stuartstaniford( …...formatstring(vulnerabili;es(• class(of(vulnerabili;es(in(c(prin /sprin...
TRANSCRIPT
![Page 1: StuartStaniford( …...FormatString(Vulnerabili;es(• Class(of(vulnerabili;es(in(C(prin /sprin /etc(– Discovered(atend(of(1990s(– Almostthirty(years(aer(C(invented(• Also(can](https://reader033.vdocuments.us/reader033/viewer/2022041920/5e6b7e09228bbe684d14c4e6/html5/thumbnails/1.jpg)
Defending Computer Networks Lecture 3: More On Vulnerabili3es
Stuart Staniford Adjunct Professor of Computer Science
![Page 2: StuartStaniford( …...FormatString(Vulnerabili;es(• Class(of(vulnerabili;es(in(C(prin /sprin /etc(– Discovered(atend(of(1990s(– Almostthirty(years(aer(C(invented(• Also(can](https://reader033.vdocuments.us/reader033/viewer/2022041920/5e6b7e09228bbe684d14c4e6/html5/thumbnails/2.jpg)
Logis;cs
• First Homework Today – Find on class website – Due next Wednesday 9/11 5pm in 317 lab
• Try not to all come at last minute
• Office hour change – Permanent:
• Tues is 1:30-‐2:45pm (not 3pm) – Temporary
• Weds 9/11 will be 1:30-‐5pm for HW1 grading – Could be TA in part, if dept can find one by then
• Tues office hours will be in lab next week also
![Page 3: StuartStaniford( …...FormatString(Vulnerabili;es(• Class(of(vulnerabili;es(in(C(prin /sprin /etc(– Discovered(atend(of(1990s(– Almostthirty(years(aer(C(invented(• Also(can](https://reader033.vdocuments.us/reader033/viewer/2022041920/5e6b7e09228bbe684d14c4e6/html5/thumbnails/3.jpg)
More Logis;cs
![Page 4: StuartStaniford( …...FormatString(Vulnerabili;es(• Class(of(vulnerabili;es(in(C(prin /sprin /etc(– Discovered(atend(of(1990s(– Almostthirty(years(aer(C(invented(• Also(can](https://reader033.vdocuments.us/reader033/viewer/2022041920/5e6b7e09228bbe684d14c4e6/html5/thumbnails/4.jpg)
Main Goals for Today
• Understand format string vulnerabili;es • Introduc;on to CVE/CWE -‐ enumera;ng and classifying vulnerabili;es
• The economic/social big picture: why is the Internet riddled with vulnerabili;es?
• Understand stack canary defenses against buffer overflows
![Page 5: StuartStaniford( …...FormatString(Vulnerabili;es(• Class(of(vulnerabili;es(in(C(prin /sprin /etc(– Discovered(atend(of(1990s(– Almostthirty(years(aer(C(invented(• Also(can](https://reader033.vdocuments.us/reader033/viewer/2022041920/5e6b7e09228bbe684d14c4e6/html5/thumbnails/5.jpg)
Interes;ng News This Time
![Page 6: StuartStaniford( …...FormatString(Vulnerabili;es(• Class(of(vulnerabili;es(in(C(prin /sprin /etc(– Discovered(atend(of(1990s(– Almostthirty(years(aer(C(invented(• Also(can](https://reader033.vdocuments.us/reader033/viewer/2022041920/5e6b7e09228bbe684d14c4e6/html5/thumbnails/6.jpg)
Refresh: Example 2
void myFunc(char *str) { char buffer[64]; strcpy(buffer, str); } int main(int argc, char* argv[]) { char large_string[256]; int i; for( i = 0; i < 255; i++) large_string[i] = 'A’; myFunc (large_string); }
![Page 7: StuartStaniford( …...FormatString(Vulnerabili;es(• Class(of(vulnerabili;es(in(C(prin /sprin /etc(– Discovered(atend(of(1990s(– Almostthirty(years(aer(C(invented(• Also(can](https://reader033.vdocuments.us/reader033/viewer/2022041920/5e6b7e09228bbe684d14c4e6/html5/thumbnails/7.jpg)
Top of Memory
Top of Stack
large_string_ LS ptr
new Ret SFP Buffer[64] contains shellcode
Stack Pointer %esp Frame Pointer %ebp
Saved Frame Pointer
Refresh: Stack Before Strcpy
