Software Security: Buffer Overflow Attacks · 10/5/16 · CSE 484 / CSE M 584 - Fall 2016
CSE 484 / CSE M 584: Computer Security and Privacy
Software Security: Buffer Overflow Attacks
Fall 2016
Adam (Ada) [email protected]
Thanks to Franzi Roesner, Dan Boneh, Dieter Gollmann, Dan Halperin, Yoshi Kohno, John Manferdelli, John Mitchell, Vitaly Shmatikov, Bennet Yee, and many others for sample slides and materials...
Announcements
• Sign the ethics form by today at 5!
• Homework 1 is due on Monday.
• Please start forming groups for lab 1
– You can use the forum to find group members
10/5/16 CSE 484 / CSE M 584 - Fall 2016 2
Announcements
• TA office hours have been moved to Mondays at 4:30 (after class), in the second floor breakout.
– Sorry for the confusion!
Security: Not Just for PCs
(collage of examples: smartphones, wearables, game platforms, cars, medical devices, EEG headsets, voting machines, RFID, mobile sensing platforms, airplanes)
Software Problems are Ubiquitous
• Other serious bugs (many others exist)
– US Vincennes tracking software
– MV-22 Osprey
– Medtronic Model 8870 Software Application Card
Adversarial Failures
• Software bugs are bad
– Consequences can be serious
• Even worse when an intelligent adversary wishes to exploit them!
– Intelligent adversaries: Force bugs into "worst possible" conditions/states
– Intelligent adversaries: Pick their targets
BUFFER OVERFLOWS
Adversarial Failures
• Buffer overflow bugs: Big class of bugs
– Normal conditions: Can sometimes cause systems to fail
– Adversarial conditions: Attacker able to violate security of your system (control, obtain private information, ...)
Reference for Q1
(diagram: memory layout from Addr 0x00...0 to Addr 0xFF...F: Text region, Heap, Stack, with the stack's Top nearest the heap and its Bottom at 0xFF...F; inside func()'s stack frame, from low to high addresses: buf (local variables), Saved FP, ret/IP ("Execute code at this address after func() finishes"), str (args), then the Caller's frame)
A Bit of History: Morris Worm
• Worm was released in 1988 by Robert Morris
– Graduate student at Cornell, son of NSA chief scientist
– Convicted under Computer Fraud and Abuse Act, sentenced to 3 years of probation and 400 hours of community service
– Now an EECS professor at MIT
• Worm was intended to propagate slowly and harmlessly measure the size of the Internet
• Due to a coding error, it created new copies as fast as it could and overloaded infected machines
• $10-100M worth of damage
Morris Worm and Buffer Overflow
• One of the worm's propagation techniques was a buffer overflow attack against a vulnerable version of fingerd on VAX systems
– By sending a special string to the finger daemon, the worm caused it to execute code creating a new worm copy
– Unable to determine the remote OS version, the worm also attacked fingerd on Suns running BSD, causing them to crash (instead of spawning a new copy)
Famous Internet Worms
• Buffer overflows: very common cause of Internet attacks
– In 1998, over 50% of advisories published by CERT (computer security incident report team) were caused by buffer overflows
• Morris worm (1988): overflow in fingerd
– 6,000 machines infected
• Code Red (2001): overflow in MS-IIS server
– 300,000 machines infected in 14 hours
• SQL Slammer (2003): overflow in MS-SQL server
– 75,000 machines infected in 10 minutes (!!)
• Sasser (2005): overflow in Windows LSASS
– Around 500,000 machines infected
…And More
• Conficker (2008-08): overflow in Windows RPC
– Around 10 million machines infected (estimates vary)
• Stuxnet (2009-10): several zero-day overflows + same Windows RPC overflow as Conficker
– Windows print spooler service
– Windows LNK shortcut display
– Windows task scheduler
• Flame (2010-12): same print spooler and LNK overflows as Stuxnet
– Targeted cyberespionage virus
• Still ubiquitous, especially in embedded systems
Attacks on Memory Buffers
• Buffer is a pre-defined data storage area inside computer memory (stack or heap)
• Typical situation:
– A function takes some input that it writes into a pre-allocated buffer.
– The developer forgets to check that the size of the input isn't larger than the size of the buffer.
– Uh oh.
• "Normal" bad input: crash
• "Adversarial" bad input: take control of execution
Stack Buffers
• Suppose Web server contains this function

    void func(char *str) {
        char buf[126];
        ...
        strcpy(buf, str);
        ...
    }

• No bounds checking on strcpy()
• If str is longer than 126 bytes
– Program may crash
– Attacker may change program behavior
(diagram: buf overflowing its 126 bytes: "uh oh!")
Answer Q2
Example: Changing Flags
• authenticated variable
(diagram: buf sits next to the authenticated variable; overflowing buf sets authenticated to 1, to the attacker's delight)
• Morris worm also overflowed a buffer to overwrite an authenticated flag in fingerd
Memory Layout
• Text region: Executable code of the program
• Heap: Dynamically allocated data
• Stack: Local variables, function return addresses; grows and shrinks as functions are called and return
(diagram: Addr 0x00...0 [Text region | Heap | ... | Stack] Addr 0xFF...F, with the stack's Top nearest the heap and its Bottom at 0xFF...F)
Redirecting Program Flow
• Instead of a "normal" string, the attacker sends 2 things as input:
– Assembly code she wants to execute
– The address where she expects that code to appear
– The assembly code is called the "shellcode"
Stack Buffers
• Suppose Web server contains this function:

    void func(char *str) {
        char buf[126];     /* Allocate local buffer (126 bytes reserved on stack) */
        strcpy(buf, str);  /* Copy argument into local buffer */
    }

• When this function is invoked, a new frame (activation record) is pushed onto the stack.
(diagram: func()'s frame, from low to high addresses: buf (local variables), Saved FP, ret/IP ("Execute code at this address after func() finishes"), str (args), Caller's frame at Addr 0xFF...F)
What if Buffer is Overstuffed?
• Memory pointed to by str is copied onto the stack…

    void func(char *str) {
        char buf[126];
        strcpy(buf, str);
    }

• If a string longer than 126 bytes is copied into the buffer, it will overwrite adjacent stack locations.
strcpy does NOT check whether the string at *str contains fewer than 126 characters
(diagram: the same frame; the overflow runs from buf up through Saved FP into ret/IP: "This will be interpreted as return address!")
What if Buffer is Overstuffed?
• What if the string is read in from an attacker on the network?
What if Buffer is Overstuffed?
(diagram: the attacker's input laid over the frame: exec("/bin/sh") at the start of buf, padding "asdf…asdf", and 0xFFFFFFA2 landing in the ret/IP slot: "This will be interpreted as return address!")
Executing Attack Code
• When the function exits, code in the buffer will be executed, giving the attacker a shell
– Root shell if the victim program is setuid root
(diagram: the attacker puts actual assembly instructions into his input string, e.g., binary code of execve("/bin/sh"); in the overflow, a pointer back into the buffer appears in the location where the system expects to find the return address)
Stretch Break
Buffer Overflows can be Hard
• The overflow portion of the buffer must contain the correct address of the attack code in the RET position
– The value in the RET position must point to the beginning of the attack assembly code in the buffer
  • Otherwise the application will (probably) crash with a segmentation violation
– The attacker must correctly guess in which stack position his/her buffer will be when the function is called
Problem: No Bounds Checking
• strcpy does not check input size
– strcpy(buf, str) simply copies memory contents into buf starting from *str until "\0" is encountered, ignoring the size of the area allocated to buf
• Many C library functions are unsafe
– strcpy(char *dest, const char *src)
– strcat(char *dest, const char *src)
– gets(char *s)
– scanf(const char *format, …)
– printf(const char *format, …)
Does Bounds Checking Help?
• strncpy(char *dest, const char *src, size_t n)
– If strncpy is used instead of strcpy, no more than n characters will be copied from *src to *dest
• Programmer has to supply the right value of n
• Potential overflow in htpasswd.c (Apache 1.3):

    strcpy(record, user);
    strcat(record, ":");
    strcat(record, cpw);

  Copies username ("user") into buffer ("record"), then appends ":" and hashed password ("cpw")
• Published fix:

    strncpy(record, user, MAX_STRING_LEN-1);
    strcat(record, ":");
    strncat(record, cpw, MAX_STRING_LEN-1);
Answer Q3
Misuse of strncpy in htpasswd "Fix"
• Published "fix" for Apache htpasswd overflow:

    strncpy(record, user, MAX_STRING_LEN-1);
    strcat(record, ":");
    strncat(record, cpw, MAX_STRING_LEN-1);

(diagram: MAX_STRING_LEN bytes allocated for the record buffer; contents of *user: put up to MAX_STRING_LEN-1 characters into the buffer; then put ":"; contents of *cpw: again put up to MAX_STRING_LEN-1 characters into the buffer)
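The arithmetic behind this slide, as an added example that is not Apache's code: a worst-case byte count for the published "fix", the strncpy termination trap, and a builder that sizes the whole record against the buffer. MAX_STRING_LEN is the slide's name with a constructed value of 16; fix_worst_case_bytes, strncpy_leaves_terminator, build_record and record_fits are this example's own names.

```c
#include <stdio.h>
#include <string.h>

/* Constructed value for the walkthrough (the slide's name, not Apache's value). */
#define MAX_STRING_LEN 16

/* Most bytes the "fix" can write into record[max]:
 *   strncpy(record, user, max-1)   up to max-1 bytes
 *   strcat(record, ":")            1 byte
 *   strncat(record, cpw, max-1)    up to max-1 bytes, then its '\0'
 * Every limit is counted from the start of record rather than from the
 * space remaining, so the worst case is 2*max: twice the buffer. */
size_t fix_worst_case_bytes(size_t max) {
    return (max - 1) + 1 + (max - 1) + 1;
}

/* A second strncpy trap: when src has n or more characters, strncpy writes
 * no '\0' at all, so the strcat that follows starts from an unterminated
 * string. Returns 1 if a terminator ended up within dst[0..n-1], else 0. */
int strncpy_leaves_terminator(const char *src, size_t n) {
    char dst[MAX_STRING_LEN];
    if (n > sizeof dst) n = sizeof dst;
    memset(dst, 'X', sizeof dst);   /* stands in for stale stack contents */
    strncpy(dst, src, n);
    return memchr(dst, '\0', n) != NULL;
}

/* Correct version: one bounded write for the whole record, and an explicit
 * failure instead of silent truncation. Returns 0 when "user:cpw" fits in
 * record[cap]; otherwise -1 with record set to "" (snprintf never writes
 * more than cap bytes, so nothing lands past the buffer). */
int build_record(char *record, size_t cap, const char *user, const char *cpw) {
    int needed;
    if (cap == 0) return -1;
    needed = snprintf(record, cap, "%s:%s", user, cpw);
    if (needed < 0 || (size_t)needed >= cap) {  /* snprintf reports the full length */
        record[0] = '\0';
        return -1;
    }
    return 0;
}

/* Runs build_record into a MAX_STRING_LEN buffer: 1 if the record fit, 0 if refused. */
int record_fits(const char *user, const char *cpw) {
    char record[MAX_STRING_LEN];
    return build_record(record, sizeof record, user, cpw) == 0;
}

int main(void) {
    char record[MAX_STRING_LEN];
    printf("worst case for the fix: %zu bytes into a %d-byte buffer\n",
           fix_worst_case_bytes(MAX_STRING_LEN), MAX_STRING_LEN);   /* 32 into 16 */
    printf("strncpy of a 26-char string with n=15 leaves a '\\0'? %d\n",
           strncpy_leaves_terminator("abcdefghijklmnopqrstuvwxyz", MAX_STRING_LEN - 1));
    printf("build_record(alice, h4sh) -> %d\n",
           build_record(record, sizeof record, "alice", "h4sh"));
    printf("record = \"%s\"\n", record);
    printf("build_record(averylongusername, hash) -> %d\n",
           build_record(record, sizeof record, "averylongusername", "hash"));
    return 0;
}
```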
What About This?
• Home-brewed range-checking string copy

    void mycopy(char *input) {
        char buffer[512];
        int i;
        for (i = 0; i <= 512; i++)
            buffer[i] = input[i];
    }

    int main(int argc, char *argv[]) {
        if (argc == 2) mycopy(argv[1]);
        return 0;
    }

• 1-byte overflow: can't change RET, but can change the pointer to the previous stack frame
– On a little-endian architecture, make it point into the buffer
– RET for the previous function will be read from the buffer!
Off-By-One Overflow
This will copy 513 characters into the buffer. Oops!
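The two unsafe copies from these slides, func()'s strcpy into buf[126] and mycopy()'s "i <= 512" loop, rewritten so the destination size is the limit; this is an added example, not code from the lecture. BUF_LEN, bounded_len, copy_checked, func_checked, mycopy_fixed and the demo_ helpers are this example's own names.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define BUF_LEN 126   /* func()'s buffer size on the slide */

/* Length of s, never scanning more than cap bytes: an input that is not
 * '\0'-terminated within cap bytes cannot make us read beyond it. */
static size_t bounded_len(const char *s, size_t cap) {
    size_t n = 0;
    while (n < cap && s[n] != '\0') n++;
    return n;
}

/* Copy src into dst[cap] only if it fits, terminator included.
 * Returns 0 on success, -1 (dst untouched) if src is too long. */
int copy_checked(char *dst, size_t cap, const char *src) {
    size_t n;
    if (cap == 0) return -1;
    n = bounded_len(src, cap);
    if (n == cap) return -1;        /* no room left for the '\0' */
    memcpy(dst, src, n + 1);        /* n bytes plus the terminator */
    return 0;
}

/* The slide's func() with strcpy replaced by the checked copy; returns the
 * length stored in buf, or -1 when the input was rejected. */
int func_checked(const char *str) {
    char buf[BUF_LEN];
    if (copy_checked(buf, sizeof buf, str) != 0) return -1;
    return (int)strlen(buf);
}

/* mycopy() from the off-by-one slide, fixed: the bound is "i < size - 1",
 * not "i <= 512", so index size-1 is reserved for '\0', and the loop stops
 * at the end of the input instead of always copying 513 bytes (which also
 * read past a short input). Returns the number of bytes copied. */
size_t mycopy_fixed(char *buffer, size_t size, const char *input) {
    size_t i;
    if (size == 0) return 0;
    for (i = 0; i < size - 1 && input[i] != '\0'; i++)
        buffer[i] = input[i];
    buffer[i] = '\0';
    return i;
}

/* Constructed inputs exercising the edges (used by main below). */
int demo_func_accepts_max(void) {       /* 125 'A's: fits -> 125 */
    char ok[BUF_LEN];
    memset(ok, 'A', BUF_LEN - 1);
    ok[BUF_LEN - 1] = '\0';
    return func_checked(ok);
}
int demo_func_rejects_long(void) {      /* 126 'A's: no room for '\0' -> -1 */
    char big[BUF_LEN + 1];
    memset(big, 'A', BUF_LEN);
    big[BUF_LEN] = '\0';
    return func_checked(big);
}
size_t demo_mycopy_long(void) {         /* 599 bytes into buffer[512] -> 511 */
    char buffer[512];
    char input[600];
    memset(input, 'B', sizeof input - 1);
    input[sizeof input - 1] = '\0';
    return mycopy_fixed(buffer, sizeof buffer, input);
}

int main(void) {
    printf("func_checked(\"hello\")   = %d\n", func_checked("hello"));
    printf("125-byte input accepted  = %d\n", demo_func_accepts_max());
    printf("126-byte input rejected  = %d\n", demo_func_rejects_long());
    printf("mycopy_fixed copied      = %zu bytes\n", demo_mycopy_long());
    return 0;
}
```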
Frame Pointer Overflow
(diagram: the same frame layout; buf is filled with ATTACK CODE followed by a Fake FP and a Fake RET, and the single overflowed byte lands in Saved FP)
Another Variant: Function Pointer Overflow
• C uses function pointers for callbacks: if a pointer to F is stored in memory location P, then another function G can call F as (*P)(…)
(diagram: on the heap, a buffer holding the attacker-supplied input string lies next to a callback pointer; the overflow replaces the pointer, which should point to the legitimate function F (elsewhere in memory), with a pointer to the attack code in the buffer)
Other Overflow Targets
• Format strings in C
– More details next time
• Heap management structures used by malloc()
– More details in section
• These are all attacks you can look forward to in Lab #1 :)
Looking Forward
• Ethics form due at 5!
• Homework #1 due Monday, Oct 10
• Next few classes:
– Friday: guest lecture by David Aucsmith
– Monday: more buffer overflows
– Wednesday: guest lecture by Emily McReynolds
• Section tomorrow about Lab 1