Understand stackBuffer overflow attack and defense

Controls against program threats

Computer Emergency Response Team (CERT)

At the Carnegie Mellon University http://www.cert.org Formed after Morris Worm (after 1988)

A long report on Morris Worm by Eugene Spafford of Purdue CERIAS http://portal.acm.org/citation.cfm?id=66093.66095

Year Total vulnerabilities2007 7,236

2006 8,064

2005 5,990

2004 3,780

2003 3,784

2002 4,129

2001 2,437

2000 1,090

1999 417

1998 262

1997 311

1996 345

1995 171

No silver bullet to achieve security effortlessly 1. exhaustive testing of all program states is infeasible 2. software engineering techniques evolve rapidly

Program control – specification & verification typical approach: specify a should-do list security needs: a shouldn’t-do list

Some definitions and Types of flaws Program security flaw: unexpected behavior Error: human mistake Fault: an incorrect step, command, process, data

definition in a program Failure: departure from system’s required behavior

A taxonomy of program flaws

Intentional flaws Inadvertent flaws

Malicious Non-malicious Validation, domain, serialization/aliasing,Identification/authenticationBoundary condition violationLogic errors

Landwehr [LAN93]

Buffer overflows

Figure 3-1  Places Where a Buffer Can Overflow.

A buffer (or array or string) is a space in which data can be held In memory, finite capacity Checking bound takes

time/space

char sample[10];for(i=0;i<=9;i++)

sample[i]=‘A ’;sample[10]=‘B’;

Replace code in system space with kernel privilege

Java checks array bound – no buffer overflow

Process memory region

Stack is for procedure call – jump and returnUse stack for:

dynamically allocate local varspass parameters to functionsreturn values from functions

Text

Initialized)Data

(uninitialized)

Stack

Text region: code, read-only data

Static variables. If data region expands or stack space runs out, new memory is added between data and stack segments

Stack: an abstract data type.Last in, first out (LIFO)PUSH: add an element at top of stackPOP: remove element at top of stack

Aleph One. Smashing the stack for fun and profit. 96.http://www.phrack.com/issues.html?issue=49&id=14

How a process uses its stack: Call stack, stack pointer

Stack buffer overflow occurs when information is written into the memory allocated to a variable on a stack, but the size of this information exceeds what was allocated at compile time. HEAP buffer overflow – used in many drive-by downloads

Run-time stack, call stack, control stack, execution stack (all the same): What a process uses to keep track of the sequence of

subroutines called and local variables encountered

Stack frame: the consecutive stack space for each calling function that has not yet finished execution

Top stack frame: for function that just got called and is being executed

Stack pointer: memory location of the top of the stack Stored in a register

Avi Kak Computer Security lecture note

Another example

//example1.c: void function(int a, int b, int c)

{ char buffer1[5]; char buffer2[10];

} void main() {

function(1,2,3); }

buffer2 buffer1 sfp ret a b c <------ [ ] [ ] [ ] [ ] [ ] [ ] [ ]

Top of stack

Bottom of memory

Bottom of stack

Top of memory

sfp: saved frame pointer

An example of stack and stack frame

// ex.cint main() { int x = foo( 10 ); printf( "the value of x =

%d\n", x ); return 0;}int foo( int i ) { int ii = i + i; int iii = bar( ii ); int iiii = iii; return iiii;}int bar( int j ) { int jj = j + j; return jj;}

stack_ptr--> jj return-address to caller j

iii ii return-address to caller

i

x argc argv

stack frame for bar

stack frame for foo

stack frame for main

.globl bar

.type bar, @functionbar:pushl %ebpmovl %esp, %ebpmovl 8(%ebp), %eaxaddl %eax, %eaxpopl %ebpret.size bar, .-bar.globl foo

.type foo, @functionfoo:pushl %ebpmovl %esp, %ebpsubl $4, %espmovl 8(%ebp), %eaxaddl %eax, %eaxmovl %eax, (%esp)call barleaveret.size foo, .-foo

continues

Partial assembly code of ex.c in ex.S

Compile with gcc -S –O ex.c –o ex.S

Inspecting the call stack – assembly code of ex.c

To inspect the assembly code, run gcc -S -O ex.c -o ex.Sesp: stack pointer – top of the stackebp: base pointer (aka frame pointer) – param/local var

of current statck frameeip: instruction pointer – next CPU instruction to be

executed

foo:pushl %ebp push value stored in register ebp onto stackmovl %esp, %ebp move value in register esp to ebpsubl $4, %esp substract 4 from value in esp (stack grows)movl 8(%ebp), %eax move i into an accumulatoraddl %eax, %eax i+imovl %eax, (%esp) move accumulator content into stack location pointed to by the content of esp register – so that local var ii becomes the argument to barcall bar call barleaveret

Intel X86 32 bit architecture

Avi Kak Computer Security lecture note

Another buffer overflow example

void function(char *str) { char buffer[16];

strcpy(buffer,str); }

void main() { char large_string[256];

int i; for( i = 0; i < 255; i++) large_string[i] = 'A';

function(large_string); }

buffer sfp ret str* <------ [ ] [ ] [ ] [ ]

Top of stack Bottom of stack

Overwritten by ‘A ’ (0x414141…)

Return address is overwritten and becomes 0x41414141

You get segmentation fault

Worse, attacker can change flow of program

Observing buffer overflow in action – try this at home

#include <stdio.h>int main() {

while(1) foo();}int foo(){

unsigned int yy = 0;char buffer[5]; char ch; int i = 0;printf("Say something: ");while ((ch = getchar()) != '\n') buffer[i++] =

ch;buffer[i] = '\0';printf("You said: %s\n", buffer);printf("The variable yy: %d\n", yy);return 0;

}

Avi Kak Computer Security lecture note

gcc -fno-stack-protector buffover2.c -o buffover2

Heap overflow Heap located above program code/global data For use in dynamic data structures, e.g., linked lists Can affect the memory following it Unlike stack, there is no return address to overwrite So aims to overwrite pointer to a function

E.g., a list of record containing data & their processing function

Another type of buffer overflow (usually in web applications)

Overflow when passing parameters to a routine

http://www.somesite.com/userinout.asp?param1=(808)555-1212&param2=2009Jan17

Web developer may just allocate 20 bytes for param1.How does the program handle long phone number, e.g., 1000 digits?

Defense against buffer overflow Boundary checking, sanity checking by developers

Canaries: a know value on the stack just before the return address – canary word Check the canary when function is to return Stack guard by Crispin Cowan (a gcc extension)

Non-executable stacks Address randomization Compiler boundary checking

In Java Java JVM may still be susceptible to buffer overflow

attacks