buffer overflow or stack smashing
Post on 12-Sep-2021
8 Views
Preview:
TRANSCRIPT
ISS03©Rosti
Buffer Overflow1
Emilia Rosti
Dip. di Informatica e ComunicazioneUniv. degli Studi di Milano
Buffer Overflowor
Stack smashingWhere computer security meets computerorganization, operating systems, access
control, and programming
ISS03©Rosti
Buffer Overflow2
Buffer Overflow
• malicious code is injected in memory• how?
• the address of such a code is loaded ina code pointer• where?
• the injected code is executed eventually
ISS03©Rosti
Buffer Overflow3
Buffer Overflow
• main vulnerability exploited in local andremote intrusions leading to systemcompromise• most dangerous if even it leads to
unprivileged account compromise only
ISS03©Rosti
Buffer Overflow4
Buffer overflow - statistics
[Wagner et al. 2000]
Number of CERT-CC advisories regardingvulnerabilities due to buffer overflow
ISS03©Rosti
Buffer Overflow5
Buffer overflow - statistics
[Wagner et al. 2000]
Number of incidents reported to CERT-CC caused by buffer overflow vulnerabilities
ISS03©Rosti
Buffer Overflow6
Buffer overflow: how
• a buffer is written with an amount ofdata greater than its size containingmalicious code• neither static nor run-time checks
• input string
• environment parameters
• dynamic libraries
ISS03©Rosti
Buffer Overflow7
Buffer overflow: how
• the address of the code is copied into apointer• procedure return address
• old base pointer
• function pointer
• longjimp buffer
• the program might still work correctly• well known problem of C language
ISS03©Rosti
Buffer Overflow8
Buffer Overflow:new stuff?
• well known problem• ‘70: login.c• ‘80: Internet worm (1988)
• buffer overflow in fingerd with 536 (512)chars
• ‘90: more than half of CERT-CC advisories(www.cert.org) every year on bufferoverflows
ISS03©Rosti
Buffer Overflow9
Buffer overflow:where is the problem?
• with adequately crafted input, any codemay be executed• the attacker would compromise the
account of the user process
• if the victim program is setuid to root, aroot shell can be executed• the attacker gains complete control of the
host
ISS03©Rosti
Buffer Overflow10
Buffer overflow:where is the problem?
• the combination of• lack of checks on buffer sizes in C• ad hoc input crafting• procedure call execution model• Unix discretionary access control
• may lead to the acquisition of superuserprivileges
ISS03©Rosti
Buffer Overflow11
Buffer overflow:a simple recipe
• ingredients• process with root privileges• malicious code in the process address
space
• procedure• change a code pointer of the process so as
to point to the malicious code in order tohave it execute eventually
ISS03©Rosti
Buffer Overflow12
Buffer overflow:the result
• privilege escalation by an unauthorizeduser• root shell execution
ISS03©Rosti
Buffer Overflow13
Buffer overflow:where to inject the code
• data area• stack
• return address / old base pointer
• heap• dynamic variables
• BSS• function pointers
• text area• using code already present in memory (e.g.,
libraries)• with adequate parameters
ISS03©Rosti
Buffer Overflow14
Buffer overflow:forced jump
• the program control flow is altered• activation record
• overflow a buffer onto return address or oldbase pointer
• function pointer• anywhere in memory, change the content of the
pointer
• checkpoint/rollback• overflow the setjmp(buffer) so that the rollback
longjmp(buffer) will jump to the malicious code
ISS03©Rosti
Buffer Overflow15
A process in memoryhigh addresses
low addresses
text & datasymbol table
magic #
mass memory
Shell environment & command line parameters
kernel stack (per process)red zoneuser area
ps_string structuresignal codesenv stringsargv stringsenv pointersargv pointers
argcuser stack
heapbss
data areatext area
ISS03©Rosti
Buffer Overflow16
Stack frame
generic layout of a procedure stack frame
low addresses
high address
local variables
saved registers
calling parameters
ISS03©Rosti
Buffer Overflow17
Stack smashing
local variables
calling parameters
malicious code
return address ….