![Page 8: StuartStaniford( …...FormatString(Vulnerabili;es(• Class(of(vulnerabili;es(in(C(prin /sprin /etc(– Discovered(atend(of(1990s(– Almostthirty(years(aer(C(invented(• Also(can](https://reader033.vdocuments.us/reader033/viewer/2022041920/5e6b7e09228bbe684d14c4e6/html5/thumbnails/8.jpg)
Format String Vulnerabili;es
• Class of vulnerabili;es in C prinp/sprinp/etc – Discovered at end of 1990s – Almost thirty years aqer C invented
• Also can affect syslog(), warn(), err() • Core issue is when the format string is (par;ally) user supplied, not sta;c – prinp(userData,…) is bad – prinp(“%s”, userData,…) doesn’t have the issue
• Note that ‘…’ arguments are on the stack • And format string controls powerful func;onality to do stuff with the prinp arguments (ie the stack)
• Bypass any compile ;me checks when user supplied
![Page 9: StuartStaniford( …...FormatString(Vulnerabili;es(• Class(of(vulnerabili;es(in(C(prin /sprin /etc(– Discovered(atend(of(1990s(– Almostthirty(years(aer(C(invented(• Also(can](https://reader033.vdocuments.us/reader033/viewer/2022041920/5e6b7e09228bbe684d14c4e6/html5/thumbnails/9.jpg)
prinpVulnerability.c
#include <stdio.h> int main(int argc, char* argv[]) { prinp(argv[1]); return 0; }
![Page 10: StuartStaniford( …...FormatString(Vulnerabili;es(• Class(of(vulnerabili;es(in(C(prin /sprin /etc(– Discovered(atend(of(1990s(– Almostthirty(years(aer(C(invented(• Also(can](https://reader033.vdocuments.us/reader033/viewer/2022041920/5e6b7e09228bbe684d14c4e6/html5/thumbnails/10.jpg)
So let’s try…
• ./prinpVulnerability foo • ./prinpVulnerability “foo \n” • ./prinpVulnerability “%08x.%08x.%08x.%08x ”
![Page 11: StuartStaniford( …...FormatString(Vulnerabili;es(• Class(of(vulnerabili;es(in(C(prin /sprin /etc(– Discovered(atend(of(1990s(– Almostthirty(years(aer(C(invented(• Also(can](https://reader033.vdocuments.us/reader033/viewer/2022041920/5e6b7e09228bbe684d14c4e6/html5/thumbnails/11.jpg)
Stack in prinpVulnerability
Top of Memory
Top of Stack
fmtptr
pf Ret
pf SFP Prinp local variables
Stack Pointer %esp Frame Pointer %ebp
mn Ret
mnSFP
S;ll in the no-‐defense, old-‐style, slightly fic;onalized view of the world
Prinp arg
![Page 12: StuartStaniford( …...FormatString(Vulnerabili;es(• Class(of(vulnerabili;es(in(C(prin /sprin /etc(– Discovered(atend(of(1990s(– Almostthirty(years(aer(C(invented(• Also(can](https://reader033.vdocuments.us/reader033/viewer/2022041920/5e6b7e09228bbe684d14c4e6/html5/thumbnails/12.jpg)
The Really Big Problem The ‘%n’ format direc;ve. From ‘man 3 prinp’:
This allows us to write on the stack at a loca;on we can control! by doing ./prinpVulnerability “%08x.%08x… %n” we can move around the stack posi;on where the %n will write to. By doing “aaaaa…%08x.%08x… %n” we can control what number is wri}en into that stack address. By doing this repeatedly with small width fields, we can write one byte at a ;me, and overwrite an address (eg a saved IP)
![Page 13: StuartStaniford( …...FormatString(Vulnerabili;es(• Class(of(vulnerabili;es(in(C(prin /sprin /etc(– Discovered(atend(of(1990s(– Almostthirty(years(aer(C(invented(• Also(can](https://reader033.vdocuments.us/reader033/viewer/2022041920/5e6b7e09228bbe684d14c4e6/html5/thumbnails/13.jpg)
Common Vulnerabili;es and Exposures List (CVE)
• Ini;a;ve by Mitre Corp to create a common dic;onary of known vulnerabili;es – US govt funded
