CS 475: Lecture 3 Software Vulnerabilities. Rachel Greenstadt April 14, 2015

Similar documents
Introduction to Information Security

Software Vulnerabilities

Buffer Overflows. Code Security: Buffer Overflows. Buffer Overflows are everywhere. 13 Buffer Overflow 12 Nov 2015

Software security. Buffer overflow attacks SQL injections. Lecture 11 EIT060 Computer Security

CSCE 465 Computer & Network Security

Design of a secure system. Example: trusted OS. Bell-La Pdula Model. Evaluation: the orange book. Buffer Overflow Attacks

Format string exploitation on windows Using Immunity Debugger / Python. By Abysssec Inc

CSE331: Introduction to Networks and Security. Lecture 15 Fall 2006

Defense in Depth: Protecting Against Zero-Day Attacks

Unix Security Technologies. Pete Markowsky <peterm[at] ccs.neu.edu>

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering

Assembly Language: Function Calls" Jennifer Rexford!

Bypassing Memory Protections: The Future of Exploitation

Bypassing Browser Memory Protections in Windows Vista

Stack Overflows. Mitchell Adair

Where s the FEEB? The Effectiveness of Instruction Set Randomization

telnetd exploit FreeBSD Telnetd Remote Exploit Für Compass Security AG Öffentliche Version 1.0 Januar 2012

Hacking Techniques & Intrusion Detection. Ali Al-Shemery arabnix [at] gmail

SECURITY B-SIDES: ATLANTA STRATEGIC PENETRATION TESTING. Presented by: Dave Kennedy Eric Smith

Defending Computer Networks Lecture 3: More On Vulnerabili3es. Stuart Staniford Adjunct Professor of Computer Science

Malware: Malicious Code

Exploiting Format String Vulnerabilities

Computer Systems Architecture

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 20: Stack Frames 7 March 08

Sapphire/Slammer Worm. Code Red v2. Sapphire/Slammer Worm. Sapphire/Slammer Worm. Sapphire/Slammer Worm. Why Was Slammer So Fast?

Cataloguing and Avoiding the Buffer Overflow Attacks in Network Operating Systems

Introduction to computer and network security. Session 2 : Examples of vulnerabilities and attacks pt1

Working with Buffers

How to Sandbox IIS Automatically without 0 False Positive and Negative

Lecture 7: Machine-Level Programming I: Basics Mohamed Zahran (aka Z)

I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation. Mathias Payer, ETH Zurich

EECS 354 Network Security. Introduction

Advanced IBM AIX Heap Exploitation. Tim Shelton V.P. Research & Development HAWK Network Defense, Inc. tshelton@hawkdefense.com

Exceptions in MIPS. know the exception mechanism in MIPS be able to write a simple exception handler for a MIPS machine

GSM. Global System for Mobile Communications, Security in mobile phones. System used all over the world. Sikkerhed04, Aften Trusler

Return-oriented programming without returns

CSC 2405: Computer Systems II

Module 26. Penetration Testing

SECURITY APPLICATIONS OF DYNAMIC BINARY TRANSLATION DINO DAI ZOVI THESIS. Submitted in Partial Fulfillment of the Requirements for the Degree of

X86-64 Architecture Guide

Hotpatching and the Rise of Third-Party Patches

X05. An Overview of Source Code Scanning Tools. Loulwa Salem. Las Vegas, NV. IBM Corporation IBM System p, AIX 5L & Linux Technical University

From SQL Injection to MIPS Overflows

Custom Penetration Testing

Chapter 7D The Java Virtual Machine

CVE Adobe Flash Player Integer Overflow Vulnerability Analysis

Last Class: OS and Computer Architecture. Last Class: OS and Computer Architecture

Exploiting nginx chunked overflow bug, the undisclosed attack vector

FINAL DoIT v.4 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS APPLICATION DEVELOPMENT AND MAINTENANCE PROCEDURES

Attacking Host Intrusion Prevention Systems. Eugene Tsyrklevich

MUTATION-BASED TESTING OF BUFFER OVERFLOWS, SQL INJECTIONS, AND FORMAT STRING BUGS

Syscall Proxying - Simulating remote execution Maximiliano Caceres <maximiliano.caceres@corest.com> Copyright 2002 CORE SECURITY TECHNOLOGIES

