Lab 2: Buffer Overflows (webpages.eng.wayne.edu/~fy8421/17sp-csc4992/slides/lab2... · 2017. 1....)
Lab 2: Buffer Overflows
Fengwei Zhang
Wayne State University, Course: Cyber Security Practice
Buffer Overflows
• One of the most common vulnerabilities in software
• Programming languages commonly associated with buffer overflows include C and C++
• Operating systems including Windows, Linux and Mac OS X are written in C or C++
How It Works
• Applications define buffers in memory, e.g. unsigned char[10]
• Applications use adjacent memory to store variables, arguments, and the return address of a function.
• A buffer overflow occurs when data written to a buffer exceeds its size.
Overflowing A Buffer
• Defining a buffer in C
  – char buf[10];
• Overflowing the buffer
  – buf[10] = 'x';
  – strcpy(buf, "AAAAAAAAAAAAAAAAAAAAAAA");
Why We Care
• Because adjacent memory stores program variables, parameters, and arguments
• Attackers can change these values through overflowing a buffer
• Attackers can gain control over the program flow to execute arbitrary code
Process Memory Layout
[Figure: process memory layout, from high memory down to low memory: Stack, Heap, Data Segment, Text Segment]

Memory Layout for 32-bit Linux
[Figure: virtual memory layout, from high addresses down to low addresses]
Kernel Space (1GB)
Stack: local variables, e.g. int a
Heap: function malloc()
BSS Segment: uninitialized static variables, e.g. static char *u
Data Segment: static char *s = "Hello world"
Text Segment (ELF): binary of the program
(User space: 3GB)
Stack Frame
• The stack contains activation frames including local variables, function parameters, and return address
• Starting at the highest memory address and growing downwards
• Last in, first out
A Simple Program
[Figure: stack frame for the call add(2, 3), from high memory down to ESP: 3, 2, Ret Address, EBP, c]

int add(int a, int b) {
    int c;
    c = 1 + b;
    return c;
}
Another Program

#include <string.h>

int func(char *str) {
    char myBuff[512];
    strcpy(myBuff, str);   /* unbounded copy: the overflow this lab studies */
    return 1;
}

int main(int argc, char **argv) {
    func(argv[1]);
    return 1;
}
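The program above copies argv[1] into a 512-byte buffer with strcpy(), so any argument of 512 bytes or more writes past myBuff. The following is an added example, not code from the lab slides, that shows two ways the same function can be written so that the write is bounded: reject oversize input up front, or truncate with snprintf() and report how much was dropped. The function names func_checked, func_truncating and the input helpers are assumptions introduced here; BUF_SZ mirrors the 512 on the slide.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_SZ 512   /* same size as myBuff on the slide */

/* Hardened counterpart of func(): measure the input first and refuse anything
 * that does not fit, so no byte is ever written past myBuff.
 * Returns 1 when the copy was made, 0 when the input was rejected. */
int func_checked(const char *str)
{
    char myBuff[BUF_SZ];
    size_t n = strlen(str);
    if (n >= sizeof myBuff)      /* must leave room for the terminating NUL */
        return 0;
    memcpy(myBuff, str, n + 1);
    return 1;
}

/* Alternative policy: keep the call but truncate, using snprintf(), which
 * always NUL-terminates within the bound. Returns how many input bytes were
 * dropped (0 when everything fit), so callers can log the truncation. */
size_t func_truncating(const char *str)
{
    char myBuff[BUF_SZ];
    int wanted = snprintf(myBuff, sizeof myBuff, "%s", str);
    if (wanted < 0)
        return 0;
    if ((size_t)wanted > sizeof myBuff - 1)
        return (size_t)wanted - (sizeof myBuff - 1);
    return 0;
}

/* Stand-in for argv[1]: constructed input of `len` bytes of 'A' (hypothetical helper). */
static char *make_input(size_t len)
{
    char *s = malloc(len + 1);
    if (!s)
        return NULL;
    memset(s, 'A', len);
    s[len] = '\0';
    return s;
}

/* 1 if func_checked() accepts an input of this length, 0 if it rejects it, -1 on allocation failure */
int accepts_input_of_length(size_t len)
{
    char *s = make_input(len);
    if (!s)
        return -1;
    int ok = func_checked(s);
    free(s);
    return ok;
}

/* Number of bytes func_truncating() drops for an input of this length */
size_t bytes_dropped_for_length(size_t len)
{
    char *s = make_input(len);
    if (!s)
        return 0;
    size_t dropped = func_truncating(s);
    free(s);
    return dropped;
}

int main(int argc, char **argv)
{
    const char *in = argc > 1 ? argv[1] : "hello";
    printf("func_checked: %s\n", func_checked(in) ? "copied" : "rejected (too long)");
    printf("func_truncating dropped %zu byte(s)\n", func_truncating(in));
    return 0;
}
```

Compiling the slide's original func() with -fstack-protector only turns the overflow into an abort at function return; the two variants above prevent the out-of-bounds write from happening at all, which is the fix a code review should ask for.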
Draw the Stack Frame!

Overflowing "myBuff"
[Figure: the frame of func() after the overflow, from high memory down to ESP: str (A), Ret addr (A), EBP (A), myBuff filled with A's]
Buffer Overflow Defenses
• The attack described is a classical stack smashing attack which executes the code on the stack
• It does not work today
  – NX: non-executable stack. Most compilers now default to a non-executable stack, meaning a segmentation fault occurs if running code from the stack (i.e., Data Execution Prevention, DEP)
    • Disable it with the -z execstack option
    • Check it with readelf -e <PROGRAM> | grep STACK
  – StackGuard: canaries
    • Disable it with the -fno-stack-protector option
    • Enable it with the -fstack-protector option
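The readelf check on the slide works by reading the PT_GNU_STACK program header: the loader gives the process an executable stack only when that header carries the PF_X flag (readelf prints it as RWE instead of RW). The following is an added example, not part of the lab slides, that performs the same check on an ELF64 image held in memory, so the rule behind "grep STACK" is visible. The image is constructed in the block (a bare header plus one program header, not a real binary), and the function names are assumptions introduced here; the constants are the values the ELF and GNU ABIs define.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values from the ELF spec / GNU ABI (identical to those in <elf.h>) */
#define PT_GNU_STACK 0x6474e551u
#define PF_X 0x1u
#define PF_W 0x2u
#define PF_R 0x4u

enum { STACK_NX = 0, STACK_EXEC = 1, STACK_NO_PHDR = -1, STACK_BAD_IMAGE = -2 };

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static uint64_t rd64(const uint8_t *p) { return (uint64_t)rd32(p) | ((uint64_t)rd32(p + 4) << 32); }

/* Walk the program headers of a little-endian ELF64 image and report whether
 * PT_GNU_STACK carries PF_X. Every offset is bounds-checked against `len`. */
int gnu_stack_status(const uint8_t *img, size_t len)
{
    if (len < 64 || memcmp(img, "\x7f" "ELF", 4) != 0)
        return STACK_BAD_IMAGE;
    if (img[4] != 2 || img[5] != 1)          /* ELFCLASS64 and ELFDATA2LSB only */
        return STACK_BAD_IMAGE;
    uint64_t phoff = rd64(img + 32);         /* e_phoff */
    uint16_t phentsize = rd16(img + 54);     /* e_phentsize */
    uint16_t phnum = rd16(img + 56);         /* e_phnum */
    if (phentsize < 56)
        return STACK_BAD_IMAGE;
    for (uint16_t i = 0; i < phnum; i++) {
        uint64_t off = phoff + (uint64_t)i * phentsize;
        if (off > len || len - off < 56)
            return STACK_BAD_IMAGE;
        const uint8_t *ph = img + off;
        if (rd32(ph) == PT_GNU_STACK)        /* p_type, then p_flags */
            return (rd32(ph + 4) & PF_X) ? STACK_EXEC : STACK_NX;
    }
    return STACK_NO_PHDR;   /* no PT_GNU_STACK: the loader falls back to its default */
}

static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)(v & 0xff); p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }
static void wr64(uint8_t *p, uint64_t v) { for (int i = 0; i < 8; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Constructed sample image (not a real binary): a 64-byte ELF64 header followed
 * by one program header. with_gnu_stack=0 writes a PT_LOAD entry instead. */
size_t build_sample_elf(uint8_t *out, size_t cap, int with_gnu_stack, uint32_t stack_flags)
{
    const size_t total = 64 + 56;
    if (cap < total)
        return 0;
    memset(out, 0, total);
    memcpy(out, "\x7f" "ELF", 4);
    out[4] = 2; out[5] = 1; out[6] = 1;           /* 64-bit, little-endian, EV_CURRENT */
    wr16(out + 16, 2);                             /* e_type = ET_EXEC */
    wr16(out + 18, 62);                            /* e_machine = EM_X86_64 */
    wr32(out + 20, 1);                             /* e_version */
    wr64(out + 32, 64);                            /* e_phoff: phdrs follow the header */
    wr16(out + 52, 64);                            /* e_ehsize */
    wr16(out + 54, 56);                            /* e_phentsize */
    wr16(out + 56, 1);                             /* e_phnum */
    uint8_t *ph = out + 64;
    wr32(ph, with_gnu_stack ? PT_GNU_STACK : 1u);  /* PT_LOAD (1) when GNU_STACK is omitted */
    wr32(ph + 4, stack_flags);
    wr64(ph + 48, 16);                             /* p_align */
    return total;
}

/* Build a sample with the given flags and classify it in one step */
int check_sample(int with_gnu_stack, uint32_t stack_flags)
{
    uint8_t img[128];
    size_t n = build_sample_elf(img, sizeof img, with_gnu_stack, stack_flags);
    return gnu_stack_status(img, n);
}

int main(void)
{
    printf("GNU_STACK RW  -> %d (0 = non-executable stack)\n", check_sample(1, PF_R | PF_W));
    printf("GNU_STACK RWE -> %d (1 = executable stack, as -z execstack produces)\n",
           check_sample(1, PF_R | PF_W | PF_X));
    printf("no GNU_STACK  -> %d (header missing)\n", check_sample(0, PF_R | PF_W));
    return 0;
}
```

A build pipeline can apply the same classification to real binaries by reading the file into memory first; anything that reports STACK_EXEC or STACK_NO_PHDR deserves a look at the link flags.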
Stack Canaries
• Stack smashing attacks do two things
  – Overwrite the return address
  – Wait for the algorithm to complete and call RET
• Stack Canaries: Stack Smashing Protector (SSP)
  – Placing an integer value on the stack just before the return address
  – To overwrite the return address, the canary value would also be modified
  – Checking this value before the function returns
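The three bullets under SSP describe a layout (buffer, then canary, then saved EBP and return address) and a check run in the function epilogue. The following is an added example, not from the lab slides, that models that layout as a plain struct so the check can be exercised without touching the real stack: an unbounded copy of 16 bytes leaves the canary intact, 20 bytes clobbers it (and the epilogue check would fail before RET is reached), and 28 bytes also reaches the return address. The struct, CANARY_VALUE and all function names are assumptions introduced here; a real SSP uses a random per-process canary, not a constant.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A frame laid out as the slide draws it, lowest address first: buffer, canary,
 * saved EBP, return address. It is an ordinary struct, not the real stack, so
 * the simulated overflow below stays inside the struct. */
struct frame {
    char     buf[16];
    uint32_t canary;
    uint32_t saved_ebp;
    uint32_t ret_addr;
};

#define CANARY_VALUE 0x0A00FF13u   /* constructed; real SSP draws a random value per process */

void frame_init(struct frame *f, uint32_t ret)
{
    memset(f, 0, sizeof *f);
    f->canary = CANARY_VALUE;
    f->saved_ebp = 0xBFFFF000u;    /* placeholder value */
    f->ret_addr = ret;
}

/* Models strcpy(buf, src) with no bound: writes `len` bytes starting at buf,
 * clamped to the struct so the model itself has no undefined behaviour. */
void frame_copy_unchecked(struct frame *f, const char *src, size_t len)
{
    if (len > sizeof *f)
        len = sizeof *f;
    memcpy((char *)f, src, len);   /* buf sits at offset 0 */
}

/* The epilogue check SSP inserts: compare the canary with the reference value
 * before the saved return address is used. 1 = intact, 0 = __stack_chk_fail. */
int frame_canary_ok(const struct frame *f)
{
    return f->canary == CANARY_VALUE;
}

/* Run the slide's scenario with a constructed input of `len` bytes of 'A' */
static void scenario(size_t len, struct frame *f)
{
    char *src = malloc(len ? len : 1);
    frame_init(f, 0x08048400u);    /* constructed return address */
    if (!src)
        return;
    memset(src, 'A', len);
    frame_copy_unchecked(f, src, len);
    free(src);
}

int canary_survives(size_t len)
{
    struct frame f;
    scenario(len, &f);
    return frame_canary_ok(&f);
}

uint32_t ret_addr_after(size_t len)
{
    struct frame f;
    scenario(len, &f);
    return f.ret_addr;
}

int main(void)
{
    size_t lens[] = { 16, 20, 28 };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("%2zu bytes: canary %s, ret_addr = 0x%08x\n", lens[i],
               canary_survives(lens[i]) ? "intact" : "CLOBBERED (check fails)",
               ret_addr_after(lens[i]));
    return 0;
}
```

The 28-byte case is the one the next slide draws: the return address is overwritten, but because the canary sits between the buffer and the saved registers, the epilogue check fails first and the function never returns through the corrupted value.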
Stack Canaries (cont'd)
[Figure: the frame of func() with a canary, from high memory down to ESP: str (A), Ret addr (A), EBP (A), Canary (A), myBuff filled with A's]
Bypassing NX and Canaries
• NX: non-executable stack
  – Executing code in the heap
  – Data Execution Prevention (DEP)
  – Return Oriented Programming (ROP)
• Stack Canaries
  – Overwriting the canary with the same value
  – Brute force attack (e.g., DynaGuard in ACSAC'15)
Reminders
• Lab 0
  – Turn in the class agreement
• Lab 1
  – Due today at 11:59pm
  – Late assignment policy
  – Submit it via Blackboard
• Lab 2 instructions