
Software Security: Buffer Overflow Attacks Fall 2016 Adam (Ada) - PowerPoint PPT Presentation



  1. CSE 484 / CSE M 584: Computer Security and Privacy Software Security: Buffer Overflow Attacks Fall 2016 Adam (Ada) Lerner lerner@cs.washington.edu Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials ...

  2. Announcements • Sign the ethics form by today at 5! • Homework 1 is due on Monday. • Please start forming groups for lab 1 – You can use the forum to find group members 10/5/16 CSE 484 / CSE M 584 - Fall 2016 2

  3. Announcements • TA office hours have been moved to Mondays at 4:30 (after class), in the second floor breakout. – Sorry for the confusion!

  4. Security: Not Just for PCs • smartphones • EEG headsets • voting machines • medical devices • RFID • mobile sensing platforms • wearables • cars • airplanes • game platforms

  5. Software Problems are Ubiquitous (image slide: news headlines)

  6. Software Problems are Ubiquitous (image slide: news headlines)

  7. Software Problems are Ubiquitous (image slide: news headlines)

  8. Software Problems are Ubiquitous • Other serious bugs (many others exist) – USS Vincennes tracking software – MV-22 Osprey – Medtronic Model 8870 Software Application Card

  9. Adversarial Failures • Software bugs are bad – Consequences can be serious • Even worse when an intelligent adversary wishes to exploit them! – Intelligent adversaries force bugs into their “worst possible” conditions/states – Intelligent adversaries pick their targets

  10. BUFFER OVERFLOWS

  11. Adversarial Failures • Buffer overflow bugs: a big class of bugs – Normal conditions: can sometimes cause systems to fail – Adversarial conditions: attacker is able to violate the security of your system (take control, obtain private information, ...)

  12. Reference for Q1 [Diagram: memory layout from the top (Addr 0x00...0) to the bottom (Addr 0xFF...F): text region, heap, stack. Detail of func()'s stack frame, from low to high address: buf, saved FP, ret/IP (“execute code at this address after func() finishes”), then the argument str and the caller's frame. Local variables sit below the saved FP; args sit above the return address.]

  13. A Bit of History: Morris Worm • Worm was released in 1988 by Robert Morris – Graduate student at Cornell, son of NSA chief scientist – Convicted under the Computer Fraud and Abuse Act, sentenced to 3 years of probation and 400 hours of community service – Now an EECS professor at MIT • Worm was intended to propagate slowly and harmlessly, measuring the size of the Internet • Due to a coding error, it created new copies as fast as it could and overloaded infected machines • $10-100M worth of damage

  14. Morris Worm and Buffer Overflow • One of the worm's propagation techniques was a buffer overflow attack against a vulnerable version of fingerd on VAX systems (the daemon read its input with gets(), which imposes no length limit) – By sending a special string to the finger daemon, the worm caused it to execute code creating a new worm copy – Unable to determine the remote OS version, the worm also attacked fingerd on Suns running BSD, causing them to crash (instead of spawning a new copy)

  15. Famous Internet Worms • Buffer overflows: very common cause of Internet attacks – In 1998, over 50% of advisories published by CERT (Computer Emergency Response Team) were caused by buffer overflows • Morris worm (1988): overflow in fingerd – 6,000 machines infected • CodeRed (2001): overflow in MS-IIS server – 300,000 machines infected in 14 hours • SQL Slammer (2003): overflow in MS-SQL server – 75,000 machines infected in 10 minutes (!!) • Sasser (2004): overflow in Windows LSASS – Around 500,000 machines infected

  16. … And More • Conficker (2008-09): overflow in Windows RPC – Around 10 million machines infected (estimates vary) • Stuxnet (2009-10): the same Windows RPC overflow as Conficker, plus several zero-days (not all of them overflows, but each gave code execution or privilege escalation) – Windows print spooler service – Windows LNK shortcut display – Windows task scheduler • Flame (2010-12): reused the same print spooler and LNK exploits as Stuxnet – Targeted cyberespionage malware • Still ubiquitous, especially in embedded systems

  17. Attacks on Memory Buffers • A buffer is a pre-defined data storage area inside computer memory (stack or heap) • Typical situation: – A function takes some input that it writes into a pre-allocated buffer. – The developer forgets to check that the size of the input isn't larger than the size of the buffer. – Uh oh. • “Normal” bad input: crash • “Adversarial” bad input: take control of execution

  18. Stack Buffers • Suppose the Web server contains this function:
      void func(char *str) {
          char buf[126];
          ...
          strcpy(buf, str);
          ...
      }
  • No bounds checking on strcpy() • If str is 126 characters or longer (so the string plus its terminating NUL does not fit in the 126-byte buffer) – Program may crash – Attacker may change program behavior

  19. Answer Q2 (repeats the func()/strcpy example from slide 18)

  20. Example: Changing Flags [Diagram: buf sits directly below an `authenticated` variable; the overflow runs past the end of buf and writes 1 into authenticated.] • authenticated variable

  21. Example: Changing Flags [Same diagram: overflowing buf sets the adjacent `authenticated` variable to 1.] • authenticated variable • Morris worm also overflowed a buffer to overwrite an authenticated flag in fingerd
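As an added worked example (not from the slides), the flag overwrite from slides 20-21 and the missing bounds check from slide 18 in one C program. The `struct session`, its field names, the 16-byte buffer and the attacker input are all constructed for this example; on a real stack the compiler, not the programmer, decides whether the flag sits right after the buffer, so the struct only stands in for that layout. The vulnerable copy and the checked copy sit side by side so the difference is the one comparison the developer forgot.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for two adjacent stack locals: a 16-byte name
 * buffer followed immediately by the authenticated flag (assumption: the
 * real stack layout is the compiler's choice, not guaranteed). volatile
 * forces the flag to be re-read from memory after the copy. */
struct session {
    char name[16];
    volatile int authenticated;   /* 0 = not logged in, nonzero = logged in */
};

/* Vulnerable: copies len bytes into name with no bounds check, the same
 * mistake as strcpy(buf, str) on slide 18. Byte 17 onwards lands on the
 * flag. Returns the flag as the rest of the program would then see it. */
int login_vulnerable(struct session *s, const unsigned char *input, size_t len)
{
    s->authenticated = 0;
    memcpy(s->name, input, len);      /* BUG: len is never compared to sizeof s->name */
    return s->authenticated;
}

/* Hardened: refuse input that does not fit together with its NUL terminator.
 * Returns -1 on rejection, otherwise the (still zero) flag. */
int login_checked(struct session *s, const unsigned char *input, size_t len)
{
    s->authenticated = 0;
    if (len >= sizeof s->name)        /* need one byte left for the terminator */
        return -1;
    memcpy(s->name, input, len);
    s->name[len] = '\0';
    return s->authenticated;
}

/* Constructed attacker input: exactly fills the buffer, then four 0x01 bytes
 * that overwrite the flag with a nonzero value whatever the endianness. */
static const unsigned char ATTACK[20] = {
    'a','a','a','a','a','a','a','a','a','a','a','a','a','a','a','a',
    0x01, 0x01, 0x01, 0x01
};

int main(void)
{
    struct session s;
    printf("flag lives %zu bytes after name[0]\n",
           offsetof(struct session, authenticated));
    printf("vulnerable: authenticated = %d\n",
           login_vulnerable(&s, ATTACK, sizeof ATTACK));
    printf("checked:    result = %d, authenticated = %d\n",
           login_checked(&s, ATTACK, sizeof ATTACK), s.authenticated);
    return 0;
}
```

The check compares the input length against the destination size before any byte is written, which is the only place the comparison can live; the hardened version also reserves room for the terminator, because a 16-character name in a 16-byte buffer is itself an off-by-one overflow.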

  22. Memory Layout • Text region: executable code of the program • Heap: dynamically allocated data • Stack: local variables, function return addresses; grows and shrinks as functions are called and return [Diagram: from the top (Addr 0x00...0) to the bottom (Addr 0xFF...F): text region, heap, stack.]

  23. Redirecting Program Flow • Instead of a “normal” string, the attacker sends 2 things as input: – Assembly code she wants to execute (“shellcode”) – The address where she expects that code to appear

  24. Redirecting Program Flow (same as slide 23, labelling the assembly code “shellcode”)

  25. Stack Buffers • Suppose the Web server contains this function:
      void func(char *str) {
          char buf[126];      // allocate local buffer (126 bytes reserved on stack)
          strcpy(buf, str);   // copy argument into local buffer
      }
  • When this function is invoked, a new frame (activation record) is pushed onto the stack. [Diagram of the frame, low to high address: buf, saved FP, ret/IP (“execute code at this address after func() finishes”), then the argument str and the caller's frame at Addr 0xFF...F. Local variables below the saved FP, args above the return address.]

  26. What if Buffer is Overstuffed? • Memory pointed to by str is copied onto the stack…
      void func(char *str) {
          char buf[126];
          strcpy(buf, str);   // strcpy does NOT check whether the string at str (plus its NUL) fits in 126 bytes
      }
  • If a string longer than 126 bytes is copied into the buffer, it will overwrite adjacent stack locations: first the saved FP, then the slot that will be interpreted as the return address! [Diagram: buf, saved FP, ret/IP, str, caller's frame at Addr 0xFF...F.]

  27. What if Buffer is Overstuffed? • What if the string is read in from an attacker on the network? [Same frame diagram: the bytes that spill past buf and the saved FP land where the return address is expected, and will be interpreted as the return address!]

  28. What if Buffer is Overstuffed? [Diagram: the attacker's string laid over the frame: exec(“/bin/sh”) code at the start of buf, filler “asdf…asdf” through the rest of buf and the saved FP, then 0xFFFFFFA2 in the ret/IP slot. This will be interpreted as the return address! str and the caller's frame follow at higher addresses (Addr 0xFF...F).]

  29. Executing Attack Code [Diagram: exec(“/bin/sh”) code in buf, saved FP, ret/IP pointing back into buf, then str and the caller's stack frame at Addr 0xFF...F.] • The attacker puts actual assembly instructions into his input string, e.g., the binary code of execve(“/bin/sh”) • In the overflow, a pointer back into the buffer appears in the location where the system expects to find the return address • When the function exits, the code in the buffer will be executed, giving the attacker a shell – Root shell if the victim program is setuid root
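Added example, not from the slides: the payload layout slide 28 draws (code at the start of buf, filler, then the address 0xFFFFFFA2 over the return slot), built in C against a constructed model of func()'s frame. The `struct frame_model`, the 32-bit little-endian layout, the int3 bytes standing in for shellcode and the pretend original return address are all assumptions; the slides' execve(“/bin/sh”) code is not reproduced, and nothing here executes the payload. Two details the picture hides and a practitioner checks first: the compiler pads buf[126] before the saved frame pointer, so the distance from buf to the return address must be measured rather than read off sizeof(buf); and because strcpy stops at the first NUL, the payload, address bytes included, must contain none.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of func()'s stack frame from slides 25-28, at increasing addresses:
 * the local buffer, then the saved frame pointer, then the return address.
 * Assumption (not from the slides): 32-bit frame with 4-byte alignment, so
 * the compiler inserts 2 bytes of padding after buf[126]. */
struct frame_model {
    char buf[126];
    uint32_t saved_fp;
    uint32_t ret;
};

/* Stand-in for real shellcode: four x86 int3 instructions. Constructed for
 * this example; it only marks where the attacker's code would go. */
static const unsigned char STUB_CODE[] = { 0xCC, 0xCC, 0xCC, 0xCC };

/* Lay out the overflow string the way slide 28 draws it: code at the start
 * of buf, filler up to the return-address slot, then the address the
 * attacker wants func() to "return" to, in little-endian byte order.
 * ret_offset is the measured distance from buf[0] to the return slot.
 * Returns the payload length, or 0 if the pieces do not fit. */
size_t build_payload(unsigned char *out, size_t out_cap, size_t ret_offset,
                     uint32_t target, const unsigned char *code, size_t code_len)
{
    size_t total = ret_offset + sizeof(uint32_t);
    if (code_len > ret_offset || total > out_cap)
        return 0;
    memcpy(out, code, code_len);                          /* exec("/bin/sh") slot */
    memset(out + code_len, 'a', ret_offset - code_len);   /* "asdf...asdf" filler */
    for (size_t i = 0; i < sizeof(uint32_t); i++)         /* address, low byte first */
        out[ret_offset + i] = (unsigned char)(target >> (8 * i));
    return total;
}

/* strcpy() stops at the first NUL, so a 0x00 anywhere in the payload
 * (common in addresses such as 0x0804xxxx) truncates the copy before the
 * return slot is reached. Returns 1 if the payload would be cut short. */
int has_nul_byte(const unsigned char *p, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (p[i] == 0)
            return 1;
    return 0;
}

/* Write the payload over the modelled frame starting at buf, exactly the
 * bytes an unchecked strcpy(buf, str) would write, and report what now
 * sits in the return slot. The copy is clamped to the model's size; a
 * real overflow would keep going into str and the caller's frame. */
uint32_t simulate_overflow(const unsigned char *payload, size_t len)
{
    struct frame_model f;
    memset(&f, 0, sizeof f);
    f.saved_fp = 0xBFFFF000u;   /* pretend legitimate values (constructed) */
    f.ret      = 0x08048000u;
    if (len > sizeof f)
        len = sizeof f;
    memcpy(&f, payload, len);   /* buf is at offset 0 of the frame model */
    return f.ret;
}

int main(void)
{
    unsigned char payload[256];
    struct frame_model probe;
    size_t ret_off = offsetof(struct frame_model, ret);
    size_t n = build_payload(payload, sizeof payload, ret_off, 0xFFFFFFA2u,
                             STUB_CODE, sizeof STUB_CODE);

    printf("sizeof(buf) = %zu, but buf -> ret distance = %zu\n",
           sizeof probe.buf, ret_off);
    printf("payload: %zu bytes, contains NUL: %d\n", n, has_nul_byte(payload, n));
    printf("return slot after overflow: 0x%08x\n", simulate_overflow(payload, n));
    return 0;
}
```

The simulated copy goes over the whole frame object rather than through `buf`, which keeps the demonstration well-defined C while writing the same bytes to the same offsets an overflowing strcpy would; the value that ends up in `ret` is the slide's 0xFFFFFFA2, and the filler that reaches the saved frame pointer shows why the caller's frame pointer is corrupted as well.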

  30. Stretch Break (repeats slide 29)
