cmpsc 497 other memory vulnerabilities
play

CMPSC 497 Other Memory Vulnerabilities Trent Jaeger Systems and - PowerPoint PPT Presentation

Oct 30, 2023 •374 likes •827 views

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Other Memory Vulnerabilities Trent Jaeger

  1. Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 � Other Memory � Vulnerabilities Trent Jaeger Systems and Internet Infrastructure Security (SIIS) Lab Computer Science and Engineering Department Pennsylvania State University Systems and Internet Infrastructure Security (SIIS) Laboratory Page 1

  2. Memory Error • A memory error allows a program statement to access memory beyond that allocated for the variables processed in the statement • Common case: Buffer overflow • But, there are other ways to exploit memory errors to access unauthorized memory No need to overflow a buffer ‣ • Two examples Use-after-free ‣ Type confusion ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 2

  3. Use After Free • Flaw: Program frees data on the heap, but then references that memory as if it were still valid • Accessible: Adversary can control data written using the freed pointer • Exploit: Another “write-what-where” vulnerability Systems and Internet Infrastructure Security (SIIS) Laboratory Page 3

  4. Use After Free • What happens here? int main(int argc, char **argv) { char *buf1R1; char *buf2R1; char *buf2R2; char *buf3R2; buf1R1 = (char *) malloc(BUFSIZER1); buf2R1 = (char *) malloc(BUFSIZER1); free(buf2R1); buf2R2 = (char *) malloc(BUFSIZER2); buf3R2 = (char *) malloc(BUFSIZER2); strncpy(buf2R1, argv[1], BUFSIZER1-1); free(buf1R1); free(buf2R2); free(buf3R2); } Systems and Internet Infrastructure Security (SIIS) Laboratory Page 4

  5. Use After Free • When the second R1 buffer (buf2R1) is freed that memory is available for reuse right away buf1R1 = (char *) malloc(BUFSIZER1); buf2R1 = (char *) malloc(BUFSIZER1); free(buf2R1); • Then, the R2 buffers are allocated within that memory region (buf2R1s) buf2R2 = (char *) malloc(BUFSIZER2); buf3R2 = (char *) malloc(BUFSIZER2); • Finally, the write using the freed pointer will overwrite the R2 buffers (and metadata between) strncpy(buf2R1, argv[1], BUFSIZER1-1); Systems and Internet Infrastructure Security (SIIS) Laboratory Page 5

  6. Use After Free • Most effective attacks exploit data of another type struct A { void (*fnptr)(char *arg); char buffer[40]; }; struct B { int B1; int B2; char info[32]; }; Systems and Internet Infrastructure Security (SIIS) Laboratory Page 6

  7. Use After Free • Free A, and allocate B does what? struct A { x = (struct A *)malloc(sizeof(struct A)); void (*fnptr)(char *arg); free(x); char buffer[40]; y = (struct B *)malloc(sizeof(struct B)); }; struct B { int B1; int B2; char info[32]; }; Systems and Internet Infrastructure Security (SIIS) Laboratory Page 7

  8. Use After Free • How do you think you exploit this? struct A { x = (struct A *)malloc(sizeof(struct A)); void (*fnptr)(char *arg); free(x); char buffer[40]; y = (struct B *)malloc(sizeof(struct B)); }; struct B { int B1; int B2; char info[32]; }; Systems and Internet Infrastructure Security (SIIS) Laboratory Page 8

  9. Use After Free • How do you think you exploit this? struct A { x = (struct A *)malloc(sizeof(struct A)); void (*fnptr)(char *arg); free(x); char buffer[40]; y = (struct B *)malloc(sizeof(struct B)); }; y->B1 = 0xDEADBEEF; x->fnptr(buf); struct B { int B1; int B2; char info[32]; }; Systems and Internet Infrastructure Security (SIIS) Laboratory Page 9

  10. Use After Free • Adversary chooses function pointer value • Adversary may also choose address for buf • To implement a write-what-where struct A { x = (struct A *)malloc(sizeof(struct A)); void (*fnptr)(char *arg); free(x); char buffer[40]; y = (struct B *)malloc(sizeof(struct B)); }; y->B1 = 0xDEADBEEF; x->fnptr(buf); struct B { int B1; int B2; char info[32]; }; Systems and Internet Infrastructure Security (SIIS) Laboratory Page 10

