Software Security III


COMP 4580 Computer Security
Software Security III
Dr. Noman Mohammed, Winter 2019
Including slides from: David Brumley & others!

Outline

- Assembly Language
- Memory Layout
- Control Flow Hijacking Methods
- Buffer Overflow Attack
- Format String Attack
  - Reading from memory
  - Writing to memory
- Countermeasures

Format Strings

    printf("The number is: %d", 100);

A format string is just a character string with special escape sequences that tell the function to insert variables, printed in a specific format, in place of the escape sequence. These escape sequences are also called format parameters, and for each one found in the format string the function is expected to take an additional argument.

Format Parameters

    Parameter   Output type                 Passed as
    %d          Decimal                     Value
    %u          Unsigned decimal            Value
    %x          Hexadecimal                 Value
    %s          String                      Reference
    %n          # of bytes written so far   Reference

Format Strings in C

Proper use of a printf format string:

    int foo = 1234;
    printf("foo = %d in decimal, %X in hex", foo, foo);

- This will print: foo = 1234 in decimal, 4D2 in hex

Sloppy use of a printf format string:

    char buf[14] = "Hello, world!";   /* 13 characters plus the terminating NUL */
    printf(buf);

- should have used printf("%s", buf);

Stack Diagram

Stack at entry to the callee, from high to low addresses:

    caller's frame:  arg n ... arg 2, arg 1
    callee's frame:  return addr, caller's ebp, callee-save, locals

For printf, arg 1 is the format string, arg 2 is the 1st specified argument, and arg n is the (n-1)th specified argument.

Example

    char s1[] = "hello";
    char s2[] = "world";
    printf("%s %s %u", s1, s2, 42);

Stack at the call to printf, from high to low addresses:

    caller's frame:  arg 4 = 42, arg 3 = address of "world", arg 2 = address of "hello", arg 1 = address of "%s %s %u"
    printf's frame:  return addr, caller's ebp, callee-save, locals


Example

    1. int foo(char *fmt) {
    2.   char buf[32];
    3.   strcpy(buf, fmt);
    4.   printf(buf);
    5. }

Compiled (32-bit x86, AT&T syntax):

    080483d4 <foo>:
    80483d4: push %ebp
    80483d5: mov  %esp,%ebp
    80483d7: sub  $0x28,%esp            ; allocate 40 bytes on stack
    80483da: mov  0x8(%ebp),%eax        ; eax := M[ebp+8] - addr of fmt
    80483dd: mov  %eax,0x4(%esp)        ; M[esp+4] := eax - push as arg 2
    80483e1: lea  -0x20(%ebp),%eax      ; eax := ebp-32 - addr of buf
    80483e4: mov  %eax,(%esp)           ; M[esp] := eax - push as arg 1
    80483e7: call 80482fc <strcpy@plt>
    80483ec: lea  -0x20(%ebp),%eax      ; eax := ebp-32 - addr of buf again
    80483ef: mov  %eax,(%esp)           ; M[esp] := eax - push as arg 1
    80483f2: call 804830c <printf@plt>
    80483f7: leave
    80483f8: ret

Stack Diagram @ printf

    1. int foo(char *fmt) {
    2.   char buf[32];
    3.   strcpy(buf, fmt);
    4.   printf(buf);        <= stopped here
    5. }

Stack at the call to printf on line 4, from high to low addresses:

    foo's frame:     addr of fmt (foo's argument), return addr, caller's ebp, buf (32 bytes), stale arg 2, arg 1 = addr of buf
    printf's frame:  return addr, foo's ebp, locals

Arg 2 is stale: that slot still holds the address of fmt stored there for the strcpy call on line 3, because printf(buf) only fills in arg 1.

Viewing Stack

Same stack as above, stopped at printf(buf) on line 4. What are the effects if fmt is:

    %x%x...%x    (11 times)

Each %x consumes the next 4-byte word above the format-string argument, so the eleven conversions walk up through the stale arg 2, the 32 bytes of buf itself, foo's saved ebp and the return address, printing those stack contents in hex.

Viewing Specific Address 1

Same stack, stopped at printf(buf) on line 4.

Observe: buf is below printf on the call stack (at a higher address), thus we can walk to it with the correct parameters. What if fmt is %x%s?

Viewing Specific Address 2

Encode the address to peek at in buf first. Address 0xbffff747 is \x47\xf7\xff\xbf in little endian, so fmt becomes:

    \x47\xf7\xff\xbf%x%s

On the stack the first 4 bytes of buf now hold 0xbffff747, followed by buf's other 28 bytes. The %x consumes the stale arg 2, and the %s then takes its pointer from the first word of buf.


Writing Stack with Format Strings

The %n format symbol tells printf to write the number of characters that have been printed so far:

    printf("Overflow this!%n", &myvar);

- The argument of printf is interpreted as the destination address
- This writes 14 into myvar ("Overflow this!" has 14 characters)

What if printf does not have an argument?

    char buf[17] = "Overflow this!%n";   /* 16 characters plus the terminating NUL */
    printf(buf);

- The stack location pointed to by printf's internal argument pointer will be interpreted as the address into which the number of characters will be written!

Specifying Length

    int a;
    printf("-%10u-%n", 7350, &a);

What does this print, and what ends up in a? The argument is printed padded to 10 digits:

    -      7350-

and %n stores in a the number of characters written before it, padding included.
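An added example (not from the slides) that runs the lecture's "-%10u-%n" case with a legitimate int* argument, so the count %n stores can be inspected; the function names are mine, and the second function shows the portable way to get the same count without %n.

```c
#include <stdio.h>
#include <string.h>

/* Format `value` with the lecture's "-%10u-%n" into `out` and return the
 * count that %n stored: the number of bytes emitted before the %n,
 * which includes the padding requested by the width specifier. */
int count_written(char *out, size_t outlen, unsigned value) {
    int a = -1;                               /* filled in via %n */
    snprintf(out, outlen, "-%10u-%n", value, &a);
    return a;
}

/* Same output, but the count comes from snprintf's return value, which
 * is the portable way to learn how many bytes were written. */
int count_written_no_n(char *out, size_t outlen, unsigned value) {
    return snprintf(out, outlen, "-%10u-", value);
}

int main(void) {
    char out[64];
    int a = count_written(out, sizeof out, 7350);
    printf("output: \"%s\"\n", out);   /* "-      7350-" */
    printf("a = %d\n", a);             /* 12 = 1 + 10 (padded) + 1 */
    printf("snprintf count = %d\n", count_written_no_n(out, sizeof out, 7350));
    return 0;
}
```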

Writing to Specific Address

Encode the address in the format string:

    "\xc0\xc8\xff\xbf_%08x.%08x.%08x.%08x.%08x.%n"

- The five %08x pop 5 dwords from the stack to reach the format string
- The %n then writes a small number at destination 0xbfffc8c0
- Can use four carefully-controlled writes to create an address at the destination

Buffer Overflow vs. Format String

                          Buffer Overflow                    Format String
    Public since          Mid 1980s                          June 1999
    Danger realized       1990s                              June 2000
    Number of exploits    A few thousand                     A few dozen
    Considered as         Security threat                    Programming bug
    Techniques            Evolved and advanced               Basic techniques
    Visibility            Sometimes very difficult to spot   Easy to find

Source: "Exploiting Format String Vulnerabilities" by Team Teso.


Defenses

Bugs are the root cause of hijacks!

- Safe programming practice
  - strncpy instead of strcpy
  - printf("%s", buf) instead of printf(buf)
- Find bugs with analysis tools
- Mitigation techniques:
  - StackGuard
  - Address Space Randomization
  - Non-executable stack
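An added example (not from the slides) putting the sloppy printf(buf) pattern beside the printf("%s", buf) fix from the defenses list, plus a small check a logging layer could apply to data it did not author; function names and the sample inputs are mine.

```c
#include <stdio.h>
#include <string.h>

/* Sloppy: the caller's message *is* the format string, so every '%' in
 * it is interpreted.  -Wformat-security flags this call; the warning is
 * silenced here only so the two variants compile side by side. */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
int sloppy_log(char *out, size_t outlen, const char *msg) {
    return snprintf(out, outlen, msg);      /* BUG: msg used as format */
}
#pragma GCC diagnostic pop

/* Fixed: the format is a constant literal and msg is an ordinary %s
 * argument, so "%x" or "%n" inside msg is copied out as plain text. */
int safe_log(char *out, size_t outlen, const char *msg) {
    return snprintf(out, outlen, "%s", msg);
}

/* Returns 1 if the string holds a '%' that would become a conversion
 * specifier should the data ever reach a printf-family call in the
 * format position; useful for flagging suspicious input in logs. */
int contains_format_parameter(const char *s) {
    return strchr(s, '%') != NULL;
}

int main(void) {
    char out[64];
    const char *untrusted = "hello %x %x %n";   /* constructed input */

    safe_log(out, sizeof out, untrusted);
    printf("fixed:   \"%s\"\n", out);           /* echoed verbatim */

    /* A benign "%%" shows the interpretation difference without any
     * undefined behaviour: sloppy collapses it, the fix keeps it. */
    sloppy_log(out, sizeof out, "100%% done");
    printf("sloppy:  \"%s\"\n", out);           /* "100% done" */
    safe_log(out, sizeof out, "100%% done");
    printf("fixed:   \"%s\"\n", out);           /* "100%% done" */
    printf("flagged: %d\n", contains_format_parameter(untrusted));
    return 0;
}
```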

StackGuard

Idea:
- the prologue introduces a canary word between the return addr and the locals
- the epilogue checks the canary before the function returns

Frame with canary, from high to low addresses (%ebp points at the saved ebp, %esp at the bottom of the locals):

    arg 2, arg 1, return addr, caller's ebp, callee-save, CANARY, locals

Wrong canary => overflow

Address Space Randomization

- Traditional exploits need precise addresses
  - stack-based overflows: location of shell code
- Problem: the program's memory layout is fixed (stack, heap, etc.)
- Solution: randomize the addresses of each region!
  - Makes it difficult for the hacker to predict the beginning of the inserted code

Address Space Randomization (figure)

Left, fixed layout: buf starts at 0xffffd5d8 (buf[0]) and holds the shellcode; buf[63] ends just below the caller's ebp at 0xffffd618, and the injected value above it is the address of buf, 0xffffd5d8.

Right, after "Randomize!": buf now starts at 0xffffe3f8 (the figure places the caller's ebp at 0xffffe428), but the injected value is still 0xffffd5d8, which no longer points at the shellcode. Oops.

Non-executable Stack

We can configure the stack to be non-executable, thus preventing the malicious code from being executed.

    shellcode | padding | &buf   =>  CRASH

Still a Denial-of-Service attack!

Recap

Control Flow Hijacks happen when an attacker gains control of the instruction pointer.

Two common hijack methods:
- buffer overflows
- format string attacks