cmpsc 497 more on overflow vulnerabilities
play

CMPSC 497 More on Overflow Vulnerabilities Trent Jaeger Systems - PowerPoint PPT Presentation

Oct 01, 2022 •176 likes •634 views

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 More on Overflow Vulnerabilities Trent Jaeger

  1. Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 � More on Overflow Vulnerabilities Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1

  2. Overflow Vulnerabilities • Despite knowledge of buffer overflows for over 40 years, they have not been eliminated • This is partly due to the wide variety of exploit options • Variety of targets: can exploit more than return addresses – any code addresses or data • Variety of uses: can exploit on read and write • Variety of exploits: can inject or reuse code • Variety of workarounds: current defenses are incomplete Systems and Internet Infrastructure Security (SIIS) Laboratory Page 2

  3. Available Defenses • Available defenses do not prevent all options Stackguard: A canary before return address on stack ‣ DEP or W xor X: Stack memory is not executable ‣ • This combination of defenses prevents the classic buffer overflow attack, but there are many options • Plus, both defenses may be disabled by other attacks Systems and Internet Infrastructure Security (SIIS) Laboratory Page 3

  4. StackGuard Limitations • Obvious limitation: only protects the return address What about other local variables? ‣ int authenticated = 0; char packet[1000]; while (!authenticated) { PacketRead(packet); if (Authenticate(packet)) authenticated = 1; } if (authenticated) ProcessPacket(packet); Systems and Internet Infrastructure Security (SIIS) Laboratory Page 4

  5. Function Initialization: Stacks • Packet overflows overwrite the authenticated value packet authenticated old ebp CANARY ret stack frame Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  6. StackGuard Limitations • Obvious limitation: only protects the return address What is the exploit? ‣ int authenticated = 0; char packet[1000]; while (!authenticated) { PacketRead(packet); if (Authenticate(packet)) authenticated = 1; } if (authenticated) ProcessPacket(packet); Systems and Internet Infrastructure Security (SIIS) Laboratory Page 6

  7. StackGuard Limitations • Obvious limitation: only protects the return address What about other local variables? ‣ Of course, there are also other data on the stack that ‣ may also require protection Code addresses – function pointers • Data that impacts control flow – as in example • Data that may impact operation of program • • Any ways to address this limitation? Systems and Internet Infrastructure Security (SIIS) Laboratory Page 7

  8. StackGuard Limitations • Big limitation: Disclosure attacks By performing a buffer “overread” ‣ Example is the famous Heartbleed attack against SSL ‣ Why is this a problem for Stackguard canaries? ‣ char packet[10]; … // suppose len is adversary controlled strncpy(buf, packet, len); send(fd, buf, len2); Systems and Internet Infrastructure Security (SIIS) Laboratory Page 8

  9. StackGuard Limitations • Big limitation: Disclosure attacks By performing a buffer “overread” ‣ Example is the famous Heartbleed ‣ attack against SSL Why is this a problem for Stackguard? ‣ packet old ebp char packet[10]; canary … ret addr // suppose len is adversary controlled arg strncpy(buf, packet, len); previous send(fd, buf, len); stack frame Systems and Internet Infrastructure Security (SIIS) Laboratory Page 9

  10. StackGuard Limitations • Big limitation: disclosure attacks By performing a buffer “overread” ‣ One may extract the canary values by reading beyond ‣ the end of stack buffers Which would enable the adversary to learn the ‣ (supposedly secret) canary value How would you exploit this? ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 10

  11. DEP Limitations • Big limitation: code injection is not necessary to construct adversary-controlled exploit code Code reuse attacks ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 11

  12. Vs. Injecting Shell Code • Remember this exploit execve • The adversary’s goal is (“/bin/sh”) to get execve to run to generate a command ret shell 1 • To do this the adversary 2 uses execve from libc – i.e., reuses code that is stack frame already there for main 12 Systems and Internet Infrastructure Security (SIIS) Laboratory Page

  13. Code Reuse • How can we invoke execve without code injection? Systems and Internet Infrastructure Security (SIIS) Laboratory Page 13

  14. Code Reuse • How can we invoke execve without code injection? Call execve directly from return value ‣ • The difference is subtle, but significant In the original exploit, we wrote the address of execve ‣ into buffer on the stack and modified return address to start executing at buffer I.e., we are executing in the stack memory region • Instead, we can modify the return address to point to ‣ execve directly, so we continue to execute code Reusing available code to do what the adversary wants • Systems and Internet Infrastructure Security (SIIS) Laboratory Page 14

  15. Code Reuse • How can we invoke execve without code injection? Use the code directly ‣ • The difference is subtle, but significant execve buffer (“/bin/sh”) ret execve 1 “/bin/sh” 2 2 stack frame stack frame for main for main Systems and Internet Infrastructure Security (SIIS) Laboratory Page 15

  16. Code Reuse • How would we use code reuse to disable DEP? • Goal is to allow execution of stack memory Systems and Internet Infrastructure Security (SIIS) Laboratory Page 16

