cmpsc 497 buffer overflow vulnerabilities
play

CMPSC 497 Buffer Overflow Vulnerabilities Trent Jaeger Systems - PowerPoint PPT Presentation

Dec 19, 2023 •342 likes •739 views

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Buffer Overflow Vulnerabilities Trent Jaeger

  1. Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 � Buffer Overflow Vulnerabilities Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1

  2. Bu ff er Overflow • Early example of a method to exploit a “memory error” in a C program • Discovered in the 1970s • Leveraged by the Morris Worm in 1988 – first large scale exploit • Leveraged by subsequent attacks in the early 2000s that led to security rethink • Still a problem today – Check out CVEs for “buffer overflow” Systems and Internet Infrastructure Security (SIIS) Laboratory Page 2

  3. Memory Error • A memory error allows a program statement to access memory beyond that allocated for the variables processed in the statement • Common case: Buffer overflow The C language allows writes to memory addresses ‣ specified by pointers char buf[10] – buf can be used as a pointer • C functions enable writing based on the size of the ‣ input or a length value strcpy and strncpy • However, neither limits the write to the allocated buf ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 3

  4. Morris Worm • Robert Morris, a 23-year old Cornell PhD student Wrote a small (99 line) program ‣ Launched on November 3, 1988 ‣ Simply disabled the Internet ‣ • Used a buffer overflow in a program called fingerd To get adversary-controlled code running ‣ • Then spread to other hosts – cracked passwords and leveraged open LAN configurations • Covered its tracks (set is own process name to sh , prevented accurate cores, re-forked itself) Systems and Internet Infrastructure Security (SIIS) Laboratory Page 4

  5. Process Address Space higher • Text: static code memory Stack • Data: also called heap address static variables ‣ Data dynamically allocated data ‣ (malloc, new) lower Text • Stack: program memory execution stacks address Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  6. Program Stack • For implementing procedure calls and returns • Keep track of program execution and state by storing local variables ‣ arguments to the called procedure (callee) ‣ return address of the calling procedure (caller) ‣ ... ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  7. Program Stack *Slide by Robert Seacord Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  8. Stack Frames • Stack grows from high mem to low mem addresses • The stack pointer points to the top of the stack ESP in Intel architectures • • The frame pointer points to the end of the current frame also called the base pointer ‣ EBP in Intel architectures • • The stack is modified during function calls, function initializations, returning from ‣ a function Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  9. A Running Example void function(int a, int b) { char buffer[12]; gets(buffer); return; } void main() { Run “gcc –S –o example.s example.c” to see its assembly code int x; x = 0; function(1,2); x = 1; printf("%d\n",x); } Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  10. Function Calls function (1,2) push the 2 nd arg to stack pushl $2 push the 1 st arg to stack pushl $1 push the ret addr onto the stack, call function and jumps to the function 10 Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  11. Function Calls: Stacks Before After esp ret 1 2 esp stack frame stack frame for main for main ebp ebp Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  12. Function Initialization void function(int a, int b) { saves the frame pointer pushl %ebp sets the new frame pointer movl %esp, %ebp allocate space for local subl $12, %esp variables Procedure prologue Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  13. Function Initialization: Stacks Before After esp buffer ebp old ebp esp ret ret 1 1 2 2 stack frame stack frame for main for main ebp Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  14. Function Return return; restores the old stack pointer movl %ebp, %esp restores the old frame pointer popl %ebp gets the return address, and ret jumps to it Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  15. Function Return: Stacks Before After esp buffer buffer ebp old ebp old ebp esp ret ret 1 1 2 2 stack frame stack frame for main for main ebp Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  16. Return to Calling Function In main again – following return… pushl $2 pushl $1 call function restores the stack pointer addl $8, %esp Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  17. Return to Calling Function: Stacks Before After buffer buffer old ebp old ebp esp ret ret 1 1 2 2 esp stack frame stack frame for main for main ebp ebp Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  18. A Running Example void function(int a, int b) { char buffer[12]; esp gets(buffer); return; buffer } ebp old ebp ret void main() { 1 int x; 2 x = 0; stack frame function(1,2); x = 1; for main printf("%d\n",x); } Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  19. Overwriting the Return Address esp void function(int a, int b) { buffer char buffer[12]; ebp gets(buffer); old ebp ret int* ret = (int *)buffer+?; 1 2 *ret = ?; stack frame return; for main } Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  20. Overwriting the Return Address void function(int a, int b) { char buffer[12]; gets(buffer); int* ret = (int *) buffer+16; *ret = *ret + 10; // addl and store constant 1 return; The output will be 0 } void main() { int x; x = 0; the original return address function(1,2); x = 1; the new return address printf("%d\n",x); } Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  21. Previous Attack • Not very realistic Attackers are usually not allowed to modify code ‣ Threat model: the only thing they can affect is the input ‣ Can they still carry out similar attacks? ‣ YES, because of possible buffer overflows • Systems and Internet Infrastructure Security (SIIS) Laboratory Page 21

