT � LEUVEN

  26. Heap based buffer overflow • If a program contains a buffer overflow vulnerability for a buffer allocated on the heap, there is no return address nearby • So attacking a heap based vulnerability requires the attacker to overwrite other code pointers • We look at two examples: – Overwriting a function pointer – Overwriting heap metadata KATHOLIEKE � Secappdev 2011 26 UNIVERSITEIT � LEUVEN

  27. Overwriting a function pointer • Example vulnerable program: KATHOLIEKE � Secappdev 2011 27 UNIVERSITEIT � LEUVEN

  28. Overwriting a function pointer • And what happens on overflow: KATHOLIEKE � Secappdev 2011 28 UNIVERSITEIT � LEUVEN

Recommend

Routing Bottlenecks in the Internet: Causes, Exploits, and Countermeasures Min Suk Kang Virgil

Routing Bottlenecks in the Internet: Causes, Exploits, and Countermeasures Min Suk Kang Virgil

Routing Bottlenecks in the Internet: Causes, Exploits, and Countermeasures Min Suk Kang Virgil D. Gligor ECE Department and CyLab, Carnegie Mellon University Nov 4, 2014 Route Diversity is Critical to Resiliency of Internet Connectivity

387 views • 22 slides
Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a

Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a

Vulnerability Management Spring 2020 Jay Chen What is a vulnerability? A vulnerability is a cybersecurity flaw in a system that leave it open to attack. A vulnerability may also refer to any type of weakness in a computer system

407 views • 16 slides
Pr Preve venting exploits against memo memory-co corruption vulnerabilities Chengyu Song

Pr Preve venting exploits against memo memory-co corruption vulnerabilities Chengyu Song

Pr Preve venting exploits against memo memory-co corruption vulnerabilities Chengyu Song Georgia Tech Agenda Memory corruption vulnerability Thesis Statement Approaches SDCG Kenali HDFI Conclusion Memory

737 views • 72 slides
On the Need of Randomness in Fault Attack Countermeasures Application to AES Victor LOMNE 1 ,

On the Need of Randomness in Fault Attack Countermeasures Application to AES Victor LOMNE 1 ,

Physical Attacks New Attacks on Classical Countermeasures Extended Countermeasures On the Need of Randomness in Fault Attack Countermeasures Application to AES Victor LOMNE 1 , Thomas ROCHE 1 , Adrian THILLARD 1 1 ANSSI (French Network and

358 views • 25 slides
Overview of Countermeasures against Implementation Attacks Marcel Medwed marcel.medwed@nxp.com

Overview of Countermeasures against Implementation Attacks Marcel Medwed marcel.medwed@nxp.com

Overview of Countermeasures against Implementation Attacks Marcel Medwed marcel.medwed@nxp.com Outline Motivation & general mechanisms Side-channel countermeasures Fault countermeasures Conclusions 2 Design and Security of

549 views • 40 slides
MOBILE DATA CHARGING: NEW ATTACKS NEW ATTACKS AND COUNTERMEASURES AND COUNTERMEASURES Chunyi

MOBILE DATA CHARGING: NEW ATTACKS NEW ATTACKS AND COUNTERMEASURES AND COUNTERMEASURES Chunyi

MOBILE DATA CHARGING: NEW ATTACKS NEW ATTACKS AND COUNTERMEASURES AND COUNTERMEASURES Chunyi Peng Chunyi Peng , Chi-Yu Li, Guan-Hua Tu, Songwu Lu, Lixia Zhang University of California, Los Angeles ACM CCS12 ACM CCS'12 C Peng (UCLA)

480 views • 27 slides
Arjun Surendra SaciWATERs Vulnerability Vulnerability is the propensity to suffer a

Arjun Surendra SaciWATERs Vulnerability Vulnerability is the propensity to suffer a

Arjun Surendra SaciWATERs Vulnerability Vulnerability is the propensity to suffer a significant shock that brings welfare below a socially accepted level (Khl, 2003) Vulnerability increases when there is uncertainty with respect to

