Security

Exploiting Overflows

Introduction

See the following link for more info: http://www.gfi.com/blog/most-vulnerable-operating-systems-and-applications-in-2014/

Introduction

Buffer overflows are a major vulnerability

When a security alert contains the phrase “The most severe of these vulnerabilities allows a remote attacker to execute arbitrary code.”, the underlying problem is probably a buffer overflow.

The Security Problem Security must consider external

environment of the system, and protect the system resources

Intruders (crackers) attempt to breach security

Threat is potential security violation Attack is attempt to breach security Attack can be accidental or malicious Easier to protect against accidental

than malicious misuse

Security Measure Levels

Security must occur at four levels to be effective:PhysicalHuman

• Avoid social engineering, phishing, dumpster diving

Operating SystemNetwork

Security is as weak as the weakest link in the chain

Background

Typical Attack Scenario: Users enter data into a Web form Web form is sent to server Server writes data to buffer, without

checking length of input data Data overflows from buffer Sometimes, overflow can enable an attack Web form attack could be carried out by

anyone with an Internet connection

Problem

void foo(char *str) {char buf[10];strcpy(buf,str);

}…foo(“thisstringistolongforfoo”);

What Happens

This will cause the program to abort Why? To understand this you need some

understanding of C functions and the stack A little knowledge of assembly How system calls are made

Process Memory Layout

Continuous memory space for all process Each with its physical space Pretends you are in the same in

virtual space

0xffffffff

0

Process Memory Layout

Program code and constant binary form loaded libraries

0xffffffff

0text

Process Memory Layout

Program code and constant binary form loaded libraries known as “text” segment space calculated at compile

time

0xffffffff

0text

Process Memory Layout

Data: initialized global data in the program Example: int size = 100;

BSS: un-initialized global data in the program Example: int length;

0xffffffff

0text

data

bss

Process Memory Layout

Heap: dynamically-allocated spaces Example: malloc, free OS knows nothing about it

• space• content

dynamically grows as program runs

0xffffffff

0text

data

bss

heap

Process Memory Layout

Stack: local variables in functions support function call/return and

recursive functions grow to low address Why?

• Historical

0xffffffff

0text

data

bss

heap

stack

What is a Stack?

A stack is a contiguous block of memory used by functions

A stack pointer points to the top of stack

The stack consists of frames which are pushed when a function is called and popped when a function if finished.

A frame pointer points to the current frame in use

Stack Buffers Suppose a web server contains the foo

function from several slides agovoid foo(char *str) {char buf[10];strcpy(buf,str);}

When this function is invoked, a new frame is pushed onto the stack

Top ofstack

Stack grows this way

buf sfpretaddr str

Local variables

Frame of thecalling function

Execute code at this addressafter func() finishes

ArgumentsPointer topreviousframe

Stack Buffer Memory pointed to by str is copied onto

stackvoid foo(char *str) {char buf[10];strcpy(buf,str);

} If a string is longer than 10 bytes it is

copied into buffer and will overwrite adjacent stack locations

strcpy does NOT check whether the string at *str contains fewer than 10 characters

buf str

This will beinterpretedas return address!

overflowTop ofstack

Frame of thecalling function

Exploitation

General idea: Provide servers very large strings that will overflow a buffer.

For a server with sloppy code: it’s easy to crash the server by overflowing a buffer.

Problem: No range checking

strcpy does not check input size strcpy (buf,str) simply copies memory

contents into bug starting from *str until “\0” is encountered,

Ignores the size of area allocated to buf Many C library functions are unsafe

strcpy, strcat,gets,scanf,printf

Does Range Checking Help?

What if we used strncpy instead of strcpy?

strncpy(char *dest, const char *src, size_t n)

Yes – assuming that the programmer has supplied the right value of “n”

Executing Attack Code

A variation of the buffer overflow would have the overflow change the return address to point to the attack code

The implication of this is that when the function returns, control is transferred to the attack code

Executing Attack Code Suppose buf contains attacker-created

string

code str Frame of thecalling functionret

Attacker puts actual assembly instructions into his input string, e.g.,binary code of execve(“/bin/sh”)

In the overflow, a pointer backinto the bufferr appears inthe location where the systemexpects to find return address

Top ofstack

When function exits, code in the buffer will be executed, giving attacker a shell Root shell depending on the victim program

Buffer Overflow Issue Executable attack code is stored on

stack, inside the buffer containing attacker’s string Stack memory is suppose to contain only

data, but .. For the basic attack, overflow portion

must contain correct address of attack code in the return position The value in the RET position must point to

the beginning of the attack assembly code– Otherwise you will have a crash

Attacker must correctly guess in which stack position the buffer will be in when the function is called

Safer Languages

Several modern languages have built-in protection against stack overflow.

Java and C# check every array reference to ensure that it is within bounds.

Java does not allow stack violations.