CS61: Systems Programing and Machine Organization

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

Embedded Systems. Review of ANSI C Topics. A Review of ANSI C and Considerations for Embedded C Programming. Basic features of C

MIPS Assembly Code Layout

MWR InfoSecurity Advisory. Interwoven Worksite ActiveX Control Remote Code Execution. 10 th March Contents

CS Computer Security Thirteenth topic: System attacks. defenses

Buffer Overflows. Security 2011

How To Protect Your Computer From Being Copied On A Microsoft X86 Microsoft Microsoft System (X86) On A Linux System (Amd) On An X (Amd2) (X64) (Amd

Hands-on Hacking Unlimited

Practical taint analysis for protecting buggy binaries

More MIPS: Recursion. Computer Science 104 Lecture 9

Stack machines The MIPS assembly language A simple source language Stack-machine implementation of the simple language Readings:

Application. Application Layer Security. Protocols. Some Essentials. Attacking the Application Layer. SQL Injection

Topics. Virus Protection and Intrusion Detection. What is a Virus? Three related ideas

Advanced Systems Security

Bypassing Windows Hardware-enforced Data Execution Prevention

How To Port A Program To Dynamic C (C) (C-Based) (Program) (For A Non Portable Program) (Un Portable) (Permanent) (Non Portable) C-Based (Programs) (Powerpoint)

Learning Course Curriculum

The C Programming Language course syllabus associate level

Instruction Set Architecture

Off-by-One exploitation tutorial

1) The postfix expression for the infix expression A+B*(C+D)/F+D*E is ABCD+*F/DE*++

An Implementation of a Tool to Detect Vulnerabilities in Coding C and C++

Leak Check Version 2.1 for Linux TM

Exploiting Format String Vulnerabilities

CEN 559 Selected Topics in Computer Engineering. Dr. Mostafa H. Dahshan KSU CCIS

Combining Static Source Code Analysis and Threat Assessment Modeling For Testing Open Source Software Security

KEN VAN WYK. Fundamentals of Secure Coding and how to break Software MARCH 19-23, 2007 RESIDENZA DI RIPETTA - VIA DI RIPETTA, 231 ROME (ITALY)

Example of Standard API

The programming language C. sws1 1

CS 161 Computer Security

Computer security Lecture 06

風 水. Heap Feng Shui in JavaScript. Alexander Sotirov.

Informatica e Sistemi in Tempo Reale

Summary of the SEED Labs For Authors and Publishers

BLENDED ATTACKS EXPLOITS, VULNERABILITIES AND BUFFER-OVERFLOW TECHNIQUES IN COMPUTER VIRUSES

CS 155 Final Exam. CS 155: Spring 2013 June 11, 2013

Operating System Structures

MSc Computer Science Dissertation

Exploits: XSS, SQLI, Buffer Overflow

Return-oriented Programming: Exploitation without Code Injection

Enlisting Hardware Architecture to Thwart Malicious Code Injection

Certified Ethical Hacker (CEH) Ethical Hacking & Counter Measures Course 9962; 5 Days, Instructor-Led

How To Understand How A Process Works In Unix (Shell) (Shell Shell) (Program) (Unix) (For A Non-Program) And (Shell).Orgode) (Powerpoint) (Permanent) (Processes

3. Broken Account and Session Management. 4. Cross-Site Scripting (XSS) Flaws. Web browsers execute code sent from websites. Account Management

Malware and Attacks Further reading:

It is the thinnest layer in the OSI model. At the time the model was formulated, it was not clear that a session layer was needed.

Betriebssysteme KU Security

Transcription:

CS 475: Lecture 3 Software Vulnerabilities Rachel Greenstadt April 14, 2015

Types of Software Vulnerabilities Databases : SQL Injection Web apps : XSS Broken crypto Buffer overflows (and related bugs) And more

History : Morris Worm Worm was released in 1988 by Robert Morris Graduate student at Cornell, son of NSA chief scientist Convicted under Computer Fraud and Abuse Act, sentenced to 3 years of probation and 400 hours of community service Now an EECS professor at MIT (advised my Masters thesis) Worm was intended to propagate slowly and harmlessly measure the size of the Internet Due to a coding error, it created new copies as fast as it could and overloaded infected machines $10-100M worth of damage

