Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides ›...
Transcript of Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides ›...
![Page 1: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/1.jpg)
Memory Corruption Vulnerabilities, Part I
Gang TanPenn State UniversitySpring 2019
CMPSC 447, Software Security
![Page 2: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/2.jpg)
Some Terminology
Software error A programming mistake that make the software not meet its expectation
Software vulnerability A software error that can lead to possible attacks
Attack The process of exploiting a vulnerability An attack can exploit a vulnerability to achieve additional functionalities for attackers• E.g., privilege escalation, arbitrary code execution
3
![Page 3: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/3.jpg)
Software, One of the Weakest Links in the Security Chain
Cryptographic algorithms are strong Nobody attacks it Even for crypto hash
However, even for the best crypto algorithms Software has to implement them correctly A huge of amount of software for other purposes
• Access control; authentication; ...
Which programming language to use also matters
4
![Page 4: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/4.jpg)
Language of Choice for System Programming: C/C++
Systems software OS; hypervisor; web servers; firmware; network controllers; device drivers; compilers; …
Benefits of C/C++: programming model close to the machine model; flexible; efficient
BUT error‐prone Debugging memory errors is a headache
• Perhaps on par with debugging multithreaded programs
Huge security risk
5
![Page 5: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/5.jpg)
Agenda
Compare C to Java Common errors for handling C‐style buffers How to exploit buffer overflows: stack smashing
6
![Page 6: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/6.jpg)
Comparing C to Java: language matters for security
7
![Page 7: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/7.jpg)
Comparing C to Java Their syntax very similar Type safety
Safety: something “bad” won’t happen “No untrapped errors”
Java is type safe Static type system + runtime checks + garbage collection
C is type unsafe Out‐of‐bound array accesses Manual memory management Bad type casts ...
8
![Page 8: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/8.jpg)
Java: Runtime Array Bounds Checking Example:
int a[10];a[10] = 3;• An exception is raised• The length of the array is stored at runtime (the length never changes)
9
![Page 9: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/9.jpg)
Java: Runtime Array Bounds Checking Java optimizer can optimize away lots of unnecessary array bounds checksint sum = 0;for (i = 0; i<a.length; i++) {sum += a[i];
}
10
bounds checking unnecessary
![Page 10: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/10.jpg)
C: No Array Bounds Checking
int a[10];a[10] = 3;
Result in a silent error in C (buffer overflow) After that, anything can happenMysterious crash depending on what was overwritten
A security risk as well: if the data written can be controlled by an attacker, then he can possibly exploit this for an attack
11
![Page 11: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/11.jpg)
12
Memory Management
C: manual memory management malloc/free Memory mismanagement problems: use after free; memory leak; double frees
Java: Garbage Collection No “free” operations for programmers GC collects memory of objects that are no longer used
Java has no problems such as use after free, as long as the GC is correct
![Page 12: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/12.jpg)
13
Non‐Null Checking and Initialization Checking in Java An object reference is either valid or null Automatic non‐null checking whenever it’s used• once again, optimizers can eliminate many non‐null checks
• Example: A a = new A(); a.f = 3;
A variable is always initialized before used Java has a static verifier (at the bytecode level) that guarantees this
![Page 13: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/13.jpg)
Java Strings
Similar to an array of chars, but immutable The length of the string is stored at runtime to perform bounds checking
All string operations do not modify the original string (a la functional programming) E.g., s.toLowerCase() returns a new string
14
![Page 14: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/14.jpg)
15
C‐Style Strings
C‐style strings consist of a contiguous sequence of characters, terminated by and including the first null character. String length is the number of bytes preceding the null character.
The number of bytes required to store a string is the number of characters plus one (times the size of each character).
h e l l o \0
![Page 15: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/15.jpg)
C Strings: Usage and Pitfalls
16
![Page 16: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/16.jpg)
Using Strings in C
C provides many string functions in its libraries (libc)
For example, we use the strcpy function to copy one string to another:
#include <string.h> char string1[] = "Hello, world!"; char string2[20]; strcpy(string2, string1);
CSE 411: Programming Methods 17
![Page 17: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/17.jpg)
Using Strings in C
Another lets us compare strings
char string3[] = "this is"; char string4[] = "a test"; if(strcmp(string3, string4) == 0) printf("strings are equal\n"); else printf("strings are different\n")
This code fragment will print "strings are different". Notice that strcmp does not return a boolean result.
