buffer overflows

15
An analysis of stack based vulnerabilities

Upload: justanotherabstraction

Post on 01-Jul-2015

926 views

Category:

Technology


2 download

DESCRIPTION

A short presentation I gave summarizing a project I completed for a graduate course in Network Security

TRANSCRIPT

Page 1: Buffer Overflows

An analysis of stack based vulnerabilities

Page 2: Buffer Overflows

1972: First recorded overflow vulnerability by the Computer Security Technology Planning Study

1988: The Morris worm becomes the first major Internet Worm

2001: Red Code I & II Infect hundreds of thousands of hosts

2003: SQL Slammer (aka Sapphire) becomes the fastest spreading worm in modern history

Page 3: Buffer Overflows

Overflow vulnerabilities are not obvious from source code inspection alone

Linking to any vulnerable library effectively makes an application vulnerable

Effective protection may require special OS and compiler configuration

Page 4: Buffer Overflows

Major CPU elements include: Memory

• Paged, Hardware protected Registers

• Move data from memory to other hardware Control Unit

• Send OpCodes, Operands, HW Signals ALU

• Perform OpCodes, set status flags

Page 5: Buffer Overflows

Standardized mnemonic references for hardware supported operations• Hardware OpCode: 0x0305000000• Assembly Instruction: ADD R0, R1

All high level languages ultimately compiled, assembled, linked, and loaded

Page 6: Buffer Overflows

Stack: First in, last out data structure implemented on reserved memory page

Every procedure is given a stack frame Procedures allocate space for local

variables within their frame New frame is pushed onto the stack

when a procedure is called, popped off on return

Page 7: Buffer Overflows
Page 8: Buffer Overflows

1. Write malicious payload assembly program

2. Compile, determine OpCodes, encode in hexadecimal string

3. Overflow target buffer with addresses pointing to injected code

Page 9: Buffer Overflows
Page 10: Buffer Overflows
Page 11: Buffer Overflows

Key Defensive Goals:• Make target address guess difficult• Detect or prevent the attempt at run-time

Developers:• Safe Libraries• Stack Protecting Compilers• Static Code Analysis

Hardware• NX Memory Page Bit (Sun SPARC, IBM

PowerPC, newer Intel x86-64)

Page 12: Buffer Overflows

Operating System• Address Space Randomization (Linux,

Windows Vista/Server2008, some support in Mac OS 10.5)

• Memory Page protection (OpenBSD derivatives, Windows if harware supports it)

• The combination of these two techniques has great potential

Page 13: Buffer Overflows

Defenses are being developed in a wide cross section of areas

Rate of new attack ideas is limited in scope and incidence • return-to-libc, format string errors

Operating system defenses will probably remove this threat one day

Best present advice: Deploy all important patches!

Page 14: Buffer Overflows

[1] Alan Clements. Principles of Computer Hardware. OxfordUniversity Press, Inc., New York, NY, USA, 2000.

[2] John L. Hennessy and David A. Patterson. Computer architecture:a quantitative approach. Morgan Kaufmann PublishersInc., San Francisco, CA, USA, 2002.

[3] Intel. Intel Architecture Software Developers Manual. Volume1: Basic Architecture, 1999.

[4] Intel. Intel Architecture Software Developers Manual. Volume2: Instruction Set Reference, 1999

[5] Elias Levy. Smashing the stack for fun and profit. InternetArticle, 1996. Accessed on November 11, 2008 from http://insecure.org/stf/smashstack.html.

Page 15: Buffer Overflows