Buffer Overflows and Morris Work One of the worm s propagation techniques was a buffer overflow attack against a vulnerable version of fingerd on VAX systems By sending special string to finger daemon, worm caused it to execute code creating a new worm copy Unable to determine remote OS version, worm also attacked fingerd on Suns running BSD, causing them to crash (instead of spawning a new copy) CERT formed to deal with the new threat of software vulnerabilities

Buffer Overflows Common type of vulnerability Often most common (depending on how you measure it) Tend to be critical as well enable machine compromise

Memory buffer vulnerabilities Buffer is a data storage area inside computer memory (stack or heap) Intended to hold pre-defined amount of data If more data is stuffed into it, it spills into adjacent memory If executable code is supplied as data, victim s machine may be fooled into executing it we ll see how Code will self-propagate or give attacker control over machine First generation exploits: stack smashing Second gen: heaps, function pointers, off-by-one Third generation: format strings and heap management structures

Software exploits/ Project 1 Before you can understand stack exploits, you have to know something about computer architecture For project 1, you have to know x86 (IA-32) So we ll do some review

Procedures Operating system runs programs as concurrently executed procedures The OS calls a program as a procedure to execute the program and the program returns control to the OS when it completes. The call to execute the procedure is a branch instruction to the beginning of the procedure. When the procedure finishes, a second branch instruction returns to the instruction immediately following the procedure call. The return address must be saved before the procedure is called. The steps in the transfer of control to execute a procedure are 1. Save the return address 2. Call procedure (using a branch instruction). 3. Execute the procedure. 4. Return from the procedure (branch to the return address).

Nested procedure jal: jump and link jr: jump register $ra return address When the jal B instruction is executed, the return address in register $ra for procedure A will be overwritten with the return address for procedure B. Procedure B will return correctly to A, but when procedure A executes the jr instruction, it will return again to the return address for B, which is the next instruction after jal B in procedure A. This puts procedure A in an infinite loop. To implement the linkage for nested procedures, the return address for each procedure must be saved somewhere other than register $ra. Note that the procedure call/return sequence is a LIFO process: the last procedure called is the first to return. A stack is the natural data structure for saving the return addresses for nested procedure calls.

System Stack The system stack provides a convenient mechanism for dynamically allocating storage for the various data associated with the execution of a procedure including: parameters saved registers local variables return address The system stack is located at the top of the user memory space and grows downward toward smaller memory addresses. Register $esp is the stack pointer to the system stack. It contains the address of the first empty location at the top of the stack.

Linux process memory layout %esp user stack 0xC0000000 brk Loaded from exec shared libraries run time heap unused 0x40000000 0x08048000 0

System stack The frame pointer is stored in register $ebp, also called $fp. A stack frame consists of the memory on the stack between the frame pointer and the stack pointer.

IA-32 Registers $esp : Stack Pointer (SP) : points to the top of the stack (lowest mem addr) Points to last used word in stack or next available word location on stack (implementation dependent) $ebp : Frame Pointer (FP) : points to fixed location within an activation record (stack frame) If $ebp for some stack frame is stored at addr X then $eip for that frame is stored at addr X + 4 Used to reference local vars and parameters since the distance from those to the frame pointer will not change whereas the distance from those to the stack pointer will (as other functions are called and the stack pointer is decrem d ) $eip : instruction pointer (aka $ra) The instruction pointer (EIP) register contains the offset in the current code segment for the next instruction to be executed.

Calling procedures (IA-32) When CALL procedure p() Push eip : the return address ($ra) Push ebp : saves previous frame pointer Copy sp into fp : ebp = esp The new stack frame s frame pointer will be the previous value of the stack pointer Advance sp (esp) for allocations on stack (that is, decrement it) When LEAVE procedure p(), This process is reversed Load ebp into esp Restore ebp from the stack

Interaction between EIP, EBP, ESP During CALL, value of eip register pushed onto stack Before RET, programmer should make sure that stack pointer (esp) is pointing to the eip on the stack; does this via: Move contents of $ebp into $esp Increment $esp by 4 $esp should now point to (contain addy of) $eip RET will load the value stored in $esp into the $eip

Linux process memory layout %esp user stack 0xC0000000 brk Loaded from exec shared libraries run time heap unused 0x40000000 0x08048000 0

What are buffer overflows? Suppose a web server contains a function: void func(char *str) { char buf[128]; /* Allocate local buffer 128 bytes reserved on stack */ strcpy(buf, str); /* Copy argument into local buffer */ d o - s o m e t h i n g ( b u f ) ; } When the function is invoked, a new frame with local variables is pushed onto the stack:

What if buffer is overstuffed? Memory pointed to by str is copied onto the stack void func(char *str) { char buf[128]; strcpy(buf, str); /*strcpy does not check sizeof buf */ d o - s o m e t h i n g ( b u f ) ; } If a string longer than 128 byes is written into buf it will overwrite adjacent memory locations: These are often the saved registers!

