implementation flaws

© 2003 School of Computing, University of Leeds© 2003 School of Computing, University of LeedsSY32 Secure Computing, Lecture SY32 Secure Computing, Lecture 1313

Implementation FlawsImplementation Flaws

Part 1: Buffer OverrunsPart 1: Buffer Overruns

22SY32 Secure Computing, Lecture 13SY32 Secure Computing, Lecture 13

OutlineOutline

• BackgroundBackground

• Three generations of flawsThree generations of flaws Classic stack smashingClassic stack smashing Off-by-one errorsOff-by-one errors Format string bugs and heap overrunsFormat string bugs and heap overruns

• MitigationMitigation Coding practicesCoding practices Memory protectionMemory protection


BackgroundBackground

• What are buffer overruns?What are buffer overruns? Program allocates a contiguous chunk of memory of Program allocates a contiguous chunk of memory of

fixed size to store data (a fixed size to store data (a bufferbuffer)) Amount of data copied to buffer exceeds its capacity Amount of data copied to buffer exceeds its capacity

and overwrites other memoryand overwrites other memory

• Why are they a problem?Why are they a problem? Many critical programs are written in C/C++…Many critical programs are written in C/C++… ……but C/C++ have no run-time bounds checkingbut C/C++ have no run-time bounds checking


BackgroundBackground

• Problem known about since 1960sProblem known about since 1960s

• First seen widely in 1988 (Morris worm)First seen widely in 1988 (Morris worm)

• Infamous overruns:Infamous overruns: wu-ftpdwu-ftpd

• Several overruns discovered in 1999 & 2000Several overruns discovered in 1999 & 2000

• Some flaws up to 10 years old!Some flaws up to 10 years old! Code Red wormCode Red worm

• Exploited buffer overrun in IISExploited buffer overrun in IIS

• 359,000 machines infected within 14 hours359,000 machines infected within 14 hours

• Estimated worldwide cost of $2 billionEstimated worldwide cost of $2 billion


Public Enemy #1!Public Enemy #1!

0

5

10

15

20

25

30

35

40

1988 1990 1992 1994 1996 1998 2000 2002

CERT advisories Overruns


Public Enemy #1!Public Enemy #1!

0

10

20

30

40

50

60

70

80

1988 1990 1992 1994 1996 1998 2000 2002

% o

f C

ER

T a

dvi

sori

es


Possible OutcomesPossible Outcomes

• No effect on programNo effect on program

• Unpredictable behaviour (D)Unpredictable behaviour (D)

• Program crashes (D)Program crashes (D)

• Attack affects flow of execution (T,I,D)Attack affects flow of execution (T,I,D)

• Attacker executes arbitrary code (T,I,D,E)Attacker executes arbitrary code (T,I,D,E)


Memory Layout: A ReminderMemory Layout: A Reminder

• Text segment holds program Text segment holds program instructions (read-only)instructions (read-only)

• Data and BSS segments provide Data and BSS segments provide storage for static/global datastorage for static/global data

• Stack and heap change size as Stack and heap change size as program executesprogram executes

• Stack holds information about Stack holds information about context of function calls in a context of function calls in a stack framestack frame

Function parametersFunction parameters Local variablesLocal variables Saved register informationSaved register information Return address for callReturn address for call

Stack

Env. variables

Text

Data

BSS

Heap

Highmemory

Lowmemory


Stack SmashingStack Smashing

Buffer

Other localvariables

Saved frame pointer

Return address

Parameters

Caller’sstack frame

Stack pointer

Frame pointer

…and overwrites return address, gaining control of execution!

High memory

Low memory

Attacker overruns buffer…


DemoDemo


jmp 0x1fpopl %esimovl %esi,0x8(%esi)xorl %eax,%eaxmovb %eax,0x7(%esi)movl %eax,0xc(%esi)movb $0xb,%almovl %esi,%ebxleal 0x8(%esi),%ecxleal 0xc(%esi),%edxint $0x80xorl %ebx,%ebxmovl %ebx,%eaxinc %eaxint $0x80call -0x24.string \"/bin/sh\"

Crafting an ExploitCrafting an Exploit

void exploit(){ char* s = "/bin/sh"; execl(s, s, 0x0);}

int main(){ exploit();}

Must rewrite to remove nulls,or strcpy won’t work!