  22. Bu ff er Overflows • A buffer overflow occurs when data is written outside of the boundaries of the memory allocated to a particular data structure (buffer) • Happens when buffer boundaries are neglected and unchecked • Can be exploited to modify memory after buffer Stack: return address, local variables, function pointers, ‣ etc. Heap: data structures and metadata (next time) ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 22

  23. Smashing the Stack • Occurs when a buffer overflow overwrites other data in the program stack • Successful exploits can overwrite the return address on the stack enabling the execution of arbitrary code on the targeted machine • What happens if we input a large string? ./example • ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff ‣ • Segmentation fault – why is that? Systems and Internet Infrastructure Security (SIIS) Laboratory Page 23

  24. What Happened? The Stack is Smashed void function(int a, int b) { char buffer[12]; gets(buffer); f buffer return; ⁞ } old ebp f ret f 1 2 If the input is large, then gets(buffer) will write outside the bound of buffer, stack frame and the return address is overwritten for main – with “ffff” (in ASCII), which likely is not a legal code address – seg fault 24 Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  25. Figure Out A Nasty Input void function (int a, int b) { char buffer[12]; gets(buffer); return; } ret 1 void main() { 2 int x; stack frame x = 0; for main function(1,2); x = 1; A nasty input puts the return printf("%d\n",x); address after x=1. } Arc injection 25 Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  26. Injecting Code void function (int a, int b) { Injected char buffer[12]; gets(buffer); code return; } ret 1 void main() { 2 int x; stack frame x = 0; for main function(1,2); x = 1; The injected code can do anything. printf("%d\n",x); E.g., download and install a worm } 26 Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  27. Code Injection • Attacker creates a malicious argument—a specially crafted string that contains a pointer to malicious code provided by the attacker • When the function returns, control is transferred to the malicious code Injected code runs with the permission of the ‣ vulnerable program when the function returns. Programs running as root or other elevated ‣ privileges are normally targeted Programs with the setuid bit on • 27 Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Recommend

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Last time We finished up By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow defenses (and workarounds) Format string vulnerabilities Integer overflow vulnerabilities This time

1.29k views • 80 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow

Last time We continued By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow attacks & other vulnerabilities Overflow defenses Everything youve always wanted to know about

2.41k views • 197 slides
Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Last time We continued By launching our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow fundamentals This time We will finish up By looking at Buffer Overflow overflows

1.33k views • 103 slides
More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester

More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester

More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester Rebeiro Indian Institute of Technology Madras Buffer Overreads 2 Buffer Overread Example 3 Buffer Overread Example len read from command line

906 views • 76 slides
CMPSC 497 More on Overflow Vulnerabilities Trent Jaeger Systems and Internet Infrastructure

CMPSC 497 More on Overflow Vulnerabilities Trent Jaeger Systems and Internet Infrastructure

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 More on Overflow Vulnerabilities Trent Jaeger

634 views • 45 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

This time We will continue By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything youve always wanted to know about gdb but were too afraid to ask Overflow defenses Other memory

1.49k views • 117 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

This time We will continue By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything youve always wanted to know about gdb but were too afraid to ask Overflow defenses Other memory

1.23k views • 95 slides
Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Integer Overflow Vulnerabilities * slides adapted from those by Seacord 3 Integer Overflows An integer overflow occurs

639 views • 52 slides
Buffer Overflow Vulnerabilities Exploits and Defensive Techniques Adam Butcher and Peter

Buffer Overflow Vulnerabilities Exploits and Defensive Techniques Adam Butcher and Peter

Buffer Overflow Vulnerabilities Exploits and Defensive Techniques Adam Butcher and Peter Buchlovsky 8. March 2004 University of Birmingham 1 Contents 1. Call-stacks, shellcode, gets 2. Exploits stack-based, heap-based 3. Defensive

1.56k views • 123 slides
Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by

Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by

Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by the Morris Worm in 1988 Prevention techniques known NX bit, stack canaries, ASLR Still of major concern Recent examples:

354 views • 21 slides
Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed

Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed

1 Buffer Overflows with Content 2 A Process Stack Buffer Overflow Common Techniques employed in buffer overflow exploits to create backdoors Execution of additional network services via the INETD daemon The addition of new users

