part iii counter measures the best defense is proper bounds checking but there are many c/c++...
TRANSCRIPT
![Page 1: Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget Are there any](https://reader037.vdocuments.site/reader037/viewer/2022110321/56649cdf5503460f949a8dd2/html5/thumbnails/1.jpg)
![Page 2: Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget Are there any](https://reader037.vdocuments.site/reader037/viewer/2022110321/56649cdf5503460f949a8dd2/html5/thumbnails/2.jpg)
Part IIICounter measures
![Page 3: Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget Are there any](https://reader037.vdocuments.site/reader037/viewer/2022110321/56649cdf5503460f949a8dd2/html5/thumbnails/3.jpg)
• The best defense is proper bounds checking• but there are many C/C++ programmers
and some are bound to forget
Are there any system defenses that can help?
HOW DO WE STOP THE ATTACKS?
![Page 4: Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget Are there any](https://reader037.vdocuments.site/reader037/viewer/2022110321/56649cdf5503460f949a8dd2/html5/thumbnails/4.jpg)
HOW DO WE STOP THE ATTACKS?
• A variety of tricks in combination NX bit Canaries ASLR
fin
![Page 5: Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget Are there any](https://reader037.vdocuments.site/reader037/viewer/2022110321/56649cdf5503460f949a8dd2/html5/thumbnails/5.jpg)
III.ACanaries
![Page 6: Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget Are there any](https://reader037.vdocuments.site/reader037/viewer/2022110321/56649cdf5503460f949a8dd2/html5/thumbnails/6.jpg)
• Goal: make sure we detect overflow of return address– The functions' prologues insert a canary on the stack– The canary is a 32-bit value inserted between the return
address and local variables• Types of canaries:
1. Terminator2. Random3. Random XOR
• The epilogue checks if the canary has been altered• Drawback: requires recompilation
Compiler-level techniquesCanaries
![Page 7: Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget Are there any](https://reader037.vdocuments.site/reader037/viewer/2022110321/56649cdf5503460f949a8dd2/html5/thumbnails/7.jpg)
Canaries
![Page 8: Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget Are there any](https://reader037.vdocuments.site/reader037/viewer/2022110321/56649cdf5503460f949a8dd2/html5/thumbnails/8.jpg)
How good are they?
• Assume random canaries protect the stack
![Page 9: Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget Are there any](https://reader037.vdocuments.site/reader037/viewer/2022110321/56649cdf5503460f949a8dd2/html5/thumbnails/9.jpg)
Can you still exploit this?
![Page 10: Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget Are there any](https://reader037.vdocuments.site/reader037/viewer/2022110321/56649cdf5503460f949a8dd2/html5/thumbnails/10.jpg)
III.B“DEP”
![Page 11: Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget Are there any](https://reader037.vdocuments.site/reader037/viewer/2022110321/56649cdf5503460f949a8dd2/html5/thumbnails/11.jpg)
DEP / NX bit / W⊕X
• Idea: separate executable memory locations from writable ones– A memory page cannot be both writable and
executable at the same time• “Data Execution Prevention (DEP)”
![Page 12: Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget Are there any](https://reader037.vdocuments.site/reader037/viewer/2022110321/56649cdf5503460f949a8dd2/html5/thumbnails/12.jpg)
Bypassing W⊕X
• Return into libc• Three assumptions:
– We can manipulate a code pointer– The stack is writable– We know the address of a “suitable" library
function (e.g., system())
![Page 13: Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget Are there any](https://reader037.vdocuments.site/reader037/viewer/2022110321/56649cdf5503460f949a8dd2/html5/thumbnails/13.jpg)
Stack
• Why the “ret address”?• What could we do with it?
