Lecture Outline. Beyond compilers. Language Security. Lecture 18. C Design Principles. Platitudes

Similar documents
Bypassing Browser Memory Protections in Windows Vista

Software Vulnerabilities

Software security. Buffer overflow attacks SQL injections. Lecture 11 EIT060 Computer Security

COMP 356 Programming Language Structures Notes for Chapter 10 of Concepts of Programming Languages Implementing Subprograms.

Quiz I Solutions MASSACHUSETTS INSTITUTE OF TECHNOLOGY Fall Department of Electrical Engineering and Computer Science

Bypassing Memory Protections: The Future of Exploitation

How to Sandbox IIS Automatically without 0 False Positive and Negative

GSM. Global System for Mobile Communications, Security in mobile phones. System used all over the world. Sikkerhed04, Aften Trusler

Stack Allocation. Run-Time Data Structures. Static Structures

SECURITY B-SIDES: ATLANTA STRATEGIC PENETRATION TESTING. Presented by: Dave Kennedy Eric Smith

Unix Security Technologies. Pete Markowsky <peterm[at] ccs.neu.edu>

Memory management. Announcements. Safe user input. Function pointers. Uses of function pointers. Function pointer example

Static Analysis of Virtualization- Obfuscated Binaries

Semantic Analysis: Types and Type Checking

Cataloguing and Avoiding the Buffer Overflow Attacks in Network Operating Systems

Transparent Monitoring of a Process Self in a Virtual Environment

Logistics. Software Testing. Logistics. Logistics. Plan for this week. Before we begin. Project. Final exam. Questions?

I Control Your Code Attack Vectors Through the Eyes of Software-based Fault Isolation. Mathias Payer, ETH Zurich

A Test Suite for Basic CWE Effectiveness. Paul E. Black.

CSCE 465 Computer & Network Security

Format string exploitation on windows Using Immunity Debugger / Python. By Abysssec Inc

Static Checking of C Programs for Vulnerabilities. Aaron Brown

Lecture Notes on Linear Search

Compiling Object Oriented Languages. What is an Object-Oriented Programming Language? Implementation: Dynamic Binding

Custom Penetration Testing

Secure Programming with Static Analysis. Jacob West

CS 6371: Advanced Programming Languages

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering

Introduction to Information Security

Stack Overflows. Mitchell Adair

Buffer Overflows. Code Security: Buffer Overflows. Buffer Overflows are everywhere. 13 Buffer Overflow 12 Nov 2015

Design of a secure system. Example: trusted OS. Bell-La Pdula Model. Evaluation: the orange book. Buffer Overflow Attacks

Embedded Programming in C/C++: Lesson-1: Programming Elements and Programming in C

Lecture 10: Dynamic Memory Allocation 1: Into the jaws of malloc()

CS 106 Introduction to Computer Science I

Lecture 22: C Programming 4 Embedded Systems

Static Taint-Analysis on Binary Executables

CS412/CS413. Introduction to Compilers Tim Teitelbaum. Lecture 20: Stack Frames 7 March 08

Oracle Solaris Studio Code Analyzer

Týr: a dependent type system for spatial memory safety in LLVM

Embedded Systems. Review of ANSI C Topics. A Review of ANSI C and Considerations for Embedded C Programming. Basic features of C

Crash Course in Java

Implementation Aspects of OO-Languages

Malware and Attacks Further reading:

Operator Overloading. Lecture 8. Operator Overloading. Running Example: Complex Numbers. Syntax. What can be overloaded. Syntax -- First Example

Illustration 1: Diagram of program function and data flow

Improving Software Security at the. Source

DEVELOPING SECURE SOFTWARE

Moving from CS 61A Scheme to CS 61B Java

Object-Oriented Design Lecture 4 CSU 370 Fall 2007 (Pucella) Tuesday, Sep 18, 2007

Testing for Security

How to Avoid an Attack - Security Testing as Part of Your Software Testing Process

EECS 354 Network Security. Introduction

How I Learned to Stop Fuzzing and Find More Bugs

Software Security Analysis - Execution Phase Audit

Lab Experience 17. Programming Language Translation

ASSURE: Automatic Software Self- Healing Using REscue points. Automatically Patching Errors in Deployed Software (ClearView)

Lecture 12: Software protection techniques. Software piracy protection Protection against reverse engineering of software

CSCI E 98: Managed Environments for the Execution of Programs

Habanero Extreme Scale Software Research Project

Molecular Dynamics Simulations with Applications in Soft Matter Handout 7 Memory Diagram of a Struct

SAFECode Security Development Lifecycle (SDL)

Some Anti-Worm Efforts at Microsoft. Acknowledgements

Scoping (Readings 7.1,7.4,7.6) Parameter passing methods (7.5) Building symbol tables (7.6)

