riding the overflow riding the overflow then and now then
play

Riding the Overflow Riding the Overflow Then and Now Then and - PowerPoint PPT Presentation

Dec 08, 2022 •337 likes •634 views

Riding the Overflow Riding the Overflow Then and Now Then and Now Miroslav tampar Miroslav tampar (mstampar@zsis.hr ) (mstampar@zsis.hr ) tl;dr BalCCon2k14, Novi Sad (Serbia) September 6th,

  1. Riding the Overflow – Riding the Overflow – Then and Now Then and Now Miroslav Štampar Miroslav Štampar (mstampar@zsis.hr ) (mstampar@zsis.hr )

  2. tl;dr BalCCon2k14, Novi Sad (Serbia) September 6th, 2014 2

  3. Buffer overflow  (a.k.a.) Buffer overrun  An anomaly where a program, while writing data to the buffer, overruns its boundary, thus overwriting adjacent memory  Commonly associated with programming languages C and C++ (no bounds checking)  Stack-based (e.g. statically allocated built-in array at compile time) – overwriting stack elements  Heap-based (e.g. dynamically allocated malloc() array at run time) – overwriting heap internal structures (e.g. linked list pointers) BalCCon2k14, Novi Sad (Serbia) September 6th, 2014 3

  4. Stack-based overflow BalCCon2k14, Novi Sad (Serbia) September 6th, 2014 4

  5. Heap-based overflow BalCCon2k14, Novi Sad (Serbia) September 6th, 2014 5

  6. Vulnerable code (stack-based) BalCCon2k14, Novi Sad (Serbia) September 6th, 2014 6

  7. Vulnerable code (heap-based) BalCCon2k14, Novi Sad (Serbia) September 6th, 2014 7

  8. History  1961 - Burroughs 5000 (executable space protection)  1972 - Computer Security T echnology Planning Study (buffer overflow as an idea)  1988 - Morris worm (earliest exploitation – gets() in fingerd)  1995 - Buffer overflow rediscovered (Bugtraq)  1996 - “Smashing the Stack for Fun and Profit” (Aleph One)  1997 - “Return-into-lib(c) exploits” (Solar Designer)  2000 - The Linux PaX project  2001 - Code Red (IIS 5.0); Heap spraying (MS01-033 – Index Server ISAPI Extension)  2003 - SQL Slammer (MsSQL 2000); Microsoft VS 2003 flag /GS  2004 - NX on Linux (kernel 2.6.8); DEP on Windows (XP SP2); Egg hunting (skape)  2005 - ASLR on Linux (kernel 2.6.12); GCC flag -fstack-protector  2007 - ASLR on Windows (Vista); ROP (Sebastian Krahmer) BalCCon2k14, Novi Sad (Serbia) September 6th, 2014 8

  9. DEP/NX  Data Execution Prevention/No eXecute  (a.k.a.) Non-executable stack, Execute Disable, Exec Shield (Linux), W^X (FreeBSD)  Set of hardware and software technologies that perform additional checks on memory  Provides protection for all memory pages that are not specifically marked as executable  Processor must support hardware-enforced mechanism (NX/EVP/XD)  Executables and libraries have to be specifically linked (problems with older software) BalCCon2k14, Novi Sad (Serbia) September 6th, 2014 9

  10. ASLR  Address Space Layout Randomization  Introduces the randomness into the address space of process  Positions of key data areas are randomly scattered (i.e. dynamic/shared libraries, heap and stack)  Its strength is based upon the low chance of an attacker guessing the locations of randomly placed areas  Executables and dynamic/shared libraries have to be specifically linked (problems with older software) BalCCon2k14, Novi Sad (Serbia) September 6th, 2014 10

  11. Stack canaries  (a.k.a.) Stack cookies, Stack-Smashing Protector (SSP)  Named for analogy to a canary in a coal mine  Implemented by the compiler  Placing a small (e.g. random) integer value to stack just before the return pointer  In order to overwrite the return pointer (and thus take control of the process) the canary value would also be overwritten  This value is checked to make sure it has not changed before a routine uses the return pointer from the stack BalCCon2k14, Novi Sad (Serbia) September 6th, 2014 11

  12. ASCII armor  Generally maps important library addresses (e.g. libc) to a memory range containing a NULL byte (e.g. 0x00****** - 0x0100****** )  Makes it hard to construct address or pass arguments by exploiting string functions (e.g. strcpy() )  Not effective when NULL byte is not an issue  Easily bypassable by using PLT (Procedure Language T able) entries in case of position independent binary BalCCon2k14, Novi Sad (Serbia) September 6th, 2014 12