0x08048430
buf
System()0xbfffeedc
0xbfffeeb0
0xbfffeeb4
0xbfffeeb8
0xbfffeebc
0xbfffeec0
0xbfffeec4
0xbfffeec8
0xbfffeecc
0xbfffeed0
0xbfffeed4
0xbfffeed8
0xbfffeea4
0xbfffeea8
0xbfffeeac
“ret address”
arg
arg0xbfffeee8
0xbfffeee0
0xbfffeee4
![Page 14: Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget Are there any](https://reader037.vdocuments.site/reader037/viewer/2022110321/56649cdf5503460f949a8dd2/html5/thumbnails/14.jpg)
Return Oriented Programming• ROP chains:
– Small snippets of code ending with a RET– Can be chained together
![Page 15: Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget Are there any](https://reader037.vdocuments.site/reader037/viewer/2022110321/56649cdf5503460f949a8dd2/html5/thumbnails/15.jpg)
Return Oriented Programming• ROP chains
– Small snippets of code ending with a RET– Can be chained together
&gadget1
&gadget2
&gadget3
--……ret
…ret
stack
![Page 16: Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget Are there any](https://reader037.vdocuments.site/reader037/viewer/2022110321/56649cdf5503460f949a8dd2/html5/thumbnails/16.jpg)
How good are they?
• Assume random canaries protect the stack• Assume DEP prevents execution of the stack
![Page 17: Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget Are there any](https://reader037.vdocuments.site/reader037/viewer/2022110321/56649cdf5503460f949a8dd2/html5/thumbnails/17.jpg)
Can you still exploit this?
![Page 18: Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget Are there any](https://reader037.vdocuments.site/reader037/viewer/2022110321/56649cdf5503460f949a8dd2/html5/thumbnails/18.jpg)
III.CASLR
![Page 19: Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget Are there any](https://reader037.vdocuments.site/reader037/viewer/2022110321/56649cdf5503460f949a8dd2/html5/thumbnails/19.jpg)
Let us make it a little harder still…
![Page 20: Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget Are there any](https://reader037.vdocuments.site/reader037/viewer/2022110321/56649cdf5503460f949a8dd2/html5/thumbnails/20.jpg)
Address Space Layout Randomisation
• Idea:– Re-arrange the position of key data areas
randomly (stack, .data, .text, shared libraries, . . . )– Buffer overflow: the attacker does not know the
address of the shellcode– Return-into-libc: the attacker can't predict the
address of the library function– Implementations: Linux kernel > 2.6.11, Windows
Vista, . . .
![Page 21: Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget Are there any](https://reader037.vdocuments.site/reader037/viewer/2022110321/56649cdf5503460f949a8dd2/html5/thumbnails/21.jpg)
ASLR: Problems
• 32-bit implementations use few randomisation bits• An attacker can still exploit non-randomised areas, or
rely on other information leaks (e.g., format bug)
• So… (I bet you saw this one coming)….
![Page 22: Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget Are there any](https://reader037.vdocuments.site/reader037/viewer/2022110321/56649cdf5503460f949a8dd2/html5/thumbnails/22.jpg)
How good are they?
• Assume random canaries protect the stack• Assume DEP prevents execution of the stack• Assume ASLR randomized the stack and the
start address of the code– but let us assume that all functions are still at the
same relative offset from start address of code– (in other words: need only a single code pointer)
![Page 23: Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget Are there any](https://reader037.vdocuments.site/reader037/viewer/2022110321/56649cdf5503460f949a8dd2/html5/thumbnails/23.jpg)
Can you still exploit this?
![Page 24: Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget Are there any](https://reader037.vdocuments.site/reader037/viewer/2022110321/56649cdf5503460f949a8dd2/html5/thumbnails/24.jpg)
Finally
![Page 25: Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget Are there any](https://reader037.vdocuments.site/reader037/viewer/2022110321/56649cdf5503460f949a8dd2/html5/thumbnails/25.jpg)
We constructed “weird machines”
• New spin on fundamental questions: “What is computable?”
• Shellcode, ROP, Ret2Libc Turing Complete
![Page 26: Part III Counter measures The best defense is proper bounds checking but there are many C/C++ programmers and some are bound to forget Are there any](https://reader037.vdocuments.site/reader037/viewer/2022110321/56649cdf5503460f949a8dd2/html5/thumbnails/26.jpg)
That is all folks!
• We have covered quite a lot:– Simple buffer overflows– Counter measures– Counter counter measures
• Research suggests that buffer overflows will be with us for quite some time
• Best avoid them in your code!