Buffer Overflow, Lecture 15a (cs.auckland.ac.nz)
TRANSCRIPT
Muhammad Rizwan Asghar
August 28, 2020
BUFFER OVERFLOW
Lecture 15a
COMPSCI 316
Cyber Security
Adapted from: David Wheeler
FOCUS OF THIS LECTURE
Learn buffer overflow
Discuss defence against buffer overflow
BUFFER OVERFLOW
Supplying more input to a program than the memory allocated to hold it
This can overwrite other information stored in memory next to the buffer
Attackers exploit buffer overflows to insert crafted code
– The inserted code can let them gain control of the system
SOME FAMOUS ATTACKS
In 1988, the Morris worm took down a large part of the Internet
– Exploited a buffer overflow in fingerd, which read its input with gets()
In 2001, the Code Red worm exploited a buffer overflow in Microsoft IIS 5.0
In 2003, the Slammer worm exploited a buffer overflow in Microsoft SQL Server 2000
In 2004, the Sasser worm exploited a buffer overflow in the Microsoft Windows 2000/XP LSASS service
– LSASS (Local Security Authority Subsystem Service) deals with user authentication
PROGRAMMING LANGUAGES & BUFFER OVERFLOW
Some languages allow buffer overflow
– Not memory safe: the language does not check array bounds
– Examples are C, C++, and Objective-C
Other languages counter buffer overflow
– Memory safe: an out-of-bounds access raises an error instead of overwriting memory
– Examples are Java, Python, and Perl
We might not have a free choice
– Device drivers and operating system kernels, for example, are typically written in C
– Memory-safe languages also call into libraries written in C, so the problem does not disappear entirely
SOME C BASICS: NUL
Strings in C terminate with the NUL character
– NUL is written ‘\0’, i.e., the byte value 0
Note that NUL occupies one byte of the array, so it must be counted when sizing a buffer
Representation of the string “Hello” in memory (6 bytes):
H e l l o \0
SOME C BASICS: ARRAY
C arrays allocate a fixed amount of memory; C does not check indexes against that size
char is the data type for a single character; a string is an array of char
char s[6] allocates the array s
– An array of 6 chars
– Enough to store 5 characters plus the terminating NUL
BUFFER OVERFLOW: TRIVIAL C PROGRAM
$ myprog
Your command? Test
Your command was: Test
$ myprog
Your command? 12345678901234567890
??? (the input is longer than the buffer that receives it, so the program’s behaviour is undefined)
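As an added example (not code from the lecture), here is the shape of the “myprog” session above written two ways: the unsafe form with gets(), kept as a comment, and a bounded reader built on fgets() that detects an overlong line instead of overflowing. The 8-byte buffer, the input_from_string() helper and the sample input lines are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the lecture's own code. The unsafe "myprog" reads its
 * command with gets(), which has no way of knowing how large cmd is:
 *
 *     char cmd[8];
 *     printf("Your command? ");
 *     gets(cmd);        // 20 characters of input overflow the 8-byte array
 *
 * The bounded version below reads with fgets(), which never writes more
 * than size-1 characters plus the NUL, and reports an overlong line
 * rather than silently truncating it. */

enum cmd_status { CMD_OK = 0, CMD_TRUNCATED = 1, CMD_EOF = 2 };

/* Read one line from `in` into buf[0..size-1] as a NUL-terminated string
 * without the trailing newline. Returns CMD_OK if the whole line fit,
 * CMD_TRUNCATED if it did not (the remainder of the line is consumed and
 * discarded so it cannot be mistaken for the next command), or CMD_EOF if
 * there was no input at all. */
enum cmd_status read_command(FILE *in, char *buf, size_t size)
{
    if (size == 0) return CMD_EOF;
    if (fgets(buf, (int)size, in) == NULL) {
        buf[0] = '\0';
        return CMD_EOF;
    }
    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';           /* whole line fit: drop the newline */
        return CMD_OK;
    }
    /* No newline in buf: the line was either exactly size-1 characters
     * long, the last line of the input, or too long for the buffer.
     * Look at the next character to tell these apart. */
    int ch = fgetc(in);
    if (ch == EOF || ch == '\n') return CMD_OK;
    while (ch != '\n' && ch != EOF) ch = fgetc(in);   /* drain the excess */
    return CMD_TRUNCATED;
}

/* Constructed input for the example: a FILE* that yields the given text.
 * tmpfile() is standard C, so this runs anywhere. */
FILE *input_from_string(const char *text)
{
    FILE *f = tmpfile();
    if (f == NULL) return NULL;
    fputs(text, f);
    rewind(f);
    return f;
}

int main(void)
{
    char cmd[8];                           /* 7 characters plus the NUL */
    FILE *in = input_from_string("Test\n12345678901234567890\n");
    if (in == NULL) return 1;
    for (;;) {
        printf("Your command? ");
        enum cmd_status st = read_command(in, cmd, sizeof cmd);
        if (st == CMD_EOF) { putchar('\n'); break; }
        if (st == CMD_TRUNCATED)
            printf("command too long, ignored (first %zu chars: %s)\n", strlen(cmd), cmd);
        else
            printf("Your command was: %s\n", cmd);
    }
    fclose(in);
    return 0;
}
```

The important design choice is that an overlong line is reported and its tail discarded: a reader that only truncated would leave “89012…” queued as the next command, which is a different kind of input-handling bug.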
PROCESS MEMORY MAP
From lower-numbered to higher-numbered addresses:
Text (compiled program code) – often read-only; set on code load
Initialised global “data” – used for global constants & variables; set on code load
Uninitialised global “data” – used for global variables; set on code load
Heap (dynamically allocated) – grows towards higher addresses, e.g., due to “new” or malloc(); the heap pointer marks its current end
Stack (function / procedure / method calls) – grows towards lower addresses; the stack pointer (SP) marks the current top of stack
SOME BASICS: STACK
An abstract concept
The last object placed will be removed first
Last In First Out (LIFO)
Stack operations
– Push(e): Add an element e to the stack
– Pop(): Remove the top element from the stack
STACK IN PROCESS MEMORY MAP
Stack is used to implement control flow
Stack is also used for other data
– Passing parameters to functions (or methods)
– Local variables in a function
– Return values
CALLING C FUNCTION
Given the following C program (fun is defined on a later slide)
void fun(int a, int b, int c);
int main(void) {
    int a = 1, b = 2, c = 3;
    fun(a, b, c);
    return 0;
}
On 32-bit x86 with the C calling convention (cdecl), where arguments are pushed right to left, the invocation of this function produces roughly the following assembly:
push c
push b
push a
call fun
The “call” instruction pushes the Instruction Pointer (IP) onto the stack
– In this case, the address in main() just after fun(…)
– The saved IP is called the return address (RET)
– Control then jumps to fun(…)
(On x86-64 the first arguments travel in registers instead, but the return address is still pushed by “call”)
STACK AFTER PUSHING C
Higher-numbered addresses
  c   ← Stack pointer (SP), current top of stack
Lower-numbered addresses
STACK AFTER PUSHING B
Higher-numbered addresses
  c
  b   ← Stack pointer (SP), current top of stack
Lower-numbered addresses
Stack grows towards lower-numbered addresses
STACK AFTER PUSHING A
Higher-numbered addresses
  c
  b
  a   ← Stack pointer (SP), current top of stack
Lower-numbered addresses
Stack grows towards lower-numbered addresses
STACK AFTER CALL INSTRUCTION
Higher-numbered addresses
  c
  b
  a
  Return address in main()   ← Stack pointer (SP), current top of stack
Lower-numbered addresses
Stack grows towards lower-numbered addresses
OUR FUNCTION FUN(…)
Imagine we have a function fun in C
#include <stdio.h>
void fun(int a, int b, int c) {
    char buffer1[15];
    char buffer2[10];
    gets(buffer2);   /* no bound: any input of 10 or more characters overflows buffer2 */
}
(gets() was removed from the C standard in C11 but still exists in legacy code)
STACK: CONTROL WITH FUN(…)
Higher-numbered addresses
  c
  b
  a
  Return address in main()
  Saved (old) frame pointer   ← Frame pointer (FP): used to access local variables & parameters
  Local array “buffer1”
  Local array “buffer2”       ← Stack pointer (SP), current top of stack
Lower-numbered addresses
Stack grows towards lower-numbered addresses
STACK: BUFFER OVERFLOWN
Higher-numbered addresses
  c
  b
  a
  Return address in main()
  Saved (old) frame pointer   ← Frame pointer (FP): used to access local variables & parameters
  Local array “buffer1”
  Local array “buffer2”       ← Stack pointer (SP), current top of stack
Lower-numbered addresses
Stack grows towards lower-numbered addresses
Overwrite: input longer than buffer2 runs past its end towards higher-numbered addresses, through buffer1, the saved frame pointer, the return address and the parameters
CONSEQUENCE OF OVERFLOW
Overwrites whatever lies past the end of buffer2, towards higher-numbered addresses
Impact depends on system details (compiler, calling convention, stack layout)
In our example, this can overwrite
– Local values (buffer1)
– Saved frame pointer
– Return address
– Parameters to the function
– …
STACK: AFTER ATTACK
Higher-numbered addresses
  c
  b
  a
  Return address in main()    → now: Ptr to malicious code
  Saved (old) frame pointer   ← Frame pointer (FP): used to access local variables & parameters
  Local array “buffer1”
  Local array “buffer2”       → now: Malicious code   ← Stack pointer (SP), current top of stack
Lower-numbered addresses
Stack grows towards lower-numbered addresses
When fun(…) returns, control jumps to the overwritten return address, i.e., into the malicious code
STACK: ATTACKED!
Higher-numbered addresses
  c
  b
  a
  Return address in main()    → Ptr to malicious code (points into the NOP sled)
  Saved (old) frame pointer   ← Frame pointer (FP)
  Local array “buffer1”
  Local array “buffer2”       → NOP sled followed by shellcode   ← Stack pointer (SP), current top of stack
Lower-numbered addresses
Stack grows towards lower-numbered addresses
NOP sled: \x90\x90\x90\x90\x90…
– NOP sleds let the attacker’s guessed address land anywhere in the sled and still slide into the shellcode; real ones are often more complex (to evade detection)
Shellcode (spawns /bin/sh):
\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh
– Shellcode often has odd constraints, e.g., no byte 0, because string-copying routines such as strcpy() stop at NUL
UNSAFE C ROUTINES
gets(buffer2)
– Reads a line of input with no idea how large buffer2 is
strcpy(buffer2, buffer1)
– Copies from buffer1 to buffer2 until it finds a NUL, regardless of buffer2’s size
strcat(buffer2, buffer1)
– Appends buffer1 to the end of buffer2, again without a bound
Many others
– scanf(.) family, e.g., scanf("%s", buffer2) with no field width
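As an added example (not code from the lecture), the bounded counterparts of strcpy() and strcat(), strncpy() and strncat(), are only as safe as their length argument, and each has a trap that the helpers below close. The buffer sizes and sample strings are constructed for this example; bounded_copy(), bounded_append() and strncpy_leaves_nul() are names chosen here, not library functions.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not the lecture's own code. strcpy() and strcat() have no
 * bound at all. Their counterparts strncpy() and strncat() do take a
 * length, but each has a trap that keeps them from being drop-in "safe":
 *   1. strncpy(dest, src, n) writes no NUL when strlen(src) >= n, so dest
 *      is left unterminated and a later strlen() or printf("%s") reads
 *      past the end of the array.
 *   2. strncat(dest, src, n): n is the maximum number of characters to
 *      APPEND, not the size of dest, so strncat(dest, src, sizeof dest)
 *      still overflows once dest already holds a string.
 * The helpers below take the destination's total size, always leave a
 * NUL-terminated string, and return 1 if the source fit or 0 if it was
 * truncated, so callers can treat truncation as an error. */

/* Copy src into dest[0..dest_size-1], always NUL-terminating dest. */
int bounded_copy(char *dest, size_t dest_size, const char *src)
{
    if (dest_size == 0) return 0;
    strncpy(dest, src, dest_size - 1);     /* at most dest_size-1 characters */
    dest[dest_size - 1] = '\0';            /* closes trap 1 */
    return strlen(src) < dest_size;        /* 1 if nothing was cut off */
}

/* Append src to the string already in dest, which must be NUL-terminated
 * within dest_size bytes; otherwise the call is refused. */
int bounded_append(char *dest, size_t dest_size, const char *src)
{
    size_t used = 0;
    while (used < dest_size && dest[used] != '\0') used++;
    if (used == dest_size) return 0;       /* dest not terminated: do not touch it */
    size_t room = dest_size - used - 1;    /* space left, excluding the NUL */
    strncat(dest, src, room);              /* closes trap 2: pass the remaining room */
    return strlen(src) <= room;
}

/* Demonstrates trap 1 without undefined behaviour: copy src into an n-byte
 * buffer with plain strncpy() and report whether a NUL landed inside the
 * buffer (memchr() looks only at those n bytes). */
int strncpy_leaves_nul(const char *src, size_t n)
{
    char tmp[64];
    if (n == 0 || n > sizeof tmp) return 0;
    memset(tmp, 'X', sizeof tmp);
    strncpy(tmp, src, n);
    return memchr(tmp, '\0', n) != NULL;
}

int main(void)
{
    char cmd[6];                           /* 5 characters plus the NUL */
    int fit = bounded_copy(cmd, sizeof cmd, "12345678901234567890");
    printf("bounded_copy -> \"%s\" (fit=%d)\n", cmd, fit);    /* "12345", fit=0 */

    char line[8] = "cmd=";
    fit = bounded_append(line, sizeof line, "ls");
    printf("bounded_append -> \"%s\" (fit=%d)\n", line, fit); /* "cmd=ls", fit=1 */
    fit = bounded_append(line, sizeof line, "-la");
    printf("bounded_append -> \"%s\" (fit=%d)\n", line, fit); /* "cmd=ls-", fit=0 */

    printf("strncpy(\"Hello\", 6) terminated: %d\n", strncpy_leaves_nul("Hello", 6));   /* 1 */
    printf("strncpy(\"Hello!\", 6) terminated: %d\n", strncpy_leaves_nul("Hello!", 6)); /* 0 */
    return 0;
}
```

The return value matters as much as the termination: a program that silently keeps “12345” from a 20-character command has not crashed, but it is now acting on input the user never typed, so callers should treat 0 as an error rather than ignore it.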
BUFFER OVERFLOW DEFENCES
Use safe C routines
– strncpy(dest, src, length)
– strncat(dest, src, length)
– Caveat: strncpy() does not NUL-terminate dest when src is at least length characters long, and strncat()’s length is the number of characters to append, not the size of dest; both must be used with care
Check memory and bounds
– Tools for memory debugging: Valgrind and Electric Fence
Stackguard
– Places a canary value between the buffers and the control data (saved frame pointer and return address) and checks it before the function returns; an overflow that reaches the return address must also change the canary
– Canary values should be random and hard to forge; an attacker who knows the value can simply write it back in place
– Modern compilers implement this, e.g., GCC’s -fstack-protector
Address Space Layout Randomisation
– Loads code, stack and heap at random addresses on each run
– Harder for the attacker to know where the injected code (or anything else) is located
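As an added example (not code from the lecture), the following models the attack from the “STACK: AFTER ATTACK” slides and the Stackguard canary check above in one deterministic program. fun()’s frame is represented as a struct (buffer, canary, return address; the saved frame pointer and parameters are left out), because reading a real compiler’s stack layout from C is undefined behaviour. The addresses RET_LEGIT and RET_EVIL, the canary values and the payload bytes are all constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not the lecture's own code. fun()'s stack frame is modelled
 * as a struct so that the overflow from the slides and the StackGuard canary
 * check can be run deterministically. Fields are ordered from lower to
 * higher addresses as in the diagrams. */
struct frame {
    char      buffer2[16];   /* local array that the unchecked read fills */
    uintptr_t canary;        /* StackGuard value between buffer and control data */
    uintptr_t ret;           /* saved return address */
};

/* Hypothetical addresses for the example. */
#define RET_LEGIT ((uintptr_t)0x08048abc)   /* where main() resumes after fun() */
#define RET_EVIL  ((uintptr_t)0xbffff0d0)   /* start of the attacker's NOP sled */

/* Simulate fun() under StackGuard: set up the frame, copy `len` bytes of
 * input into buffer2 with no bounds check (the bug), then do what the
 * protected epilogue does: compare the canary with the secret value before
 * trusting the return address. Returns the address control would jump to,
 * or 0 if the canary check aborts the program. */
uintptr_t run_fun(const unsigned char *input, size_t len, uintptr_t secret_canary)
{
    struct frame f;
    memset(&f, 0, sizeof f);
    f.canary = secret_canary;
    f.ret = RET_LEGIT;
    if (len > sizeof f) len = sizeof f;   /* the model spans only this frame */
    memcpy(&f, input, len);               /* unchecked copy: the overflow */
    if (f.canary != secret_canary)
        return 0;                         /* "stack smashing detected" */
    return f.ret;
}

/* Build the attacker's input: filler for buffer2, then the bytes that land
 * on the canary and on the return address. `guess` is what the attacker
 * believes the canary to be. Returns the payload length, 0 if out is too small. */
size_t build_payload(unsigned char *out, size_t out_size, uintptr_t guess, uintptr_t new_ret)
{
    if (out_size < sizeof(struct frame)) return 0;
    memset(out, 0x90, offsetof(struct frame, canary));          /* NOP filler */
    memcpy(out + offsetof(struct frame, canary), &guess, sizeof guess);
    memcpy(out + offsetof(struct frame, ret), &new_ret, sizeof new_ret);
    return sizeof(struct frame);
}

int main(void)
{
    unsigned char payload[sizeof(struct frame)];
    const unsigned char benign[] = "Test";
    const uintptr_t secret = (uintptr_t)0x5f3a9c71;   /* "random" canary for the run */

    printf("benign input             -> jump to %#lx\n",
           (unsigned long)run_fun(benign, sizeof benign, secret));

    build_payload(payload, sizeof payload, 0, RET_EVIL);
    printf("overflow, canary = 0     -> jump to %#lx (predictable canary: hijacked)\n",
           (unsigned long)run_fun(payload, sizeof payload, 0));
    printf("overflow, random canary  -> jump to %#lx (0 = aborted)\n",
           (unsigned long)run_fun(payload, sizeof payload, secret));

    build_payload(payload, sizeof payload, secret, RET_EVIL);
    printf("overflow, leaked canary  -> jump to %#lx (forged canary: hijacked)\n",
           (unsigned long)run_fun(payload, sizeof payload, secret));
    return 0;
}
```

The four runs show why the slide says the canary must be random and hard to forge: with a predictable value the overflow reaches the return address unnoticed, with an unknown value the check fires before the corrupted return address is used, and once the value has leaked the attacker simply includes it in the payload and the check passes again.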
SAMPLE QUESTION
For writing secure C code, which one of the
following is an unsafe choice?
a) gets(.)
b) strncpy(.)
c) strncat(.)
d) None of the above
SAMPLE QUESTION: ANSWER
For writing secure C code, which one of the
following is an unsafe choice?
a) gets(.)
b) strncpy(.)
c) strncat(.)
d) None of the above
Answer) a
SUMMARY
Buffer overflow is a serious concern!
There are many CVE entries related to buffer overflow
Always use safe routines, and check the bounds yourself when the routine does not
RESOURCES
Read Chapters 10 & 11 of
Computer Security: Principles and Practice, Fourth Edition
William Stallings and Lawrie Brown
Pearson Higher Ed USA
ISBN 1292220635
Aleph One, Smashing the Stack for Fun and Profit (Phrack 49, 1996), available at:
http://www-inst.eecs.berkeley.edu/~cs161/fa08/papers/stack_smashing.pdf
Questions?
Thanks for your attention!