Buffer Overflow, Lecture 15a (cs.auckland.ac.nz)

Post on 16-Oct-2020


Muhammad Rizwan Asghar

August 28, 2020

BUFFER OVERFLOW

Lecture 15a

COMPSCI 316

Cyber Security

Adapted from: David Wheeler

Top right

corner for

field

customer or

partner logotypes.

See Best practice

for example.

Slide title

40 pt

Slide subtitle

24 pt

Text

24 pt

5

20 pt

2

FOCUS OF THIS LECTURE

Learn buffer overflow

Discuss defence against buffer overflow


BUFFER OVERFLOW

Providing more input to a program than the memory allocated for it

This can overwrite other information in memory

Attackers exploit buffer overflow to insert crafted code

– Inserted code can let them gain control of the system


SOME FAMOUS ATTACKS

In 1988, the Morris worm took down the Internet

– Exploited a buffer overflow via gets()

In 2001, the Code Red worm exploited a buffer overflow in Microsoft IIS 5.0

In 2003, the Slammer worm exploited a buffer overflow in Microsoft SQL Server 2000

In 2004, the Sasser worm exploited a buffer overflow in Microsoft Windows 2000/XP LSASS

– LSASS deals with user authentication


PROGRAMMING LANGUAGES & BUFFER OVERFLOW

Some languages allow buffer overflow

– Not memory safe

– Examples are C, C++, and Objective-C

Other languages counter buffer overflow

– Memory safe

– Examples are Java, Python, and Perl

We might not have a free choice

– Device drivers, for example, are typically written in C


SOME C BASICS: NUL

Strings in C terminate with the NUL character

– NUL represents ‘\0’, i.e., byte value 0

Note that NUL occupies one character (one byte) of the array

Representation of the “Hello” string: H | e | l | l | o | \0 (six bytes: five for the text and one for the terminating NUL)


SOME C BASICS: ARRAY

C arrays allocate a fixed size of memory

char is the data type for a single character; a string is an array of char

char s[6] allocates array s

– An array of 6 chars

– Enough to store 5 chars and the terminating NUL


BUFFER OVERFLOW: TRIVIAL C PROGRAM

A program reads a command into a fixed-size buffer and echoes it back:

$ myprog
Your command? Test
Your command was: Test

$ myprog
Your command? 12345678901234567890
???
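The slide leaves the second run as “???”: the 20-character command is longer than the buffer the program allocated. As an added example (not the lecture's own program; the names read_command and CMD_SIZE are my choice), here is a bounded version of the same program. The command lives in a 16-byte array, fgets() never writes more than that many bytes, and read_command applies the same bound to an in-memory line so the behaviour on the long input can be checked without a terminal. A command longer than 15 characters is reported as too long instead of overwriting whatever sits past the array.

```c
#include <stdio.h>
#include <string.h>

/* Added example: bounded version of the "Your command?" program.
 * CMD_SIZE is an assumed buffer size: room for 15 characters plus NUL. */
#define CMD_SIZE 16

/* Copy one input line into cmd (capacity cmdsz) the way a bounded line
 * reader would: never more than cmdsz - 1 characters plus the NUL.
 * Returns 0 when the whole line fitted, -1 when it was too long and was
 * truncated.  Taking the line as a string (rather than reading stdin
 * here) lets the bound be tested offline with constructed inputs. */
int read_command(const char *line, char *cmd, size_t cmdsz)
{
    if (cmdsz == 0)
        return -1;
    size_t n = strlen(line);
    /* drop the trailing newline that fgets() leaves in place */
    if (n > 0 && line[n - 1] == '\n')
        n--;
    if (n >= cmdsz) {
        /* too long: keep what fits and terminate, never write past cmd */
        memcpy(cmd, line, cmdsz - 1);
        cmd[cmdsz - 1] = '\0';
        return -1;
    }
    memcpy(cmd, line, n);
    cmd[n] = '\0';
    return 0;
}

int main(void)
{
    char line[256];          /* raw line; fgets() is bounded by sizeof line */
    char cmd[CMD_SIZE];
    printf("Your command? ");
    fflush(stdout);
    if (fgets(line, sizeof line, stdin) == NULL)
        return 1;
    if (read_command(line, cmd, sizeof cmd) != 0)
        printf("Command too long (limit %d characters); kept: %s\n",
               CMD_SIZE - 1, cmd);
    else
        printf("Your command was: %s\n", cmd);
    return 0;
}
```

Run it with the two inputs from the slide: “Test” is echoed as before, while the 20-digit input produces the “too long” message and the first 15 characters, and nothing beyond the array is touched.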


PROCESS MEMORY MAP

(regions listed from lower-numbered addresses to higher-numbered addresses)

Text (compiled program code)

– Often read-only

– Set on code load

Initialised global “data”

– Used for global constants & variables

– Set on code load

Uninitialised global “data”

– Used for global constants & variables

Heap (dynamically allocated)

– Heap pointer marks the current end of the heap

– Heap grows towards higher-numbered addresses, e.g., due to “new” or malloc()

Stack (function / procedure / method calls)

– Stack pointer (SP) marks the current top of stack

– Stack grows towards lower-numbered addresses


SOME BASICS: STACK

An abstract concept

The last object placed will be removed first

Last In First Out (LIFO)

Stack operations

– Push(e): Add an element e to the stack

– Pop(): Remove the top element from the stack


STACK IN PROCESS MEMORY MAP

Stack is used to implement control flow

Stack is also used for other data

– Passing parameters to functions (or methods)

– Local variables in a function

– Return values


CALLING C FUNCTION

Given the following C program (fun is defined on a later slide)

void fun(int a, int b, int c);

int main(void) {
    int a = 1, b = 2, c = 3;
    fun(a, b, c);
}

The invocation of this function will produce the following assembly (32-bit x86, where arguments are pushed on the stack from right to left; 64-bit ABIs pass the first arguments in registers instead):

Push c

Push b

Push a

Call fun

The “Call” instruction pushes the Instruction Pointer (IP) onto the stack

– In this case, the position in main() just after fun(…)

– The saved IP is named the return address (RET)

– Control jumps to fun(…)


STACK AFTER PUSHING C

(lower-numbered addresses at the top, higher-numbered at the bottom; the stack grows towards lower-numbered addresses)

  c    <- Stack pointer (SP) (current top of stack)


STACK AFTER PUSHING B

(lower-numbered addresses at the top, higher-numbered at the bottom; the stack grows towards lower-numbered addresses)

  b    <- Stack pointer (SP) (current top of stack)
  c


STACK AFTER PUSHING A

(lower-numbered addresses at the top, higher-numbered at the bottom; the stack grows towards lower-numbered addresses)

  a    <- Stack pointer (SP) (current top of stack)
  b
  c


STACK AFTER CALL INSTRUCTION

(lower-numbered addresses at the top, higher-numbered at the bottom; the stack grows towards lower-numbered addresses)

  Return address in main()    <- Stack pointer (SP) (current top of stack)
  a
  b
  c


OUR FUNCTION FUN(…)

Imagine we have a function fun in C (gets() is used deliberately: it places no bound on what it writes into buffer2)

#include <stdio.h>

void fun(int a, int b, int c) {
    char buffer1[15];
    char buffer2[10];
    gets(buffer2);   /* unbounded read: more than 9 characters plus NUL overflows buffer2 */
}


STACK: CONTROL WITH FUN(…)

(lower-numbered addresses at the top, higher-numbered at the bottom; the stack grows towards lower-numbered addresses)

  Local array “buffer2”        <- Stack pointer (SP) (current top of stack)
  Local array “buffer1”
  Saved (old) frame pointer    <- Frame pointer (FP): use this to access local variables & parameters
  Return address in main()
  a
  b
  c


STACK: BUFFER OVERFLOWN

(lower-numbered addresses at the top, higher-numbered at the bottom; the stack grows towards lower-numbered addresses, but data written into buffer2 runs on towards higher-numbered addresses)

  Local array “buffer2”        <- Stack pointer (SP) (current top of stack); input starts here
  Local array “buffer1”        |
  Saved (old) frame pointer    | overwrite   <- Frame pointer (FP): use this to access local variables & parameters
  Return address in main()     v
  a
  b
  c


CONSEQUENCE OF OVERFLOW

Overwrites whatever lies past buffer2

Impact depends on system details

In our example, this can overwrite

– Local values (buffer1)

– Saved frame pointer

– Return address

– Parameters to the function

– …


STACK: AFTER ATTACK

(lower-numbered addresses at the top, higher-numbered at the bottom; the stack grows towards lower-numbered addresses)

  Local array “buffer2”        <- Stack pointer (SP) (current top of stack)   \
  Local array “buffer1”                                                        | Malicious code
  Saved (old) frame pointer    <- Frame pointer (FP)                           /
  Return address in main()     replaced by: Ptr to malicious code
  a
  b
  c


STACK: ATTACKED!

(same layout as before: lower-numbered addresses at the top, higher-numbered at the bottom)

  Local array “buffer2”        <- Stack pointer (SP); overwritten with the NOP sled and shellcode
  Local array “buffer1”
  Saved (old) frame pointer    <- Frame pointer (FP)
  Return address in main()     replaced by: Ptr to malicious code (lands in the NOP sled)
  a
  b
  c

Shellcode: \xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh

NOP sled: \x90\x90\x90\x90\x90…

– NOP sleds let the attacker jump anywhere into the sled to reach the attack code; real ones are often more complex (to evade detection)

– Shellcode often has odd constraints, e.g., no byte 0


UNSAFE C ROUTINES

gets(buffer2)

– Reads input without checking

strcpy(buffer2, buffer1)

– Copies from buffer1 to buffer2

strcat(buffer2, buffer1)

– Appends buffer1 to buffer2

Many others

– scanf(.) family
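The routines listed above all write without knowing how large the destination is. The bounded replacements the next slide recommends, strncpy(dest, src, length) and strncat(dest, src, length), only help when the length argument is right, and each has a pitfall of its own: strncpy() does not write a terminating NUL when the source has length or more characters, and the third argument of strncat() is the maximum number of characters to append, not the size of dest. The following added example (not code from the lecture; copy_bounded and append_bounded are names of my choosing) wraps both calls so that the result is always NUL-terminated and the caller learns whether anything was cut off.

```c
#include <stdio.h>
#include <string.h>

/* Added example: using strncpy()/strncat() without their usual mistakes.
 * destsz is the full size of the destination array, NUL included. */

/* Copy src into dest (capacity destsz), always NUL-terminating.
 * Returns 0 if the whole string fitted, -1 if it was truncated. */
int copy_bounded(char *dest, size_t destsz, const char *src)
{
    if (destsz == 0)
        return -1;
    strncpy(dest, src, destsz - 1);  /* leave one byte for the NUL ... */
    dest[destsz - 1] = '\0';         /* ... strncpy will not add it when src is long */
    return strlen(src) < destsz ? 0 : -1;
}

/* Append src to the string already in dest (capacity destsz).
 * Returns 0 if everything fitted, -1 if the result was truncated
 * or dest did not hold a terminated string. */
int append_bounded(char *dest, size_t destsz, const char *src)
{
    size_t used = 0;                 /* length of the existing contents, */
    while (used < destsz && dest[used] != '\0')
        used++;                      /* never reading past destsz bytes */
    if (used == destsz)
        return -1;                   /* no terminator inside dest: refuse */
    size_t room = destsz - used - 1; /* characters that may still be added */
    strncat(dest, src, room);        /* strncat always appends the NUL */
    return strlen(src) <= room ? 0 : -1;
}

int main(void)
{
    char buffer2[10];                /* the slide's 10-byte buffer2 */
    int r1 = copy_bounded(buffer2, sizeof buffer2, "Hello");
    int r2 = append_bounded(buffer2, sizeof buffer2, ", world!");
    printf("\"%s\" (copy %s, append %s)\n", buffer2,
           r1 == 0 ? "fitted" : "truncated", r2 == 0 ? "fitted" : "truncated");
    return 0;
}
```

The program prints "Hello, wo" with the append reported as truncated: nine characters plus the NUL is all a 10-byte buffer2 can hold, and the wrapper reports the loss rather than writing past the array. Passing sizeof buffer2 as destsz, rather than a number typed by hand, keeps the bound tied to the declaration.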


BUFFER OVERFLOW DEFENCES

Use safe C routines

– strncpy(dest, src, length)

– strncat(dest, src, length)

Check memory and bounds

– Tools for memory debugging: Valgrind and Electric Fence

Stackguard

– Using canary values placed between buffer and control data

– Canary values should be random and hard to forge

Address Space Layout Randomisation

– Loading code in memory at random addresses

– Harder to locate code
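The Stackguard bullet above can be modelled in plain C. What follows is an added example, not code from the lecture or from StackGuard itself, and all names in it are my choice. A struct stands in for fun's stack frame: the 10-byte buffer2, then a canary word, then the control data (saved frame pointer and return address) an overflow would reach. An unbounded copy of a long input runs on from buffer2 through the canary, and the check that a protected function runs before returning notices the damage. Compilers do this automatically for real frames (for example gcc's -fstack-protector); the point of the model is that the canary, placed between the buffer and the control data and filled with random bytes, is what turns a silent overwrite into a detected one.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>
#include <time.h>

#define BUF_SIZE   10   /* the slide's buffer2 */
#define CANARY_LEN 8

/* Model of a stack frame (assumed layout, not a real compiler frame):
 * the local buffer, the canary, then the control data behind it. */
struct frame {
    char buffer2[BUF_SIZE];
    unsigned char canary[CANARY_LEN];
    unsigned char control[16];   /* stands in for saved FP and return address */
};

/* Copy the string including its NUL into buffer2 with no bounds check,
 * like strcpy()/gets() would.  The copy is capped at the end of the
 * struct so the demonstration itself stays within defined behaviour. */
static void unchecked_copy(struct frame *f, const char *input)
{
    unsigned char *dst = (unsigned char *)f + offsetof(struct frame, buffer2);
    size_t limit = sizeof *f - offsetof(struct frame, buffer2);
    size_t len = strlen(input) + 1;
    for (size_t i = 0; i < len && i < limit; i++)
        dst[i] = (unsigned char)input[i];
}

/* The epilogue check: 1 if the canary is unchanged, 0 if it was smashed. */
int canary_intact(const struct frame *f, const unsigned char *expected)
{
    return memcmp(f->canary, expected, CANARY_LEN) == 0;
}

/* "Call" the function with the given input: set up the frame, do the
 * unchecked copy, then run the canary check before "returning".
 * Returns 1 when the frame is intact, 0 when an overflow was detected. */
int call_with_input(const char *input, const unsigned char *canary)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    memcpy(f.canary, canary, CANARY_LEN);
    unchecked_copy(&f, input);
    return canary_intact(&f, canary);
}

/* Fill the canary with random bytes.  rand() is only a stand-in here;
 * a real implementation draws from the OS random source at process start. */
void make_canary(unsigned char *canary)
{
    srand((unsigned)time(NULL));
    for (size_t i = 0; i < CANARY_LEN; i++)
        canary[i] = (unsigned char)(rand() & 0xff);
}

int main(void)
{
    unsigned char canary[CANARY_LEN];
    make_canary(canary);
    /* constructed inputs: the slide's short and long commands */
    const char *inputs[] = { "Test", "123456789", "12345678901234567890" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-22s -> %s\n", inputs[i],
               call_with_input(inputs[i], canary) ? "canary intact"
                                                  : "*** stack smashing detected ***");
    return 0;
}
```

"Test" and the nine-character input fit (nine characters plus the NUL fill buffer2 exactly) and the canary survives; the 20-character input overwrites the canary and is reported before the frame's control data is ever used. Two properties from the slide matter: the canary must sit between the buffer and the control data, and its value must be random, otherwise the overflowing input could simply reproduce it.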


SAMPLE QUESTION

For writing secure C code, which one of the

following is an unsafe choice?

a) gets(.)

b) strncpy(.)

c) strncat(.)

d) None of the above


SAMPLE QUESTION: ANSWER

For writing secure C code, which one of the

following is an unsafe choice?

a) gets(.)

b) strncpy(.)

c) strncat(.)

d) None of the above

Answer) a


SUMMARY

Buffer overflow is a serious concern!

There are several CVE entries related to buffer overflow

Always use safe routines


RESOURCES

Read Chapters 10 & 11 of Computer Security: Principles and Practice, Fourth Edition, William Stallings and Lawrie Brown, Pearson Higher Ed USA, ISBN 1292220635

Aleph One, Smashing the Modern Stack for Fun and Profit, available at: http://www-inst.eecs.berkeley.edu/~cs161/fa08/papers/stack_smashing.pdf


Questions?

Thanks for your attention!
