buffer overflows
DESCRIPTION
A short presentation I gave summarizing a project I completed for a graduate course in Network Security
TRANSCRIPT
An analysis of stack based vulnerabilities
1972: First recorded overflow vulnerability, by the Computer Security Technology Planning Study
1988: The Morris worm becomes the first major Internet worm
2001: Code Red I & II infect hundreds of thousands of hosts
2003: SQL Slammer (aka Sapphire) becomes the fastest spreading worm in modern history
Overflow vulnerabilities are not obvious from source code inspection alone
Linking to any vulnerable library effectively makes an application vulnerable
Effective protection may require special OS and compiler configuration
Major CPU elements include:
• Memory: paged, hardware protected
• Registers: move data from memory to other hardware
• Control Unit: send OpCodes, operands, HW signals
• ALU: perform OpCodes, set status flags
Standardized mnemonic references for hardware supported operations
• Hardware OpCode: 0x0305000000
• Assembly Instruction: ADD R0, R1
All high level languages ultimately compiled, assembled, linked, and loaded
Stack: first in, last out data structure implemented on a reserved memory page
• Every procedure is given a stack frame
• Procedures allocate space for local variables within their frame
• A new frame is pushed onto the stack when a procedure is called, popped off on return
1. Write malicious payload assembly program
2. Compile, determine OpCodes, encode in hexadecimal string
3. Overflow target buffer with addresses pointing to injected code
Key Defensive Goals:
• Make target address guess difficult
• Detect or prevent the attempt at run-time
Developers:
• Safe Libraries
• Stack Protecting Compilers
• Static Code Analysis
Hardware:
• NX Memory Page Bit (Sun SPARC, IBM PowerPC, newer Intel x86-64)
Operating System:
• Address Space Randomization (Linux, Windows Vista/Server 2008, some support in Mac OS 10.5)
• Memory Page protection (OpenBSD derivatives, Windows if hardware supports it)
• The combination of these two techniques has great potential
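As an added illustration of the "safe libraries" point in the developer defenses above (example code, not part of the original slides): the classic unchecked copy into a fixed-size stack buffer next to a bounded version that rejects oversized input instead of writing past the frame. NAME_MAX, copy_bounded and the greet_* names are this example's own.

```c
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* size of the stack buffer in both versions */

/* 'Before': the unchecked copy.  strcpy() stops only at the NUL of src,
 * so any input of NAME_MAX bytes or more runs past 'name' into the
 * saved frame data stored above it (the overflow the slides describe). */
void greet_unsafe(const char *src)
{
    char name[NAME_MAX];
    strcpy(name, src);                 /* no bound on the copy */
    printf("hello, %s\n", name);
}

/* 'After': copy only what fits and report rejected input to the caller.
 * Returns 0 when src was copied whole, -1 when it was too long for dst. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0)
        return -1;
    if (len >= dst_size) {             /* must leave room for the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);         /* length known, copy is bounded */
    return 0;
}

int greet_safe(const char *src)
{
    char name[NAME_MAX];
    if (copy_bounded(name, sizeof name, src) != 0) {
        fprintf(stderr, "rejected: input longer than %d bytes\n", NAME_MAX - 1);
        return -1;
    }
    printf("hello, %s\n", name);
    return 0;
}

int main(void)
{
    /* constructed inputs: one that fits, one that would have overflowed */
    greet_safe("alice");
    greet_safe("this string is far longer than sixteen bytes");
    return 0;
}
```

Building the same file with a stack-protecting compiler option such as GCC's -fstack-protector adds the run-time canary check the slides list as a second layer; the bounded copy is what removes the defect itself.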
Defenses are being developed in a wide cross section of areas
Rate of new attack ideas is limited in scope and incidence
• return-to-libc, format string errors
Operating system defenses will probably remove this threat one day
Best present advice: Deploy all important patches!