understand stack buffer overflow attack and defense controls against program threats
TRANSCRIPT
Understand stackBuffer overflow attack and defense
Controls against program threats
Computer Emergency Response Team (CERT)
At the Carnegie Mellon University http://www.cert.org Formed after Morris Worm (after 1988)
A long report on Morris Worm by Eugene Spafford of Purdue CERIAS http://portal.acm.org/citation.cfm?id=66093.66095
Year Total vulnerabilities2007 7,236
2006 8,064
2005 5,990
2004 3,780
2003 3,784
2002 4,129
2001 2,437
2000 1,090
1999 417
1998 262
1997 311
1996 345
1995 171
No silver bullet to achieve security effortlessly 1. exhaustive testing of all program states is infeasible 2. software engineering techniques evolve rapidly
Program control – specification & verification typical approach: specify a should-do list security needs: a shouldn’t-do list
Some definitions and Types of flaws Program security flaw: unexpected behavior Error: human mistake Fault: an incorrect step, command, process, data
definition in a program Failure: departure from system’s required behavior
A taxonomy of program flaws
Intentional flaws Inadvertent flaws
Malicious Non-malicious Validation, domain, serialization/aliasing,Identification/authenticationBoundary condition violationLogic errors
Landwehr [LAN93]
Buffer overflows
Figure 3-1 Places Where a Buffer Can Overflow.
A buffer (or array or string) is a space in which data can be held In memory, finite capacity Checking bound takes
time/space
char sample[10];for(i=0;i<=9;i++)
sample[i]=‘A ’;sample[10]=‘B’;
Replace code in system space with kernel privilege
Java checks array bound – no buffer overflow
Process memory region
Stack is for procedure call – jump and returnUse stack for:
dynamically allocate local varspass parameters to functionsreturn values from functions
Text
Initialized)Data
(uninitialized)
Stack
Text region: code, read-only data
Static variables. If data region expands or stack space runs out, new memory is added between data and stack segments
Stack: an abstract data type.Last in, first out (LIFO)PUSH: add an element at top of stackPOP: remove element at top of stack
Aleph One. Smashing the stack for fun and profit. 96.http://www.phrack.com/issues.html?issue=49&id=14
How a process uses its stack: Call stack, stack pointer
Stack buffer overflow occurs when information is written into the memory allocated to a variable on a stack, but the size of this information exceeds what was allocated at compile time. HEAP buffer overflow – used in many drive-by downloads
Run-time stack, call stack, control stack, execution stack (all the same): What a process uses to keep track of the sequence of
subroutines called and local variables encountered
Stack frame: the consecutive stack space for each calling function that has not yet finished execution
Top stack frame: for function that just got called and is being executed
Stack pointer: memory location of the top of the stack Stored in a register
Avi Kak Computer Security lecture note
Another example
//example1.c: void function(int a, int b, int c)
{ char buffer1[5]; char buffer2[10];
} void main() {
function(1,2,3); }
buffer2 buffer1 sfp ret a b c <------ [ ] [ ] [ ] [ ] [ ] [ ] [ ]
Top of stack
Bottom of memory
Bottom of stack
Top of memory
sfp: saved frame pointer
An example of stack and stack frame
// ex.cint main() { int x = foo( 10 ); printf( "the value of x =
%d\n", x ); return 0;}int foo( int i ) { int ii = i + i; int iii = bar( ii ); int iiii = iii; return iiii;}int bar( int j ) { int jj = j + j; return jj;}
stack_ptr--> jj return-address to caller j
iii ii return-address to caller
i
x argc argv
stack frame for bar
stack frame for foo
stack frame for main
.globl bar
.type bar, @functionbar:pushl %ebpmovl %esp, %ebpmovl 8(%ebp), %eaxaddl %eax, %eaxpopl %ebpret.size bar, .-bar.globl foo
.type foo, @functionfoo:pushl %ebpmovl %esp, %ebpsubl $4, %espmovl 8(%ebp), %eaxaddl %eax, %eaxmovl %eax, (%esp)call barleaveret.size foo, .-foo
continues
Partial assembly code of ex.c in ex.S
Compile with gcc -S –O ex.c –o ex.S
Inspecting the call stack – assembly code of ex.c
To inspect the assembly code, run gcc -S -O ex.c -o ex.Sesp: stack pointer – top of the stackebp: base pointer (aka frame pointer) – param/local var
of current statck frameeip: instruction pointer – next CPU instruction to be
executed
foo:pushl %ebp push value stored in register ebp onto stackmovl %esp, %ebp move value in register esp to ebpsubl $4, %esp substract 4 from value in esp (stack grows)movl 8(%ebp), %eax move i into an accumulatoraddl %eax, %eax i+imovl %eax, (%esp) move accumulator content into stack location pointed to by the content of esp register – so that local var ii becomes the argument to barcall bar call barleaveret
Intel X86 32 bit architecture
Avi Kak Computer Security lecture note
Another buffer overflow example
void function(char *str) { char buffer[16];
strcpy(buffer,str); }
void main() { char large_string[256];
int i; for( i = 0; i < 255; i++) large_string[i] = 'A';
function(large_string); }
buffer sfp ret str* <------ [ ] [ ] [ ] [ ]
Top of stack Bottom of stack
Overwritten by ‘A ’ (0x414141…)
Return address is overwritten and becomes 0x41414141
You get segmentation fault
Worse, attacker can change flow of program
Observing buffer overflow in action – try this at home
#include <stdio.h>int main() {
while(1) foo();}int foo(){
unsigned int yy = 0;char buffer[5]; char ch; int i = 0;printf("Say something: ");while ((ch = getchar()) != '\n') buffer[i++] =
ch;buffer[i] = '\0';printf("You said: %s\n", buffer);printf("The variable yy: %d\n", yy);return 0;
}
Avi Kak Computer Security lecture note
gcc -fno-stack-protector buffover2.c -o buffover2
Heap overflow Heap located above program code/global data For use in dynamic data structures, e.g., linked lists Can affect the memory following it Unlike stack, there is no return address to overwrite So aims to overwrite pointer to a function
E.g., a list of record containing data & their processing function
Another type of buffer overflow (usually in web applications)
Overflow when passing parameters to a routine
http://www.somesite.com/userinout.asp?param1=(808)555-1212¶m2=2009Jan17
Web developer may just allocate 20 bytes for param1.How does the program handle long phone number, e.g., 1000 digits?
Defense against buffer overflow Boundary checking, sanity checking by developers
Canaries: a know value on the stack just before the return address – canary word Check the canary when function is to return Stack guard by Crispin Cowan (a gcc extension)
Non-executable stacks Address randomization Compiler boundary checking
In Java Java JVM may still be susceptible to buffer overflow
attacks