Computer Security Course. Dawn Song. Software Security (I): Buffer-overflow Attacks. Dawn Song 1
Logistics • New office hour • Webcast – CalCentral: select cs161. Dawn Song 2
Intro. In normal operation a CLIENT sends an HTTP REQUEST to the SERVER and gets back an HTTP RESPONSE. An ATTACKER instead sends an EXPLOIT in place of the request and, if it succeeds, obtains a Remote Shell on the SERVER. Dawn Song 3
Linux (32-bit) process memory layout, from high to low addresses: 0xFFFFFFFF down to 0xC0000000 — reserved for the kernel; just below 0xC0000000 — the user stack ($esp marks its current top; each call pushes a new frame toward lower addresses); around 0x40000000 — shared libraries; the run-time heap (its upper limit is brk); the static data segment; the text segment (the program, loaded from the executable) starting at 0x08048000; unused from there down to 0x00000000. Note for practitioners: these are fixed, predictable addresses, which is what lets the stack dumps on the later slides (0xbffff7xx on the stack, 0x0804xxxx in the text segment) be reproduced exactly; the layout as shown assumes no address-space layout randomization (ASLR), which modern systems enable by default precisely so that an attacker cannot predict these addresses.
Stack Frame. Within the user stack (below 0xC0000000; the rest of the layout — shared libraries near 0x40000000, run-time heap, static data segment, text segment at 0x08048000, unused space below — is as on the previous slide), each function call gets a frame laid out from high to low addresses: arguments; return address (the point at which this function was called, i.e. where execution resumes when it returns); saved stack frame pointer (pointing to the previous stack frame); exception handlers; local variables; callee-saved registers. Because the local variables sit at lower addresses than the saved frame pointer and the return address, a write that runs off the end of a local array proceeds upward toward them — which is exactly what the example on the following slides demonstrates.
Stack Frame (parse.c):
1: void copy_lower(char *in, char *out) {
2:   int i = 0;
3:   while (in[i] != '\0' && in[i] != '\n') {
4:     out[i] = tolower(in[i]);
5:     i++;
6:   }
7:   out[i] = '\0';
8: }
9: int parse(FILE *fp) {
10:   char buf[5], *url, cmd[128];
11:   fread(cmd, 1, 128, fp);
12:   int header_ok = 0;
13:   if (cmd[0] == 'G')
14:     if (cmd[1] == 'E')
15:       if (cmd[2] == 'T')
16:         if (cmd[3] == ' ')
17:           header_ok = 1;
18:   if (!header_ok) return -1;
19:   url = cmd + 4;
20:   copy_lower(url, buf);
21:   printf("Location is %s\n", buf);
22:   return 0;
}
A quick example to illustrate multiple stack frames. Note the defects this example is built around: cmd is filled with up to 128 bytes of untrusted input (line 11) and copy_lower (lines 1–8) copies everything after "GET " up to the first NUL or newline into buf, which holds only 5 bytes (line 10); nothing bounds the copy by the size of out, so any URL longer than 4 characters writes past the end of buf into whatever lies above it on the stack. A bounded version would pass the destination size (e.g. copy_lower(in, out, sizeof buf)) and stop at size − 1, reserving the last byte for the terminator. Two further problems: the return value of fread is ignored, so on a short read part of cmd is uninitialized, and cmd is never NUL-terminated, so if the input contains neither a NUL nor a newline the loop at line 3 also reads past the end of cmd.
