CSci 5271
Introduction to Computer Security
Low-level vulnerabilities and attacks (combined lecture)
Stephen McCamant
University of Minnesota, Computer Science & Engineering

Outline
  - Where overflows come from, cont’d
  - More problems
  - Announcements intermission
  - Classic code injection attacks
  - Shellcode techniques
  - Exploiting other vulnerabilities

Library funcs: dangerous
  - Big three unchecked string functions:
      strcpy(dest, src)
      strcat(dest, src)
      sprintf(buf, fmt, ...)
  - Must know lengths in advance to use safely (complicated for sprintf)
  - Similar pattern in other funcs returning a string

Library funcs: bounded
  - Just add “n”:
      strncpy(dest, src, n)
      strncat(dest, src, n)
      snprintf(buf, size, fmt, ...)
  - Tricky points:
      - Buffer size vs. max characters to write
      - Failing to terminate
      - strncpy zero-fill

More library attempts
  - OpenBSD strlcpy, strlcat
      - Easier to use safely than “n” versions
      - Non-standard, but widely copied
  - Microsoft-pushed strcpy_s, etc.
      - Now standardized in C11, but not in glibc
      - Runtime checks that abort
  - Compute size and use memcpy
  - C++ std::string, glib, etc.

Still a problem: truncation
  - Unexpectedly dropping characters from the end of strings may still be a vulnerability
  - E.g., if attacker pads paths with /////// or /./././.
  - Avoiding length limits is best, if implemented correctly
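The tricky points of the bounded functions listed above, as an added example that is not part of the original slides: strncpy leaving a buffer unterminated, strncpy zero-filling, and a copy that reports truncation instead of silently dropping the tail. The helper names and the padded path are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Copy src into dst (capacity cap). Returns 0 on success, -1 when src
 * does not fit, so the caller can reject the input instead of using a
 * silently truncated string. dst is NUL-terminated whenever cap > 0. */
int copy_checked(char *dst, size_t cap, const char *src)
{
    if (cap == 0)
        return -1;
    /* snprintf takes the buffer size and returns the length it wanted. */
    int need = snprintf(dst, cap, "%s", src);
    if (need < 0 || (size_t)need >= cap)
        return -1;
    return 0;
}

/* strncpy into an 8-byte buffer pre-filled with 'X'. Returns 1 if the
 * buffer holds no terminator afterwards (src had 8 or more chars). */
int strncpy_leaves_unterminated(const char *src)
{
    char buf[8];
    memset(buf, 'X', sizeof buf);
    strncpy(buf, src, sizeof buf);
    return memchr(buf, '\0', sizeof buf) == NULL;
}

/* Counts the NUL bytes strncpy writes for a short source: the whole
 * remainder of the buffer is zero-filled, not just one terminator. */
int strncpy_nul_count(const char *src)
{
    char buf[8];
    int nuls = 0;
    memset(buf, 'X', sizeof buf);
    strncpy(buf, src, sizeof buf);
    for (size_t i = 0; i < sizeof buf; i++)
        nuls += (buf[i] == '\0');
    return nuls;
}

int main(void)
{
    char path[16];
    const char *padded = "/./././././tmp/report.txt";  /* constructed */
    printf("unterminated: %d\n", strncpy_leaves_unterminated("ABCDEFGH"));
    printf("nul bytes:    %d\n", strncpy_nul_count("ab"));
    printf("padded path:  %d\n", copy_checked(path, sizeof path, padded));
    return 0;
}
```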
Off-by-one bugs
  - strlen does not include the terminator
  - Comparison with < vs. <=
  - Length vs. last index
  - x++ vs. ++x

Even more buffer/size mistakes
  - Inconsistent code changes (use sizeof)
  - Misuse of sizeof (e.g., on pointer)
  - Bytes vs. wide chars (UCS-2) vs. multibyte chars (UTF-8)
  - OS length limits (or lack thereof)

Other array problems
  - Missing/wrong bounds check
      - One unsigned comparison suffices
      - Two signed comparisons needed
  - Beware of clever loops
      - Premature optimization

Integer overflow
  - Fixed size result ≠ math result
  - Sum of two positive ints negative or less than addend
  - Also multiplication, left shift, etc.
  - Negation of most-negative value
  - (low + high)/2

Integer overflow example
    int n = read_int();
    obj *p = malloc(n * sizeof(obj));
    for (i = 0; i < n; i++)
        p[i] = read_obj();
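Checked counterparts of the allocation, bounds-check and midpoint patterns on the slides above, as an added example that is not part of the original lecture. The function names are hypothetical, and the count is taken as a long so the wraparound can also be shown on 64-bit systems.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Store a*b in *out and return 0, or return -1 if the mathematical
 * product does not fit in size_t (fixed-size result != math result). */
int mul_size(size_t a, size_t b, size_t *out)
{
    if (b != 0 && a > SIZE_MAX / b)
        return -1;
    *out = a * b;
    return 0;
}

/* Checked form of the slide's malloc(n * sizeof(obj)): a count from
 * input is rejected when it is non-positive or the byte size wraps. */
void *alloc_array(long n, size_t elem_size)
{
    size_t bytes;
    if (n <= 0 || mul_size((size_t)n, elem_size, &bytes) != 0)
        return NULL;
    return malloc(bytes);
}

/* Bounds check with two signed comparisons. */
int index_ok_signed(int i, int len)
{
    return i >= 0 && i < len;
}

/* Same check with one unsigned comparison: a negative i converts to a
 * value above INT_MAX, so it can never be below a non-negative len. */
int index_ok_unsigned(int i, int len)
{
    return (unsigned)i < (unsigned)len;
}

/* Midpoint without the (low + high)/2 overflow; needs 0 <= low <= high. */
int midpoint(int low, int high)
{
    return low + (high - low) / 2;
}

int main(void)
{
    size_t bytes;
    printf("wraps: %d\n", mul_size(SIZE_MAX / 2 + 1, 2, &bytes));
    printf("mid:   %d\n", midpoint(INT_MAX - 1, INT_MAX));
}
```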
Signed and unsigned
  - Unsigned gives more range for, e.g., size_t
  - At machine level, many but not all operations are the same
  - Most important difference: ordering
  - In C, signed overflow is undefined behavior

Mixing integer sizes
  - Complicated rules for implicit conversions
      - Also includes signed vs. unsigned
  - Generally, convert before operation:
      - E.g., 1ULL << 63
  - Sign-extend vs. zero-extend
      - char c = 0xff; (int)c

Null pointers
  - Vanilla null dereference is usually non-exploitable (just a DoS)
  - But not if there could be an offset (e.g., field of struct)
  - And not in the kernel if an untrusted user has allocated the zero page

Undefined behavior
  - C standard “undefined behavior”: anything could happen
  - Can be unexpectedly bad for security
  - Most common problem: compiler optimizes assuming undefined behavior cannot happen

Linux kernel example
    struct sock *sk = tun->sk;
    // ...
    if (!tun)
        return POLLERR;
    // more uses of tun and sk

Format strings
  - printf format strings are a little interpreter
  - printf(fmt) with untrusted fmt lets the attacker program it
  - Allows:
      - Dumping stack contents
      - Denial of service
      - Arbitrary memory modifications!
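How the sign-extension case from the "Mixing integer sizes" slide defeats a length check, next to a hardened parser, as an added example that is not part of the original lecture. The record layout (one length byte followed by the payload) and all function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The slide's (int)c where char is signed: byte 0xff widens to -1.
 * (Conversion to signed char is implementation-defined; mainstream
 * compilers wrap, which is what this example assumes.) */
int widen_signed(unsigned char byte)
{
    return (int)(signed char)byte;
}

/* Flawed length check kept for comparison: a sign-extended 0xff is -1,
 * passes "len > max", then becomes SIZE_MAX as a copy length. Returns
 * 0 if the length is accepted and stores what memcpy would receive. */
int flawed_len_check(unsigned char len_byte, int max, size_t *copy_len)
{
    int len = widen_signed(len_byte);
    if (len > max)
        return -1;
    *copy_len = (size_t)len;
    return 0;
}

/* Hardened parser for a record of one length byte plus payload: the
 * length is zero-extended and checked against both buffers before the
 * copy. Returns the payload length, or -1 if the record is rejected. */
int parse_record(const unsigned char *msg, size_t msg_len,
                 unsigned char *out, size_t cap)
{
    if (msg_len < 1)
        return -1;
    size_t len = msg[0];              /* unsigned char: 0xff -> 255 */
    if (len > cap || len > msg_len - 1)
        return -1;
    memcpy(out, msg + 1, len);
    return (int)len;
}

int main(void)
{
    const unsigned char bad[] = { 0xff, 'a' };   /* constructed record */
    unsigned char out[16];
    size_t n = 0;
    printf("flawed accepts: %d\n", flawed_len_check(bad[0], 16, &n) == 0);
    printf("hardened:       %d\n", parse_record(bad, sizeof bad, out, sizeof out));
    return 0;
}
```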
Project meeting scheduling
  - For pre-proposal due Wednesday night:
  - Will pick a half-hour meeting slot, use for three different meetings
  - List of about 65 slots on the web page
  - Choose ordered list in pre-proposal, length inverse to popularity

HA1 still delayed
  - BCMTA implementation and VM setup still not finished, but close
  - We’ve gotten many group registrations: response will come when the VM is ready
  - Still aiming for a first easy vulnerability this week, but it will not be required

Overwriting the return address

Collateral damage
Collateral damage
  - Stop the program from crashing early
  - ‘Overwrite’ with same value, or another legal one
  - Minimize time between overwrite and use

Other code injection targets
  - Function pointers
      - Local, global, on heap
  - longjmp buffers
  - GOT (PLT) / import tables
  - Exception handlers

Indirect overwrites
  - Change a data pointer used to access a code pointer
  - Easiest if there are few other uses
  - Common examples
      - Frame pointer
      - C++ object vtable pointer

Non-sequential writes
  - E.g. missing bounds check, corrupted pointer
  - Can be more flexible and targeted
      - E.g., a write-what-where primitive
  - More likely needs an absolute location
  - May have less control of value written

Unexpected-size writes
  - Attacks don’t need to obey normal conventions
  - Overwrite one byte within a pointer
  - Use mis-aligned word writes to isolate a byte
Basic definition
  - Shellcode: attacker supplied instructions implementing malicious functionality
  - Name comes from example of starting a shell
  - Often requires attention to machine-language encoding

Classic execve /bin/sh
  - execve(fname, argv, envp) system call
  - Specialized syscall calling conventions
  - Omit unneeded arguments
  - Doable in under 25 bytes for Linux/x86

Avoiding zero bytes
  - Common requirement for shellcode in C string
  - Analogy: broken 0 key on keyboard
  - May occur in other parts of encoding as well

More restrictions
  - No newlines
  - Only printable characters
  - Only alphanumeric characters
  - “English Shellcode” (CCS’09)

Transformations
  - Fold case, escapes, Latin1 to Unicode, etc.
  - Invariant: unchanged by transformation
  - Pre-image: becomes shellcode only after transformation

Multi-stage approach
  - Initially executable portion unpacks rest from another format
  - Improves efficiency in restricted environments
  - But self-modifying code has pitfalls
NOP sleds
  - Goal: make the shellcode an easier target to hit
  - Long sequence of no-op instructions, real shellcode at the end
  - x86: 0x90 0x90 0x90 0x90 0x90 . . . shellcode

Where to put shellcode?
  - In overflowed buffer, if big enough
  - Anywhere else you can get it
      - Nice to have: predictable location
  - Convenient choice of Unix local exploits:

Where to put shellcode?
  - Environment variables

Code reuse
  - If can’t get your own shellcode, use existing code
  - Classic example: system implementation in C library
      - “Return to libc” attack
  - More variations on this later

Non-control data overwrite
  - Overwrite other security-sensitive data
  - No change to program control flow
  - Set user ID to 0, set permissions to all, etc.
Heap meta-data

Heap meta-data
  - Boundary tags similar to doubly-linked list
  - Overwritten on heap overflow
  - Arbitrary write triggered on free
  - Simple version stopped by sanity checks

Use after free
  - Write to new object overwrites old, or vice-versa
  - Key issue is what heap object is reused for
  - Influence by controlling other heap operations

Integer overflows
  - Easiest to use: overflow in small (8-, 16-bit) value, or only overflowed value used
  - 2GB write in 100 byte buffer
      - Find some other way to make it stop
  - Arbitrary single overwrite
      - Use math to figure out overflowing value

Null pointer dereference
  - Add offset to make a predictable pointer
      - On Windows, interesting addresses start low
  - Allocate data on the zero page
      - Most common in user-space to kernel attacks
      - Read more dangerous than a write

Format string attack
  - Attacker-controlled format: little interpreter
  - Step one: add extra integer specifiers, dump stack
      - Already useful for information disclosure
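The kind of sanity check the "Heap meta-data" slide refers to, shown on a toy doubly-linked free list, as an added example that is not part of the original lecture and not any real allocator's code. The struct layout and function names are assumptions, and the corrupted link in main is constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy free-list node; fd/bk stand in for an allocator's boundary-tag
 * links, which sit right next to user data on the heap. */
struct chunk {
    struct chunk *fd;   /* forward link */
    struct chunk *bk;   /* backward link */
};

void list_init(struct chunk *head)
{
    head->fd = head->bk = head;
}

void list_push(struct chunk *head, struct chunk *c)
{
    c->fd = head->fd;
    c->bk = head;
    head->fd->bk = c;
    head->fd = c;
}

/* Unlink p, but only if both neighbours still point back at it. A plain
 * unlink performs the two stores below unconditionally, which is what
 * turns overwritten links into a write through corrupted pointers.
 * Returns 0 on success, -1 (no stores done) if the list is inconsistent. */
int unlink_checked(struct chunk *p)
{
    struct chunk *fd = p->fd, *bk = p->bk;
    if (fd == NULL || bk == NULL || fd->bk != p || bk->fd != p)
        return -1;
    fd->bk = bk;
    bk->fd = fd;
    return 0;
}

int main(void)
{
    struct chunk head, a, b, stray = { NULL, NULL };
    list_init(&head);
    list_push(&head, &a);
    list_push(&head, &b);
    printf("intact list:     %d\n", unlink_checked(&a));
    b.fd = &stray;               /* constructed corruption of one link */
    printf("corrupted links: %d\n", unlink_checked(&b));
    return 0;
}
```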
Format string attack layout

Format string attack layout

Format string attack: overwrite
  - %n specifier: store number of chars written so far to pointer arg
  - Advance format arg pointer to other attacker-controlled data
  - Control number of chars written with padding
  - On x86, use unaligned stores to create pointer

Next time
  - Defenses and counter-attacks
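A small auditor for the "little interpreter" described on the format string slides, as an added example that is not part of the original lecture: it walks a string the way printf would and reports how many arguments its directives consume and whether any of them is %n. The names are hypothetical, the parser is deliberately conservative, and the sample string in main is constructed.

```c
#include <stdio.h>
#include <string.h>

struct fmt_audit {
    int args;          /* arguments the directives would consume */
    int writes_memory; /* 1 if a %n directive is present */
};

/* Skip a width or precision; "*" (or "*m$") takes it from an argument. */
static const char *skip_field(const char *s, int *args)
{
    if (*s != '*')
        return s + strspn(s, "0123456789");
    (*args)++;
    s++;
    size_t d = strspn(s, "0123456789");
    return (d && s[d] == '$') ? s + d + 1 : s;
}

/* Report what a string would ask of printf if used as the format. */
struct fmt_audit audit_format(const char *s)
{
    struct fmt_audit a = { 0, 0 };
    while ((s = strchr(s, '%')) != NULL) {
        s++;
        if (*s == '%') { s++; continue; }        /* literal percent */
        size_t d = strspn(s, "0123456789");
        if (d && s[d] == '$') s += d + 1;        /* positional "%m$" */
        s += strspn(s, "-+ #0'");                /* flags */
        s = skip_field(s, &a.args);              /* width */
        if (*s == '.')
            s = skip_field(s + 1, &a.args);      /* precision */
        s += strspn(s, "hlLqjzt");               /* length modifiers */
        if (*s == '\0') break;                   /* incomplete directive */
        if (*s == 'n') a.writes_memory = 1;
        a.args++;
        s++;
    }
    return a;
}

int main(void)
{
    const char *input = "%08x.%08x.%n";          /* constructed sample */
    struct fmt_audit a = audit_format(input);
    printf("args=%d writes_memory=%d\n", a.args, a.writes_memory);
    printf("%s\n", input);   /* safe: input is data for a constant format */
    return 0;
}
```

Auditing is a detection aid for logs and code review; the fix itself is the constant format shown in the last printf call.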