Page 1: Buffer overflow explained
Gabriel Maciá Fernández
HACKING SCHOOL (ucys.ugr.es)
Page 2: Fundamentals
• Buffer overflow definition: it's a bug that affects low-level code, typically in C and C++, with significant security implications
Page 3: Fundamentals
• C and C++ popularity
Source: http://spectrum.ieee.org/static/interactive-the-top-programming-languages
Page 4: Fundamentals
• Critical systems in C/C++:
– Most OS kernels and utilities
– Many high performance servers
 • Microsoft IIS, Apache httpd
 • Microsoft SQL Server, MySQL
– Many embedded systems
Page 5: Fundamentals
• Brief history:
– 1988: Morris worm (fingerd)
 • $10-100M damages
– 2001: CodeRed (MS-IIS)
 • 300,000 machines infected in 14 hours
– 2003: SQL Slammer (MS-SQL Server)
 • 75,000 machines infected in 10 minutes
Page 6: Fundamentals
Page 7: Fundamentals
• Trend
[Chart: #Vulnerabilities per year (CWE-119), 1997 to 2015; y-axis from 0 to 9000]
Source: http://web.nvd.nist.gov/view/vuln/statistics-results?adv_search=true&cves=on&cwe_id=CWE-119
Page 8: Let's go into more details
Page 9: Brief review of C concepts
• int: 32 bits • char: 8 bits • pointer: 32 bits (on the 32-bit 80x86 model assumed throughout)
 int *p;
• Reference: int a = 3; int *p = &a; *p = 2;
Page 10: The Intel 80x86 CPU
• Registers:
– General purpose: %eax, %ebx, %ecx, %edx
– (Extended) instruction pointer: %eip
– (Extended) stack pointer: %esp
– (Extended) frame pointer: %ebp
– Flags: %eflags (ZF, SF, CF, …)
Page 11: Process memory layout
• Memory addressing (80x86 family): 32 bit
Page 12: Process memory layout
• Intel uses little endian ordering
– Example: the value 0x03020100 stored starting at address 0x00F67B40
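The little-endian rule on this slide, worked through in code as an added example (not part of the original slides): the lowest-order byte of 0x03020100 sits at the lowest address, so the memory holds 00 01 02 03 in address order. The sample byte array below is constructed for the example; `byte_at` shows what the host really stores, while `read_le32`/`write_le32` decode and encode little-endian bytes independently of the host's own byte order, which is what you need when parsing a 32-bit x86 memory dump or a little-endian file format on any machine.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: the four bytes as they would sit in memory starting
 * at the address the slide labels 0x00F67B40, lowest address first. */
static const unsigned char SAMPLE_BYTES[4] = { 0x00, 0x01, 0x02, 0x03 };

/* Is this host little-endian? Store a known value and look at its first byte. */
int is_little_endian(void) {
    uint32_t v = 0x03020100u;
    unsigned char first;
    memcpy(&first, &v, 1);
    return first == 0x00;
}

/* Byte i (0 = lowest address) of v exactly as the host stores it. */
unsigned byte_at(uint32_t v, int i) {
    unsigned char b[4];
    memcpy(b, &v, sizeof b);
    return b[i & 3];
}

/* Decode four bytes known to be little-endian into a value, regardless of
 * the byte order of the machine running this code. */
uint32_t read_le32(const unsigned char *p) {
    return (uint32_t)p[0]
         | ((uint32_t)p[1] << 8)
         | ((uint32_t)p[2] << 16)
         | ((uint32_t)p[3] << 24);
}

/* Encode v as four little-endian bytes, again host-independent. */
void write_le32(unsigned char *out, uint32_t v) {
    out[0] = (unsigned char)(v & 0xffu);
    out[1] = (unsigned char)((v >> 8) & 0xffu);
    out[2] = (unsigned char)((v >> 16) & 0xffu);
    out[3] = (unsigned char)((v >> 24) & 0xffu);
}

/* The value the slide's four bytes represent. */
uint32_t sample_value(void) {
    return read_le32(SAMPLE_BYTES);
}

/* Encode then decode must give back the same value. */
int roundtrip_ok(uint32_t v) {
    unsigned char buf[4];
    write_le32(buf, v);
    return read_le32(buf) == v;
}

int main(void) {
    printf("host is %s-endian\n", is_little_endian() ? "little" : "big");
    printf("bytes of 0x03020100 in address order:");
    for (int i = 0; i < 4; i++)
        printf(" %02x", byte_at(0x03020100u, i));
    printf("\nsample bytes 00 01 02 03 decode to 0x%08x\n", sample_value());
    return 0;
}
```

On an x86 host the byte dump prints `00 01 02 03`; on a big-endian host it would print `03 02 01 00`, but `sample_value()` returns 0x03020100 on both, because the decoder does not depend on the host.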
Page 13: Process memory layout
Page 14: Stack and heap
• Stack and heap grow in opposite directions
Address space from 0x00000000 to 0xffffffff: heap at the low end, stack at the high end
Heap: apportioned by the OS; managed in-process by malloc
Page 15: Stack and heap
Address space from 0x00000000 to 0xffffffff, stack and heap at opposite ends
Stack pointer: %esp
push 1, push 2, push 3, return: the values 1, 2, 3 are placed on the stack in that order, and %esp moves with each push and return
Page 16: Basic stack layout
Frame contents from high addresses (0xffffffff) down to %esp: caller's data, arg3, arg2, arg1, ???, ???, loc1, loc2, …
Arguments are pushed in reverse order of code
Local variables are pushed in the same order
void func(char *arg1, int arg2, int arg3) { char loc1[4]; int loc2; ... }
Page 17: Basic buffer overflow
• Buffer:
– Contiguous memory associated with a variable or field
– Common in C
 • All strings are (NULL-terminated) arrays of chars
• Overflow:
– Put more into the buffer than it can hold
• How?:
– Bugs. E.g. use of the strcpy function
• Let's go for an example: overflow_example
char *strcpy(char *dest, const char *src)
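The bug on this slide and its defensive counterpart, as an added example (not the slides' `overflow_example` program): `copy_unchecked` is the `strcpy` pattern, which copies until it finds the terminator of `src` and has no idea how large `dest` is; `would_overflow` is the length check `strcpy` never makes; `copy_bounded` is a replacement that never writes past the destination and reports truncation so the caller can reject the input. `func_safe` models the slides' `func` with an 8-byte local `loc1` (the size and the inputs are constructed for the example). `copy_unchecked` is shown for contrast only and is never called.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define LOC1_SIZE 8   /* constructed: small fixed-size local buffer, like loc1 on the slides */

/* The bug the slide describes: strcpy() copies src up to and including its
 * NUL terminator and knows nothing about the size of dest. With a longer
 * src the extra bytes land in whatever sits above dest in the frame
 * (the other locals, the saved %ebp, the return address). Never called here. */
void copy_unchecked(char *dest, const char *src) {
    strcpy(dest, src);
}

/* The check strcpy() never performs: does src plus its terminator fit in
 * a buffer of cap bytes? Returns 1 if it would overflow, 0 if it fits. */
int would_overflow(const char *src, size_t cap) {
    return strlen(src) + 1 > cap;
}

/* Bounded copy: never writes more than dest_size bytes and always leaves
 * dest NUL-terminated. Returns true if src was copied whole, false if it
 * had to be truncated, so the caller can reject the input instead of
 * continuing with silently shortened data. */
bool copy_bounded(char *dest, size_t dest_size, const char *src) {
    if (dest_size == 0)
        return false;
    size_t n = strlen(src);
    if (n >= dest_size) {
        memcpy(dest, src, dest_size - 1);
        dest[dest_size - 1] = '\0';
        return false;
    }
    memcpy(dest, src, n + 1);   /* n + 1 includes the terminator */
    return true;
}

/* Models func() from the slides: a fixed-size local buffer receiving
 * caller-controlled input. Returns 1 if the input fit, 0 if it was
 * truncated; out_len (if non-NULL) receives the resulting string length. */
int func_safe(const char *arg1, size_t *out_len) {
    char loc1[LOC1_SIZE];
    bool fit = copy_bounded(loc1, sizeof loc1, arg1);
    if (out_len)
        *out_len = strlen(loc1);
    return fit ? 1 : 0;
}

/* Length of the string that ends up in loc1 after the bounded copy. */
size_t func_safe_len(const char *arg1) {
    size_t len = 0;
    func_safe(arg1, &len);
    return len;
}

int main(void) {
    /* constructed inputs: one that fits an 8-byte buffer, one that does not */
    const char *ok  = "Hello";
    const char *bad = "AAAAAAAAAAAAAAAAAAAAAAAA";   /* 24 bytes plus NUL */

    printf("\"%s\" would overflow loc1[%d]? %d\n", ok,  LOC1_SIZE, would_overflow(ok,  LOC1_SIZE));
    printf("\"%s\" would overflow loc1[%d]? %d\n", bad, LOC1_SIZE, would_overflow(bad, LOC1_SIZE));
    printf("func_safe(ok):  fit=%d len=%zu\n", func_safe(ok, NULL),  func_safe_len(ok));
    printf("func_safe(bad): fit=%d len=%zu\n", func_safe(bad, NULL), func_safe_len(bad));
    return 0;
}
```

Note the boundary: a 7-character string fits an 8-byte buffer, an 8-character one does not, because the terminator needs its own byte; off-by-one errors at exactly this point are a classic source of single-byte overflows.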
Page 18: Accessing variables
Where is loc2?
Frame contents from high addresses (0xffffffff) down to %esp: caller's data, arg3, arg2, arg1, ???, ???, loc1, loc2, …
void func(char *arg1, int arg2, int arg3) { ... loc2++; ... }
Can't guess the absolute address (e.g. 0xbffff323) at compile time, but can know the relative address: loc2 is always 8B before the ???s
The frame pointer %ebp marks the stack frame for func; loc2 is at -8(%ebp)
Page 19: Returning from functions
int main() { ... func("Hello", 10, -3); ... }
Frame contents from high addresses (0xffffffff) down to %esp: caller's data, arg3, arg2, arg1, saved %eip, saved %ebp, loc1, loc2, … (the two ??? slots hold the saved %eip and the saved %ebp; %ebp points at the stack frame for func)
How do we restore %esp and %ebp? 1. Update %esp 2. Push %ebp before locals; set %ebp to the current %esp
How do we resume? Push %eip before the call; set %eip = 4(%ebp)
Page 20: Let's have fun with this
Frame contents from high addresses (0xffffffff) down to %esp: caller's data, arg3, arg2, arg1, saved %eip, saved %ebp, loc1, loc2, …; %ebp points at the stack frame for func
Page 21: Defenses against buffer overflow
• Very quickly:
– Stack canaries (StackGuard)
– Non executable stack (NX)
– Address Space Layout Randomization (ASLR)
• It is still possible to attack
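Two of the three mitigations on this slide are properties you can verify in a binary before deploying it, and this added example (not from the slides) shows how: NX is recorded in the ELF `PT_GNU_STACK` program header, whose flags tell the loader whether the stack may be executable, and ASLR can only relocate the executable's own image when it is position independent (`ET_DYN`, a PIE). The parser reads the header fields by offset, so it handles 32- and 64-bit images regardless of host byte order; the sample images are constructed in memory with the structs from Linux `<elf.h>` (assumed available, on a little-endian host). Stack canaries are not checked here: detecting them means looking for `__stack_chk_fail` in the symbol table, which this example does not parse. Status codes are this example's own convention.

```c
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { STACK_NX = 0, STACK_EXEC = 1, STACK_UNKNOWN = 2 };   /* this example's codes */

/* Little-endian read of n bytes (n <= 8) from p. */
static uint64_t rd(const unsigned char *p, int n) {
    uint64_t v = 0;
    for (int i = n - 1; i >= 0; i--)
        v = (v << 8) | p[i];
    return v;
}

/* Walks the program headers of an ELF image held in memory and reports the
 * permission flags of PT_GNU_STACK. A missing header or malformed image is
 * reported as STACK_UNKNOWN rather than guessed either way. */
int gnu_stack_status(const unsigned char *img, size_t len) {
    if (len < EI_NIDENT || memcmp(img, ELFMAG, SELFMAG) != 0 || img[EI_DATA] != ELFDATA2LSB)
        return STACK_UNKNOWN;
    int is64;
    if (img[EI_CLASS] == ELFCLASS64)      is64 = 1;
    else if (img[EI_CLASS] == ELFCLASS32) is64 = 0;
    else                                  return STACK_UNKNOWN;
    if (len < (size_t)(is64 ? 64 : 52))   /* full ELF header present? */
        return STACK_UNKNOWN;
    /* Field offsets from <elf.h>: e_phoff, e_phentsize, e_phnum, and the
     * position of p_flags inside a program header (differs per class). */
    uint64_t phoff   = is64 ? rd(img + 32, 8) : rd(img + 28, 4);
    size_t phentsz   = (size_t)rd(img + (is64 ? 54 : 42), 2);
    size_t phnum     = (size_t)rd(img + (is64 ? 56 : 44), 2);
    size_t flags_off = is64 ? 4 : 24;
    if (phentsz < flags_off + 4)
        return STACK_UNKNOWN;
    for (size_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + (uint64_t)i * phentsz;
        if (off + phentsz > len)
            return STACK_UNKNOWN;
        uint32_t type  = (uint32_t)rd(img + off, 4);
        uint32_t flags = (uint32_t)rd(img + off + flags_off, 4);
        if (type == PT_GNU_STACK)
            return (flags & PF_X) ? STACK_EXEC : STACK_NX;
    }
    return STACK_UNKNOWN;
}

/* ASLR randomizes the executable's own image only if it is ET_DYN (PIE).
 * e_type sits at offset 16 in both ELF classes. */
int is_pie(const unsigned char *img, size_t len) {
    if (len < 18 || memcmp(img, ELFMAG, SELFMAG) != 0)
        return 0;
    return rd(img + 16, 2) == ET_DYN;
}

/* Constructed sample: a minimal 64-bit ELF header followed by one
 * PT_GNU_STACK program header, enough for the two checks above. Built with
 * the host's struct layout, so it assumes a little-endian host. */
size_t build_sample(unsigned char *out, int exec_stack, int pie) {
    Elf64_Ehdr eh;
    Elf64_Phdr ph;
    memset(&eh, 0, sizeof eh);
    memset(&ph, 0, sizeof ph);
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64;
    eh.e_ident[EI_DATA] = ELFDATA2LSB;
    eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = pie ? ET_DYN : ET_EXEC;
    eh.e_machine = EM_X86_64;
    eh.e_phoff = sizeof eh;
    eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof ph;
    eh.e_phnum = 1;
    ph.p_type = PT_GNU_STACK;
    ph.p_flags = PF_R | PF_W | (exec_stack ? PF_X : 0);
    memcpy(out, &eh, sizeof eh);
    memcpy(out + sizeof eh, &ph, sizeof ph);
    return sizeof eh + sizeof ph;
}

int sample_stack_status(int exec_stack) {
    unsigned char img[256];
    size_t n = build_sample(img, exec_stack, 1);
    return gnu_stack_status(img, n);
}

int sample_is_pie(int pie) {
    unsigned char img[256];
    size_t n = build_sample(img, 0, pie);
    return is_pie(img, n);
}

int main(int argc, char **argv) {
    static unsigned char img[65536];   /* headers of typical binaries fit here */
    static const char *names[] = { "non-executable (NX)", "EXECUTABLE",
                                   "unknown (no PT_GNU_STACK or unreadable)" };
    if (argc < 2) { fprintf(stderr, "usage: %s <elf-binary>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 2; }
    size_t n = fread(img, 1, sizeof img, f);
    fclose(f);
    printf("%s: stack %s; %s\n", argv[1], names[gnu_stack_status(img, n)],
           is_pie(img, n) ? "PIE (ASLR can relocate the image)" : "not PIE (fixed load address)");
    return 0;
}
```

Run it on any binary, e.g. `./check /bin/ls`. An executable-stack result usually means some object file was linked without a `.note.GNU-stack` section, which forces the whole binary's stack to be executable; a non-PIE result means the main image loads at a fixed address even with ASLR enabled system-wide.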
Page 22: Buffer Overflow Challenge
• Program to analyze: reto.c
• Instructions and hints
• Offline tests
• Online tests
– Instructions by email to those registered for the challenge
– Study period: 1 week
– Attack period: 2 days
– Application on TCP ports 5000 to 5015
• Restarted every minute in case of a crash
Page 23: Thanks for your attention
• Thanks to:
– Michael Hicks for his nice examples about overflow