Viewing Stack Frame with GDB. Our example modified to include a main function (parse.c):
1: void copy_lower(char *in, char *out) {
2:   int i = 0;
3:   while (in[i] != '\0' && in[i] != '\n') {
4:     out[i] = tolower(in[i]);
5:     i++;
6:   }
7:   out[i] = '\0';
8: }
9: int parse(FILE *fp) {
10:   char buf[5], *url, cmd[128];
11:   fread(cmd, 1, 128, fp);
12:   int header_ok = 0;
13:   if (cmd[0] == 'G')
14:     if (cmd[1] == 'E')
15:       if (cmd[2] == 'T')
16:         if (cmd[3] == ' ')
17:           header_ok = 1;
18:   if (!header_ok) return -1;
19:   url = cmd + 4;
20:   copy_lower(url, buf);
21:   printf("Location is %s\n", buf);
22:   return 0;
}
23: /** main to load a file and run parse */
Compile: gcc -g parse.c -o parse
Run: ./parse
Debug: We can debug using gdb: gdb parse. Then we can take a look at the stack: (gdb) break 7, (gdb) run, (gdb) x/64x $esp. (The slides do not say whether the build used a stack protector such as -fstack-protector; with one, a canary placed between the local arrays and the saved frame pointer would detect the overwrite shown on the following slides when copy_lower returns, so the exact stack contents you see will depend on your compiler's defaults.)
Viewing Stack Frame with GDB. Our running example (parse.c) modified to illustrate multiple stack frames. Debug: (gdb) x/64x $esp
What are buffer overflows? (parse.c; code as on the previous slides, plus line 23: /** main to load a file and run parse */.) Stack dump from (gdb) x/64x $esp at a breakpoint inside copy_lower, with an input file containing "GET " followed by a run of A's (GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA). Reading from high to low addresses:
parse's frame — args: 0xbffff760 fp = 0x0804a008. 0xbffff75c return address = 0x080485a2. 0xbffff758 saved stack frame pointer = 0xbffff778. Local variables: 0xbffff74c url = 0xbffff6c4 (= cmd + 4); 0xbffff748 header_ok = 0x00000001; 0xbffff744 buf[4] (plus padding) = 0xbfef20dc; 0xbffff740 buf[3,2,1,0] = 0xbf02224c; 0xbffff73c cmd[127,126,125,124] = 0x00000000; … ; 0xbffff6c4 cmd[7,6,5,4] = 0x41414141 ("AAAA"); 0xbffff6c0 cmd[3,2,1,0] = 0x20544547 ("GET " read little-endian); then callee-saved registers.
copy_lower's frame — args: 0xbffff6b4 out = 0xbffff740 (buf); 0xbffff6b0 in = 0xbffff6c4 (url). 0xbffff6ac return address = 0x080485a2. 0xbffff6a8 saved stack frame pointer = 0xbffff758. Local variable: 0xbffff69c i = 0x00000000. Callee-saved registers; below that the stack is unallocated.
Why this matters: buf starts at 0xbffff740 and parse's return address is at 0xbffff75c, only 28 bytes higher, with buf[4], padding, header_ok, url and the saved frame pointer in between. copy_lower writes out[i] for every input byte up to a NUL or newline without ever checking buf's 5-byte size, so an input with more than 4 characters after "GET " already corrupts neighbouring locals; 28 or more such characters reach the return address (the terminating NUL lands on its low byte), and 32 or more overwrite it entirely with lowercased attacker-chosen bytes — here 0x61616161 ("aaaa").
What are buffer overflows? (parse.c; code as before, plus line 23: /** main to load a file and run parse */.) Same stack dump, one step later, after copy_lower has executed out[0] = tolower(in[0]) for i = 0. parse's frame: 0xbffff760 fp = 0x0804a008; 0xbffff75c return address = 0x080485a2; 0xbffff758 saved stack frame pointer = 0xbffff778; 0xbffff74c url = 0xbffff6c4; 0xbffff748 header_ok = 0x00000001; 0xbffff744 buf[4] = 0xbfef20dc; 0xbffff740 buf[3,2,1,0] = 0xbf022261 (buf[0] is now 0x61, 'a', the lowercase of the input's 'A', 0x41); 0xbffff73c cmd[127,126,125,124] = 0x00000000; …; 0xbffff6c4 cmd[7,6,5,4] = 0x41414141; 0xbffff6c0 cmd[3,2,1,0] = 0x20544547 ("GET "). copy_lower's frame: 0xbffff6b4 out = 0xbffff740; 0xbffff6b0 in = 0xbffff6c4 (input file: GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA); 0xbffff6ac return address = 0x080485a2; 0xbffff6a8 saved stack frame pointer = 0xbffff758; 0xbffff69c i = 0x00000000; below that unallocated.