  11. Use After Free • Flaw: program frees data on the heap, but then references that memory as if it were still valid • Accessible: Adversary can control data written using the freed pointer • Exploit: Another “write-what-where” vulnerability • Become a popular vulnerability to exploit – over 60% of CVEs http://blog.tempest.com.br/breno-cunha/perspectives- ‣ on-exploit-development-and-cyber-attacks.html Systems and Internet Infrastructure Security (SIIS) Laboratory Page 11

  12. Prevent Use After Free • Difficult to detect because these often occur in complex runtime states Allocate in one function ‣ Free in another function ‣ Use in a third function ‣ Are all uses accessing a valid (not freed) reference? • In all possible runtime states • • It is not fun to check source code for all possible pointers Systems and Internet Infrastructure Security (SIIS) Laboratory Page 12

  13. Prevent Use After Free • What can you do that is not too complex? Systems and Internet Infrastructure Security (SIIS) Laboratory Page 13

  14. Prevent Use After Free • What can you do that is not too complex? You can set all freed pointers to NULL ‣ Then, no one can use them after they are freed ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 14

  15. Related Problem: Double Free • What is going on here? main(int argc, char **argv) { … buf1R1 = (char *) malloc(BUFSIZE2); buf2R1 = (char *) malloc(BUFSIZE2); free(buf1R1); free(buf2R1); buf1R2 = (char *) malloc(BUFSIZE1); strncpy(buf1R2, argv[1], BUFSIZE1-1); free(buf2R1); free(buf1R2); } Systems and Internet Infrastructure Security (SIIS) Laboratory Page 15

  16. Double Free • Free the R1 buffers free(buf1R1); free(buf2R1); • Allocate a new buffer R2 and supply data buf1R2 = (char *) malloc(BUFSIZE1); strncpy(buf1R2, argv[1], BUFSIZE1-1); • Free the R1 again, which uses R2 data as metadata free(buf2R1); • Then, free R2 which uses really messed up metadata enabling a write-what-where attack (like heap overflow) free(buf1R2); Systems and Internet Infrastructure Security (SIIS) Laboratory Page 16

  17. Double Free • So, “double free” achieves the same effect as the heap overflow vulnerabilities So, can be addressed in the same way ‣ But, you can also save yourself some headache by setting ‣ freed pointers to NULL But, we are only still talking about this • https://wiki.sei.cmu.edu/confluence/pages/viewpage.action? • pageId=87152148 Hopefully, will be part of systems in the near future, but ‣ people don’t like to tinker with the C language spec Systems and Internet Infrastructure Security (SIIS) Laboratory Page 17

  18. Type Confusion • Cause the program to process data of one type when it expects data of another type Provides same affect as we did with use-after-free ‣ But, without the “free” – just need an ambiguous “use” ‣ Systems and Internet Infrastructure Security (SIIS) Laboratory Page 18

  19. Type Confusion • Cause the program to process data of one type when it expects data of another type Provides same affect as we did with use-after-free ‣ But, without the “free” – just need an ambiguous “use” ‣ Where’s the error below? • class Ancestor { int x; } class Descendent : Ancestor { int y; } Ancestor *A = new A; Descendant *D = static cast <Ancestor *> A; D->y = 7; HexType – Jeon et al. ACM CCS 2017 Systems and Internet Infrastructure Security (SIIS) Laboratory Page 19

  20. Type Confusion • Cause the program to process data of one type when it expects data of another type Provides same affect as we did with use-after-free ‣ But, without the “free” – just need an ambiguous “use” ‣ Where’s the error below? • class Ancestor { int x; } class Descendent : Ancestor { int y; } Ancestor *A = new A; Descendant *D = static cast <Ancestor *> A; D->y = 7; // not part of memory referenced by D cast from A HexType – Jeon et al. ACM CCS 2017 Systems and Internet Infrastructure Security (SIIS) Laboratory Page 20

  21. Type Hierarchies • C++ allows you to construct type hierarchies Upcast Downcast HexType – Jeon et al. ACM CCS 2017 Systems and Internet Infrastructure Security (SIIS) Laboratory Page 21

  22. Type Hierarchies • C++ allows you to construct type hierarchies Which type of cast is safe and why? ‣ Upcast Downcast HexType – Jeon et al. ACM CCS 2017 Systems and Internet Infrastructure Security (SIIS) Laboratory Page 22

  23. Type Confusion Safety • Upcasts are always safe because they only reduce the type structure That is, subtypes extend the structure definitions only ‣ • Thus, downcasts (as in the example) and arbitrary casts (that do not follow the hierarchy) are unsafe However, programming environments trust ‣ programmers to do the right thing Systems and Internet Infrastructure Security (SIIS) Laboratory Page 23