529 views • 21 slides
HOST SCA Countermeasures I ECE 525 Side-Channel Analysis (SCA) Countermeasures Reference

HOST SCA Countermeasures I ECE 525 Side-Channel Analysis (SCA) Countermeasures Reference

HOST SCA Countermeasures I ECE 525 Side-Channel Analysis (SCA) Countermeasures Reference Mangard et. al, "Power Analysis Attacks, Revealing the Secrets of Smart Cards", Springer, 2009 Power analysis attacks are effective because the

479 views • 19 slides
Contents What is vulnerability? Why conduct vulnerability assessments? Defining

Contents What is vulnerability? Why conduct vulnerability assessments? Defining

6/19/2015 Vulnerability and Capacity Assessment Index (VCAI) for Climate Change Adaptation SVRK Prabhakar USAID ADAPT Asia-Pacific Presented at NABARD Training Workshop, Mumbai on 18 June 2015 Contents What is vulnerability? Why

705 views • 21 slides
Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1

Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1

Vulnerability Analysis and Food Aid W orking Group Chaired by W FP/ VAM Unit Vulnerability Assessm ent 2 0 0 4 Luanda, 2 5 June 2 0 0 4 Vulnerability Assessment 2004 - p1 Overview 1 . Methodology of the VA 2 0 0 4 2 . Highlights of

703 views • 28 slides
Vulnerability Screening Tool Identifying and addressing vulnerability: A tool for asylum and

Vulnerability Screening Tool Identifying and addressing vulnerability: A tool for asylum and

Vulnerability Screening Tool Identifying and addressing vulnerability: A tool for asylum and migration systems Purpose Intended to guide & inform frontline workers & decision makers on the relevance of vulnerability factors to

507 views • 19 slides
Earthquake Vulnerability Earthquake Vulnerability Vulnerability Assessment & EVR measures

Earthquake Vulnerability Earthquake Vulnerability Vulnerability Assessment & EVR measures

Earthquake Vulnerability Earthquake Vulnerability Vulnerability Assessment & EVR measures Islamabad Pakistan Assessment and Vulnerability Assessment and Vulnerability Reduction Measures Reduction Measures adpc Asian Disaster

702 views • 46 slides
FROM PRINTED FROM PRINTED CIRCUIT BOARDS TO CIRCUIT BOARDS TO EXPLOITS EXPLOITS (PWNING IOT

FROM PRINTED FROM PRINTED CIRCUIT BOARDS TO CIRCUIT BOARDS TO EXPLOITS EXPLOITS (PWNING IOT

FROM PRINTED FROM PRINTED CIRCUIT BOARDS TO CIRCUIT BOARDS TO EXPLOITS EXPLOITS (PWNING IOT DEVICES LIKE A BOSS) (PWNING IOT DEVICES LIKE A BOSS) @virtualabs | Hack in Paris '18 ABOUT ME ABOUT ME Head of Research @ Econocom Digital

1.73k views • 83 slides
Earthquake and Tsunami Countermeasures in Japan The Committee for Technical Investigation on

Earthquake and Tsunami Countermeasures in Japan The Committee for Technical Investigation on

May 10, 2013 Earthquake and Tsunami Countermeasures in Japan The Committee for Technical Investigation on Countermeasures for Earthquakes and Tsunamis Based on The Lessons Learned from The 2011 Off The Pacific Coast of Tohoku Earthquake

436 views • 29 slides
On Countermeasures for Riverine and Marine Plastic Litter in India 12 -22 May 2020 Session 2:

On Countermeasures for Riverine and Marine Plastic Litter in India 12 -22 May 2020 Session 2:

National Policy Workshop Webinar Series On Countermeasures for Riverine and Marine Plastic Litter in India 12 -22 May 2020 Session 2: Community Perceptions and behavioral aspects for plastic management and promotion of countermeasures to

473 views • 19 slides
Introduction What is Disaster vulnerability? Vulnerability is the inability to resist a