Shellcode


Crafting an ExploitCrafting an Exploit

"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07 \x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d \x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80 \xe8\xdc\xff\xff\xff/bin/sh"

"\x90\x90..."

No-ops Shellcode Addresses

"\x58\x6f\xff\xbf..."(0xbffff658)

Address chosen to ensure jump into no-ops

at start of shellcode


DemoDemo


QuestionsQuestions

• Are very small buffers susceptible to attack?Are very small buffers susceptible to attack?

• By how much must we overrun a buffer to By how much must we overrun a buffer to execute shellcode?execute shellcode?


Off-By-One ErrorsOff-By-One Errors

void doSomething(const char* input){ char buffer[256];

strncpy(buffer, input, sizeof(buffer)); buffer[sizeof(buffer)] = '\0'; ...}

• Sensible choice of Sensible choice of strncpystrncpy in place of in place of strcpystrcpy• ……but attempt to null-terminate the copied string but attempt to null-terminate the copied string

results in a one-byte overrunresults in a one-byte overrun


Exploiting Off-by-One ErrorsExploiting Off-by-One Errors

Buffer

Saved EBP

Saved EIP

Parameters

Caller’sstack frame

ESP

EBP

• PreconditionsPreconditions Buffer next to saved EBPBuffer next to saved EBP 32-bit alignment32-bit alignment Little-endian architectureLittle-endian architecture

• EventEvent Attempt to null-terminate buffer Attempt to null-terminate buffer

contents, resulting in one-byte contents, resulting in one-byte overrunoverrun

• ConsequencesConsequences LSB of saved EBP now zeroLSB of saved EBP now zero Saved EBP now points lower Saved EBP now points lower

in memory—possibly into in memory—possibly into buffer itselfbuffer itself

0


Exploiting Off-by-One ErrorsExploiting Off-by-One Errors

• Just before function exit, saved EBP is popped Just before function exit, saved EBP is popped off stack into EBP registeroff stack into EBP register

• On function exit, saved EIP is restored to EIP On function exit, saved EIP is restored to EIP register and control returns to callerregister and control returns to caller

• Just before caller exits, stack pointer is moved to Just before caller exits, stack pointer is moved to address in EBP register, with aim of restoring address in EBP register, with aim of restoring the saved EIP…the saved EIP…

• ……instead, attacker-supplied address is loaded instead, attacker-supplied address is loaded into EIP register, and we have control!into EIP register, and we have control!


Third-Generation FlawsThird-Generation Flaws

• Format string vulnerabilitiesFormat string vulnerabilities First appeared in Summer 2000First appeared in Summer 2000 Affect the Affect the *printf*printf family of functions family of functions Allow reading from & writing to arbitrary addressesAllow reading from & writing to arbitrary addresses Easy to exploit, but also easy to find and fixEasy to exploit, but also easy to find and fix

• Heap overrunsHeap overruns Less standardized than format string bugsLess standardized than format string bugs Allow writing of arbitrary data to arbitrary addressesAllow writing of arbitrary data to arbitrary addresses Hard to exploit, but also hard to detectHard to exploit, but also hard to detect


Format String BugsFormat String Bugs

• Two ways of printing a string in C:Two ways of printing a string in C: printf(printf(""%s%s"", input), input) printf(input)printf(input)

• Lazy programmers may do the latter, but what if Lazy programmers may do the latter, but what if inputinput contains format specifiers? contains format specifiers?

