review: software security david brumley [email protected] carnegie mellon university
TRANSCRIPT
![Page 2: Review: Software Security David Brumley dbrumley@cmu.edu Carnegie Mellon University](https://reader031.vdocuments.net/reader031/viewer/2022032200/56649cca5503460f949927da/html5/thumbnails/2.jpg)
2
Basic Execution Model
ProcessMemory
Stack
Heap
Processor
Fetch, decode, execute
read and write
Code
Data
...
![Page 3: Review: Software Security David Brumley dbrumley@cmu.edu Carnegie Mellon University](https://reader031.vdocuments.net/reader031/viewer/2022032200/56649cca5503460f949927da/html5/thumbnails/3.jpg)
3
cdecl – the default for Linux & gccint orange(int a, int b){ char buf[16]; int c, d; if(a > b) c = a;
else c = b;
d = red(c, buf); return d;}
…
b
a
return addr
caller’s ebp
callee-save
locals(buf, c, d ≥ 28 bytes if stored
on stack)
caller-save
buf
c
return addr
orange’s ebp
…
%ebpframe
%espstack
parameterarea (caller)
orange’sinitialstack
frame
to be createdbefore
calling red
after red hasbeen called
grow
![Page 4: Review: Software Security David Brumley dbrumley@cmu.edu Carnegie Mellon University](https://reader031.vdocuments.net/reader031/viewer/2022032200/56649cca5503460f949927da/html5/thumbnails/4.jpg)
4
Be prepared to draw and analyze stack diagrams
![Page 5: Review: Software Security David Brumley dbrumley@cmu.edu Carnegie Mellon University](https://reader031.vdocuments.net/reader031/viewer/2022032200/56649cca5503460f949927da/html5/thumbnails/5.jpg)
5
Control Flow Hijack: Always Computation + Control
computation + control
shellcode (aka payload) padding &buf
• code injection• return-to-libc• Heap metadata overwrite• return-oriented programming• ...
Same principle,different
mechanism
![Page 6: Review: Software Security David Brumley dbrumley@cmu.edu Carnegie Mellon University](https://reader031.vdocuments.net/reader031/viewer/2022032200/56649cca5503460f949927da/html5/thumbnails/6.jpg)
6
Channeling Vulnerabilities
... arise when control and dataare mixed into one channel.
Situation Data Channel Control Channel Security
Format Strings Output string Format parameters
Disclose or write to memory
malloc buffers malloc data Heap metadata info
Control hijack/write to memory
Stack Stack data Return address Control hijack
Phreaking Voice or data Operator tones Seize line control
![Page 7: Review: Software Security David Brumley dbrumley@cmu.edu Carnegie Mellon University](https://reader031.vdocuments.net/reader031/viewer/2022032200/56649cca5503460f949927da/html5/thumbnails/7.jpg)
7
Buffer overflows
• Gaining control through...– Overwriting saved return addresses– Overwriting function pointers
![Page 8: Review: Software Security David Brumley dbrumley@cmu.edu Carnegie Mellon University](https://reader031.vdocuments.net/reader031/viewer/2022032200/56649cca5503460f949927da/html5/thumbnails/8.jpg)
8
format strings
• For non-variadic functions, the compiler:– knows number and types of arguments– emits instructions for caller to push arguments
right to left– emits instructions for callee to access arguments
via frame pointer (or stack pointer [advanced])
• For variadic functions, the compiler emits instructions for the program towalk the stack at runtime for arguments
![Page 9: Review: Software Security David Brumley dbrumley@cmu.edu Carnegie Mellon University](https://reader031.vdocuments.net/reader031/viewer/2022032200/56649cca5503460f949927da/html5/thumbnails/9.jpg)
9
format string exploits
• Occur when the user can control the format string specifier
• Can be used to:1. View memory (e.g., information disclosure)2. Write to specific addresses3. sprintf: expand user input to cause a buffer
overflow
![Page 10: Review: Software Security David Brumley dbrumley@cmu.edu Carnegie Mellon University](https://reader031.vdocuments.net/reader031/viewer/2022032200/56649cca5503460f949927da/html5/thumbnails/10.jpg)
10
Defenses
computation + control
shellcode (aka payload) padding &buf
Primarily DEP Primarily ASLR
![Page 11: Review: Software Security David Brumley dbrumley@cmu.edu Carnegie Mellon University](https://reader031.vdocuments.net/reader031/viewer/2022032200/56649cca5503460f949927da/html5/thumbnails/11.jpg)
11
How to attack with ASLR?
Attack
Brute Force
Non-randomized
memory
Stack Juggling
ret2text
Func ptr
ret2ret
ret2pop
GOTHijacking
ret2got
![Page 12: Review: Software Security David Brumley dbrumley@cmu.edu Carnegie Mellon University](https://reader031.vdocuments.net/reader031/viewer/2022032200/56649cca5503460f949927da/html5/thumbnails/12.jpg)
12
Return-Oriented Programming (ROP)how it works and when it is needed
Desired Shellcode
Mem[v2] = v1…
argv
argc
return addr
caller’s ebp
buf(64 bytes)
argv[1]
buf
%ebp
%esp
a3
v2
a2
v1
a1
a1: pop eax; ret
a2: pop ebx; ret
a3: mov [ebx], eax
Desired store executed!
![Page 13: Review: Software Security David Brumley dbrumley@cmu.edu Carnegie Mellon University](https://reader031.vdocuments.net/reader031/viewer/2022032200/56649cca5503460f949927da/html5/thumbnails/13.jpg)
13
CFI
• Sound/Complete
• Sensitivity in program analysis
• CFI instrumentation
• CFI assumptions
![Page 14: Review: Software Security David Brumley dbrumley@cmu.edu Carnegie Mellon University](https://reader031.vdocuments.net/reader031/viewer/2022032200/56649cca5503460f949927da/html5/thumbnails/14.jpg)
14
Test
• In-class
• Timed
• Closed book, closed note, closed computer
Good Luck!
![Page 15: Review: Software Security David Brumley dbrumley@cmu.edu Carnegie Mellon University](https://reader031.vdocuments.net/reader031/viewer/2022032200/56649cca5503460f949927da/html5/thumbnails/15.jpg)
15
Questions?
![Page 16: Review: Software Security David Brumley dbrumley@cmu.edu Carnegie Mellon University](https://reader031.vdocuments.net/reader031/viewer/2022032200/56649cca5503460f949927da/html5/thumbnails/16.jpg)
END
![Page 17: Review: Software Security David Brumley dbrumley@cmu.edu Carnegie Mellon University](https://reader031.vdocuments.net/reader031/viewer/2022032200/56649cca5503460f949927da/html5/thumbnails/17.jpg)
17
Thought