A Tool for Pro-active Defense Against the Buffer Overrun Attack
D. Bruschi, E. Rosti, R. Banfi
Presented By: Warshavsky Alex
Overview
• Introduction
• General Background
• The Attack
• Buffer Overrun Detector
• Existing Solutions
• Conclusions
Computer Security Problems
• Security unconscious design
• Programming errors
  – Buffer overruns
  – Buffer overflow
  – Stack smashing
Why let it happen?
• Language flexibility
• Language efficiency
• As a result ... everything is left to the programmer
Motivation
• Login program, late 70's
• Internet Worm, November 1988
• CERT-CC (Computer Emergency Response Team Coordination Center), 1997: 15 of 28 bugs
What is needed to solve the problem?
• Compiler tools
• Static analysis tools
• Buffer Overrun Detector
General Background, or why buffer overruns are a security issue
• Unix Access Control System
• Function call execution model
• C Language
Unix Access Control System
• Who owns the process?
  – Real user identifier (ruid)
  – Effective user identifier (euid)
• setuid() system call
File mode bits: suid sgid sticky | Owner: R W X | Group: R W X | Other: R W X
Function Call Execution Model
Figure: process in memory, from low addresses to high addresses: text, initialized data, bss, heap, user stack; at the top of the stack region sit argc, the argv pointers, the env pointers, the argv strings and the env strings.
Function call:
• parameters
• return address
• stack pointer
• frame pointer
• local variables
C Language
• Considered as a high level assembly
• Easy to make a mistake
• Easy to forget ...
• Libraries aren't safe
The Attack
• Pass the execve("/bin/sh", NULL) object code:

```c
char shellcode[] =
    "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    "\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    "\x80\xe8\xdc\xff\xff\xff/bin/sh";
```

• Overwrite the return address
• Hope your code will be executed
• Don't forget the SUID bit and super user privilege level
• Stack is executable!!!
An example

```c
#include <string.h>

void my_func(int a, char *buff)
{
    char buf1[6];
    a = 4;
    strcpy(buf1, buff);   /* 20 bytes (19 characters plus NUL) copied into a 6-byte buffer: the overrun */
}

int main(void)
{
    char *string = "buffer overflow!!!!";
    int i;
    i = 5;
    my_func(i, string);
    i = 3;
    return 0;
}
```

Figure: the stack before my_func runs. main's frame holds i = 5 and the pointer string, which refers to the bytes of "buffer overflow!!!!" (drawn as the words "buff", "er o", "verf", "low!", "!!!\0"); heap and bss lie at lower addresses. Arrows mark the program counter, frame pointer and stack pointer.
An example
Figure: after the call, my_func's frame has been pushed below main's (towards lower addresses): the parameter *buff, a = 5, the return address, the saved frame pointer and the local buf1. The frame pointer and stack pointer now point into this frame.
An example
Figure: the assignment a = 4 has executed; the parameter slot now reads a = 4 and everything else is unchanged.
An example
Figure: after strcpy(buf1, buff). buf1 holds "buff" and "er o"; the remaining words "verf", "low!" and "!!!\0" have spilled upward over the saved frame pointer, the return address and the slot above it. When my_func returns, the corrupted return address is what gets loaded into the program counter.
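As an added defensive counterpart to the slide's my_func (my own example, not code from the paper or the presentation), the same function with the unbounded strcpy replaced by an explicit fit check; the name my_func_safe and the return-code convention are assumptions:

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hardened replacement for the slide's my_func. The input is scanned only as
 * far as buf1 can hold, and rejected when no terminator is found in that
 * range, so the unbounded write never happens.
 * Returns 0 on success, -1 when the input would overrun buf1. */
int my_func_safe(int a, const char *buff)
{
    char buf1[6];
    /* memchr stops at the first NUL, so it never reads more than sizeof buf1 bytes
     * of the input and never reads past a shorter, properly terminated string. */
    const char *nul = memchr(buff, '\0', sizeof buf1);
    size_t len;

    a = 4;
    if (nul == NULL)
        return -1;                  /* "buffer overflow!!!!" lands here: 20 bytes > 6 */
    len = (size_t)(nul - buff);
    memcpy(buf1, buff, len + 1);    /* copies the terminator too; fits by construction */
    printf("a = %d, buf1 = \"%s\"\n", a, buf1);
    return 0;
}

int main(void)
{
    char *string = "buffer overflow!!!!";   /* the slide's input */
    int i = 5;

    if (my_func_safe(i, string) != 0)
        printf("rejected: input does not fit in buf1\n");
    my_func_safe(i, "hello");                 /* 5 characters plus NUL fit exactly */
    return 0;
}
```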
Another example

```c
#include <stdio.h>

void __stdcall foo(int a, int b);

int main(void)
{
    int num;
    num = 5;
    foo(num, num + 1);
    num = 1;
    printf("num is now %d \n", num);
    return 0;
}

/* 32-bit x86, MSVC __stdcall frame: two words below the parameter b sits the
 * saved return address. Adding 7 makes main resume just after its 7-byte
 * "num = 1" store, so that assignment is skipped without any buffer involved. */
void __stdcall foo(int a, int b)
{
    int *p;
    p = &b;
    p -= 2;
    (*p) += 7;
}
```

Output: num is now 5
Buffer Overrun Detector
• Finding Critical Programs
• Searching for Segmentation Violation
• Exploiting Segmentation Violation
Finding Critical Programs
• setuid to root programs
• accept input parameters
• access environment variables
• configuration file
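The first criterion above (programs setuid to root) can be inventoried mechanically on a host as a hardening check. The following added example is not part of the paper's tool: it walks a directory tree with POSIX opendir/lstat and reports such files. The helper names is_critical and audit_setuid and the starting directory /usr/bin are assumptions.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* The slide's first criterion as a pure predicate (testable on a constructed
 * struct stat): a regular file with the set-user-ID bit, owned by `owner` (0 = root). */
int is_critical(const struct stat *sb, uid_t owner)
{
    return S_ISREG(sb->st_mode) && (sb->st_mode & S_ISUID) != 0 && sb->st_uid == owner;
}

/* Recursive inventory under `dir` (lstat: symlinks are not followed). Prints each
 * hit and returns the count, or -1 if `dir` cannot be opened. Hypothetical helper. */
long audit_setuid(const char *dir, uid_t owner)
{
    char path[4096];
    struct dirent *de;
    struct stat sb;
    long found = 0, sub;
    DIR *d = opendir(dir);
    if (d == NULL)
        return -1;
    while ((de = readdir(d)) != NULL) {
        if (strcmp(de->d_name, ".") == 0 || strcmp(de->d_name, "..") == 0)
            continue;
        if (snprintf(path, sizeof path, "%s/%s", dir, de->d_name) >= (int)sizeof path)
            continue;                     /* path too long: skip rather than truncate */
        if (lstat(path, &sb) != 0)
            continue;                     /* unreadable entry: skip */
        if (S_ISDIR(sb.st_mode)) {
            if ((sub = audit_setuid(path, owner)) > 0)
                found += sub;
        } else if (is_critical(&sb, owner)) {
            printf("setuid program: %s (mode %04o)\n", path, (unsigned)(sb.st_mode & 07777));
            found++;
        }
    }
    closedir(d);
    return found;
}

int main(void)
{
    long n = audit_setuid("/usr/bin", 0);   /* sweep one typical directory for setuid-root programs */
    printf("%ld setuid-root program(s) under /usr/bin\n", n);
    return 0;
}
```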
Searching for Segmentation Violation
• Large inputs
• Brute force approach
Exploiting Segmentation Violation
• Finding the stack location containing the return address
• Finding the new value for the return address
Existing Solutions
• Compiler patches
• Library patches
• Operating System patches
• Writing safe code!
Compiler Patches
• Compile time bound checks
• Run time checks on pointer manipulation
• Examples
  – GCC patch at Imperial College (2-3, 30)
  – Purify, memory accesses (5)
  – StackGuard - return address
  – MemGuard - memory accesses
StackGuard

```c
#include <string.h>

void my_func(int a, char *buff)
{
    char buf1[2];
    a = 4;
    strcpy(buf1, buff);   /* 20 bytes copied into a 2-byte buffer */
}

int main(void)
{
    char *string = "buffer overflow!!!!";
    int i;
    i = 5;
    my_func(i, string);
    i = 3;
    return 0;
}
```

Figure: the same stack as in the earlier example, but StackGuard's prologue has placed a CANARY word between the return address and the saved frame pointer, above buf1. The assignment a = 4 has executed and strcpy has not yet run.
StackGuard
Figure: after strcpy(buf1, buff). buf1 holds "buff" and "er o"; "verf" has overwritten the saved frame pointer, "low!" the CANARY and "!!!\0" the return address. Because the canary no longer matches, the epilogue check fails before the corrupted return address can be used.
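To make the canary check concrete, here is an added software model of the frame in the two slides above (my own example, not StackGuard's implementation): a struct laid out like the figure, the slide's unbounded copy, and the epilogue check. The canary and return-address values are constructed samples.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Software model of the frame on the StackGuard slide. Members sit at increasing
 * addresses, so bottom-to-top the layout is the figure's: buf1, saved frame
 * pointer, CANARY, return address. */
struct guarded_frame {
    char     buf1[8];   /* the local buffer (8, not the slide's 2, so the words stay aligned) */
    uint32_t saved_fp;
    uint32_t canary;    /* written by the prologue, checked by the epilogue */
    uint32_t ret_addr;
};

#define CANARY   0x5A3C9E17u   /* constructed; StackGuard picks its own at run time */
#define RET_ADDR 0x080484C2u   /* constructed sample return address */

/* The slide's unchecked strcpy(buf1, buff): the whole string, terminator included,
 * is written from buf1 upward. Clamped to the frame so the model itself never
 * writes outside the struct. */
static void unchecked_copy(struct guarded_frame *f, const char *src)
{
    size_t n = strlen(src) + 1;
    if (n > sizeof *f) n = sizeof *f;
    memcpy((unsigned char *)f, src, n);   /* (unsigned char *)f is &f->buf1[0] */
}

/* The epilogue check StackGuard inserts before the return: 1 intact, 0 clobbered. */
int canary_intact(const struct guarded_frame *f)
{
    return f->canary == CANARY;
}

/* Runs one input through the frame. Returns 1 if the canary check would stop the
 * return, 0 if it would proceed; *ret_clobbered reports whether ret_addr changed. */
int run_frame(const char *input, int *ret_clobbered)
{
    struct guarded_frame f = { {0}, 0xBFFFF7A0u, CANARY, RET_ADDR };   /* prologue */
    unchecked_copy(&f, input);
    *ret_clobbered = (f.ret_addr != RET_ADDR);
    return !canary_intact(&f);
}

int main(void)
{
    int clobbered, caught = run_frame("buffer overflow!!!!", &clobbered);   /* the slide's input */
    printf("canary check caught overrun: %d, return address clobbered: %d\n", caught, clobbered);
    return 0;
}
```

The model also shows the layout's blind spot: an input of nine to twelve characters overruns only the saved frame pointer and leaves the canary intact, which is why later stack protectors place the canary below the saved registers.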
Library Patches
• Assembly coded integrity checks
• Almost no performance impact
• But ...
  – User functions aren't checked!
  – Portability is limited
Operating System Patches
• Making stack non executable
• Program protection at no cost
• But ...
  – Kernel has to be patched
  – GCC relies on executable stack
  – Functional languages need it
Conclusions
• A tool for automatic detection of buffer overruns was presented
• Nothing beats writing good code
It's almost The End
Fuzz Revisited: A Re-examination of the Reliability of UNIX Utilities and Services
By: Miller, Koski, Lee, Maganty, Murthy, Natarajan, Steidl. University of Wisconsin
Introduction
• Fuzz Generator
• Test over 80 utility programs on 9 UNIX platforms
• Test Network Services
• Test X-Windows apps
• Test checking return values of system calls
Conclusions
• The failure rate of commercial versions of UNIX (Sun, IBM, SGI, DEC, NEXT): 18%-23%
• The failure rate of Linux: 9%, GNU: 6%
• Network services are robust
• X-Windows: more than 50% on random input, more than 25% on legal inputs
• X servers are robust
• malloc(): 25 out of 53 (47%) crashed
THE END