cscd 303 essential computer security spring 2013 lecture 17 buffer overflow attacks
TRANSCRIPT
CSCD 303Essential ComputerSecuritySpring 2013
Lecture 17Buffer Overflow Attacks
Overview
• What are they?• Look at most common
– Stack Overflow• Example• Some Solutions
Buffer Overflow life Cycle
1. A malicious user finds vulnerability in a highly privileged program
2. User might be able to gain access to the system by overflowing a buffer and pushing code into return address space of a function call
3. Fixes are then made by patching code to prevent future attacks
4. Usually fix is to limit length of buffer
Question
Are they still happening? YES !!!
National Cyber Alert System
Technical Cyber Security Alert TA09-161A
Adobe Acrobat and Reader Vulnerabilities
Original release date: June 10, 2009
Last revised: --
Source: US-CERT
Systems Affected
* Adobe Reader versions 9.1.1 and earlier
* Adobe Acrobat versions 9.1.1 and earlier
Overview
Adobe has released Security Bulletin APSB09-07, which describes several buffer overflow vulnerabilities that could allow a remote attacker to execute arbitrary code.
Buffer Overflows as Percent of Total Vulnerabilities
DHS National Cyber Security Division/US-CERT National Vulnerability Database
The “Buffer Overflow” Problem
Buffer is a contiguous block of memory, of a fixed size
Buffer overflow is a spill, fill over the top, or bounds.
Buffers can be over flown with too much data, if not checked
This can be exploited by malicious program to change the flow of control to the malicious code
Anatomy of a Buffer Overflow
Buffer Memory used to store user input, has fixed maximum size
Buffer overflow When user input exceeds max buffer sizeExtra input goes into unexpected memory locations
A Small Example
void get_input() { char buf[1024]; gets(buf);}void main(int argc, char*argv[]){ get_input();}
Malicious user enters > 1024 chars, but can only store 1024 charsExtra chars overflow buffer
10
More Examples
void foo(char *s) {char buf[10];strcpy(buf,s);printf(“buf is %s\n”,s);
}…foo(“thisstringistolongforfoo”);
11
Address Space
0x000000000x08048000code
static data
bss
heap
shared library
stack
kernel space
0x42000000
0xC0000000
0xFFFFFFFF
Background-layout of the Virtual Space of a
Process
The layout of the virtual space of a process in Linux
Memory Explained
Code and data consist of instructions and initialized , uninitialized global and static data respectively
Runtime heap is used for dynamically allocated memory(malloc());
The stack is used whenever a function call is made
– Think of the stack and temporary or scratch memory
http://www.geeksforgeeks.org/memory-layout-of-c-program/
Stack Basics
So, what is a stack? A stack is contiguous block of memory containing data Stack pointer (SP) – a register that points to the top of the stack The bottom of the stack is at fixed address Its size is dynamically adjusted by kernel at run time CPU implements instructions to PUSH onto and POP
off the stack
15
C Call Stack
C Call Stack When a function call is made Return address is put on the stack.
Values of parameters are put on the stack Function saves stack frame pointer
Local variables are put on the stack.
16
ParametersReturn AddressCalling Frame
PointerLocal Variables
A Stack Frame
00000000
Addresses
SP
BP
BP = Base Pointer SP = Stack Pointer
17
Example – Buffer of A's
Try to overflow a buffer and inject A's Proof of concept !!! See what happens
More Detail
/* test buffer program */#include <unistd.h> void Test(){ char buff[4]; printf("Some input: "); gets(buff); puts(buff);} int main(int argc, char *argv[ ]){ Test(); return 0;}
ebp is stack frame pointer to previous frame
Top of Stack
http://www.tenouk.com/Bufferoverflowc/Bufferoverflow4.html
More Detail – gets(“AAA”)
More Detail – gets(“AAAAA”)
More Detail – gets(“AAAAAAAAAAAA”)
22
“Smashing the Stack”
The general idea is to overflow a buffer so that it overwrites the return address.
When the function is done it will jump to whatever address is on the stack.
We put some code in the buffer and set the return address to point to it!
23
Before and Aftervoid foo(char *s) {
char buf[100];
strcpy(buf,s);
…
address of sreturn-address
saved sp
buf
address of spointer to pgm
Small Program
24
Issues
• How do we know what value the pointer should have (the new “return address”).– It’s the address of the buffer, but how
do we know what address this is?
• How do we build the “small program” and put it in a string?
25
Guessing Addresses
• Typically you need the source code so you can estimate the address of both the buffer and the return-address.