  24. Type Confusion (Flash) • Flash is notorious for type confusion vulnerabilities • From reading https://googleprojectzero.blogspot.com/2015/07/one- ‣ perfect-bug-exploiting-type_20.html var filter = new flash.filters.BlurFilter(); object.filters = [filter]; flash.filters.BlurFilter = flash.filters.ConvolutionFilter; var f = object.filters; var d = f[0]; Systems and Internet Infrastructure Security (SIIS) Laboratory Page 24

Recommend

Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part II Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Integer Overflow Vulnerabilities * slides adapted from those by Seacord 3 Integer Overflows An integer overflow occurs

639 views • 52 slides
Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University Spring 2019 CMPSC

Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security Some Terminology Software error A programming mistake that make the software not meet its expectation Software

726 views • 59 slides
Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State

Defending against Memory Corruption Vulnerabilities and Advanced Attacks Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * some slides adapted from those by Trent Jaeger Overflow Vulnerabilities Despite

901 views • 46 slides
NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2

NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2

1 NECESSARY BACKGROUND ON MEMORY EXPLOITS AND WEB APPLICATION VULNERABILITIES Outline 2 Memory safety attacks Buffer overruns Format string vulnerabilities Web application vulnerabilities SQL injections Cross-site

901 views • 39 slides
CMPSC 497 More on Overflow Vulnerabilities Trent Jaeger Systems and Internet Infrastructure

CMPSC 497 More on Overflow Vulnerabilities Trent Jaeger Systems and Internet Infrastructure

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 More on Overflow Vulnerabilities Trent Jaeger

634 views • 45 slides
CMPSC 497 Buffer Overflow Vulnerabilities Trent Jaeger Systems and Internet Infrastructure

CMPSC 497 Buffer Overflow Vulnerabilities Trent Jaeger Systems and Internet Infrastructure

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA CMPSC 497 Buffer Overflow Vulnerabilities Trent Jaeger

739 views • 38 slides
Operating Systems Operating Systems CMPSC 473 CMPSC 473 Virtual Memory Virtual Memory March

Operating Systems Operating Systems CMPSC 473 CMPSC 473 Virtual Memory Virtual Memory March

Operating Systems Operating Systems CMPSC 473 CMPSC 473 Virtual Memory Virtual Memory March 18, 2008 - Lecture 16 16 March 18, 2008 - Lecture Instructor: Trent Jaeger Instructor: Trent Jaeger Last class: Paging Today:

672 views • 39 slides
Operating Systems Operating Systems CMPSC 473 CMPSC 473 Memory Management Memory Management

Operating Systems Operating Systems CMPSC 473 CMPSC 473 Memory Management Memory Management

Operating Systems Operating Systems CMPSC 473 CMPSC 473 Memory Management Memory Management March 4, 2008 - Lecture 14 14 March 4, 2008 - Lecture Instructor: Trent Jaeger Instructor: Trent Jaeger Last class: Deadlocks

562 views • 33 slides
Outline Vulnerabilities in OS interaction Low-level view of memory CSci 5271 Introduction to

Outline Vulnerabilities in OS interaction Low-level view of memory CSci 5271 Introduction to

Outline Vulnerabilities in OS interaction Low-level view of memory CSci 5271 Introduction to Computer Security Logistics announcements Day 3: Low-level vulnerabilities Basic memory-safety problems Stephen McCamant Where overflows come from

521 views • 9 slides
Outline Vulnerabilities in OS interaction Low-level view of memory CSci 5271 Introduction to

Outline Vulnerabilities in OS interaction Low-level view of memory CSci 5271 Introduction to

Outline Vulnerabilities in OS interaction Low-level view of memory CSci 5271 Introduction to Computer Security Intermission: gdb demo Day 3: Low-level vulnerabilities Basic memory-safety problems Stephen McCamant Where overflows come from

401 views • 8 slides
CMPSC 311- Introduction to Systems Programming Module: Strings Professor Patrick McDaniel Fall

CMPSC 311- Introduction to Systems Programming Module: Strings Professor Patrick McDaniel Fall

CMPSC 311- Introduction to Systems Programming Module: Strings Professor Patrick McDaniel Fall 2016 CMPSC 311 - Introduction to Systems Programming Copying memory memcpy copies one memory region to another Copy from source buffer

