Buffer Overflow - The University of Edinburgh

Buffer Overflow
KAMI VANIEA
JANUARY 28TH 2016
Some slides copied from Myrto Arapinis’ talk last year
KAMI VANIEA 1
First, the news… Heartbleed
• https://xkcd.com/1354/
• http://heartbleed.com/
• https://www.us-cert.gov/ncas/alerts/TA14-098A
Data != Code
Poor programming decisions can lead to the computer executing the contents of data.
Secure programming is really all about those bad programming practices we told you not to do back in your first programming class.
• Check for divide by 0
• Integers have a maximum size, don’t go over it
• If you allocate an array of 128 things, don’t put 129 things in it
• If you are reading from an array of 128 things, don’t try to read the 129th
• Users put bad stuff into the input, always check the input
• Other people write poor code; if you get a value back from a library, check it
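The checks on the list above, written out in C as an added example (this is editor-supplied code, not from the slides). The 128-element array size comes from the slide; the function names, the 128-character test input and the use of SIZE_MAX / INT_MIN as the overflow limits are the example's own choices.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define BUF_ITEMS 128

/* Bounded string copy: refuses input that would not fit (128 bytes of text
 * plus the NUL terminator need 129) instead of writing past the array. */
int copy_bounded(char *dst, size_t dst_len, const char *src)
{
    size_t n = strlen(src);
    if (dst_len == 0 || n >= dst_len)
        return -1;                 /* would need n + 1 bytes; reject, don't truncate */
    memcpy(dst, src, n + 1);       /* copies the NUL as well */
    return 0;
}

/* Indexed read with an explicit bounds check: asking for the 129th element of
 * a 128-element array is an error, not a read of whatever lies past the end. */
int get_item(const int *items, size_t count, size_t idx, int *out)
{
    if (idx >= count)
        return -1;
    *out = items[idx];
    return 0;
}

/* Overflow-checked multiply for size arithmetic: n * sizeof(T) can wrap to a
 * small number, and a later malloc() then returns a buffer that is too small. */
int checked_mul_size(size_t a, size_t b, size_t *out)
{
    if (a != 0 && b > SIZE_MAX / a)
        return -1;
    *out = a * b;
    return 0;
}

/* Allocation that checks both the size arithmetic and the library's return
 * value; callers must free() the result. */
int *alloc_ints(size_t n)
{
    size_t bytes;
    if (checked_mul_size(n, sizeof(int), &bytes) != 0)
        return NULL;
    int *p = malloc(bytes);
    if (p == NULL)                 /* malloc can fail; never assume it succeeded */
        return NULL;
    memset(p, 0, bytes);
    return p;
}

/* Division that rejects the two inputs that trap on x86: b == 0 and INT_MIN / -1. */
int checked_div(int a, int b, int *out)
{
    if (b == 0 || (a == INT_MIN && b == -1))
        return -1;
    *out = a / b;
    return 0;
}

/* Constructed 128-character input: exactly one byte too long for a 128-byte
 * buffer once the NUL terminator is counted. Returns copy_bounded's verdict. */
int reject_overlong_input(void)
{
    char name[BUF_ITEMS];
    char input[BUF_ITEMS + 1];
    memset(input, 'A', BUF_ITEMS);
    input[BUF_ITEMS] = '\0';
    return copy_bounded(name, sizeof name, input);
}

int main(void)
{
    char name[BUF_ITEMS];
    int items[BUF_ITEMS] = {0}, v = 0, q = 0;
    size_t bytes = 0;

    printf("copy \"alice\":        %d\n", copy_bounded(name, sizeof name, "alice"));
    printf("copy 128 chars:      %d\n", reject_overlong_input());
    printf("read item 128:       %d\n", get_item(items, BUF_ITEMS, 128, &v));
    printf("SIZE_MAX * 2:        %d\n", checked_mul_size(SIZE_MAX, 2, &bytes));
    printf("7 / 0:               %d\n", checked_div(7, 0, &q));
    return 0;
}
```

Every function reports failure with a return value rather than silently truncating or clamping; the caller then has to decide what to do with bad input, which is the point of the last two bullets.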
Simple (complex) example
• The following is a worked example of how memory accesses of the stack are supposed to work
• I want you to understand three facts from this example:
1. Return address locations are not special, any assembly code can write to them
2. At assembly level, code looks like a pile of GoTo statements
3. Memory boundaries between variables are not strongly enforced
Original Code Snippets

Caller
f(arg1, arg2);
b = a;

Callee
f(arg1, arg2){
return arg1 + arg2;
}

Compiled Code

Caller
pushl arg2
pushl arg1
call f               // push address of the movl instruction; %eip <- address of f()
movl %ecx, %edx      // unrelated b = a code
…

Callee
pushl %ebp           // save caller base pointer
movl %esp, %ebp      // %ebp <- %esp
movl 12(%ebp), %eax  // store arg2 in %eax
addl 8(%ebp), %eax   // add arg1 to %eax
popl %ebp            // %ebp <- (%esp); %esp <- %esp + 4
ret                  // %eip <- (%esp); %esp <- %esp + 4

The original code snippets compile into the assembly code.
Note that this code is intended to provide a clear example and makes somewhat liberal use of pseudocode.
Stack (address: value)
128:
…
64:
60:
56:
52:
48:

The stack grows downwards, starting at a high memory address and progressing towards smaller memory addresses.
Our example uses four register values: %ebp (base pointer), %esp (stack pointer), %eip (instruction pointer) and %eax (the returned value).
1. Push arguments onto the stack (in reverse)

Stack (address: value)
128: return address
…
64: arg2
60:
56:
52:
48:

Register values
  %ebp (base)          128
  %esp (stack)         64
  %eip (instruction)
  %eax (return value)  ?
1. Push arguments onto the stack (in reverse), arg1 now pushed too

Stack (address: value)
128: return address
…
64: arg2
60: arg1
56:
52:
48:

Register values
  %ebp (base)          128
  %esp (stack)         60
  %eip (instruction)
  %eax (return value)  ?
2. Push the return address, i.e. the address of the instruction to run after control returns

Stack (address: value)
128: return address
…
64: arg2
60: arg1
56: return address
52:
48:

Register values
  %ebp (base)          128
  %esp (stack)         56
  %eip (instruction)
  %eax (return value)  ?
3. Jump to the function’s address

Stack (address: value)
128: return address
…
64: arg2
60: arg1
56: return address
52:
48:

Register values
  %ebp (base)          128
  %esp (stack)         56
  %eip (instruction)   address of f()
  %eax (return value)  ?
4. Push the old frame pointer onto the stack

Stack (address: value)
128: return address
…
64: arg2
60: arg1
56: return address
52: caller’s %ebp (128)
48:

Register values
  %ebp (base)          128
  %esp (stack)         52
  %eip (instruction)
  %eax (return value)  ?
5. Set the frame pointer to where the end of the stack is right now

Stack (address: value)
128: return address
…
64: arg2
60: arg1
56: return address
52: caller’s %ebp (128)
48:

Register values
  %ebp (base)          52
  %esp (stack)         52
  %eip (instruction)
  %eax (return value)  ?
6. Do the local computation (addition in this example): first movl 12(%ebp), %eax

Stack (address: value)
128: return address
…
64: arg2
60: arg1
56: return address
52: caller’s %ebp (128)
48:

Register values
  %ebp (base)          52
  %esp (stack)         52
  %eip (instruction)
  %eax (return value)  arg2
6. Do the local computation (addition in this example): then addl 8(%ebp), %eax

Stack (address: value)
128: return address
…
64: arg2
60: arg1
56: return address
52: caller’s %ebp (128)
48:

Register values
  %ebp (base)          52
  %esp (stack)         52
  %eip (instruction)
  %eax (return value)  arg2 + arg1
7. Reset the previous stack frame: popl %ebp, first half (%ebp <- (%esp))

Stack (address: value)
128: return address
…
64: arg2
60: arg1
56: return address
52: caller’s %ebp (128)
48:

Register values
  %ebp (base)          128
  %esp (stack)         52
  %eip (instruction)
  %eax (return value)  arg2 + arg1
7. Reset the previous stack frame: popl %ebp, second half (%esp <- %esp + 4)

Stack (address: value)
128: return address
…
64: arg2
60: arg1
56: return address
52: caller’s %ebp (128)
48:

Register values
  %ebp (base)          128
  %esp (stack)         56
  %eip (instruction)
  %eax (return value)  arg2 + arg1
8. Jump back to the return address (ret: %eip <- (%esp); %esp <- %esp + 4)

Stack (address: value)
128: return address
…
64: arg2
60: arg1
56: return address
52: caller’s %ebp (128)
48:

Register values
  %ebp (base)          128
  %esp (stack)         60
  %eip (instruction)   return address
  %eax (return value)  arg2 + arg1
9. Start executing the line after the original call

Stack (address: value)
128: return address
…
64: arg2
60: arg1
56: return address
52: caller’s %ebp (128)
48:

Register values
  %ebp (base)          128
  %esp (stack)         60
  %eip (instruction)   return address
  %eax (return value)  arg2 + arg1
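The walkthrough above, replayed on a byte-addressed model of the stack, as an added example (editor-supplied code, not from the slides). It reproduces the slides' frame layout exactly (arg2 at 64, arg1 at 60, return address at 56, saved %ebp at 52, %esp starting at 68 so the first push lands at 64) and adds one thing the slides leave out: f owns a 4-byte local buffer at address 48 and copies caller-supplied bytes into it without checking the length. The code addresses F_ADDR and RET_ADDR, the attacker's target 0xdeadbeef and the payload bytes are hypothetical constants chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of the slides' stack: addresses are byte offsets into `mem`.
 * Hypothetical constants: F_ADDR is where f() lives, RET_ADDR is the movl
 * after "call f", BUF_ADDR is the 4-byte local buffer f reserves below %ebp. */
#define MEM_BYTES 256u
#define F_ADDR    0x08048300u
#define RET_ADDR  0x08048400u
#define BUF_ADDR  48u

struct cpu {
    uint8_t  mem[MEM_BYTES];
    uint32_t esp, ebp, eip, eax;
};

/* Little-endian 32-bit store/load, as x86 does it, independent of the host. */
static void put32(struct cpu *c, uint32_t addr, uint32_t v) {
    for (int i = 0; i < 4; i++) c->mem[addr + i] = (uint8_t)(v >> (8 * i));
}
static uint32_t get32(const struct cpu *c, uint32_t addr) {
    uint32_t v = 0;
    for (int i = 0; i < 4; i++) v |= (uint32_t)c->mem[addr + i] << (8 * i);
    return v;
}
static void     push(struct cpu *c, uint32_t v) { c->esp -= 4; put32(c, c->esp, v); }
static uint32_t pop(struct cpu *c) { uint32_t v = get32(c, c->esp); c->esp += 4; return v; }

/* Constructed inputs. BENIGN_INPUT fits the buffer; ATTACK_PAYLOAD is 12 bytes
 * laid out to land on the buffer (48), the saved %ebp (52) and the return
 * address (56), in that order, because the stack grows down but copies go up. */
const uint8_t BENIGN_INPUT[4]   = "abc";
const uint8_t ATTACK_PAYLOAD[12] = {
    'A', 'A', 'A', 'A',         /* 48..51: fills the local buffer */
    'B', 'B', 'B', 'B',         /* 52..55: replaces the saved %ebp */
    0xef, 0xbe, 0xad, 0xde      /* 56..59: return address becomes 0xdeadbeef */
};

/* Runs the slides' steps 1-9 for f(arg1, arg2). Returns %eip after ret, i.e.
 * the address the CPU will execute next; the full register state stays in *c. */
uint32_t call_f(struct cpu *c, uint32_t arg1, uint32_t arg2,
                const uint8_t *input, size_t len)
{
    memset(c, 0, sizeof *c);
    c->esp = 68; c->ebp = 128;           /* caller's frame, as on the slides */

    push(c, arg2);                       /* 1. pushl arg2          -> 64 */
    push(c, arg1);                       /*    pushl arg1          -> 60 */
    push(c, RET_ADDR); c->eip = F_ADDR;  /* 2-3. call f: push ret  -> 56, jump */

    push(c, c->ebp);                     /* 4. pushl %ebp (128)    -> 52 */
    c->ebp = c->esp;                     /* 5. movl %esp, %ebp */
    c->esp -= 4;                         /*    reserve local buffer at 48..51 */

    c->eax = get32(c, c->ebp + 12) + get32(c, c->ebp + 8);   /* 6. arg2 + arg1 */

    /* The bug: nothing compares len with the 4 bytes reserved, so a long input
     * runs over 52 and 56. Those slots are ordinary memory; nothing stops it. */
    memcpy(&c->mem[BUF_ADDR], input, len);

    c->esp = c->ebp;                     /* undo the local reservation (movl %ebp, %esp) */
    c->ebp = pop(c);                     /* 7. popl %ebp: whatever is at 52 */
    c->eip = pop(c);                     /* 8. ret: %eip <- whatever is at 56 */
    return c->eip;                       /* 9. execution continues there */
}

int main(void)
{
    struct cpu c;
    uint32_t eip = call_f(&c, 2, 3, BENIGN_INPUT, sizeof BENIGN_INPUT);
    printf("benign: eip=%08x ebp=%u eax=%u\n", (unsigned)eip, (unsigned)c.ebp, (unsigned)c.eax);
    eip = call_f(&c, 2, 3, ATTACK_PAYLOAD, sizeof ATTACK_PAYLOAD);
    printf("attack: eip=%08x ebp=%08x eax=%u\n", (unsigned)eip, (unsigned)c.ebp, (unsigned)c.eax);
    return 0;
}
```

With the benign input, ret lands on RET_ADDR and the caller's %ebp of 128 is restored, exactly as in step 9 of the slides. With the 12-byte payload the addition still yields 5, but ret loads 0xdeadbeef into %eip: the return address slot is just four bytes at address 56, the copy wrote them like any other bytes, and ret is a goto to whatever they now hold. That is the three facts from the "Simple (complex) example" slide in one run.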