review: software security david brumley dbrumley@cmu.edu carnegie mellon university

Review: Software Security

David Brumleydbrumley@cmu.eduCarnegie Mellon University

2

Basic Execution Model

ProcessMemory

Stack

Heap

Processor

Fetch, decode, execute

read and write

Code

Data

...

3

cdecl – the default for Linux & gccint orange(int a, int b){ char buf[16]; int c, d; if(a > b) c = a;

else c = b;

d = red(c, buf); return d;}

…

b

a

return addr

caller’s ebp

callee-save

locals(buf, c, d ≥ 28 bytes if stored

on stack)

caller-save

buf

c

return addr

orange’s ebp

…

%ebpframe

%espstack

parameterarea (caller)

orange’sinitialstack

frame

to be createdbefore

calling red

after red hasbeen called

grow

4

Be prepared to draw and analyze stack diagrams

5

Control Flow Hijack: Always Computation + Control

computation + control

shellcode (aka payload) padding &buf

• code injection• return-to-libc• Heap metadata overwrite• return-oriented programming• ...

Same principle,different

mechanism

6

Channeling Vulnerabilities

... arise when control and dataare mixed into one channel.

Situation Data Channel Control Channel Security

Format Strings Output string Format parameters

Disclose or write to memory

malloc buffers malloc data Heap metadata info

Control hijack/write to memory

Stack Stack data Return address Control hijack

Phreaking Voice or data Operator tones Seize line control

7

Buffer overflows

• Gaining control through...– Overwriting saved return addresses– Overwriting function pointers

8

format strings

• For non-variadic functions, the compiler:– knows number and types of arguments– emits instructions for caller to push arguments

right to left– emits instructions for callee to access arguments

via frame pointer (or stack pointer [advanced])

• For variadic functions, the compiler emits instructions for the program towalk the stack at runtime for arguments

9

format string exploits

• Occur when the user can control the format string specifier

• Can be used to:1. View memory (e.g., information disclosure)2. Write to specific addresses3. sprintf: expand user input to cause a buffer

overflow

10

Defenses

computation + control

shellcode (aka payload) padding &buf

Primarily DEP Primarily ASLR

11

How to attack with ASLR?

Attack

Brute Force

Non-randomized

memory

Stack Juggling

ret2text

Func ptr

ret2ret

ret2pop

GOTHijacking

ret2got

12

Return-Oriented Programming (ROP)how it works and when it is needed

Desired Shellcode

Mem[v2] = v1…

argv

argc

return addr

caller’s ebp

buf(64 bytes)

argv[1]

buf

%ebp

%esp

a3

v2

a2

v1

a1

a1: pop eax; ret

a2: pop ebx; ret

a3: mov [ebx], eax

Desired store executed!

13

CFI

• Sound/Complete

• Sensitivity in program analysis

• CFI instrumentation

• CFI assumptions

14

Test

• In-class

• Timed

• Closed book, closed note, closed computer

Good Luck!

15

Questions?

END

17

Thought