yet more bufger overfmows
play

Yet More Bufger Overfmows 1 Changelog Corrections made in this - PowerPoint PPT Presentation

Feb 28, 2024 •462 likes •1.25k views

Yet More Bufger Overfmows 1 Changelog Corrections made in this version not in fjrst posting: 1 April 2017: slide 41: a few more %cs would be needed to skip format string part 1 last time: pointer subterfuge pointer subterfuge

  1. Yet More Bufger Overfmows 1

  2. Changelog Corrections made in this version not in fjrst posting: 1 April 2017: slide 41: a few more %c’s would be needed to skip format string part 1

  3. last time: pointer subterfuge “pointer subterfuge” overwrite a pointer overwritten pointer used to overwrite/access somewhere else many ways this translates into exploit 3

  4. last time: targets for pointers many “targets” for attacker change important data directly change return addresses, then have return happen change function pointer, then have it called typically: rely on code address being used soon same as stack smashing — but not necessairily return address which is used — depends on context difgerent situations will make difgerent ones easier/possible 4

  5. last time: frame pointer overwrite way ofg-by-one errors were a problem many idea: frame pointer often next to bufger frame pointer used to locate return address changing frame pointer efgectively changes return address 5

  6. beyond normal bufger overfmows pretty much every memory error is a problem will look at exploiting: ofg-by-one bufger overfmows (!) heap bufger overfmows double-frees use-after-free integer overfmows in size calculations 6

  7. beyond normal bufger overfmows pretty much every memory error is a problem will look at exploiting: ofg-by-one bufger overfmows (!) heap bufger overfmows double-frees use-after-free integer overfmows in size calculations 7

  8. easy heap overfmows struct foo { char buffer[100]; void (*func_ptr)( void ); }; increasing addresses buffer func_ptr 8

  9. heap overfmow: adjacent allocations the heap bufger overfmowing result of first ’s vtable first ’s buffer second ’s vtable second ’s buffer increasing addresses attacker_controlled); class V { V *second = new V(...); V *first = new V(...); ... }; ... virtual void ...; public : char buffer[100]; 9 strcpy(first − >buffer,

  10. heap overfmow: adjacent allocations the heap bufger overfmowing result of first ’s vtable first ’s buffer second ’s vtable second ’s buffer increasing addresses attacker_controlled); class V { V *second = new V(...); V *first = new V(...); ... }; ... virtual void ...; public : char buffer[100]; 9 strcpy(first − >buffer,

  11. heap smashing “lucky” adjancent objects same things possible on stack but stack overfmows had nice generic “stack smashing” is there an equivalent for the heap? yes (mostly) 10

  12. diversion: implementing malloc/new many ways to implement malloc/new we will talk about one common technique 11

  13. heap object size/free size/free prev next free space free size/free prev next free space new’d object struct AllocInfo { size/free prev next (deleted obj.) free space }; AllocInfo *next; AllocInfo *prev; int size; bool free; 12

  14. implementing free() int free( void *object) { ... block_after = object + object_size; /* unlink from list */ } ... } arbitrary memory write 13 if (block_after − >free) { new_block − >size += block_after − >size; block_after − >prev − >next = block_after − >next; block_after − >next − >prev = block_after − >prev;

  15. implementing free() int free( void *object) { ... block_after = object + object_size; /* unlink from list */ } ... } arbitrary memory write 13 if (block_after − >free) { new_block − >size += block_after − >size; block_after − >prev − >next = block_after − >next; block_after − >next − >prev = block_after − >prev;

  16. vulnerable code next next prev size/free (or system() ?) shellcode GOT entry: fopen GOT entry: printf GOT entry: malloc GOT entry: free size/free prev free space char *buffer = malloc(100); size/free alloc’d object size/free prev next free space ... free(other_thing); free(buffer); ... strcpy(buffer, attacker_supplied); ... 14

  17. vulnerable code next next prev size/free (or system() ?) shellcode GOT entry: fopen GOT entry: printf GOT entry: malloc GOT entry: free size/free prev free space char *buffer = malloc(100); size/free alloc’d object size/free prev next free space ... free(other_thing); free(buffer); ... strcpy(buffer, attacker_supplied); ... 14

  18. vulnerable code next next prev size/free (or system() ?) shellcode GOT entry: fopen GOT entry: printf GOT entry: malloc GOT entry: free size/free prev free space char *buffer = malloc(100); size/free alloc’d object size/free prev next free space ... free(other_thing); free(buffer); ... strcpy(buffer, attacker_supplied); ... 14

  19. beyond normal bufger overfmows pretty much every memory error is a problem will look at exploiting: ofg-by-one bufger overfmows (!) heap bufger overfmows double-frees use-after-free integer overfmows in size calculations 15

  20. double-frees ... because double-free made loop in linked list malloc returns something still on free list size next prev thing alloc’d object size alloc’d object size prev next free space strcpy(q, attacker_controlled2); free(thing); chosen address // // q points to attacker- char *q = malloc(...); malloc(...); strcpy(p, attacker_controlled); blocks // on list of avail. // // p points to next/prev char *p = malloc(...); free(thing); 16

  21. double-frees ... because double-free made loop in linked list malloc returns something still on free list size next prev thing/p alloc’d object size alloc’d object size prev next free space strcpy(q, attacker_controlled2); free(thing); chosen address // // q points to attacker- char *q = malloc(...); malloc(...); strcpy(p, attacker_controlled); blocks // on list of avail. // // p points to next/prev char *p = malloc(...); free(thing); 16