Linux Kernel. Security Report

CS-XXX: Graduate Programming Languages. Lecture 25 Multiple Inheritance and Interfaces. Dan Grossman 2012

language 1 (source) compiler language 2 (target) Figure 1: Compiling a program

Organization of Programming Languages CS320/520N. Lecture 05. Razvan C. Bunescu School of Electrical Engineering and Computer Science

Java Interview Questions and Answers

Where s the FEEB? The Effectiveness of Instruction Set Randomization

Keil C51 Cross Compiler

Replication on Virtual Machines

Chapter 5 Names, Bindings, Type Checking, and Scopes

Homeland Security Red Teaming

Memory management basics (1) Requirements (1) Objectives. Operating Systems Part of E1.9 - Principles of Computers and Software Engineering

Chapter 15 Operating System Security

Return-oriented programming without returns

No no-argument constructor. No default constructor found

Fundamentals of Software Engineering

Bachelors of Computer Application Programming Principle & Algorithm (BCA-S102T)

Securing software by enforcing data-flow integrity

The programming language C. sws1 1

Off-by-One exploitation tutorial

Review and Exploit Neglected Attack Surface in ios 8. Tielei Wang, Hao Xu, Xiaobo Chen of TEAM PANGU

C# and Other Languages

Integrated Network Vulnerability Scanning & Penetration Testing SAINTcorporation.com

CSE 373: Data Structure & Algorithms Lecture 25: Programming Languages. Nicki Dell Spring 2014

Web application security: automated scanning versus manual penetration testing.

Sample Size and Power in Clinical Trials

Programming Project 1: Lexical Analyzer (Scanner)

D. Best Practices D.1. Assurance The 5 th A

Multithreading and Java Native Interface (JNI)!

Debugging. Common Semantic Errors ESE112. Java Library. It is highly unlikely that you will write code that will work on the first go

Data Structure Reverse Engineering

Why Do Software Assurance Tools Have Problems Finding Bugs Like Heartbleed?

Department of Electrical Engineering and Computer Science MASSACHUSETTS INSTITUTE OF TECHNOLOGY Operating System Engineering: Fall 2005

1) The postfix expression for the infix expression A+B*(C+D)/F+D*E is ABCD+*F/DE*++

Recursion. Definition: o A procedure or function that calls itself, directly or indirectly, is said to be recursive.

A Strategic Approach to Web Application Security

Transcription:

Lecture Outline Language Security Lecture 18 Beyond compilers Looking at other issues in programming language design and tools C Arrays Exploiting buffer overruns Detecting buffer overruns Prof. Aiken CS 143 Lecture 18 1 Prof. Aiken CS 143 Lecture 18 2 Platitudes Language design has influence on Safety Efficiency Security C Design Principles Small language Maximum efficiency Safety less important Designed for the world in 1972 Weak machines Trusted networks Prof. Aiken CS 143 Lecture 18 3 Prof. Aiken CS 143 Lecture 18 4 Arrays in C char buffer[100]; C Array Operations char buf1[100], buf2[100]; Declares and allocates an array of 100 chars 0 1 2 99 Write: buf1[0] = a ; Read: return buf2[0]; Prof. Aiken CS 143 Lecture 18 5 Prof. Aiken CS 143 Lecture 18 6 1!

What s Wrong with this Picture? Indexing Out of Bounds int i = 0; for(i = 0; buf1[i]!= \0 ; i++) { buf2[i] = buf1[i]; } buf2[i] = \0 ; The following are all legal C and may generate no run-time errors char buffer[100]; buffer[-1] = a ; buffer[100] = a ; buffer[100000] = a ; Prof. Aiken CS 143 Lecture 18 7 Prof. Aiken CS 143 Lecture 18 8 Why? Code Generation for Arrays Why does C allow out of bounds array references? Proving at compile-time that all array references are in bounds is very difficult (impossible in C) Checking at run-time that all array references are in bounds is expensive buf1[i] = 1; /* buf1 has type int[] */ r1 = load &buf1; r2 = load i; r3 = r2 * 4; r4 = r1 + r3 store r4, 1 Prof. Aiken CS 143 Lecture 18 9 Prof. Aiken CS 143 Lecture 18 10 Discussion 5 instructions worst case Often &buf1 and i already in registers Saves 2 instructions Many machines have indirect loads/stores store r1[r3], 1 Saves 1 instruction Best case 2 instructions Offset calculation and memory operation Code Generation for Arrays with Bounds Checks buf1[i] = 1; /* buf1 has type int[] */ r1 = load &buf1; r2 = load i; r3 = r2 * 4; if r3 < 0 then error; r5 = load limit of buf1; if r3 >= r5 then error; r4 = r1 + r3 store r4, 1 Prof. Aiken CS 143 Lecture 18 11 Prof. Aiken CS 143 Lecture 18 12 2!