CSE 411: Programming Methods 18
![Page 18: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/18.jpg)
Other Common String Functions
strlen: getting the length of a string strncpy: copying with a bound strcat/strncat: string concatenation gets, fgets: receive input to a string …
CSE 411: Programming Methods 19
![Page 19: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/19.jpg)
20
Common String Manipulation Errors
Programming with C‐style strings, in C or C++, is error prone
Common errors include Buffer overflows null‐termination errors off‐by‐one errors …
![Page 20: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/20.jpg)
21
gets: Unbounded String Copies
Occur when data is copied from an unbounded source to a fixed‐length character array
void main(void) {char Password[8];puts("Enter a 8‐character password:");gets(Password);printf("Password=%s\n",Password);}
![Page 21: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/21.jpg)
22
strcpy and strcat
The standard string library functions do not know the size of the destination buffer
int main(int argc, char *argv[]) {char name[2048];strcpy(name, argv[1]);strcat(name, " = ");strcat(name, argv[2]);...
}
![Page 22: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/22.jpg)
Better String Library Functions
Functions that restrict the number of bytes are often recommended
Never use gets(buf) Use fgets(buf, size, stdin) instead
23
![Page 23: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/23.jpg)
From gets to fgets
char *fgets(char *BUF, int N, FILE *FP); “Reads at most N‐1 characters from FP until a newline is found. The characters including to the newline are stored in BUF. The buffer is terminated with a 0.”
void main(void) {char Password[8];puts("Enter a 8‐character password:");fgets(Password, 8, stdin);...
}
24
9
9
![Page 24: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/24.jpg)
Better String Library Functions
Instead of strcpy(), use strncpy() Instead of strcat(), use strncat() Instead of sprintf(), use snprintf()
25
![Page 25: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/25.jpg)
But Still Need Care
char *strncpy(char *s1, const char *s2, size_t n); “Copy not more than n characters (including the null character) from the array pointed to by s2 to the array pointed to by s1; If the string pointed to by s2 is shorter than n characters, null characters are appended to the destination array until a total of n characters have been written.”
What happens if the size of s2 is n or greater• It gets truncated• And s1 may not be null‐terminated!
26
![Page 26: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/26.jpg)
27
Null‐Termination Errors
int main(int argc, char* argv[]) {char a[16], b[16];strncpy(a, "0123456789abcdef", sizeof(a));printf(“%s\n”,a);strcpy(b, a);
}
a[] not properly terminated. Possible segmentation fault if printf(“%s\n”,a);
How to fix it?
![Page 27: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/27.jpg)
strcpy to strncpy
Don’t replacestrcpy(dest, src)
by strncpy(dest, src, sizeof(dest))
but bystrncpy(dest, src, sizeof(dest)‐1)dst[sizeof(dest)‐1] = `\0`;
if dest should be null‐terminated!
You never have this headache in Java
28
![Page 28: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/28.jpg)
29
Signed vs Unsigned Numbers
char buf[N];int i, len;
read(fd, &len, sizeof(len));if (len > N)
{error (“invalid length"); return; }read(fd, buf, len);
We forget to check for negative lengths
len cast to unsigned and negative length overflows
*slide by Eric Poll
![Page 29: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/29.jpg)
30
Checking for Negative Lengths
char buf[N];
int i, len;
read(fd, &len, sizeof(len));if (len > N || len < 0)
{error (“invalid length"); return; }read(fd, buf, len);
*slide by Eric Poll
It still has a problem if the buf is going to be treated as a C string.