• Now an industry standard • Guided by an editorial board from across industry/academia/government
• Excellent Place to Start Looking for Publicly Known Vulnerabili;es in something – h}p://cve.mitre.org/cgi-‐bin/cvekey.cgi?keyword=excel
![Page 14: StuartStaniford( …...FormatString(Vulnerabili;es(• Class(of(vulnerabili;es(in(C(prin /sprin /etc(– Discovered(atend(of(1990s(– Almostthirty(years(aer(C(invented(• Also(can](https://reader033.vdocuments.us/reader033/viewer/2022041920/5e6b7e09228bbe684d14c4e6/html5/thumbnails/14.jpg)
‘Excel’ Vulnerabili;es
![Page 15: StuartStaniford( …...FormatString(Vulnerabili;es(• Class(of(vulnerabili;es(in(C(prin /sprin /etc(– Discovered(atend(of(1990s(– Almostthirty(years(aer(C(invented(• Also(can](https://reader033.vdocuments.us/reader033/viewer/2022041920/5e6b7e09228bbe684d14c4e6/html5/thumbnails/15.jpg)
Example Entry
![Page 16: StuartStaniford( …...FormatString(Vulnerabili;es(• Class(of(vulnerabili;es(in(C(prin /sprin /etc(– Discovered(atend(of(1990s(– Almostthirty(years(aer(C(invented(• Also(can](https://reader033.vdocuments.us/reader033/viewer/2022041920/5e6b7e09228bbe684d14c4e6/html5/thumbnails/16.jpg)
CVE Counts By Year
![Page 17: StuartStaniford( …...FormatString(Vulnerabili;es(• Class(of(vulnerabili;es(in(C(prin /sprin /etc(– Discovered(atend(of(1990s(– Almostthirty(years(aer(C(invented(• Also(can](https://reader033.vdocuments.us/reader033/viewer/2022041920/5e6b7e09228bbe684d14c4e6/html5/thumbnails/17.jpg)
Is That All The Vulnerabili;es?
• No! – Anecdote/single datapoint (8000 vs 122)
• Basically, we have no idea how many soqware vulnerabili;es exist in total – Probably millions at least, – Probably not billions
![Page 18: StuartStaniford( …...FormatString(Vulnerabili;es(• Class(of(vulnerabili;es(in(C(prin /sprin /etc(– Discovered(atend(of(1990s(– Almostthirty(years(aer(C(invented(• Also(can](https://reader033.vdocuments.us/reader033/viewer/2022041920/5e6b7e09228bbe684d14c4e6/html5/thumbnails/18.jpg)
Common Weakness Enumera;on(CWE)
• More recent effort by Mitre – cwe.mitre.org
• Idea is to classify vulnerabili;es into general types – See the recurring pa}erns – Priori;ze what’s most important – Learn not to generate more and more of these things
• Excellent place to look for general issues when you get into a new domain
![Page 19: StuartStaniford( …...FormatString(Vulnerabili;es(• Class(of(vulnerabili;es(in(C(prin /sprin /etc(– Discovered(atend(of(1990s(– Almostthirty(years(aer(C(invented(• Also(can](https://reader033.vdocuments.us/reader033/viewer/2022041920/5e6b7e09228bbe684d14c4e6/html5/thumbnails/19.jpg)
CWE Top 25
940 CWE’s in total – another 37 pages like this
![Page 20: StuartStaniford( …...FormatString(Vulnerabili;es(• Class(of(vulnerabili;es(in(C(prin /sprin /etc(– Discovered(atend(of(1990s(– Almostthirty(years(aer(C(invented(• Also(can](https://reader033.vdocuments.us/reader033/viewer/2022041920/5e6b7e09228bbe684d14c4e6/html5/thumbnails/20.jpg)
Example From a Different Domain
![Page 21: StuartStaniford( …...FormatString(Vulnerabili;es(• Class(of(vulnerabili;es(in(C(prin /sprin /etc(– Discovered(atend(of(1990s(– Almostthirty(years(aer(C(invented(• Also(can](https://reader033.vdocuments.us/reader033/viewer/2022041920/5e6b7e09228bbe684d14c4e6/html5/thumbnails/21.jpg)
Why So Many Vulnerabili;es?
