Buffer Overflow or Stack smashing

ISS03©Rosti

Buffer Overflow1

Emilia Rosti

Dip. di Informatica e ComunicazioneUniv. degli Studi di Milano

Buffer Overflowor

Stack smashingWhere computer security meets computerorganization, operating systems, access

control, and programming

ISS03©Rosti

Buffer Overflow2

Buffer Overflow

• malicious code is injected in memory• how?

• the address of such a code is loaded ina code pointer• where?

• the injected code is executed eventually

ISS03©Rosti

Buffer Overflow3

Buffer Overflow

• main vulnerability exploited in local andremote intrusions leading to systemcompromise• most dangerous if even it leads to

unprivileged account compromise only

ISS03©Rosti

Buffer Overflow4

Buffer overflow - statistics

[Wagner et al. 2000]

Number of CERT-CC advisories regardingvulnerabilities due to buffer overflow

ISS03©Rosti

Buffer Overflow5

Buffer overflow - statistics

[Wagner et al. 2000]

Number of incidents reported to CERT-CC caused by buffer overflow vulnerabilities

ISS03©Rosti

Buffer Overflow6

Buffer overflow: how

• a buffer is written with an amount ofdata greater than its size containingmalicious code• neither static nor run-time checks

• input string

• environment parameters

• dynamic libraries

ISS03©Rosti

Buffer Overflow7

Buffer overflow: how

• the address of the code is copied into apointer• procedure return address

• old base pointer

• function pointer

• longjimp buffer

• the program might still work correctly• well known problem of C language

ISS03©Rosti

Buffer Overflow8

Buffer Overflow:new stuff?

• well known problem• ‘70: login.c• ‘80: Internet worm (1988)

• buffer overflow in fingerd with 536 (512)chars

• ‘90: more than half of CERT-CC advisories(www.cert.org) every year on bufferoverflows

ISS03©Rosti

Buffer Overflow9

Buffer overflow:where is the problem?

• with adequately crafted input, any codemay be executed• the attacker would compromise the

account of the user process

• if the victim program is setuid to root, aroot shell can be executed• the attacker gains complete control of the

host

ISS03©Rosti

Buffer Overflow10

Buffer overflow:where is the problem?

• the combination of• lack of checks on buffer sizes in C• ad hoc input crafting• procedure call execution model• Unix discretionary access control

• may lead to the acquisition of superuserprivileges

ISS03©Rosti

Buffer Overflow11

Buffer overflow:a simple recipe

• ingredients• process with root privileges• malicious code in the process address

space

• procedure• change a code pointer of the process so as

to point to the malicious code in order tohave it execute eventually

ISS03©Rosti

Buffer Overflow12

Buffer overflow:the result

• privilege escalation by an unauthorizeduser• root shell execution

ISS03©Rosti

Buffer Overflow13

Buffer overflow:where to inject the code

• data area• stack

• return address / old base pointer

• heap• dynamic variables

• BSS• function pointers

• text area• using code already present in memory (e.g.,

libraries)• with adequate parameters

ISS03©Rosti

Buffer Overflow14

Buffer overflow:forced jump

• the program control flow is altered• activation record

• overflow a buffer onto return address or oldbase pointer

• function pointer• anywhere in memory, change the content of the

pointer

• checkpoint/rollback• overflow the setjmp(buffer) so that the rollback

longjmp(buffer) will jump to the malicious code

ISS03©Rosti

Buffer Overflow15

A process in memoryhigh addresses

low addresses

text & datasymbol table

magic #

mass memory

Shell environment & command line parameters

kernel stack (per process)red zoneuser area

ps_string structuresignal codesenv stringsargv stringsenv pointersargv pointers

argcuser stack

heapbss

data areatext area

ISS03©Rosti

Buffer Overflow16

Stack frame

generic layout of a procedure stack frame

low addresses

high address

local variables

saved registers

calling parameters

ISS03©Rosti

Buffer Overflow17

Stack smashing

local variables

calling parameters

malicious code

return address ….