![Page 30: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/30.jpg)
31
A Good Version
char buf[N];
int i, len;
read(fd, &len, sizeof(len));if (len > N-1 || len < 0)
{error (“invalid length"); return; }read(fd, buf, len);buf[len] = '\0'; // null terminate buf
*slide by Eric Poll
![Page 31: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/31.jpg)
Buffer Overflows
32
![Page 32: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/32.jpg)
Problems Caused by Buffer Overflows
The first Internet worm, and many subsequent ones (CodeRed, Blaster, ...), exploited buffer overflows
Buffer overflows cause in the order of 50% of all security alerts E.g., check out CERT, cve.mitre.org, or bugtraq
Trends Attacks are getting cleverer
• defeating ever more clever countermeasures Attacks are getting easier to do, by script kiddies
33
![Page 33: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/33.jpg)
34
How Can Buffer Overflow Errors Lead to Software Vulnerabilities?
All the examples look like simple programming bugs
How can they possibly enable attackers to do bad things? Stack smashing to exploit buffer overflows Illustrate the technique using the Intel x86‐64 architecture
![Page 34: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/34.jpg)
35
Compilation, Program, and Process
Compilation From high‐level programs to low‐level machine code
Program: static code and data Process: a run of a program
![Page 35: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/35.jpg)
36
Process Memory Region
Text: static code Data: also called heap static variables dynamically allocated data (malloc, new)
Stack: program execution stacksText
Data
Stack
lowermemoryaddress
highermemoryaddress
![Page 36: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/36.jpg)
37
Program Stack
For implementing procedure calls and returns Keep track of program execution and state by storing local variables Some arguments to the called procedure (callee)• Depending on the calling convention
return address of the calling procedure (caller)
...
![Page 37: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/37.jpg)
38*Slide by Robert Seacord
![Page 38: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/38.jpg)
39
Stack Frames
Stack grows from high mem to low mem The stack pointer points to the top of the stack
RSP in Intel x86‐64 The frame pointer points to the end of the current
frame also called the base pointer RBP in Intel x86‐64
The stack is modified during function calls function initialization returning from a function
![Page 39: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/39.jpg)
40
A Running Example
void function(int a, int b) {char buffer[12];gets(buffer);return;
}
void main() {int x;x = 0;function(1,2);x = 1;printf("%d\n",x);
}
Run “gcc –S –o example.s example.c” to see its assembly code
• The exact assembly code will depend on many factors (the target architecture, optimization levels, compiler options, etc);
• We show the case for unoptimized x86-64
![Page 40: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/40.jpg)
41
Function Calls
function (1,2)
movl $2, %esimovl $1, %edicall function
pass the 2nd argpass the 1st arg
push the ret addr onto the stack, and jumps to the function
Note: in x86-64, the first 6 args are passed via registers (rdi, rsi, rdx, rcx, r8, r9)
![Page 41: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/41.jpg)
42
Function Calls: Stacks
Before After
stack framefor mainrbp
rspstack frame
for mainrbp
rspret
![Page 42: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/42.jpg)
43
Function Initialization
void function(int a, int b) {
pushq %rbpmovq %rsp, %rbpsubq $32, %rsp
save the frame pointer set the new frame pointer
allocate space for local variables
Procedure prologue
![Page 43: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/43.jpg)
44
Function Initialization: Stacks
Before After
stack framefor mainrbp
rspret
stack framefor main
rsp
rbp
retold rbp
buffer
![Page 44: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/44.jpg)
45
Function Return
return;
movq %rbp, %rsppopq %rbpret
restores the old stack pointer restores the old frame pointer
gets the return address, and jumps to it
![Page 45: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/45.jpg)
46
Function Return: Stacks
Before After
stack framefor mainrbp
rsp retold rbp
buffer
stack framefor main
rsp
rbp
retold rbp
buffer
![Page 46: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/46.jpg)
47
A Running Example
void function(int a, int b) {char buffer[12];gets(buffer);return;
}
void main() {int x;x = 0;function(1,2);x = 1;printf("%d\n",x);
}
stack framefor main
rsp
rbp
retold rbp
buffer
![Page 47: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/47.jpg)
48
Overwriting the Return Address
void function(int a, int b) {char buffer[12];gets(buffer);
long* ret = (long *) ((long)buffer+?);