1. Wri;ng secure code is hard 2. Soqware engineers are poorly trained in
security (but not you guys!) 3. Economic incen;ves at soqware companies
do not priori;ze doing things right
![Page 22: StuartStaniford( …...FormatString(Vulnerabili;es(• Class(of(vulnerabili;es(in(C(prin /sprin /etc(– Discovered(atend(of(1990s(– Almostthirty(years(aer(C(invented(• Also(can](https://reader033.vdocuments.us/reader033/viewer/2022041920/5e6b7e09228bbe684d14c4e6/html5/thumbnails/22.jpg)
Wri;ng Secure Code is Hard
• 940 CWEs (and coun;ng) • Large numbers of different categories of things to do wrong – Hard to know about all of them
• Humans are error prone at best – Most of us write a no;ceable number of bugs/kloc – Significant frac;on of bugs turn out to be exploitable – Tes;ng all code-‐paths is both theore;cally and prac;cally impossible
![Page 23: StuartStaniford( …...FormatString(Vulnerabili;es(• Class(of(vulnerabili;es(in(C(prin /sprin /etc(– Discovered(atend(of(1990s(– Almostthirty(years(aer(C(invented(• Also(can](https://reader033.vdocuments.us/reader033/viewer/2022041920/5e6b7e09228bbe684d14c4e6/html5/thumbnails/23.jpg)
Soqware Engineers Untrained in Security
You are here
Source: h}p://grad-‐schools.usnews.rankingsandreviews.com/best-‐graduate-‐schools/ top-‐science-‐schools/computer-‐science-‐rankings
![Page 24: StuartStaniford( …...FormatString(Vulnerabili;es(• Class(of(vulnerabili;es(in(C(prin /sprin /etc(– Discovered(atend(of(1990s(– Almostthirty(years(aer(C(invented(• Also(can](https://reader033.vdocuments.us/reader033/viewer/2022041920/5e6b7e09228bbe684d14c4e6/html5/thumbnails/24.jpg)
Undergraduate Security Course @Top 10
![Page 25: StuartStaniford( …...FormatString(Vulnerabili;es(• Class(of(vulnerabili;es(in(C(prin /sprin /etc(– Discovered(atend(of(1990s(– Almostthirty(years(aer(C(invented(• Also(can](https://reader033.vdocuments.us/reader033/viewer/2022041920/5e6b7e09228bbe684d14c4e6/html5/thumbnails/25.jpg)
Economic Incen;ves
• Most tech market categories have a winner-‐take-‐all structure – Microsoq in opera;ng systems and office suites – Google in search – Apple/Google in smartphones – Oracle in databases – Cisco in routers/switches
• Company execu;ves/VCs know this – So very strong pressure to ship code fast
• Dominate the market, then solve problems later
![Page 26: StuartStaniford( …...FormatString(Vulnerabili;es(• Class(of(vulnerabili;es(in(C(prin /sprin /etc(– Discovered(atend(of(1990s(– Almostthirty(years(aer(C(invented(• Also(can](https://reader033.vdocuments.us/reader033/viewer/2022041920/5e6b7e09228bbe684d14c4e6/html5/thumbnails/26.jpg)
Typical Life of a Vulnerability
![Page 27: StuartStaniford( …...FormatString(Vulnerabili;es(• Class(of(vulnerabili;es(in(C(prin /sprin /etc(– Discovered(atend(of(1990s(– Almostthirty(years(aer(C(invented(• Also(can](https://reader033.vdocuments.us/reader033/viewer/2022041920/5e6b7e09228bbe684d14c4e6/html5/thumbnails/27.jpg)
Economic Incen;ves
• Not wri;ng vulnerabili;es in the first place is – Hard – Therefore expensive and slow
• Finding vulnerabili;es takes lots of QA/test – Also, expensive and slow
• So companies have a strong incen;ve to not worry about it too much – Fix it later, when it becomes a PR problem
![Page 28: StuartStaniford( …...FormatString(Vulnerabili;es(• Class(of(vulnerabili;es(in(C(prin /sprin /etc(– Discovered(atend(of(1990s(– Almostthirty(years(aer(C(invented(• Also(can](https://reader033.vdocuments.us/reader033/viewer/2022041920/5e6b7e09228bbe684d14c4e6/html5/thumbnails/28.jpg)
In Today’s New York Times…
![Page 29: StuartStaniford( …...FormatString(Vulnerabili;es(• Class(of(vulnerabili;es(in(C(prin /sprin /etc(– Discovered(atend(of(1990s(– Almostthirty(years(aer(C(invented(• Also(can](https://reader033.vdocuments.us/reader033/viewer/2022041920/5e6b7e09228bbe684d14c4e6/html5/thumbnails/29.jpg)
Top of Memory
Top of Stack
large_string_ LS ptr Ret SFP Buffer[64] contains shellcode
Stack Pointer %esp Frame Pointer %ebp
Saved Frame Pointer
Canary-‐based Overflow Defense
Canary
Not invincible. Eg h}p://phrack.org/issues.html?issue=56&id=5