What are buffer overflows? (parse.c; code as before, plus line 23: /** main to load a file and run parse */.) Same stack dump after the next iteration (i = 1). parse's frame: 0xbffff760 fp = 0x0804a008; 0xbffff75c return address = 0x080485a2; 0xbffff758 saved stack frame pointer = 0xbffff778; 0xbffff74c url = 0xbffff6c4; 0xbffff748 header_ok = 0x00000001; 0xbffff744 buf[4] = 0xbfef20dc; 0xbffff740 buf[3,2,1,0] = 0xbf026161 (buf[0] and buf[1] now hold 'a'); 0xbffff73c cmd[127,126,125,124] = 0x00000000; …; 0xbffff6c4 cmd[7,6,5,4] = 0x41414141; 0xbffff6c0 cmd[3,2,1,0] = 0x20544547 ("GET "). copy_lower's frame: 0xbffff6b4 out = 0xbffff740; 0xbffff6b0 in = 0xbffff6c4 (input file: GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA); 0xbffff6ac return address = 0x080485a2; 0xbffff6a8 saved stack frame pointer = 0xbffff758; 0xbffff69c i = 0x00000001; below that unallocated.
What are buffer overflows? (parse.c; code as before, plus line 23: /** main to load a file and run parse */.) Same stack dump after the next iteration (i = 2). parse's frame: 0xbffff760 fp = 0x0804a008; 0xbffff75c return address = 0x080485a2; 0xbffff758 saved stack frame pointer = 0xbffff778; 0xbffff74c url = 0xbffff6c4; 0xbffff748 header_ok = 0x00000001; 0xbffff744 buf[4] = 0xbfef20dc; 0xbffff740 buf[3,2,1,0] = 0xbf616161 (buf[0..2] now hold 'a'); 0xbffff73c cmd[127,126,125,124] = 0x00000000; …; 0xbffff6c4 cmd[7,6,5,4] = 0x41414141; 0xbffff6c0 cmd[3,2,1,0] = 0x20544547 ("GET "). copy_lower's frame: 0xbffff6b4 out = 0xbffff740; 0xbffff6b0 in = 0xbffff6c4 (input file: GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA); 0xbffff6ac return address = 0x080485a2; 0xbffff6a8 saved stack frame pointer = 0xbffff758; 0xbffff69c i = 0x00000002; below that unallocated.
What are buffer overflows? (parse.c; code as before, plus line 23: /** main to load a file and run parse */.) Same stack dump after the next iteration (i = 3). parse's frame: 0xbffff760 fp = 0x0804a008; 0xbffff75c return address = 0x080485a2; 0xbffff758 saved stack frame pointer = 0xbffff778; 0xbffff74c url = 0xbffff6c4; 0xbffff748 header_ok = 0x00000001; 0xbffff744 buf[4] = 0xbfef20dc; 0xbffff740 buf[3,2,1,0] = 0x61616161 (buf[0..3] all hold 'a'); 0xbffff73c cmd[127,126,125,124] = 0x00000000; …; 0xbffff6c4 cmd[7,6,5,4] = 0x41414141; 0xbffff6c0 cmd[3,2,1,0] = 0x20544547 ("GET "). copy_lower's frame: 0xbffff6b4 out = 0xbffff740; 0xbffff6b0 in = 0xbffff6c4 (input file: GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA); 0xbffff6ac return address = 0x080485a2; 0xbffff6a8 saved stack frame pointer = 0xbffff758; 0xbffff69c i = 0x00000003; below that unallocated. At this point the 4 bytes at 0xbffff740 are full; the next iteration writes buf[4] at 0xbffff744, and because the loop only stops at a NUL or newline, every further iteration writes past the end of buf: the padding (offsets 5–7), header_ok (8–11), url (12–15), the saved frame pointer (24–27) and finally parse's return address (28–31) — the input's remaining A's become 'a' bytes (0x61) in each of them.