  13. SEH  Structured Exception Handler  Implemented by the compiler  Pointer to the exception handler is added to the stack in the form of the “Exception Registration Record” (SEH) and “Next Exception Registration Record” (nSEH)  If the buffer is overflown and (junk) data is written to the SEH (located eight bytes after ESP), invalid handler is called due to the inherently raised exception (i.e. STATUS_ACCESS_VIOLATION), thus preventing us from successful execution of our payload BalCCon2k14, Novi Sad (Serbia) September 6th, 2014 13

  14. SEH (chain) BalCCon2k14, Novi Sad (Serbia) September 6th, 2014 14

  15. SEHOP  Structured Exception Handler Overwrite Protection  Blocks exploits that use (highly popular) SEH overwrite method  Enabled by default on Windows Server 2008, disabled on Windows Vista SP1 and Windows 7  Symbolic exception registration record appended to the end of exception handler list  Integrity of exception handler chain is broken if symbolic record can't be reached and/or if it's found to be invalid BalCCon2k14, Novi Sad (Serbia) September 6th, 2014 15

  16. SafeSEH  Safe Structured Exception Handling  (a.k.a.) Software-enforced DEP  All exception handlers' entry points collected to a designated read-only table collected at the compilation time  Safe Exception Handler T able  Attempt to execute any unregistered exception handler will result in the immediate program termination BalCCon2k14, Novi Sad (Serbia) September 6th, 2014 16

  17. Safe functions  Well-written functions that automatically perform buffer management (including bounds checking), reducing the occurrence and impact of buffer overflows  Usually by introducing explicit parameter size BalCCon2k14, Novi Sad (Serbia) September 6th, 2014 17

  18. NOP sled  (a.k.a.) NOP slide, NOP ramp  oldest and most widely known method for stack buffer overflow exploitation  large sequence of NOP (no-operation) instructions meant to "slide" the CPU's execution flow  used when jump location has to be given (payload), while it's impossible to be exactly predicted  |buffer| = |NOP sled| + |payload| + |guessed address from inside NOP sled (EIP)| BalCCon2k14, Novi Sad (Serbia) September 6th, 2014 18

  19. ret2libc  (a.k.a.) ret2system, arc injection  Overwriting the return address with location of a function that is already loaded in the binary or via shared library  Also, providing required arguments through stack overwrite  Shared library libc is always linked to executables on UNIX style systems and provides useful calls (e.g. system() )  |buffer| = |junk| + |address of function system() (EIP)| + |address of function exit()| + |address of string “/bin/sh”| BalCCon2k14, Novi Sad (Serbia) September 6th, 2014 19

  20. ret2reg  Return-to-register (e.g. ESP, EAX, etc.)  (a.k.a.) Trampolining  Also, variants like ret2pop, ret2ret, etc.  We overwrite the EIP with the address of an existing instruction that would jump to the location of a register  Preferred choice is the register pointing to the location inside our buffer (usually ESP)  Much more reliable method than NOP sled  |buffer| = |junk| + |address of JMP ESP or CALL ESP instruction (EIP)| + |compensating NOPs| + |payload| BalCCon2k14, Novi Sad (Serbia) September 6th, 2014 20

  21. Egg hunting  Used in reduced buffer space situations  Allows usage of a small payload (“egg hunter”) to find the actual (bigger) payload  The final payload must be somewhere in memory (stack, heap or secondary buffer)  Final payload must be prepended with the unique marking string (2x4 bytes) called “egg”  Egg hunter types: SEH, IsBadReadPtr, NtDisplayString, NtAccessCheckAndAuditAlarm  |buffer| = |junk| + |egg hunter| + |address of JMP ESP or CALL ESP instruction (EIP)| + |JMP to egg hunter| + |junk| + |egg| + |egg| + | payload| BalCCon2k14, Novi Sad (Serbia) September 6th, 2014 21

Recommend

Contemporary Attitudes Toward Motorcycle Riding Safety and Riding Risk Factors Part 2

Contemporary Attitudes Toward Motorcycle Riding Safety and Riding Risk Factors Part 2