old Stack pointerold Frame pointer

procedure activation record of a victim

saved registers

ISS03©Rosti

Buffer Overflow18

Example

void my_funct(int a, int *b, char *buf){char buf1[6];*b = a;strcpy(buf1, buf);}

ISS03©Rosti

Buffer Overflow19

Example

void main(){char string = “buffer overflow!!!!”;int i, j;i = 5;j = 8;my_funct(i, &j, string);j = i;}

ISS03©Rosti

Buffer Overflow20

User process inmemory



text

static dataheap

buf1

prec. frame pointerprec. stack pointer

return address

*buf*b

a 5

i 5j 8

string

buffer overf

low!!!!\0

argcargv pointers

env pointers

stack pointer

program counter

frame pointer

when my_function is called

ISS03©Rosti

Buffer Overflow21

User process inmemory



after strcpy(), returning from my_function

text

static dataheap

buf1

prec. frame pointerprec. stack pointer

return address

*buf*b

a 5

i 5j 8

string

buffer overf

low!!!!\0

argcargv pointers

env pointers

buffer overf

low!!!!\0

ISS03©Rosti

Buffer Overflow22

Buffer overflow:the issues

• C language• not strongly typed• no array bound checks (either statically, or

dynamically)• free pointer aritmethic• dangerous data structures (function

pointers)• vulnerable libraries

ISS03©Rosti

Buffer Overflow23

Buffer overflow:the issues

• Unix discretionary access control• r w x bits• real/effective userID• setuid/setgid bit• process privileges (realUID) vs program

privileges (effectiveUID)

• procedure execution model• executable stack

ISS03©Rosti

Buffer Overflow24

Access control in Unix

• real userid: the owner of the process• effective userid: the owner of the

program• a process executes with the privileges

of the user that launched the program

ISS03©Rosti

Buffer Overflow25

Access control in Unix

• a process may need higher privilegesduring execution (eg., those of theowner of the program)

• setuid(setgid): system call to change aprocess user(group)-id

ISS03©Rosti

Buffer Overflow26

Solutions

• write safe code• use strncpy, snprintf, etc.

• check input size and destination size

• 1-800-YOU-WISH

• use strongly typed languages• Java

• JVM is a C program

• what with existing code?• legacy and source

ISS03©Rosti

Buffer Overflow27

Solutions

• static analysis• prevention and/or detection

• analyze and/or modify source code looking forknown vulnerabilities

• dynamic analysis• prevention and/or detection

• change the run-time environment or systemfunctionality to make vulnerable program harmless

• protect known target

ISS03©Rosti

Buffer Overflow28

Solutions

• static code analyzer• BOON

• call graph with constraints on buffer sizes

• ITS4• dangerous library calls

• dynamic code analyzer• STOBO

• instrumented code is executed and alarms raised

ISS03©Rosti

Buffer Overflow29

Solutions

• C compiler patches that add• array bound checking

• performance degradation

• run-time checks on a selected set of pointers• StackGuard (return address, canary)• Stack Shield (return address and function pointers,

separate )• ProPolice (return address and old base pointer)

• run-time checks on all pointers• PointGuard

• major performance issues

ISS03©Rosti

Buffer Overflow30

Solutions

• patches• Libsafe/Libverify• Return Address Defender• Ccured• Cyclone• non executable stack (Openwall patch)

• fault injection• FIST

ISS03©Rosti

Buffer Overflow31

Solutions

• what if the source code is not available?• automatic search of the vulnerability in object

code• different sources of input

• keyboard, network, file

• input size

• no absolute guarantee of success

ISS03©Rosti

Buffer Overflow32

OBOE• Object-code Buffer Overrun Evaluator• controlled execution of object code• exhaustive scan of command line

arguments• input string crafted ad hoc• first search for segmentation fault, then for

illegal instruction• search for return address location with

shell code

ISS03©Rosti

Buffer Overflow34

References

C. Cowan et al., Buffer overflows: Attacks and defenses for thevulnerability of the decade, DISCEX 00.

J. Wilander, M. Kamkar, A comparison of publicly available tools fordynamic buffer overflow prevention, NDSS 03.

R. Banfi, D. Bruschi, E. Rosti, A tool for pro-active defense againstthe buffer overrun attack, ESORICS 98.

All the references in the first two papers.

Buffer Overflow or Stack smashing

Documents

Transcript of Buffer Overflow or Stack smashing