Introduction What is Disaster vulnerability? Vulnerability is the inability to resist a

Vulnerability to Disasters: A Gendered Analysis on Water Availability and Livelihoods in Nadu Colony, Kovalam, Chennai, India Group No: 02 Sumaia Kashem Shreeya Lohani Shanmuga Priya. G Meththa Prabodhani Menike

834 views • 40 slides
Attacks and Countermeasures for White-box Designs Alex Biryukov, Aleksei Udovenko CSC and SnT,

Attacks and Countermeasures for White-box Designs Alex Biryukov, Aleksei Udovenko CSC and SnT,

Attacks and Countermeasures for White-box Designs Alex Biryukov, Aleksei Udovenko CSC and SnT, University of Luxembourg December 5, 2018 Plan 1 Introduction 2 Attacks on Masked White-box Implementations 3 Countermeasures 4 Algebraic Security 0

797 views • 53 slides
Buffer Overflow Vulnerabilities Exploits and Defensive Techniques Adam Butcher and Peter

Buffer Overflow Vulnerabilities Exploits and Defensive Techniques Adam Butcher and Peter

Buffer Overflow Vulnerabilities Exploits and Defensive Techniques Adam Butcher and Peter Buchlovsky 8. March 2004 University of Birmingham 1 Contents 1. Call-stacks, shellcode, gets 2. Exploits stack-based, heap-based 3. Defensive

1.56k views • 123 slides
Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of

Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of

Introduction Threats Setups Attacks Countermeasures Conclusion 1 / 31 Fault Attacks and Countermeasures Michael Hutter Summer School on Design and Security of Cryptographic Algorithms and Devices for Real-World Applications Sibenik,

849 views • 31 slides
Web vulnerability scanning and exploitation tools Scaling vulnerability scanning Companies

Web vulnerability scanning and exploitation tools Scaling vulnerability scanning Companies

Web vulnerability scanning and exploitation tools Scaling vulnerability scanning Companies with 1000+ web applications running Move to m -services architectures making things worse Huge shortage of skilled security engineers to

732 views • 48 slides
The Maldives Population Distribution Vulnerability Indicators Vulnerability Indicators

The Maldives Population Distribution Vulnerability Indicators Vulnerability Indicators

The Maldives Population Distribution Vulnerability Indicators Vulnerability Indicators (excluding Male') Highest elevation 1.5m Population: 298,968 above sea level less than 1000 97% of all inhabited 59 % Total number of

357 views • 4 slides
1 Vulnerability in WPA2 Hole196 Hole196 Vulnerability in WPA2 Presenters: Anthony Paladino,

1 Vulnerability in WPA2 Hole196 Hole196 Vulnerability in WPA2 Presenters: Anthony Paladino,

1 Vulnerability in WPA2 Hole196 Hole196 Vulnerability in WPA2 Presenters: Anthony Paladino, Managing Director, Systems Engineering Dr. Kaustubh Phanse, Principal Wireless Architect Md. Sohail Ahmad, Senior Security Researcher Moderator: Della

314 views • 29 slides
Quantitative Security Colorado State University Yashwant K Malaiya CS 559 Vulnerability Life

Quantitative Security Colorado State University Yashwant K Malaiya CS 559 Vulnerability Life

Quantitative Security Colorado State University Yashwant K Malaiya CS 559 Vulnerability Life Cycle CSU Cybersecurity Center Computer Science Dept 1 1 Topics Vulnerability Life Cycle Vulnerability Discovery models 2 Vulnerability

805 views • 46 slides
Side-Channel Countermeasures Dissection and the Limits of Closed Source Security Evaluations

Side-Channel Countermeasures Dissection and the Limits of Closed Source Security Evaluations

Introduction Countermeasures Dissection Information Extraction Attack Results Closed Source Evaluation Conclusion Side-Channel Countermeasures Dissection and the Limits of Closed Source Security Evaluations Olivier Bronchain Fran

2.22k views • 189 slides

More recommend