Contemporary Attitudes Toward Motorcycle Riding Safety and Riding Risk Factors Part 2 International Motorcycle Safety Conference March 30, 2006 Robert J. Rowe Executive Vice President Irwin Broh & Associates Motorcycle Riding Risk

317 views • 12 slides
Re-arquitetando o Re-arquitetando o Stack Overflow Stack Overflow ou como construmos o Stack

Re-arquitetando o Re-arquitetando o Stack Overflow Stack Overflow ou como construmos o Stack

Re-arquitetando o Re-arquitetando o Stack Overflow Stack Overflow ou como construmos o Stack Overflow for Teams Roberta Arcoverde 1 /whois /whois recifense programadora h 15 anos principal software developer na stack overflow

711 views • 52 slides
History of the Stack Overflow Buffer Overflow Understood

History of the Stack Overflow Buffer Overflow Understood

History of the Stack Overflow Buffer Overflow Understood as early as 1972 Computer Security Technology Planning Study Morris Worm First

1.07k views • 42 slides
Evolution of Stack Overflow Discussions Using Sentimental Analysis on Comments in Stack Overflow

Evolution of Stack Overflow Discussions Using Sentimental Analysis on Comments in Stack Overflow

Evolution of Stack Overflow Discussions Using Sentimental Analysis on Comments in Stack Overflow Posts Presented by Norbert Eke and Saraj Manes Motivation SOTorrent 2018 : Reconstructing and Analyzing the Evolution of Stack Overflow

547 views • 17 slides
Kindergarten students to another location). Overflow does become an added cost to the district

Kindergarten students to another location). Overflow does become an added cost to the district

Fishkill ES can continue to function/operate as is and overflow students to another school when reaching capacity. (Please note since we moved into a K-6 configuration and reduced class sizes, we have yet had to overflow Fishkill ES

172 views • 4 slides
Contemporary Attitudes Toward Motorcycle Riding Safety and Riding Risk Factors Part 1

Contemporary Attitudes Toward Motorcycle Riding Safety and Riding Risk Factors Part 1

Contemporary Attitudes Toward Motorcycle Riding Safety and Riding Risk Factors Part 1 International Motorcycle Safety Conference March 28, 2006 Robert J. Rowe Executive Vice President Irwin Broh & Associates Irwin Broh &

575 views • 24 slides
Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by

Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by

Chapter 10 Buffer Overflow Buffer Overflow Common attack mechanism first wide use by the Morris Worm in 1988 Prevention techniques known NX bit, stack canaries, ASLR Still of major concern Recent examples:

354 views • 21 slides
Riding Through Transition How to Utilize a Connection Between Therapeutic Riding Centers and

Riding Through Transition How to Utilize a Connection Between Therapeutic Riding Centers and

Riding Through Transition How to Utilize a Connection Between Therapeutic Riding Centers and Schools Andrea Suk Malarie Deardorff Our Credentials Outcomes Identify Identify Learn Identify ways to Identify ways to Learn how to use

787 views • 58 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow

Last time We continued By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Finish overflow attacks & other vulnerabilities Overflow defenses Everything youve always wanted to know about

2.41k views • 197 slides
Overflow Handling Linear Probing Get And Put An overflow occurs when the home bucket for

Overflow Handling Linear Probing Get And Put An overflow occurs when the home bucket for

Overflow Handling Linear Probing Get And Put An overflow occurs when the home bucket for a divisor = b (number of buckets) = 17. new pair (key, element) is full. Home bucket = key % 17. We may handle overflows by:

242 views • 3 slides
Overflow Handling Linear Probing Get And Put An overflow occurs when the home bucket for

Overflow Handling Linear Probing Get And Put An overflow occurs when the home bucket for

Overflow Handling Linear Probing Get And Put An overflow occurs when the home bucket for a divisor = b (number of buckets) = 17. new pair (key, element) is full. Home bucket = key % 17. We may handle overflows by:

374 views • 4 slides
13-Apr-10 Implementing Best Practices in a Therapeutic Riding setting at the Colorado

13-Apr-10 Implementing Best Practices in a Therapeutic Riding setting at the Colorado

13-Apr-10 Implementing Best Practices in a Therapeutic Riding setting at the Colorado Therapeutic Riding Center, inc. Longmont, CO Moving from study design and theory to action! Amy Shoffner, MSW NARHA Advanced Instructor NARHA

661 views • 15 slides
Overflow in addition and subtraction can happen if?? ta7 What can