  22. double-frees ... because double-free made loop in linked list malloc returns something still on free list size next prev thing/p alloc’d object size alloc’d object size prev next free space strcpy(q, attacker_controlled2); free(thing); chosen address // // q points to attacker- char *q = malloc(...); malloc(...); strcpy(p, attacker_controlled); blocks // on list of avail. // // p points to next/prev char *p = malloc(...); free(thing); 16

  23. double-free expansion // malloc/new 3: third malloc first/second malloc GOT entry: free (original fjrst free) (global) fjrst_free size next / double free’d object strcpy(result3, ...); result3 = first_free; 17 // free/delete 1: // malloc/new 2: strcpy(result1, ...); // + overwrite: result1 = first_free; // malloc/new 1: first_free = chunk // free/delete 2: first_free = chunk; double_freed − >next = first_free; double_freed − >next = first_free; first_free = first_free − >next; first_free = first_free − >next;

  24. double-free expansion // malloc/new 3: third malloc first/second malloc GOT entry: free (original fjrst free) (global) fjrst_free size next / double free’d object strcpy(result3, ...); result3 = first_free; 17 // free/delete 1: // malloc/new 2: strcpy(result1, ...); // + overwrite: result1 = first_free; // malloc/new 1: first_free = chunk // free/delete 2: first_free = chunk; double_freed − >next = first_free; double_freed − >next = first_free; first_free = first_free − >next; first_free = first_free − >next;

  25. double-free expansion // malloc/new 3: third malloc first/second malloc GOT entry: free (original fjrst free) (global) fjrst_free size next / double free’d object strcpy(result3, ...); result3 = first_free; 17 // free/delete 1: // malloc/new 2: strcpy(result1, ...); // + overwrite: result1 = first_free; // malloc/new 1: first_free = chunk // free/delete 2: first_free = chunk; double_freed − >next = first_free; double_freed − >next = first_free; first_free = first_free − >next; first_free = first_free − >next;

  26. double-free expansion // malloc/new 3: third malloc first/second malloc GOT entry: free (original fjrst free) (global) fjrst_free size next / double free’d object strcpy(result3, ...); result3 = first_free; 17 // free/delete 1: // malloc/new 2: strcpy(result1, ...); // + overwrite: result1 = first_free; // malloc/new 1: first_free = chunk // free/delete 2: first_free = chunk; double_freed − >next = first_free; double_freed − >next = first_free; first_free = first_free − >next; first_free = first_free − >next;

  27. double-free expansion // malloc/new 3: third malloc first/second malloc GOT entry: free (original fjrst free) (global) fjrst_free size next / double free’d object strcpy(result3, ...); result3 = first_free; 17 // free/delete 1: // malloc/new 2: strcpy(result1, ...); // + overwrite: result1 = first_free; // malloc/new 1: first_free = chunk // free/delete 2: first_free = chunk; double_freed − >next = first_free; double_freed − >next = first_free; first_free = first_free − >next; first_free = first_free − >next;

  28. double-free notes this attack has apparently not been possible for a while most malloc/new’s check for double-frees explicitly (e.g., look for a bit in size data) prevents this issue — also catches programmer errors pretty cheap 18

  29. beyond normal bufger overfmows pretty much every memory error is a problem will look at exploiting: ofg-by-one bufger overfmows (!) heap bufger overfmows double-frees use-after-free integer overfmows in size calculations 19

Recommend

13 - Computer Security Bufger Overfmows 1 Context

13 - Computer Security Bufger Overfmows 1 Context

13 - Computer Security Bufger Overfmows 1 Context General problem : unsanitized user input Low level language (eg C): overfmow a local array (bufger) Write over the stack! Overwrite

641 views • 24 slides
More Bufger Overfmows 1 midterm 1 kernel density plot; red lines: 25/50/75th perecentile; green

More Bufger Overfmows 1 midterm 1 kernel density plot; red lines: 25/50/75th perecentile; green

More Bufger Overfmows 1 midterm 1 kernel density plot; red lines: 25/50/75th perecentile; green line: mean 2 50 60 70 80 90 100 last time stack smashing particular exploit technique for bufger overfmows bufger overfmow = out-of-bounds

1.4k views • 71 slides
More Bufger Overfmows 1 on the homework due Friday + 1 week questions? big hint in assignment:

More Bufger Overfmows 1 on the homework due Friday + 1 week questions? big hint in assignment:

More Bufger Overfmows 1 on the homework due Friday + 1 week questions? big hint in assignment: gets is what does bufger overfmow reading the assembly should be fairly straightforward probably easiest strategy in this case debugger can fjnd

1.36k views • 98 slides
Software Security (I): Bufger-overfmow Attacks Dawn Song 1 Logistics New offjce hour

Software Security (I): Bufger-overfmow Attacks Dawn Song 1 Logistics New offjce hour

Computer Security Course. Dawn Computer Security Course. Dawn Song Song Software Security (I): Bufger-overfmow Attacks Dawn Song 1 Logistics New offjce hour Webcast Calcentral: select cs161 Dawn Song 2 Intro HTTP REQUEST

1.74k views • 41 slides
I/O / Filesystems 1 1 last time when LRU fails special-case for single-access fjle data

I/O / Filesystems 1 1 last time when LRU fails special-case for single-access fjle data

I/O / Filesystems 1 1 last time when LRU fails special-case for single-access fjle data readahead handle scans by predicting reads device driver halfs top: from system call, use bufger, request data, wait for data bottom: from interrupt,

1.13k views • 84 slides

More recommend