old Stack pointerold Frame pointer
procedure activation record of a victim
saved registers
ISS03©Rosti
Buffer Overflow18
Example
void my_funct(int a, int *b, char *buf){char buf1[6];*b = a;strcpy(buf1, buf);}
ISS03©Rosti
Buffer Overflow19
Example
void main(){char string = “buffer overflow!!!!”;int i, j;i = 5;j = 8;my_funct(i, &j, string);j = i;}
ISS03©Rosti
Buffer Overflow20
User process inmemory
void my_funct(int a, int *b, char *buf){char buf1[6];*b = a;strcpy(buf1, buf);}
void main(){char string = “buffer overflow!!!!”;int i, j;i = 5;j = 8;my_funct(i, &j, string);j = i;}
text
static dataheap
buf1
prec. frame pointerprec. stack pointer
return address
*buf*b
a 5
i 5j 8
string
buffer overf
low!!!!\0
argcargv pointers
env pointers
stack pointer
program counter
frame pointer
when my_function is called
ISS03©Rosti
Buffer Overflow21
User process inmemory
void my_funct(int a, int *b, char *buf){char buf1[6];*b = a;strcpy(buf1, buf);}
void main(){char string = “buffer overflow!!!!”;int i, j;i = 5;j = 8;my_funct(i, &j, string);j = i;}
after strcpy(), returning from my_function
text
static dataheap
buf1
prec. frame pointerprec. stack pointer
return address
*buf*b
a 5
i 5j 8
string
buffer overf
low!!!!\0
argcargv pointers
env pointers
buffer overf
low!!!!\0
ISS03©Rosti
Buffer Overflow22
Buffer overflow:the issues
• C language• not strongly typed• no array bound checks (either statically, or
dynamically)• free pointer aritmethic• dangerous data structures (function
pointers)• vulnerable libraries
ISS03©Rosti
Buffer Overflow23
Buffer overflow:the issues
• Unix discretionary access control• r w x bits• real/effective userID• setuid/setgid bit• process privileges (realUID) vs program
privileges (effectiveUID)
• procedure execution model• executable stack
ISS03©Rosti
Buffer Overflow24
Access control in Unix
• real userid: the owner of the process• effective userid: the owner of the
program• a process executes with the privileges
of the user that launched the program
ISS03©Rosti
Buffer Overflow25
Access control in Unix
• a process may need higher privilegesduring execution (eg., those of theowner of the program)
• setuid(setgid): system call to change aprocess user(group)-id
ISS03©Rosti
Buffer Overflow26
Solutions
• write safe code• use strncpy, snprintf, etc.
• check input size and destination size
• 1-800-YOU-WISH
• use strongly typed languages• Java
• JVM is a C program
• what with existing code?• legacy and source
ISS03©Rosti
Buffer Overflow27
Solutions
• static analysis• prevention and/or detection
• analyze and/or modify source code looking forknown vulnerabilities
• dynamic analysis• prevention and/or detection
• change the run-time environment or systemfunctionality to make vulnerable program harmless
• protect known target
ISS03©Rosti
Buffer Overflow28
Solutions
• static code analyzer• BOON
• call graph with constraints on buffer sizes
• ITS4• dangerous library calls
• dynamic code analyzer• STOBO
• instrumented code is executed and alarms raised
ISS03©Rosti
Buffer Overflow29
Solutions
• C compiler patches that add• array bound checking
• performance degradation
• run-time checks on a selected set of pointers• StackGuard (return address, canary)• Stack Shield (return address and function pointers,
separate )• ProPolice (return address and old base pointer)
• run-time checks on all pointers• PointGuard
• major performance issues
ISS03©Rosti
Buffer Overflow30
Solutions
• patches• Libsafe/Libverify• Return Address Defender• Ccured• Cyclone• non executable stack (Openwall patch)
• fault injection• FIST
ISS03©Rosti
Buffer Overflow31
Solutions
• what if the source code is not available?• automatic search of the vulnerability in object
code• different sources of input
• keyboard, network, file
• input size
• no absolute guarantee of success
ISS03©Rosti
Buffer Overflow32
OBOE• Object-code Buffer Overrun Evaluator• controlled execution of object code• exhaustive scan of command line
arguments• input string crafted ad hoc• first search for segmentation fault, then for
illegal instruction• search for return address location with
shell code
ISS03©Rosti
Buffer Overflow33
OBOE• very labour intensive• no guarantee• only command line input
ISS03©Rosti
Buffer Overflow34
References
C. Cowan et al., Buffer overflows: Attacks and defenses for thevulnerability of the decade, DISCEX 00.
J. Wilander, M. Kamkar, A comparison of publicly available tools fordynamic buffer overflow prevention, NDSS 03.
R. Banfi, D. Bruschi, E. Rosti, A tool for pro-active defense againstthe buffer overrun attack, ESORICS 98.
All the references in the first two papers.
top related