CS Computer Security Thirteenth topic: System attacks. defenses

Transcription

1 Overflows... Security case studies CS Computer Security Thirteenth topic: System attacks and defenses Hugh Anderson National University of Singapore School of Computing March/April, 2016 Hugh Anderson CS Computer Security Thirteenth topic: System attacks

2 System attacks

3 Outline Overflows... Security case studies 1 Overflows... Buffer overflow attacks Heartbleed (April 2014) 2 Security case studies DVD security Hugh Anderson CS Computer Security Thirteenth topic: System attacks

4 Outline Overflows... Security case studies 1 Overflows... Buffer overflow attacks Heartbleed (April 2014) 2 Security case studies DVD security Hugh Anderson CS Computer Security Thirteenth topic: System attacks

5 Outline Overflows... Security case studies Buffer overflow attacks Heartbleed (April 2014) 1 Overflows... Buffer overflow attacks Heartbleed (April 2014) 2 Security case studies DVD security Hugh Anderson CS Computer Security Thirteenth topic: System attacks

6 Windows (32-bit) memory allocation Several space options 0xffffffff 2G Option 3G Option 0xffffffff kernel 0xc xbfffffff 0x x7fffffff user 0x x The Kernel area of memory has the HAL, drivers, page tables... The User area contains your exe code, dlls, stacks...

7 Linux (32-bit) memory allocation 3G before kernel v2.6, 4G afterwards 0xffffffff 3G (before v2.6) 4G (after v2.6) 0xffffffff 0xc xbfffffff kernel 0x x7fffffff user 0x x The Kernel area of memory has drivers, system stacks, page tables... The User area contains executable code, libraries, stacks...

8 Windows process memory allocation...for 2G model... Windows user memory 0x x guard user 0x7fffffff 0x7ffeffff TEB, PEB, guard TEB and PEB are thread and process environment blocks. The 64K guard blocks are sacrificial... against bad pointer references.

9 Linux ELF format user segments Program, shared libraries, stack... Linux/ELF user memory stack bss data code malloc bss data code 0x x guard Program 0x C libraries 0x stack 0xbfffffff guard The malloc ed memory is above the program. As always, the stack grows downwards.

10 Memory attack 1: simple program (CS2107) Normal operation Buffer (512 bytes) Computer s Memory Arguments Variables Stack grows down... Stack Return address Overwrite the end of an array, with an "EGG" Computer s Memory Stack Arguments Variables Stack grows down... Return address

11 Smashing the stack - the payload! (CS2107) Contents of the payload Computer s Memory Stack The payload Multiple no op machine code Machine code for the exploit Multiple copies of Malicious return address

12 Payload code for an exploit A C program which calls a shell... #include <stdio.h> void main() { char *nm[2]; nm[0] = "/bin/sh"; nm[1] = NULL; execve(nm[0], nm, NULL); } movl string,string_addr movb $0x0,null_byte movl $0x0,null_addr movl $0xb,%eax movl string,%ebx leal string,%ecx leal null_string,%edx int $0x80 // OS call /bin/sh string goes here. At the left we see some C source code for running the program /bin/sh. On the right we see assembler code with extra OS nonsense removed. Note that the binary code program has zeroes in it, and these will have to be removed if strcpy is to copy the program onto the stack. We can use translations like: movb $0x0,null_byte xorl %eax,%eax movb eax, null_byte

13 Using the buffer overflow attack 3 examples of situations in which we can use it 1 A server (say a web server) that expects a query, and returns a response. The demo buffer overflow attack done in CS2107 was one of these. 2 A CGI/ASP or perl script inside a web server 3 A SUID root program on a UNIX system Example attack Find a program that has a buffer,... and that does not check its bounds. Then deliver an EGG to it to overflow the buffer. Overwrite stack return address with address of OUR code. The program then runs OUR code. Many attacks on Microsoft systems are based on various buffer overflow problems. CA W32/Blaster worm: The W32/Blaster worm exploits a vulnerability in Microsoft s DCOM RPC interface as described in VU# and CA Upon successful execution...

14 Overflows... Security case studies Buffer overflow attacks Heartbleed (April 2014) Memory attack 2: heap overflow (CS2107) The normal free() and merge... Chunk of free Chunk of free Merged (bigger) Chunk of free p[1] p[0] m[p[1]] is location that p1 points to. Chunk of in use Return this one: free() m[p[1]][1] Chunk of free Then merge the links (garbage collection) m[p[1]][0] is the forward pointer m[p[1]][1] is the backward pointer m[p[1]][0] Chunk of in use Chunk of in use Chunk of in use Note that merging involves setting m[p[1]][0] to have the value in p[0] The OS heap management software automatically rewrites the values of the forward and backward links, using the values in the next links. Hugh Anderson CS Computer Security Thirteenth topic: System attacks

