Lab 2: Buffer Overflows · webpages.eng.wayne.edu/~fy8421/17sp-csc4992/slides/lab2... · 2017. 1....
Lab 2: Buffer Overflows
Fengwei Zhang
Wayne State University, Course: Cyber Security Practice
Buffer Overflows
• One of the most common vulnerabilities in software
• Programming languages commonly associated with buffer overflows include C and C++
• Operating systems including Windows, Linux and Mac OS X are written in C or C++
How It Works
• Applications define buffers in the memory
  – unsigned char[10]
• Applications use adjacent memory to store variables, arguments, and the return address of a function.
• A buffer overflow occurs when data written to a buffer exceeds its size.
Overflowing A Buffer
• Defining a buffer in C
  – char buf[10];
• Overflowing the buffer
  – buf[10] = 'x';
  – strcpy(buf, "AAAAAAAAAAAAAAAAAAAAAAA");
Why We Care
• Because adjacent memory stores program variables, parameters, and arguments
• Attackers can change these values through overflowing a buffer
• Attackers can gain control over the program flow to execute arbitrary code
Process Memory Layout
High memory
  Stack
  Heap
  Data Segment
  Text Segment
Low memory
Memory Layout for 32-bit Linux
• Kernel Space (1GB)
• Below it (3GB), from high memory to low memory:
  – Stack: local variable, int a
  – Heap: function malloc()
  – BSS Segment: uninitialized static variables, static char *u
  – Data Segment: static char *s = "Hello world"
  – Text Segment (ELF): binary of the program
Virtual Memory Layout
Stack Frame
• The stack contains activation frames including local variables, function parameters, and return address
• Starting at the highest memory address and growing downwards
• Last in first out
A Simple Program

int add(int a, int b) {
    int c;          /* local variable, stored in add()'s stack frame */
    c = a + b;
    return c;
}

Stack for add(2, 3), from high memory to low memory:
3
2
Ret Address
EBP
c   <- ESP
Another Program

#include <string.h>

int func(char *str) {
    char myBuff[512];
    strcpy(myBuff, str);    /* no length check: copies until the NUL in str */
    return 1;
}

int main(int argc, char **argv) {
    func(argv[1]);
    return 1;
}

Draw the Stack Frame!
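A bounds-checked version of func(), as an added example that is not part of the original slides: the copy is refused when the argument, terminator included, does not fit in myBuff, or when argv[1] is missing. The helper name copy_checked is hypothetical.

```c
#include <stddef.h>
#include <string.h>

/* copy_checked is a hypothetical helper (not from the slides).
 * Returns 1 and fills dst when src fits, NUL terminator included.
 * Returns 0 and leaves dst as an empty string otherwise. */
int copy_checked(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || dst_size == 0)
        return 0;
    dst[0] = '\0';
    if (src == NULL)
        return 0;
    size_t n = strlen(src);
    if (n >= dst_size)              /* n == dst_size leaves no room for the NUL */
        return 0;
    memcpy(dst, src, n + 1);        /* n + 1 <= dst_size, so this stays in bounds */
    return 1;
}

/* Same shape as the slide's func(), with the unchecked strcpy replaced. */
int func(const char *str)
{
    char myBuff[512];
    if (!copy_checked(myBuff, sizeof myBuff, str))
        return 0;                   /* rejected: too long or missing */
    return 1;
}

int main(int argc, char **argv)
{
    /* argv[1] is NULL when no argument is given; func() rejects that as well. */
    return func(argc > 1 ? argv[1] : NULL) ? 0 : 1;
}
```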
Overflowing "myBuff"
Stack after the overflow, from high memory to low memory; (A) marks a value overwritten with A's:
(A)
str (A)
Ret addr (A)
EBP (A)
myBuff: AAAAAA   <- ESP
Buffer Overflow Defenses
• The attack described is a classical stack smashing attack, which executes code on the stack
• It does not work today
  – NX – non-executable stack. Most compilers now default to a non-executable stack, meaning a segmentation fault occurs if code is run from the stack (i.e., Data Execution Prevention - DEP)
    • Disable it with the -z execstack option
    • Check it with readelf -e <PROGRAM> | grep STACK
  – StackGuard: Canaries
    • Disable it with the -fno-stack-protector option
    • Enable it with the -fstack-protector option
Stack Canaries
• Stack smashing attacks do two things
  – Overwrite the return address
  – Wait for the algorithm to complete and call RET
• Stack Canaries: Stack Smashing Protector (SSP)
  – Placing an integer value on the stack just before the return address
  – To overwrite the return address, the canary value would also be modified
  – Checking this value before the function returns
Stack Canaries (cont'd)
Stack after the overflow, from high memory to low memory; (A) marks a value overwritten with A's:
(A)
str (A)
Ret addr (A)
EBP (A)
Canary (A)
myBuff: AAAAA   <- ESP
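The two stack diagrams ("Overflowing myBuff" and "Stack Canaries") as a small simulation, added here and not part of the original slides: the frame is modelled as a struct so the unchecked write stays inside one object, and the epilogue check reports when the canary was overwritten on the way to the return address. The struct layout, the 16-byte buffer, the fixed canary and the address values are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed value; real SSP uses a random per-process canary. */
#define CANARY_VALUE 0xDEADC0DEu

/* Simplified model of func()'s frame, lowest address first (assumed layout). */
struct frame {
    char     myBuff[16];   /* local buffer (512 bytes on the slide, shortened) */
    uint32_t canary;       /* sits between the locals and the saved registers */
    uint32_t saved_ebp;
    uint32_t ret_addr;
};

enum { FRAME_OK = 0, FRAME_SMASHED = -1 };

/* Writes len bytes starting at myBuff with no check against sizeof myBuff,
 * as strcpy would, then performs the canary check of the function epilogue.
 * The write is clamped to the modelled frame so the simulation stays defined. */
int simulate_call(const void *input, size_t len, struct frame *f)
{
    memset(f->myBuff, 0, sizeof f->myBuff);
    f->canary    = CANARY_VALUE;
    f->saved_ebp = 0xBFFFF000u;    /* constructed sample values */
    f->ret_addr  = 0x08048000u;

    if (len > sizeof *f)
        len = sizeof *f;
    memcpy((unsigned char *)f, input, len);    /* the unchecked write */

    /* Epilogue: real SSP code calls __stack_chk_fail() and aborts here,
     * so a smashed ret_addr is never used by RET. */
    return f->canary == CANARY_VALUE ? FRAME_OK : FRAME_SMASHED;
}

int main(void)
{
    struct frame f;
    char a[28];
    memset(a, 'A', sizeof a);
    int fits  = simulate_call(a, 8, &f);          /* stays inside myBuff */
    int smash = simulate_call(a, sizeof a, &f);   /* reaches canary, EBP, ret */
    return (fits == FRAME_OK && smash == FRAME_SMASHED) ? 0 : 1;
}
```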
Bypassing NX and Canaries
• NX - non-executable stack
  – Executing code in the heap
  – Data Execution Prevention (DEP)
  – Return Oriented Programming (ROP)
• Stack Canaries
  – Overwriting the Canary with the same value
  – Brute force attack (e.g., DynaGuard in ACSAC'15)
Reminders
• Lab 0
  – Turn in the class agreement
• Lab 1
  – Due today at 11:59pm
  – Late assignment policy
  – Submit it via Blackboard
• Lab 2 instructions