497 views • 30 slides
Buffer Overflow CS461/ECE422 Spring 2012 Reading Material

Buffer Overflow CS461/ECE422 Spring 2012 Reading Material

Buffer Overflow CS461/ECE422 Spring 2012 Reading Material Based on Chapter 11 of the text Outline Buffer Overflow Stack Buffer Overflow Shell

783 views • 28 slides
Buffer Software Security overflows and other memory safety vulnerabilities History

Buffer Software Security overflows and other memory safety vulnerabilities History

This time We will begin By investigating our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Analyzing security Security

1.41k views • 107 slides
History of the Stack Overflow Buffer Overflow Understood

History of the Stack Overflow Buffer Overflow Understood

History of the Stack Overflow Buffer Overflow Understood as early as 1972 Computer Security Technology Planning Study Morris Worm First

1.07k views • 42 slides
CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking

CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking

CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking & Loading, continued Buffer Overflow Read: CSAPP2: section 3.12: out-of-bounds memory references & buffer overflow K&R:

775 views • 43 slides
Buffer Software Security overflows and other memory safety vulnerabilities History

Buffer Software Security overflows and other memory safety vulnerabilities History

This time We will begin By investigating our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Software security Security is a form

2.11k views • 190 slides
IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A

IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A

IT 4500 : Information Security Secure Programming Dr Joe Francom Buffer Overflow What it is? A buffer overflow occurs when a program or process tries to store more data in a buffer (temporary data storage area) than it was intended to hold.

221 views • 3 slides
Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a

Buffer Overflows and Defenses CS 419: Computer Security Lecture 10 and 11 Buffer Overflow a very common attack mechanism from 1988 Morris Worm to Code Red, Slammer, Sasser and many others prevention techniques known still of major concern

873 views • 53 slides
Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * some slides adapted from those by Trent Jaeger Overflow Vulnerabilities Despite

901 views • 46 slides
Buffer Overflow EXAMPLE CASE STUDY WALKTHROUGH PADRAIGNIX 12/09/2019 Agenda ELF file format

Buffer Overflow EXAMPLE CASE STUDY WALKTHROUGH PADRAIGNIX 12/09/2019 Agenda ELF file format

Buffer Overflow EXAMPLE CASE STUDY WALKTHROUGH PADRAIGNIX 12/09/2019 Agenda ELF file format layout Buffer Overflow theory Example code Initial Investigation / Assembly Registers Tooling Fuzzing Shellcode /

700 views • 16 slides
VOTD: Buffer Overflow Engineering Secure Software Last Revised: August 17, 2020 SWEN-331:

VOTD: Buffer Overflow Engineering Secure Software Last Revised: August 17, 2020 SWEN-331:

VOTD: Buffer Overflow Engineering Secure Software Last Revised: August 17, 2020 SWEN-331: Engineering Secure Software Benjamin S Meyers 1 What is Buffer Overflow? Writing data outside of the intended buffer (memory space) SWEN-331:

298 views • 6 slides
Delta Pointers: Buffer Overflow Checks Without the Checks Tadde us Kroes & Koen Koning

Delta Pointers: Buffer Overflow Checks Without the Checks Tadde us Kroes & Koen Koning

Delta Pointers: Buffer Overflow Checks Without the Checks Tadde us Kroes & Koen Koning Erik van der Kouwe Herbert Bos Cristiano Giuffrida June 19, 2018 Preview buffer[10] secret 2 Preview buffer[10] secret buffer[5] 2 Preview

934 views • 74 slides
Software Vulnerability I Presenter: Yinzhi Cao Lehigh University Overview Buffer Overflow

Software Vulnerability I Presenter: Yinzhi Cao Lehigh University Overview Buffer Overflow

CSE350/450 Lehigh University Fall 2016 Software Vulnerability I Presenter: Yinzhi Cao Lehigh University Overview Buffer Overflow Shellcode Heap Overflow Format Strings Return-oriented Programming Metasploit 101 Anatomy of the Stack

1.83k views • 124 slides
------------ GOOD LUCK ON THE EXAM ----------------- 1) In Buffer Overflow exploit, which of the

------------ GOOD LUCK ON THE EXAM ----------------- 1) In Buffer Overflow exploit, which of the

------------ GOOD LUCK ON THE EXAM ----------------- 1) In Buffer Overflow exploit, which of the following registers gets overwritten with return address of the exploit code? A. EIP B. ESP C. EAP D. EEP Ans: A 2)Which type of scan does not

431 views • 18 slides

More recommend