*ret = *ret + ?;
return;}
stack framefor main
rsp
rbp
retold rbp
buffer
![Page 48: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/48.jpg)
49
Overwriting the Return Address
void function(int a, int b) {char buffer[12];gets(buffer);
long* ret = (long *) ((long)buffer+40);*ret = *ret + 7;
return;}
void main() {int x;x = 0;function(1,2);x = 1;printf("%d\n",x);
}
the original return addressthe new return address
The output will be 0
![Page 49: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/49.jpg)
50
The Previous Attack
Not very realistic Attackers are usually not allowed to modify code
Threat model: the only thing they can affect is the input
Can they still carry out similar attacks?• YES, because of possible buffer overflows
![Page 50: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/50.jpg)
51
Buffer Overflow
A buffer overflow occurs when data is written outside of the boundaries of the memory allocated to a particular data structure
Happens when buffer boundaries are neglected and unchecked
Can be exploited to modify return address on the stack local variable heap data structures function pointer
![Page 51: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/51.jpg)
52
Smashing the Stack
Occurs when a buffer overflow overwrites data in the program stack
Successful exploits can overwrite the return address on the stack Allowing execution of arbitrary code on the targeted machine
![Page 52: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/52.jpg)
53
Smashing the Stack: example.c
What happens if we input a large string?./exampleffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffSegmentation fault
![Page 53: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/53.jpg)
54
What Happened? The Stack is Smashed
void function(int a, int b) {char buffer[12];gets(buffer);return;
}
stack framefor main
retold rbp
buffer
If the input is large, then gets(buffer) will write outside the bound of buffer, and the return address is overwritten
ff
f⁞
![Page 54: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/54.jpg)
55
Figure Out A Nasty Input
void function (int a, int b) {char buffer[12];gets(buffer);return;
}
void main() {int x;x = 0;function(1,2);x = 1;printf("%d\n",x);
} A nasty input puts the return
address after x=1.Arc injection
stack framefor main
ret
![Page 55: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/55.jpg)
56
Injecting Code
void function (int a, int b) {char buffer[12];gets(buffer);return;
}
void main() {int x;x = 0;function(1,2);x = 1;printf("%d\n",x);
}
The injected code can do anything. E.g., download and
install a worm
stack framefor main
ret
Injectedcode
![Page 56: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/56.jpg)
57
Code Injection
Attacker creates a malicious argument—a specially crafted string that contains a pointer to malicious code provided by the attacker
When the function returns, control is transferred to the malicious code Injected code runs with the permission of the vulnerable program when the function returns.
Programs running with root or other elevated privileges are normally targeted• Programs with the setuid bit on
![Page 57: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/57.jpg)
58
Injecting Shell Code
stack framefor main
ret
execve(“/bin/sh”)
This brings up a shell Attacker can execute any
command in the shell The shell has the same
privilege as the process Usually a process with the
root privilege is attacked
![Page 58: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/58.jpg)
59
Morris Worm (1988)
Worked by exploiting known buffer‐overflow vulnerabilities in sendmail, fingerd, rsh/rexec and weak passwords. e.g., it exploited a gets call in fingerd
Infected machines probe other machines for vulnerabilities
6000 Unix machines were infected; $10M‐$100M cost of damage
Robert Morris was tried and convicted of violation of Computer Fraud and Abuse Act 3 years of probation; 400 hours of community service; $10k fine
Had to quit his Cornell PhD
![Page 59: Memory Corruption Vulnerabilities, Part I › ~gxt29 › teaching › cs447s19 › slides › 02memVul… · Memory Corruption Vulnerabilities, Part I Gang Tan Penn State University](https://reader034.fdocuments.in/reader034/viewer/2022050715/5f10c2f87e708231d44ab11b/html5/thumbnails/59.jpg)
Any C(++) code acting on untrusted input is at risk
code taking input over untrusted network eg. sendmail, web browser, wireless network driver,...
code taking input from untrusted user on multi‐user system, esp. services running with high privileges (as ROOT on Unix/Linux, as SYSTEM on Windows)
code processing untrusted files that have been downloaded or emailed
also embedded software, eg. in devices with (wireless) network connection such as mobile phones with Bluetooth, wireless smartcards in new passport or OV card, airplane navigation systems, ...
60