501 views • 21 slides
Pr Preve venting exploits against memo memory-co corruption vulnerabilities Chengyu Song

Pr Preve venting exploits against memo memory-co corruption vulnerabilities Chengyu Song

Pr Preve venting exploits against memo memory-co corruption vulnerabilities Chengyu Song Georgia Tech Agenda Memory corruption vulnerability Thesis Statement Approaches SDCG Kenali HDFI Conclusion Memory

737 views • 72 slides
Dangling Pointers Periklis Akritidis --2010 Use-after-free Vulnerabilities Accessing Memory

Dangling Pointers Periklis Akritidis --2010 Use-after-free Vulnerabilities Accessing Memory

Cling: A Memory Allocator to Mitigate Dangling Pointers Periklis Akritidis --2010 Use-after-free Vulnerabilities Accessing Memory Through Dangling Pointers Techniques : Heap Spraying, Feng Shui Manual memory management is error prone

574 views • 35 slides
Exploiting Memory Corruption Vulnerabilities in the Java Runtime Joshua J. Drake Inaugural

Exploiting Memory Corruption Vulnerabilities in the Java Runtime Joshua J. Drake Inaugural

Exploiting Memory Corruption Vulnerabilities in the Java Runtime Joshua J. Drake Inaugural DerbyCon October 2 nd 2011 About the Presenter Joshua J. Drake, aka jduck Employed with Accuvant LABS Research Vulnerabilities &amp;

750 views • 45 slides
Operating Systems Operating Systems CMPSC 473 CMPSC 473 Virtual Memory - Multiprogramming -

Operating Systems Operating Systems CMPSC 473 CMPSC 473 Virtual Memory - Multiprogramming -

Operating Systems Operating Systems CMPSC 473 CMPSC 473 Virtual Memory - Multiprogramming - Multiprogramming Virtual Memory March 25, 2008 - Lecture 17 17 March 25, 2008 - Lecture Instructor: Trent Jaeger Instructor: Trent Jaeger

249 views • 22 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Last time We finished up By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow defenses (and workarounds) Format string vulnerabilities Integer overflow vulnerabilities This time

1.29k views • 80 slides
Buffer Software Security overflows and other memory safety vulnerabilities History

Buffer Software Security overflows and other memory safety vulnerabilities History

This time We will begin By investigating our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Analyzing security Security

1.41k views • 107 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

This time We will continue By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything youve always wanted to know about gdb but were too afraid to ask Overflow defenses Other memory

1.49k views • 117 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything

This time We will continue By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Everything youve always wanted to know about gdb but were too afraid to ask Overflow defenses Other memory

1.23k views • 95 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow

Last time We continued By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow attacks &amp; other vulnerabilities Overflow defenses Everything youve always wanted to know about

2.41k views • 197 slides
Buffer Software Security overflows and other memory safety vulnerabilities History

Buffer Software Security overflows and other memory safety vulnerabilities History

This time We will begin By investigating our 1st section: Buffer Software Security overflows and other memory safety vulnerabilities History Memory layouts Buffer overflow fundamentals Software security Security is a form

2.11k views • 190 slides
Testing and Fuzzing Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security *

Testing and Fuzzing Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security *

Testing and Fuzzing Gang Tan Penn State University Spring 2019 CMPSC 447, Software Security * Some slides adapted from those by Trent Jaeger Our Goal Develop techniques to detect vulnerabilities automatically before they are exploited

1.17k views • 61 slides
Operating Systems Operating Systems CMPSC 473 CMPSC 473 Files Files March 27, 2008 - Lecture

Operating Systems Operating Systems CMPSC 473 CMPSC 473 Files Files March 27, 2008 - Lecture

Operating Systems Operating Systems CMPSC 473 CMPSC 473 Files Files March 27, 2008 - Lecture March 27, 2008 - Lecture 18 18 Instructor: Trent Jaeger Instructor: Trent Jaeger Last class: Virtual Memory Today: Files A

387 views • 35 slides
Operating Systems Operating Systems CMPSC 473 CMPSC 473 Paging Paging March 6, 2008 - Lecture

Operating Systems Operating Systems CMPSC 473 CMPSC 473 Paging Paging March 6, 2008 - Lecture

Operating Systems Operating Systems CMPSC 473 CMPSC 473 Paging Paging March 6, 2008 - Lecture 15 15 March 6, 2008 - Lecture Instructor: Trent Jaeger Instructor: Trent Jaeger Last class: Memory Management Today: Paging

418 views • 31 slides

More recommend