security exploiting overflows. introduction r see the following link for more info: ...
TRANSCRIPT
Security
Exploiting Overflows
Introduction
See the following link for more info: http://www.gfi.com/blog/most-vulnerable-operating-systems-and-applications-in-2014/
Introduction
Buffer overflows are a major vulnerability
When a security alert contains the phrase “The most severe of these vulnerabilities allows a remote attacker to execute arbitrary code.”, the underlying problem is probably a buffer overflow.
The Security Problem Security must consider external
environment of the system, and protect the system resources
Intruders (crackers) attempt to breach security
Threat is potential security violation Attack is attempt to breach security Attack can be accidental or malicious Easier to protect against accidental
than malicious misuse
Security Measure Levels
Security must occur at four levels to be effective:PhysicalHuman
• Avoid social engineering, phishing, dumpster diving
Operating SystemNetwork
Security is as weak as the weakest link in the chain
Background
Typical Attack Scenario: Users enter data into a Web form Web form is sent to server Server writes data to buffer, without
checking length of input data Data overflows from buffer Sometimes, overflow can enable an attack Web form attack could be carried out by
anyone with an Internet connection
Problem
void foo(char *str) {char buf[10];strcpy(buf,str);
}…foo(“thisstringistolongforfoo”);
What Happens
This will cause the program to abort Why? To understand this you need some
understanding of C functions and the stack A little knowledge of assembly How system calls are made
Process Memory Layout
Continuous memory space for all process Each with its physical space Pretends you are in the same in
virtual space
0xffffffff
0
Process Memory Layout
Program code and constant binary form loaded libraries
0xffffffff
0text
Process Memory Layout
Program code and constant binary form loaded libraries known as “text” segment space calculated at compile
time
0xffffffff
0text
Process Memory Layout
Data: initialized global data in the program Example: int size = 100;
BSS: un-initialized global data in the program Example: int length;
0xffffffff
0text
data
bss
Process Memory Layout
Heap: dynamically-allocated spaces Example: malloc, free OS knows nothing about it
• space• content
dynamically grows as program runs
0xffffffff
0text
data
bss
heap
Process Memory Layout
Stack: local variables in functions support function call/return and
recursive functions grow to low address Why?
• Historical
0xffffffff
0text
data
bss
heap
stack
What is a Stack?
A stack is a contiguous block of memory used by functions
A stack pointer points to the top of stack
The stack consists of frames which are pushed when a function is called and popped when a function if finished.
A frame pointer points to the current frame in use
Stack Buffers Suppose a web server contains the foo
function from several slides agovoid foo(char *str) {char buf[10];strcpy(buf,str);}
When this function is invoked, a new frame is pushed onto the stack
Top ofstack
Stack grows this way
buf sfpretaddr str
Local variables
Frame of thecalling function
Execute code at this addressafter func() finishes
ArgumentsPointer topreviousframe
Stack Buffer Memory pointed to by str is copied onto
stackvoid foo(char *str) {char buf[10];strcpy(buf,str);
} If a string is longer than 10 bytes it is
copied into buffer and will overwrite adjacent stack locations
strcpy does NOT check whether the string at *str contains fewer than 10 characters
buf str
This will beinterpretedas return address!
overflowTop ofstack
Frame of thecalling function
Exploitation
General idea: Provide servers very large strings that will overflow a buffer.
For a server with sloppy code: it’s easy to crash the server by overflowing a buffer.
Problem: No range checking
strcpy does not check input size strcpy (buf,str) simply copies memory
contents into bug starting from *str until “\0” is encountered,
Ignores the size of area allocated to buf Many C library functions are unsafe
strcpy, strcat,gets,scanf,printf
Does Range Checking Help?
What if we used strncpy instead of strcpy?
strncpy(char *dest, const char *src, size_t n)
Yes – assuming that the programmer has supplied the right value of “n”
Executing Attack Code
A variation of the buffer overflow would have the overflow change the return address to point to the attack code
The implication of this is that when the function returns, control is transferred to the attack code
Executing Attack Code Suppose buf contains attacker-created
string
code str Frame of thecalling functionret
Attacker puts actual assembly instructions into his input string, e.g.,binary code of execve(“/bin/sh”)
In the overflow, a pointer backinto the bufferr appears inthe location where the systemexpects to find return address
Top ofstack
When function exits, code in the buffer will be executed, giving attacker a shell Root shell depending on the victim program
Buffer Overflow Issue Executable attack code is stored on
stack, inside the buffer containing attacker’s string Stack memory is suppose to contain only
data, but .. For the basic attack, overflow portion
must contain correct address of attack code in the return position The value in the RET position must point to
the beginning of the attack assembly code– Otherwise you will have a crash
Attacker must correctly guess in which stack position the buffer will be in when the function is called
Safer Languages
Several modern languages have built-in protection against stack overflow.
Java and C# check every array reference to ensure that it is within bounds.
Java does not allow stack violations.