  17. Code Reuse • How would we use code reuse to disable DEP? • Goal is to allow execution of stack memory There’s a system call for that ‣ int mprotect(void *addr, size_t len, int prot); Sets protection for region of memory starting at address ‣ Invoke this system call to allow execution on stack and ‣ then start executing from the injected code Systems and Internet Infrastructure Security (SIIS) Laboratory Page 17

  18. Heap Overflows • Another region of memory that may be vulnerable to overflows is heap memory A buffer overflow of a buffer allocated on the heap is ‣ called a heap overflow int authenticated = 0; char *packet = (char *)malloc(1000); while (!authenticated) { PacketRead(packet); if (Authenticate(packet)) authenticated = 1; } if (authenticated) ProcessPacket(packet); Systems and Internet Infrastructure Security (SIIS) Laboratory Page 18

  19. Heap Overflows Morris Worm • Robert Morris, a 23 doctoral student from Cornell Overflows on heap also possible • Wrote a small (99 line) program ‣ char *packet = malloc(1000) ptr[1000] = ‘M’; Launched on November 3, 1988 ‣ “Classical” heap overflow • Simply disabled the Internet ‣ corrupts metadata • Used a buffer overflow in a program called fingerd Heap metadata maintains chunk ‣ size, previous and next pointers, ... To get adversary-controlled code running ‣ • Heap metadata is inline with • Then spread to other hosts – cracked passwords heap data and leverage open LAN configurations And waits for heap management ‣ functions ( malloc, free ) to • Covered its tracks (set is own process name to sh, write corrupted metadata to target locations prevented accurate cores, re-forked itself) � X Systems and Internet Infrastructure Security (SIIS) Laboratory CSE543 - Introduction to Computer and Network Security Page 19 Page

  20. Heap Overflows Process Address Space • Heap allocators maintain a doubly-linked list of allocated and free chunks higher • Text: static code • malloc () and free () modify this list memory Stack • Data: also called heap address static variables ‣ Data dynamically allocated data ‣ (malloc, new) lower Text • Stack: program memory execution stacks address http://www.sans.edu/student-files/presentations/heap_overflows_notes.pdf • � X Systems and Internet Infrastructure Security (SIIS) Laboratory CSE543 - Introduction to Computer and Network Security Page Page

  21. Heap Overflows Program Stack • free() removes a chunk from allocated list chunk2-> bk->fd = chunk2-> fd chunk2->bk->fd = chunk2->fd • For implementing procedure calls and returns chunk2-> fd->bk = chunk2-> bk chunk2->fd->bk = chunk2->bk • Keep track of program execution and state by • By overflowing chunk2, attacker controls bk and fd storing ‣ Controls both where and what data is written! Arbitrarily change memory (e.g., function pointers) • local variables ‣ arguments to the called procedure (callee) ‣ return address of the calling procedure (caller) ‣ ... ‣ � X Systems and Internet Infrastructure Security (SIIS) Laboratory CSE543 - Introduction to Computer and Network Security Page Page

  22. Heap Overflows Program Stack • By overflowing chunk2, attacker controls bk and fd Controls both where and what data is written! ‣ Assign chunk2->fd to value to want to write • Assign chunk2->bk to address X (where you want to write) • Less an offset of the fd field in the structure • • Free() removes a chunk from allocated list chunk2-> bk->fd = chunk2-> fd chunk2-> fd->bk = chunk2-> bk • What’s the result? *Slide by Robert Seacord � X Systems and Internet Infrastructure Security (SIIS) Laboratory CSE543 - Introduction to Computer and Network Security Page Page

Recommend

CMPSC 497 Buffer Overflow Vulnerabilities Trent Jaeger Systems and Internet Infrastructure

CMPSC 497 Buffer Overflow Vulnerabilities Trent Jaeger Systems and Internet Infrastructure

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Buffer Overflow Vulnerabilities Trent Jaeger

739 views • 38 slides
Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Integer Overflow Vulnerabilities * slides adapted from those by Seacord 3 Integer Overflows An integer overflow occurs

639 views • 52 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Last time We finished up By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow defenses (and workarounds) Format string vulnerabilities Integer overflow vulnerabilities This time

1.29k views • 80 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow

Last time We continued By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow attacks & other vulnerabilities Overflow defenses Everything youve always wanted to know about

2.41k views • 197 slides
Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * some slides adapted from those by Trent Jaeger Overflow Vulnerabilities Despite

901 views • 46 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

This time We will continue By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything youve always wanted to know about gdb but were too afraid to ask Overflow defenses Other memory

1.49k views • 117 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

This time We will continue By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything youve always wanted to know about gdb but were too afraid to ask Overflow defenses Other memory

1.23k views • 95 slides
CMPSC 497 Other Memory Vulnerabilities Trent Jaeger Systems and Internet Infrastructure

CMPSC 497 Other Memory Vulnerabilities Trent Jaeger Systems and Internet Infrastructure

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Other Memory Vulnerabilities Trent Jaeger