• %n specifier will write data onto the stack%n specifier will write data onto the stack Value could be address of some shellcode…Value could be address of some shellcode… ……which could overwrite saved EIP in stack framewhich could overwrite saved EIP in stack frame


MitigationMitigation

• Coding practicesCoding practices Choice of languageChoice of language Use of library functionsUse of library functions

• Memory protectionMemory protection Recompilation of applications requiredRecompilation of applications required No recompilation requiredNo recompilation required


Coding PracticesCoding Practices

• If possible, use languages with intrinsic run-time If possible, use languages with intrinsic run-time bounds checking instead of C or C++bounds checking instead of C or C++ Java, C#, Python, Perl, etcJava, C#, Python, Perl, etc

• When writing C++, use its features rather than When writing C++, use its features rather than those of C standard librarythose of C standard library std::stringstd::string class, not class, not char*char* and and strcpystrcpy, etc, etc

• Use C library functions Use C library functions veryvery carefully carefully Never, ever, use Never, ever, use getsgets!! Prefer ‘safe’ versions of other functionsPrefer ‘safe’ versions of other functions


C Library RisksC Library Risks

• High-risk functions includeHigh-risk functions include strcatstrcat, , strcpystrcpy

• Use Use strncatstrncat, , strncpystrncpy – carefully! – carefully! printfprintf, , sprintfsprintf, , vsprintfvsprintf

• Always use a format string; use Always use a format string; use snprintfsnprintf, not , not sprintfsprintf scanfscanf, , sscanfsscanf, , vscanfvscanf, , vsscanfvsscanf getoptgetopt, , getpassgetpass, , realpathrealpath, , syslogsyslog

• Truncate string arguments before passing them inTruncate string arguments before passing them in

• Some risk with other functionsSome risk with other functions See WSC2 or BSS for more informationSee WSC2 or BSS for more information Always check destination buffer is as big as you are claiming, Always check destination buffer is as big as you are claiming,

and watch out for off-by-one errors!and watch out for off-by-one errors!


Safety Through RecompilationSafety Through Recompilation

• Compile against safer version of C libraryCompile against safer version of C library

• Use compiler support for array bounds checkingUse compiler support for array bounds checking Patches for GCC:Patches for GCC:

• http://http://web.inter.nl.net/hcc/Haj.Ten.Bruggeweb.inter.nl.net/hcc/Haj.Ten.Brugge// /RTCs compiler option in Visual C++ .NET/RTCs compiler option in Visual C++ .NET

• Protect return address on stack with a Protect return address on stack with a canarycanary StackGuard, StackGuard, http://http://www.immunix.org/stackguard.htmlwww.immunix.org/stackguard.html

/GS compiler option in Visual C++ .NET/GS compiler option in Visual C++ .NET


Transparent ProtectionTransparent Protection

• Non-executable stackNon-executable stack Example: Example: http://http://www.openwall.com/linuxwww.openwall.com/linux//

• Requires kernel patchRequires kernel patch Won’t trap overruns in heap, data or BSS segmentsWon’t trap overruns in heap, data or BSS segments

• libverifylibverify Binary rewriting of process memory to force stack Binary rewriting of process memory to force stack

verification prior to useverification prior to use

• libsafe, libsafe, http://http://www.research.avayalabs.com/project/libsafewww.research.avayalabs.com/project/libsafe// Estimates safe upper limit on buffer size at run timeEstimates safe upper limit on buffer size at run time Intercepts dangerous library calls, substituting Intercepts dangerous library calls, substituting

versions that respect buffer size limitversions that respect buffer size limit


SummarySummary

• Buffer overruns and related flaws are the major Buffer overruns and related flaws are the major cause of security problems in softwarecause of security problems in software

• Attacks are varied, but typically involve transfer Attacks are varied, but typically involve transfer of control to shellcode supplied by attackerof control to shellcode supplied by attacker

• Partial solutions existPartial solutions exist Compilation of run-time checks into codeCompilation of run-time checks into code Transparent memory protectionTransparent memory protection

• Best solution is to avoid C/C++ if possible, or Best solution is to avoid C/C++ if possible, or avoid dangerous C library function callsavoid dangerous C library function calls

implementation flaws

Documents

x movl

x movb

esi movl

x leal 0x8

esi xorl

esi movb

buffer overruns

buffer contents