Discussion Lower bounds check can often be removed Easy to prove statically that index is positive Upper bounds check hard to remove Leaves a conditional in instruction stream In C, array limits not stored with array Knowing the array limit for a given reference is non-trivial C vs. Java C array reference typical case Offset calculation Memory operation (load or store) Java array reference typical case Offset calculation Memory operation (load or store) Array bounds check Type compatibility check (for stores) Prof. Aiken CS 143 Lecture 18 13 Prof. Aiken CS 143 Lecture 18 14 Buffer Overruns A buffer overrun writes past the end of an array Buffer usually refers to a C array of char But can be any array So who s afraid of a buffer overrun? Can damage data structures Cause a core dump What else? Prof. Aiken CS 143 Lecture 18 15 Stack Smashing Buffer overruns can alter the control flow of your program! char buffer[100]; /* stack allocated array */ Prof. Aiken CS 143 Lecture 18 16 An Overrun Vulnerability An Interesting Idea void foo(char buf1[]) { char buf2[100]; int i = 0; } for(i = 0; buf1[i]!= \0 ; i++) { buf2[i] = buf1[i]; } buf2[i] = \0 ; Prof. Aiken CS 143 Lecture 18 17 char buf[104] = {,,, magic 4 chars } foo(buf); (**) Foo entry (**) Foo exit magic 4 chars Prof. Aiken CS 143 Lecture 18 18 3!

Discussion The Rest of the Story So we can make foo jump wherever we like. How is this possible? Unanticipated interaction of two features: Unchecked array operations Stack-allocated arrays Knowledge of frame layout allows prediction of where array and return address are stored Note the magic cast from char s to an address Prof. Aiken CS 143 Lecture 18 19 We can make foo jump anywhere. But where is a useful place to jump? Idea: Put our own code in the buffer and jump there! Prof. Aiken CS 143 Lecture 18 20 The Plan char buf[104] = { 104 magic chars } foo(buf); Details exec /bin/sh Easy to write in assembly code Make all jumps relative Foo exit exec /bin/sh Be careful not to have null s in the code (why?) Prof. Aiken CS 143 Lecture 18 21 Prof. Aiken CS 143 Lecture 18 22 More Details Overwrite return address with start of buffer Harder Need to guess where buffer in called routine starts (trial & error) Pad front of buffer with NOPs Guess need not be exact; just land somewhere in NOPs And More Details Overwrite return address Don t need to know exactly where return address is Just pad end of buffer with multiple copies of new return address X char buf[104] = NOPS /bin/exec sh XXXXXXXXXX foo(buf); Prof. Aiken CS 143 Lecture 18 23 Prof. Aiken CS 143 Lecture 18 24 4!

The State of C Programming Buffer overruns are common Programmers must do their own bounds checking Easy to forget or be off-by-one or more Program still appears to work correctly In C wrt to buffer overruns Easy to do the wrong thing Hard to do the right thing The State of Hacking Buffer overruns widely known since the 1980 s Remain a popular attack today Highly automated toolkits available to exploit known buffer overruns Search for buffer overruns yields > 100,000 hits Prof. Aiken CS 143 Lecture 18 25 Prof. Aiken CS 143 Lecture 18 26 The Sad Reality Even well-known buffer overruns are still exploited Hard to get people to upgrade millions of vulnerable machines We assume that there are many more unknown buffer overrun vulnerabilities At least unknown to the good guys How Do We Prevent Buffer Overruns? Many proposed techniques! A research Rorschach test A brief survey Language design Static analysis Dynamic analysis Prof. Aiken CS 143 Lecture 18 27 Prof. Aiken CS 143 Lecture 18 28 Language Design Enforce data abstractions! How? Type safety The guarantee that if e:t, then e evaluates to a value of type T No unsafe casts Memory safety Array bounds checking No computation on pointers Automatic memory management Prof. Aiken CS 143 Lecture 18 29 Tools for Static Memory Safety Bug finding tools Detect common patters of buffer overruns Use heuristics Focus on scenarios likely to be real overruns, rather than obscure scenarios that might not be Avoid false positives Verification Formally prove memory safety Can require deep understanding of the program s semantics Prof. Aiken CS 143 Lecture 18 30 5!

Dynamic Memory Safety Summary Many proposals Sandboxing Confine all memory references in the program to it s own data space Guarantees damage is limited to the program itself Code and data randomization Give everyone a slightly different binary and data layout Variation minimizes chances an attack can work on all copies of a program Programming language knowledge useful beyond compilers Useful for programmers Understand what you are doing! Useful for tools other than compilers Big research direction Prof. Aiken CS 143 Lecture 18 31 Prof. Aiken CS 143 Lecture 18 32 6!

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information