Buffer Overflows void function(char *str) { char buffer[8]; strcpy(buffer,str); } void main() { char large_string[256]; int i; for( i = 0; i < 255; i++) large_string[i] = 'A'; function(large_string); }

Buffer Overflows

Buffer Overflows

Buffer Overflows

Buffer Overflows

Buffer Overflows

Buffer Overflows

Buffer Overflows

Buffer Overflows

Executing Attack Code Suppose buffer contains attacker-created string For example, *str contains a string read from the network as input to network daemon When function exits, code in the buffer will be executed, giving attacker a shell Root shell if the victim program is setuid root

Exploiting a Real Program It s easy to execute our attack when we have the source code What about when we don t? How will we know what our return address should be?

How to find Shellcode 1.Guess - time consuming - being wrong by 1 byte will lead to segmentation fault or invalid instruction

How to find Shellcode 2. Pad shellcode with NOP s then guess - we don t need to be exactly on - much more efficient

Small Buffer Overflows If the buffer is smaller than our shellcode, we will overwrite the return address with instructions instead of the address of our code Solution: place shellcode in an environment variable then overflow the buffer with the address of this variable in memory Can make environment variable as large as you want Only works if you have access to environment variables

Many unsafe C lib functions strcpy (char *dest, const char *src) strcat (char *dest, const char *src) gets (char *s) scanf ( const char *format, ) Safe versions strncpy(), strncat() are misleading strncpy() may leave buffer unterminated. strncpy(), strncat() encourage off by 1 bugs.

Exploiting buffer overflows Suppose web server calls func() with given URL. Some complications: Sample remote buffer overflows of this type: Attacker sends a 200 byte URL. Gets shell on web server Program P should not contain the \0 character. Overflow should not crash program before func() exists. (2005) Overflow in MIME type field in MS Outlook. (2005) Overflow in Symantec Virus Detection Set test = CreateObject("Symantec.SymVAFileQuery.1") test.getprivateprofilestring "file", [long string]

/* Allocate memory for the response, size is 1 byte * message type, plus 2 bytes payload length, plus * payload, plus padding */ buffer = OPENSSL_malloc(1 + 2 + payload + padding); bp = buffer; /* Enter response type, length and copy payload */ *bp++ = TLS1_HB_RESPONSE; s2n(payload, bp); memcpy(bp, pl, payload); bp += payload; /* Random padding */ RAND_pseudo_bytes(bp, padding); r = dtls1_write_bytes(s, TLS1_RT_HEARTBEAT, buffer, 3 + payload + padding);

Off-by-one Overflow 1-byte overflow: can t change RET, but can change pointer to previous stack frame On little-endian architecture, make it point into buffer RET for previous function will be read from buffer!

Other types of overflow attacks Integer overflows: (e.g. MS DirectX MIDI Lib) Phrack60 void func(int a, char v) { char buf[128]; init(buf); buf[a] = v; } Problem: a can point to `ret-addr on stack. Double free: double free space on heap. Can cause mem mgr to write data to specific location Examples: CVS server (2003) Other heap bugs seen in IE 2008 and adobe PDF zero days

Format string problem int func(char *user) { } fprintf( stdout, user); Problem: what if user = %s%s%s%s%s%s%s?? Most likely program will crash: DoS. If not, program will print memory contents. Privacy? Full exploit using user = %n Correct form: int func(char *user) { fprintf( stdout, %s, user); }

History First exploit discovered in June 2000. Examples: wu-ftpd 2.* : Linux rpc.statd: IRIX telnetd: BSD chpass: remote root remote root remote root local root

Vulnerable functions Any function using a format string. Printing: printf, fprintf, sprintf, vprintf, vfprintf, vsprintf,

Exploit Dumping arbitrary memory: Walk up stack until desired pointer is found. printf( %08x.%08x.%08x.%08x %s ) Writing to arbitrary memory: printf( hello %n, &temp) -- writes 6 into temp. printf( %08x.%08x.%08x.%08x.%n )

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information