827 views • 44 slides
Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow

Last time We continued By launching our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities Buffer overflow fundamentals This time We will finish up By looking at Buffer Overflow overflows

1.33k views • 103 slides
Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Some Terminology Software error A programming mistake that make the software not meet its expectation Software

726 views • 59 slides
Buffer Overflow Vulnerabilities Exploits and Defensive Techniques Adam Butcher and Peter

Buffer Overflow Vulnerabilities Exploits and Defensive Techniques Adam Butcher and Peter

Buffer Overflow Vulnerabilities Exploits and Defensive Techniques Adam Butcher and Peter Buchlovsky 8. March 2004 University of Birmingham 1 Contents 1. Call-stacks, shellcode, gets 2. Exploits stack-based, heap-based 3. Defensive

1.56k views • 123 slides
More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester

More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester

More Vulnerabilities (buffer overreads, format string, integer overflow, heap overflows) Chester Rebeiro Indian Institute of Technology Madras Buffer Overreads 2 Buffer Overread Example 3 Buffer Overread Example len read from command line

906 views • 76 slides
Testing and Fuzzing Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security *

Testing and Fuzzing Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security *

Testing and Fuzzing Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * Some slides adapted from those by Trent Jaeger Our Goal Develop techniques to detect vulnerabilities automatically before they are exploited

1.17k views • 61 slides
Re-arquitetando o Re-arquitetando o Stack Overflow Stack Overflow ou como construmos o Stack

Re-arquitetando o Re-arquitetando o Stack Overflow Stack Overflow ou como construmos o Stack

Re-arquitetando o Re-arquitetando o Stack Overflow Stack Overflow ou como construmos o Stack Overflow for Teams Roberta Arcoverde 1 /whois /whois recifense programadora h 15 anos principal software developer na stack overflow

711 views • 52 slides
History of the Stack Overflow Buffer Overflow Understood

History of the Stack Overflow Buffer Overflow Understood

History of the Stack Overflow Buffer Overflow Understood as early as 1972 Computer Security Technology Planning Study Morris Worm First

1.07k views • 42 slides
Evolution of Stack Overflow Discussions Using Sentimental Analysis on Comments in Stack Overflow

Evolution of Stack Overflow Discussions Using Sentimental Analysis on Comments in Stack Overflow

Evolution of Stack Overflow Discussions Using Sentimental Analysis on Comments in Stack Overflow Posts Presented by Norbert Eke and Saraj Manes Motivation SOTorrent 2018 : Reconstructing and Analyzing the Evolution of Stack Overflow

547 views • 17 slides
Kindergarten students to another location). Overflow does become an added cost to the district

Kindergarten students to another location). Overflow does become an added cost to the district

Fishkill ES can continue to function/operate as is and overflow students to another school when reaching capacity. (Please note since we moved into a K-6 configuration and reduced class sizes, we have yet had to overflow Fishkill ES

172 views • 4 slides
Buffer Software Security overflows and other memory safety vulnerabilities History

Buffer Software Security overflows and other memory safety vulnerabilities History

This time We will begin By investigating our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Analyzing security Security

1.41k views • 107 slides
Buffer Software Security overflows and other memory safety vulnerabilities History

Buffer Software Security overflows and other memory safety vulnerabilities History

This time We will begin By investigating our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Software security Security is a form

2.11k views • 190 slides
Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by

Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by

Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by the Morris Worm in 1988 Prevention techniques known NX bit, stack canaries, ASLR Still of major concern Recent examples:

354 views • 21 slides
Overflow Handling Linear Probing Get And Put An overflow occurs when the home bucket for

Overflow Handling Linear Probing Get And Put An overflow occurs when the home bucket for

Overflow Handling Linear Probing Get And Put An overflow occurs when the home bucket for a divisor = b (number of buckets) = 17. new pair (key, element) is full. Home bucket = key % 17. We may handle overflows by:

242 views • 3 slides
Overflow Handling Linear Probing Get And Put An overflow occurs when the home bucket for

Overflow Handling Linear Probing Get And Put An overflow occurs when the home bucket for

Overflow Handling Linear Probing Get And Put An overflow occurs when the home bucket for a divisor = b (number of buckets) = 17. new pair (key, element) is full. Home bucket = key % 17. We may handle overflows by:

374 views • 4 slides
Overflow in addition and subtraction can happen if?? ta7 What can

Overflow in addition and subtraction can happen if?? ta7 What can

Overflows Overflow in addition and subtraction can happen if?? ta7 What can we do if there is an overflow?? Spring 2006 MIPS support two kinds of arithmetic operations in order to support the two choices

50 views • 4 slides
CMPSC 311- Introduction to Systems Programming Module: Studying Professor Patrick McDaniel Fall

CMPSC 311- Introduction to Systems Programming Module: Studying Professor Patrick McDaniel Fall

CMPSC 311- Introduction to Systems Programming Module: Studying Professor Patrick McDaniel Fall 2014 CMPSC 311 - Introduction to Systems Programming Oops . Easy C class implementation CMPSC 311 - Introduction to Systems Programming Page

441 views • 19 slides

More recommend