• An estimate is often good enough! (more on this in a bit).
26
Building the small program
• Typically, the small program stuffed in to the buffer does an exec().
• Sometimes it changes the password db or other files…
27
exec()
• In Unix, the way to run a new program is with the exec() system call.– There is actually a family of exec()
system calls…– This doesn't create a new process, it
changes the current process to a new program.
– To create a new process you need something else ( fork() ).
28
exec() example
#include <stdio.h>
char *args[] = {"/bin/ls", NULL};
void execls(void) { execv("/bin/ls",args); printf(“I’m not printed\n");}
This is more a more Typical Program
#include<stdio.h> void main() { char *name[2]; name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL); }
30
Generating a String• You can take code like previous slide, and generate machine language
• Copy down the individual byte values and build a string– Use GDB, see reference at end of slides
• To do a simple exec requires less than 100 bytes• Result is “Shellcode”
A shellcode is an assembly language program which executes a shell, such as the '/bin/sh' for Unix/Linux shell, or the command.com shell on DOS and Microsoft Windows
This is what goes into the buffer for injecting into the victim program
31
A Sample Program/String
• Does an exec() of /bin/ls:
unsigned char cde[] =
"\xeb\x1f\x5e\x89\x76\x08\x31\xc0”
“\x88\x46\x07\x89\x46\x0c\xb0\x0b"
"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c”
“\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
"\x80\xe8\xdc\xff\xff\xff/bin/ls";
32
Some important issues
• Small program should be position-independent – able to run at any memory location.
• It can’t be too large, or we can’t fit program and new return-address on stack!
33
Attacking a real program
• Recall ... idea is to feed a server a string that is too big for a buffer
• This string overflows buffer and overwrites the return address on stack
• Assuming we put our small program in the string, we need to know it’s address
• Not always easy to guess exact address of buffer in memory
34
NOPs
• Most CPUs have a No-Operation instruction – it does nothing but advance the instruction pointer.
• Usually we can put a bunch of these ahead of our program (in the string).
• As long as the new return-address points to a NOP we are OK.
35
Using NOPs
Real program (exec /bin/ls or
whatever)
new return address
nop instructions
Can point
anywhere
in here
36
Some Solutions
Prevent Stack Overwriting StackGuardProPolice
StackGuard
Canary: random value, unpredictable to attackerCompiler technique: inserts canary before return address on stackCorrupt Canary: code halts program to thwart a possible attack Not comprehensive protection
Source: C. Cowan et. al., StackGuard,
Canary Protection In General ... Canary words known values placed between a buffer
and control data on stack to monitor buffer overflows When buffer overflows, first data to be corrupted will
be canary, and failed verification of canary data is therefore an alert of an overflow
Idea references historic practice of using canaries in coal mines
– Since they would be affected
by toxic gases earlier than miners,
thus providing a biological warning system
GCC Extension Pro-Police The "Stack-Smashing Protector" or SSP, also known as ProPolice,
is an enhancement of the StackGuard concept written and maintained by Hiroaki Etoh of IBM
Its name derives from the word propolis. ProPolice differs from StackGuard in three ways:
ProPolice moves canary code generation from the back-end to the front-end of the compiler
ProPolice also protects all saved registers , for example the frame pointer not only Return Address
ProPolice, in addition to canary protection, also sorts array variables (where possible) to the highest part of the stack frame, to make it more difficult to overflow them and corrupt other variables
It also creates copies of arguments of the function, and relocates them together with local variables, effectively protecting the arguments
Teaching Stack Overflow Threats• Most Students
– Are not attuned into dangers of buffer overflows
– Can't recognize a buffer overflow vulnerability when they see it, so they don’t even think of it when coding
– Do not inspect or test their code as well as one would like
– Are often not made aware of buffer overflows by instructors or textbooks
– Want you all to be the exceptions !!!!
41
References Classic Paper by Aleph One
http://www-inst.eecs.berkeley.edu/~cs161/
fa08/papers/stack_smashing.pdf Creating Shellcode Here
http://www.tenouk.com/Bufferoverflowc/Bufferoverflow5.html Prabhaker Mateti Buffer Overflow
http://www.cs.wright.edu/~pmateti/InternetSecurity/Lectures/BufferOverflow/#References
Wikipedia Buffer Overflowshttp://en.wikipedia.org/wiki/
Buffer_overflow_protection#GCC_Stack-Smashing_Protector_.28ProPolice.29
End