15 Overflows... Security case studies Buffer overflow attacks Heartbleed (April 2014) Memory attack 2: heap overflow (CS2107) Consider the scenario where attacker changes pointers... Chunk of free Chunk of free Links all messed up now... Address of bad code Address of return vector Address of bad code Address of return vector The garbage collector writes the address of the bad code into the return vector. Chunk of in use Return this one: free() Chunk of in use Then merge the links (garbage collection) Later the return instruction is done (same as in buffer overflow), and the system starts executing bad code. Chunk of in use Chunk of in use Chunk of in use The attacker uses the OS GC to write the address of malicious code into a return-address location, as for the buffer overflow. Hugh Anderson CS Computer Security Thirteenth topic: System attacks

16 Stack, heap protection Three methods to make buffer overflow attacks harder: 1 Not allow execution of code in the stack segment (as in MacOSX/openBSD). 2 Randomly move the starting stack for processes. 3 Put a value just below the return address (a canary), and check it before doing a return from subroutine. It is hard to overwrite the return address without overwriting the canary. The Memory/Mitigations paper from CS2107 is relevant here - I will bring a copy of it to class. Windows 7 includes a wide range of protection against stack/heap overflows: They include the removal of commonly targeted data structures, heap entry metadata randomization, header is more complex, there are randomized heap base addresses, function pointer are encoded, as well as the normal DEP and ASLR.

17 Outline Overflows... Security case studies Buffer overflow attacks Heartbleed (April 2014) 1 Overflows... Buffer overflow attacks Heartbleed (April 2014) 2 Security case studies DVD security Hugh Anderson CS Computer Security Thirteenth topic: System attacks

18 OpenSSL Heartbeat What is a heartbeat in openssl? A heartbeat is a recent (February 2012) extension to TLS, to allow a client to check if a TLS server is still alive (rather than tearing down a connection and renegotiating). It is described in The general idea is that clients can request a heartbeat, sending a heartbeat_request message with this structure: struct { HeartbeatMessageType type; uint16 payload_length; opaque payload[payload_length];... } HeartbeatMessage; The server will send back the payload in a matching heartbeat_response. What is the issue? What if the client lied about the payload_length?

19 OpenSSL Heartbeat, Hearts bleed Request and response different...

20 OpenSSL Heartbeat Original openssl-1.0.1f/ssl/d1_both.c... /* Read type and payload length first */ hbtype = *p++; n2s(p, payload); pl = p;... The original source gets the type from the record that p points to, and puts it into hbtype. It then copies the next two bytes into the variable payload. This is the length of the payload, and is done without checking. The variable pl is the actual payload, which is later echoed, using the length value without any more checking. Fixed openssl-1.0.1g/ssl/d1_both.c... /* Read type and payload length first */ hbtype = *p++; n2s(p, payload); if ( payload + 16 > s->s3->rrec.length) return 0; /* silently discard */ pl = p;... (There is a little more, but that is the general idea).

21 Outline Overflows... Security case studies DVD security 1 Overflows... Buffer overflow attacks Heartbleed (April 2014) 2 Security case studies DVD security Hugh Anderson CS Computer Security Thirteenth topic: System attacks

22 DVD security What is the point of DVD regions? The DVD CSS is a Content Scrambling System - data encryption scheme, developed by commercial interests to stop copying... but it is easy to copy a DVD: CSS only prevents decrypting, changing and re-recording. The CSS algorithm details are a trade secret. There is a master set of 400 keys stored on every DVD, and the DVD player uses these to generate a key needed to decrypt data from the disc. LINUX and the CSS Linux users were excluded from access to CSS licenses because of the open-source nature of Linux. The source code for decoding DVDs is available on a T-shirt, because in October 1999, hobbyists/hackers in Europe cracked the CSS algorithm. Since then DVD industry players have been trying to prevent distribution of any software

23 DVD security What do we learn? The lesson to learn from this is that security-through-obscurity is a very poor strategy. The source code and detailed descriptions for a CSS descrambler is available at: dst/decss/gallery/ Description of the key/descrambling process: First one must have a master key, which is unique to the DVD player manufacturer. It is also known as a player key. The player reads an encrypted disk key from the DVD, and uses its player key to decrypt the disk key. Then the player reads the encrypted title key for the file to be played. (The DVD will likely contain multiple files, typically 4 to 8, each with its own title key.) It uses the decrypted disk key (DK) to decrypt the title key. Finally, the decrypted title key, TK, is used to descramble the actual content.

24 DVD security Confusion and diffusion... #define m(i)(x[i]^s[i+84])<< unsigned char x[5],y,s[2048];main(n){for(read(0,x,5);read(0,s,n=2048); write(1,s,n))if(s[y=s[13]%8+20]/16%4==1){int i=m(1)17^256+m(0)8,k=m(2) 0,j=m(4)17^m(3)9^k *2-k%8^8,a=0,c=26;for(s[y]-=16;--c;j*=2) a=a*2^i&1,i=i/2^j&1<<24;for(j=127;++j<n ;c=c>y)c+=y=i^i/8^i>>4^ i>>12,i=i>>8^y<<17,a^=a>>14,y=a^a*8^a<<6,a=a>>8^y<<9,k=s [j],k="7 Wo~ G_\216"[k&7]+2^"cr3sfw6v;*k+>/n."[k>>4]*2^k*257/8,s[j]=k^(k&k *2&34) *6^c+~y;}}