Overflow in addition and subtraction can happen if?? ta7 What can

Overflows Overflow in addition and subtraction can happen if?? ta7 What can we do if there is an overflow?? Spring 2006 MIPS support two kinds of arithmetic operations in order to support the two choices

50 views • 4 slides
Horse riding & Fly fishing in Private Ranch in Patagonia Horse Riding & Fly fishing in

Horse riding & Fly fishing in Private Ranch in Patagonia Horse Riding & Fly fishing in

Horse riding & Fly fishing in Private Ranch in Patagonia Horse Riding & Fly fishing in Private Ranch in Patagonia A 20,000 hectare private estancia nestled in the foothills of the Andes in Argentine Patagonia, close to the border with

594 views • 33 slides
Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow

Last time We finished up By looking at Buffer Overflow overflows Defenses and other memory safety vulnerabilities Buffer overflow defenses (and workarounds) Format string vulnerabilities Integer overflow vulnerabilities This time

1.29k views • 80 slides
Buffer Overflow CS461/ECE422 Spring 2012 Reading Material

Buffer Overflow CS461/ECE422 Spring 2012 Reading Material

Buffer Overflow CS461/ECE422 Spring 2012 Reading Material Based on Chapter 11 of the text Outline Buffer Overflow Stack Buffer Overflow Shell

783 views • 28 slides
Riding the

Riding the

S. Scholtes 30/10/2003 Judge Institute of Management University of Cambridge Riding the waves of change: Simulating Risky Investments S. Scholtes Judge

359 views • 21 slides
CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking

CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking

CS241 Computer Organization Spring 2015 Buffer Overflow 4-022015 Outline Linking & Loading, continued Buffer Overflow Read: CSAPP2: section 3.12: out-of-bounds memory references & buffer overflow K&R:

775 views • 43 slides
How to be safe when riding your bike School Presentation March 2019 How to be safe when riding

How to be safe when riding your bike School Presentation March 2019 How to be safe when riding

How to be safe when riding your bike School Presentation March 2019 How to be safe when riding your bike. March 2019 | 1 Hands up if you have ever ridden your bike? Keep your hand up if you: Have ridden a bike in the past year? In

338 views • 12 slides
A Project Approach to Horse Riding Trails Page 15 Agenda Item 5 Page 16 Page 17 Page 18 Page

A Project Approach to Horse Riding Trails Page 15 Agenda Item 5 Page 16 Page 17 Page 18 Page

A Project Approach to Horse Riding Trails Page 15 Agenda Item 5 Page 16 Page 17 Page 18 Page 19 A Project ect Approa roach ch to Facilita tatin ting g & Promoti moting g Horse e Riding g Route tes Blue/Green = Creation of

218 views • 10 slides
Illegal sanitary sewer overflow near Glenwood Road. Sewage

Illegal sanitary sewer overflow near Glenwood Road. Sewage

Illegal sanitary sewer overflow near Glenwood Road. Sewage flowing to Grassy Creek, 2011. Illegal sanitary sewer overflow along Dixie Highway, January 2011. Illegal sanitary sewer overflow along

381 views • 19 slides
So much is riding on your DTC commercials Are your viewers watching them? Today, it is even more

So much is riding on your DTC commercials Are your viewers watching them? Today, it is even more

So much is riding on your DTC commercials Are your viewers watching them? Today, it is even more important to address the question of How can I make my DTC marketing more efficient and impactful? While many factors impact DTC sales

689 views • 43 slides
Software Vulnerability I Presenter: Yinzhi Cao Lehigh University Overview Buffer Overflow

Software Vulnerability I Presenter: Yinzhi Cao Lehigh University Overview Buffer Overflow

CSE350/450 Lehigh University Fall 2016 Software Vulnerability I Presenter: Yinzhi Cao Lehigh University Overview Buffer Overflow Shellcode Heap Overflow Format Strings Return-oriented Programming Metasploit 101 Anatomy of the Stack

1.83k views • 124 slides
Cyber Security and E-Safety Event 23 January 2019 Presented in Partnership with East Riding of

Cyber Security and E-Safety Event 23 January 2019 Presented in Partnership with East Riding of

Cyber Security and E-Safety Event 23 January 2019 Presented in Partnership with East Riding of Yorkshire Council & KCOM East Riding KCOM Paul Johnston, ICT Manager Terry Kent, Product Manager David Cox, Security Manager Leanne Gill,

588 views • 22 slides

More recommend